Reference

This section gives you typical resource configuration manifests for the kinds of objects you might want to create in RAIL. These manifests are meant as starting points for cut and paste.

Remember to replace the strings app-name, TJ0999, and adm-it-xxx with your own.

ConfigMap

A collection of key/value pairs which you can treat as either files or environment variables.

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-name-volume
data:
  app-name.ini: |
    # Config data
    app_name = app-name
  another-file.txt: |
    # Another file data
    ...

CronJob

On a periodic schedule, creates a new Job that runs a Pod doing some task.

apiVersion: batch/v1
kind: CronJob
metadata:
  name: app-name
spec:
  schedule: "@hourly"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 2
  failedJobsHistoryLimit: 2
  jobTemplate:
    spec:
      backoffLimit: 0
      template:
        metadata:
          labels:
            app.kubernetes.io/name: app-name
            app.kubernetes.io/component: cleanup
            uib.no/service: TJ0999
        spec:
          restartPolicy: Never
          containers:
          - name: app
            image: ...

            # RAIL requires us to specify how resource hungry each container is
            resources:
              requests:
                cpu: 100m
                memory: 20Mi
              limits:
                cpu: 500m
                memory: 100Mi

            # This states the defaults for the securityContext and will get rid of
            # the warning that you should set these values.  These values can not be
            # set at the Pod-level, so they need to be specified here.
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault

Deployment

Ensures that a set of Pods matching the given template are running in the cluster.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-name
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: app-name
      #app.kubernetes.io/instance: ...
      app.kubernetes.io/component: http-deamon
  template:
    metadata:
      labels:
        app.kubernetes.io/name: app-name
        #app.kubernetes.io/instance: ...
        app.kubernetes.io/component: http-deamon
        uib.no/service: TJ0999
    spec:
      containers:
      - name: app
        image: git.app.uib.no:4567/it/site/app-name.app.uib.no/app-name:prod-YYYY-MM-DD
        ports:
        - name: http
          containerPort: 8080
          protocol: TCP

        # RAIL requires us to specify how resource hungry each container is
        resources:
          requests:
            cpu: 100m
            memory: 20Mi
          limits:
            cpu: 500m
            memory: 100Mi

        # This states the defaults for the securityContext and will get rid of
        # the warning that you should set these values.  These values can not be
        # set at the Pod-level, so they need to be specified here.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
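The resources and securityContext blocks repeated in the CronJob and Deployment manifests above are the settings RAIL expects on every container. The Python below is an added example (not RAIL tooling or code from this page): it walks a PodSpec already loaded into a dict, for instance with yaml.safe_load, and reports any container that lacks those settings. The sample PodSpec is constructed for the demonstration.

```python
# Per-container settings taken from the CronJob/Deployment manifests above.
REQUIRED_SECURITY = {"allowPrivilegeEscalation": False, "runAsNonRoot": True}

def check_pod_spec(pod_spec):
    """Return a list of findings; empty means every container is compliant.
    pod_spec is the dict under spec.template.spec (Deployment) or
    spec.jobTemplate.spec.template.spec (CronJob)."""
    findings = []
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        res = c.get("resources") or {}
        for section in ("requests", "limits"):
            for key in ("cpu", "memory"):
                if key not in (res.get(section) or {}):
                    findings.append(f"{name}: resources.{section}.{key} missing")
        sc = c.get("securityContext") or {}
        for key, want in REQUIRED_SECURITY.items():
            if sc.get(key) is not want:
                findings.append(f"{name}: securityContext.{key} must be {want}")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"{name}: securityContext.capabilities.drop must include ALL")
        if (sc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
            findings.append(f"{name}: securityContext.seccompProfile.type must be RuntimeDefault")
    return findings

# Constructed sample PodSpec: "app" follows the manifests above, "sidecar" does not.
SAMPLE_POD_SPEC = {
    "restartPolicy": "Never",
    "containers": [
        {"name": "app",
         "resources": {"requests": {"cpu": "100m", "memory": "20Mi"},
                       "limits": {"cpu": "500m", "memory": "100Mi"}},
         "securityContext": {"allowPrivilegeEscalation": False,
                             "capabilities": {"drop": ["ALL"]},
                             "runAsNonRoot": True,
                             "seccompProfile": {"type": "RuntimeDefault"}}},
        {"name": "sidecar",
         "resources": {"requests": {"cpu": "50m", "memory": "10Mi"}},
         "securityContext": {"runAsNonRoot": True}},
    ],
}

if __name__ == "__main__":
    for finding in check_pod_spec(SAMPLE_POD_SPEC):
        print(finding)
```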

ImageRepository (Flux)

Monitors the tags present for the specified image in an external container image registry.

apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata:
  name: app-name
spec:
  image: itgit.app.uib.no:4567/it/xx/xxx/app-repo/app-image
  interval: 1m3s
  provider: generic
  secretRef:
    name: pull-secret

ImagePolicy (Flux)

Determines which container image tag to use.

apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata:
  name: app-name
spec:
  imageRepositoryRef:
    name: app-name
  filterTags:
    pattern: '^prod-\d{4}-\d{2}-\d{2}'
  policy:
    alphabetical:
      order: asc
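As an added illustration (not code from this page or from Flux), the Python below mimics how the alphabetical policy above picks a tag: every tag matching filterTags.pattern is kept, the survivors are sorted as plain strings, and with order: asc the last one wins. The sample tag list and the anchored pattern variant are my own constructions, included to show that the page's pattern has no trailing $ and therefore also accepts tags with a suffix.

```python
import re

# filterTags.pattern and policy.alphabetical.order from the ImagePolicy above.
TAG_PATTERN = re.compile(r'^prod-\d{4}-\d{2}-\d{2}')
# Same pattern with a trailing anchor (my addition, not from the manifest).
ANCHORED_PATTERN = re.compile(r'^prod-\d{4}-\d{2}-\d{2}$')

def select_tag(tags, pattern=TAG_PATTERN, order="asc"):
    """Mimic Flux's alphabetical policy: keep the tags the filter matches,
    sort them as plain strings, and return the highest for order "asc"
    (the lowest for "desc"). None when no tag matches."""
    candidates = sorted(t for t in tags if pattern.search(t))
    if not candidates:
        return None
    return candidates[-1] if order == "asc" else candidates[0]

# Constructed tag list, as a registry might return it.
SAMPLE_TAGS = [
    "latest",
    "prod-2024-01-09",
    "prod-2024-03-15",
    "prod-2024-3-2",         # unpadded month/day: rejected by \d{2}
    "dev-2024-04-01",        # wrong prefix: rejected
    "prod-2024-03-15-rc1",   # pattern has no $, so this matches too ...
]

if __name__ == "__main__":
    # ... and, sorting after "prod-2024-03-15", it is the tag the policy picks.
    print(select_tag(SAMPLE_TAGS))                    # prod-2024-03-15-rc1
    print(select_tag(SAMPLE_TAGS, ANCHORED_PATTERN))  # prod-2024-03-15
```

Zero-padded YYYY-MM-DD dates sort chronologically as strings, which is what makes the alphabetical policy work here; anything the pattern lets through that is not such a date can end up being deployed.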

ImageUpdateAutomation (Flux)

Updates the GitOps repo when new container images become available.

apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: app-name
spec:
  git:
    checkout:
      ref:
        branch: main
    push:
      branch: main
    commit:
      author:
        name: fluxcdbot
        email: fluxcdbot@noreply.uib.no
      messageTemplate: '{{ .AutomationObject }}: {{range .Changed.Changes}}{{print .OldValue}} -> {{println .NewValue}}{{end}}'
  interval: 1m0s
  sourceRef:
    kind: GitRepository
    name: adm-it-xxx
    namespace: adm-it-xxx
  update:
    strategy: Setters
    path: base/app-name

Ingress

Routes a web address exposed to the world outside the cluster to an internal Service.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-name
  annotations:
    cert-manager.io/cluster-issuer: harica-temp
    cert-manager.io/private-key-algorithm: ECDSA
    cert-manager.io/usages: "digital signature"
    cert-manager.io/private-key-rotation-policy: Always
    #nginx.ingress.kubernetes.io/whitelist-source-range: 129.177.0.0/16,2001:700:200::/48
spec:
  ingressClassName: nginx
  rules:
  - host: app-name.${rail_region}.${rail_env}.rail.uib.no
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-name
            port:
              name: http
  tls:
  - hosts:
    - app-name.${rail_region}.${rail_env}.rail.uib.no
    secretName: app-name.${rail_region}.${rail_env}.rail.uib.no-tls

Kustomization (Flux)

Makes the resources in a Namespace mirror a directory of manifests in a GitOps repository.

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: adm-it-xxx-subname
spec:
  sourceRef:
    kind: GitRepository
    name: adm-it-xxx
  path: clustername/subname
  targetNamespace: adm-it-xxx-subname
  prune: true
  wait: true
  interval: 30m0s
  retryInterval: 2m0s
  timeout: 3m0s
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
  postBuild:
    substitute:
      rail_env: ${rail_env}
      rail_region: ${rail_region}
      rail_cluster: ${rail_cluster}

Kustomization (Kustomize)

Metadata for a kustomization directory in the client file system. This is not a Kubernetes resource, but it uses a similar file format.

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- manifest1.yaml
- manifest2.yaml
- ../../base/other-kustomization

NetworkPolicy

Describes which Pods can connect to which other Pods.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-name
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: app-name
      #app.kubernetes.io/instance: ...
      app.kubernetes.io/component: http-deamon
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - port: http
    # An empty or omitted "from" allows traffic from every source on the
    # listed port; add podSelector/namespaceSelector/ipBlock entries here
    # to restrict it.
    from:

PersistentVolumeClaim

Allocates a storage volume of the given size.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-name-volume
spec:
  storageClassName: rook-ceph-block
  accessModes:
  - ReadWriteOncePod
  resources:
    requests:
      storage: 500Mi

Secret

Stores key/value pairs in an obfuscated (base64-encoded, not encrypted) form.

apiVersion: v1
kind: Secret
metadata:
  name: app-name-secret
type: Opaque
stringData:
  SECRET_KEY1: ...
  SECRET_KEY2: ...

Service

Registers a cluster-internal DNS name and forwards its traffic to the selected Pods.

apiVersion: v1
kind: Service
metadata:
  name: app-name
spec:
  selector:
    app.kubernetes.io/name: app-name
    #app.kubernetes.io/instance: ...
    app.kubernetes.io/component: http-deamon
  ports:
  - name: http
    port: 80
    targetPort: http
    protocol: TCP

SubnamespaceAnchor

Creates a Namespace and makes it a child of the anchor's Namespace.

apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
  name: adm-it-xxx-subname