Kubernetes: manifest template

发布时间 2023-04-02 19:15:20作者: ascertain

 

apiVersion: v1, kind: Pod

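# kube-apiserver control-plane Pod (labels component=kube-apiserver, tier=control-plane).
# NOTE(review): the kubernetes.io/config.hash annotation is normally stamped by the kubelet and the
# commented-out Node ownerReference is what a mirror pod carries, so this looks copied from a running
# kubeadm node and then extended — confirm whether it is applied through the API or dropped into the
# static-pod manifest directory, because the two paths accept different fields (see ServiceAccount).
apiVersion: v1
kind: Pod
metadata:
  annotations:
    # host:port and hash are identifier strings; quoted so no YAML parser retypes them
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: '192.168.8.11:6443'
    kubernetes.io/config.hash: '755e36554917832e5f2c40bbb2e580cb'
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver-vandal-1
  namespace: kube-system
  # ownerReferences:
  # - apiVersion: v1
  #   controller: true
  #   kind: Node
  #   name: vandal-1
  #   uid: 77f24839-9368-4d4c-a024-4c8452ef2b3d
spec:
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  # shares the node's network namespace: --secure-port below listens directly on the node address
  hostNetwork: true
  # pinned to one node; the scheduler is bypassed
  nodeName: vandal-1
  preemptionPolicy: PreemptLowerPriority
  priority: 2000001000
  priorityClassName: system-node-critical
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    # container runtime's default seccomp profile for every container in the pod
    seccompProfile:
      type: RuntimeDefault
  terminationGracePeriodSeconds: 30
  tolerations:
    # no key + Exists: tolerates every NoExecute taint, so the pod is never evicted from its node
    - effect: NoExecute
      operator: Exists
  # host directories holding the trust store and cluster PKI; all mounted read-only below
  volumes:
    - hostPath:
        path: /etc/ssl/certs
        type: DirectoryOrCreate
      name: ca-certs
    - hostPath:
        path: /etc/pki
        type: DirectoryOrCreate
      name: etc-pki
    - hostPath:
        path: /etc/kubernetes/pki
        type: DirectoryOrCreate
      name: k8s-certs
  # ~~~~~~ ServiceAccount ~~~~~~
  # NOTE(review): the apiserver presumably has no use for a projected token of its own; set
  # automountServiceAccountToken: false unless the container really calls the API with it. A static
  # Pod spec also cannot reference API objects such as a ServiceAccount (kubeadm's generated
  # kube-apiserver manifest sets neither field) — confirm the intended deployment path.
  automountServiceAccountToken: true
  serviceAccountName: codify
  # ^^^^^^ ServiceAccount ^^^^^^
  #---------------------------------------------------------------------
  # Containers
  #---------------------------------------------------------------------
  containers:
    - name: kube-apiserver
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      command:
        - kube-apiserver
        # must equal the probe host below and the annotation endpoint above
        - --advertise-address=192.168.8.11
        # privileged containers allowed cluster-wide (CNI / storage plugins rely on this)
        - --allow-privileged=true
        # Node authorizer + RBAC; keep NodeRestriction so a kubelet may only modify its own node's objects
        - --authorization-mode=Node,RBAC
        - --client-ca-file=/etc/kubernetes/pki/ca.crt
        - --enable-admission-plugins=NodeRestriction
        # bootstrap tokens (node join) are accepted as credentials; keep them short-lived
        - --enable-bootstrap-token-auth=true
        # mutual TLS to etcd on the local node
        - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
        - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
        - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
        - --etcd-servers=https://127.0.0.1:2379
        # client certificate the apiserver presents to kubelets (logs / exec / port-forward)
        - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
        - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        # front-proxy: identity presented to extension API servers, plus the CA and the only
        # client CN trusted to assert identities through the X-Remote-* headers
        - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
        - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
        - --requestheader-allowed-names=front-proxy-client
        - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
        - --requestheader-extra-headers-prefix=X-Remote-Extra-
        - --requestheader-group-headers=X-Remote-Group
        - --requestheader-username-headers=X-Remote-User
        - --secure-port=6443
        # service-account tokens: issuer claim, sa.pub verifies, sa.key signs
        - --service-account-issuer=https://kubernetes.default.svc.cluster.local
        - --service-account-key-file=/etc/kubernetes/pki/sa.pub
        - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
        - --service-cluster-ip-range=10.96.0.0/12
        # serving certificate for the secure port
        - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
        - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
      image: registry.k8s.io/kube-apiserver:v1.26.0
      imagePullPolicy: IfNotPresent
      # ~~~~~~ Probes ~~~~~~
      # all three probes hit the apiserver over HTTPS on the node address (hostNetwork), so host
      # must track --advertise-address
      livenessProbe:
        failureThreshold: 8
        httpGet:
          host: 192.168.8.11
          path: /livez
          port: 6443
          scheme: HTTPS
        initialDelaySeconds: 10
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 15
      readinessProbe:
        failureThreshold: 3
        httpGet:
          host: 192.168.8.11
          path: /readyz
          port: 6443
          scheme: HTTPS
        periodSeconds: 1
        successThreshold: 1
        timeoutSeconds: 15
      # liveness is not evaluated until startup succeeds: up to 24 x 10s after the initial delay
      startupProbe:
        failureThreshold: 24
        httpGet:
          host: 192.168.8.11
          path: /livez
          port: 6443
          scheme: HTTPS
        initialDelaySeconds: 10
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 15
      # ^^^^^^ Probes ^^^^^^
      # ~~~~~~ Resources ~~~~~~
      resources:
        limits:
          memory: 4Gi
          cpu: 2000m
        requests:
          memory: 100Mi
          cpu: 250m
      # ^^^^^^ Resources ^^^^^^
      # ~~~~~~ VolumeMounts ~~~~~~
      # read-only: the container can use the keys but cannot overwrite the node's PKI
      volumeMounts:
        - mountPath: /etc/ssl/certs
          name: ca-certs
          readOnly: true
        - mountPath: /etc/pki
          name: etc-pki
          readOnly: true
        - mountPath: /etc/kubernetes/pki
          name: k8s-certs
          readOnly: true
      # ^^^^^^ VolumeMounts ^^^^^^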


apiVersion: rbac.authorization.k8s.io/v1, kind: Role

# Role: namespaced permissions, valid only inside the `default` namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  # '' is the core API group
  - apiGroups:
      - ''
    resources:
      - pods
    verbs:
      - get
      - watch
      - list
  # subresource: GET /api/v1/namespaces/{namespace}/pods/{pod}/log
  - apiGroups:
      - ''
    resources:
      - pods/log
    verbs:
      - get
      - list
  # ConfigMap is addressed as 'configmaps' at the HTTP level; resourceNames pins the rule to one object
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - my-configmap
    verbs:
      - update
      - get
  # NOTE(review): wildcard grant — every resource and every verb in the batch group, which is far
  # wider than the role's name suggests; narrow to the resources and verbs actually required
  - apiGroups:
      - batch
    resources:
      - '*'
    verbs:
      - '*'
  # full deployment lifecycle, including create and delete, in a role named pod-reader
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
# ClusterRole: not namespaced; can be granted cluster-wide (ClusterRoleBinding) or
# restricted to one namespace (RoleBinding)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
  # NOTE(review): read access to Secrets is the highest-value grant here — bound cluster-wide it
  # exposes every Secret in every namespace; prefer a RoleBinding to scope it
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # non-resource endpoints take lowercase HTTP methods as verbs
  - nonResourceURLs:
      - '/healthz'
      - '/healthz/*'
    verbs:
      - get
      - post
---
# RoleBinding: grants the `pod-reader` Role to the subjects below, inside the `default` namespace only.
# NOTE(review): the subject list enumerates every subject kind for illustration; bound together they
# hand pod-reader to every ServiceAccount and to every authenticated AND anonymous caller. Keep only
# the subjects you actually intend to authorise.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  # user names are case-sensitive
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: anatomy
  # a ServiceAccount subject carries no apiGroup and is qualified by its namespace
  - kind: ServiceAccount
    name: default
    namespace: kube-system
  # every service account in the qa namespace
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts:qa
  # every service account in every namespace
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts
  # every authenticated user
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:authenticated
  # every unauthenticated (anonymous) request — NOTE(review): never bind real permissions to this group
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:unauthenticated
# roleRef names the Role or ClusterRole being granted and is immutable once the binding exists
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
---
# ClusterRoleBinding: grants `secret-reader` cluster-wide, i.e. the `manager` group can read
# every Secret and Node in the cluster
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: manager
# a ClusterRoleBinding may only reference a ClusterRole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: secret-reader
---
# Aggregated ClusterRole: its rules are the union of every ClusterRole whose labels match the
# selector below; the control plane keeps `rules` up to date, so nothing is written here by hand
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring
aggregationRule:
  clusterRoleSelectors:
    # label value is a string, hence the quotes
    - matchLabels:
        rbac.example.com/aggregate-to-monitoring: 'true'
# filled in automatically by the control plane
rules: []
---
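# Add to Aggregated ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-endpoints
  labels:
    # matched by the clusterRoleSelectors of the `monitoring` ClusterRole
    rbac.example.com/aggregate-to-monitoring: 'true'
# when you create this ClusterRole, the rules below will be added to the `monitoring` ClusterRole
rules:
  - apiGroups:
      - ''
    resources:
      - services
      - pods
    verbs:
      - get
      - list
      - watch
  # EndpointSlice lives in discovery.k8s.io, not the core group; listed under '' it grants nothing
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch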