02-kubernetes-configuration.md

Latest commit 53e8f0a · Oct 24, 2022
Kubernetes Tutorial - Configuration

  • Resource Quota - Namespace restriction on total resource usage
  • Limit Range - A policy to constrain resource allocations (to Pods or Containers) in a namespace
  • ConfigMap - Storing environment variables per namespace
  • Secret - Storing base64-encoded (obfuscated, not encrypted) environment variables per namespace

[image: 01-config]

Kubernetes Configuration

Kubernetes Namespace (ns) - Logical isolation for your application

kubectl create namespace ns-bootcamp-configuration
kubectl config set-context --current --namespace=ns-bootcamp-configuration

Kubernetes ResourceQuota (quota) - Namespace restriction on total resource usage

Problem Statement: I want to prevent resource contention and "land grabs" by controlling how much CPU or memory an application can consume.

tl;dr – CPU and Memory constraints for the namespace

[image: 03-quota]

kubernetes.io bookmark: Create a ResourceQuota

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: ResourceQuota
metadata:
  name: my-quota
spec:
  hard:
    cpu: 500m      # half a core of CPU requests across the namespace (Mi is a memory suffix, not a CPU one)
    memory: 2G
EOF

Observation:

  • Start Octant
  • Go to Cluster Overview on left side
  • Go to Namespaces
  • Scroll down to Resource Quotas

Kubernetes LimitRange (limits) - A policy to constrain resource allocations (to Pods or Containers) in a namespace

[image: 03-quota]

Problem Statement: I want default CPU and memory allocations applied to my microservices when the Pod spec leaves them out

tl;dr – Forgot to define CPU and memory in your Pod spec? No worries, defaults are set for you

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: LimitRange
metadata:
  name: my-limit-range  
spec:
  limits:
  - default:
      cpu: 250m
      memory: 256Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    type: Container 
EOF

Observation:

  • Start Octant
  • Go to Cluster Overview on left side
  • Go to Namespaces
  • Scroll down to Resource Limits
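The ResourceQuota and LimitRange above work as a pair: once a namespace has a quota on cpu or memory, a Pod that does not state requests for those resources is rejected, and the LimitRange is what fills those requests in. The following script is an added example, not part of the tutorial, that parses Kubernetes quantity strings and checks the two manifests against each other. It assumes the dicts QUOTA_HARD and LIMIT_RANGE, constructed here to mirror the YAML in this section, and runs without a cluster.

```python
"""Check this section's ResourceQuota and LimitRange against each other.

Constructed example: the dicts below mirror the manifests in this section;
nothing here talks to a cluster.
"""
import re
from decimal import Decimal

# Kubernetes quantity suffixes: SI (decimal) and binary (power-of-two).
# Exponent forms such as "1e3" are not handled by this small parser.
_SUFFIXES = {
    "n": Decimal("1e-9"), "u": Decimal("1e-6"), "m": Decimal("1e-3"), "": Decimal(1),
    "k": Decimal("1e3"), "M": Decimal("1e6"), "G": Decimal("1e9"), "T": Decimal("1e12"),
    "Ki": Decimal(2) ** 10, "Mi": Decimal(2) ** 20, "Gi": Decimal(2) ** 30, "Ti": Decimal(2) ** 40,
}
_QUANTITY = re.compile(r"^([0-9]+(?:\.[0-9]+)?)(n|u|m|k|M|G|T|Ki|Mi|Gi|Ti)?$")

# The manifests from this section as plain dicts (constructed to mirror the YAML above).
QUOTA_HARD = {"cpu": "500m", "memory": "2G"}
LIMIT_RANGE = {
    "default": {"cpu": "250m", "memory": "256Mi"},         # becomes the container's limits
    "defaultRequest": {"cpu": "100m", "memory": "128Mi"},  # becomes the container's requests
    "type": "Container",
}


def parse_quantity(text):
    """Convert a Kubernetes quantity ('500m', '2G', '256Mi') to a Decimal in base units."""
    match = _QUANTITY.match(str(text).strip())
    if not match:
        raise ValueError(f"not a Kubernetes quantity: {text!r}")
    number, suffix = match.groups()
    return Decimal(number) * _SUFFIXES[suffix or ""]


def uses_binary_suffix(quantity):
    """True for memory-style suffixes (Ki/Mi/Gi/Ti). On a cpu field this is almost always
    a typo: '500Mi' parses as 524,288,000 cores, whereas '500m' is half a core."""
    return quantity.strip().endswith(("Ki", "Mi", "Gi", "Ti"))


def check_limit_range(limits):
    """Problems in one LimitRange entry: a defaultRequest larger than default is rejected
    by the API server, and a binary-suffixed cpu value is flagged as a likely typo."""
    problems = []
    for resource in ("cpu", "memory"):
        request = parse_quantity(limits["defaultRequest"][resource])
        limit = parse_quantity(limits["default"][resource])
        if request > limit:
            problems.append(f"{resource}: defaultRequest exceeds default")
    for field in ("default", "defaultRequest"):
        if uses_binary_suffix(limits[field]["cpu"]):
            problems.append(f"{field}.cpu: binary suffix on a cpu quantity")
    return problems


def containers_that_fit(quota_hard, limits):
    """How many containers relying on the LimitRange defaults fit under the quota.

    A bare 'cpu' or 'memory' key in ResourceQuota.spec.hard counts *requests*, so each
    such container is charged its defaultRequest, not its default limit.
    Returns (overall, per_resource).
    """
    per_resource = {}
    for resource in ("cpu", "memory"):
        charged = parse_quantity(limits["defaultRequest"][resource])
        per_resource[resource] = int(parse_quantity(quota_hard[resource]) // charged)
    return min(per_resource.values()), per_resource


if __name__ == "__main__":
    print("LimitRange problems:", check_limit_range(LIMIT_RANGE) or "none")
    overall, detail = containers_that_fit(QUOTA_HARD, LIMIT_RANGE)
    print(f"containers on default requests that fit the quota: {overall} {detail}")
    print("cpu '500Mi' looks like a typo:", uses_binary_suffix("500Mi"))
```

With the manifests as written, CPU is the binding constraint: five containers on the 100m default request exhaust the 500m quota long before memory does, which is the kind of mismatch worth spotting before a deployment's sixth replica fails to schedule.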

Kubernetes ConfigMap (cm) - Storing environment variables per namespace

Problem Statement: I want to store configuration in the environment (as environment variables), separately from the container image

tl;dr – All configuration data should be stored separately from the code

[image: 03-cm]

kubernetes.io bookmark: Define a container environment variable with data from a single ConfigMap

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap  
data:
  error-log-level: notice
EOF

Kubernetes Secret - Storing obfuscated environment variables per namespace

Problem Statement: I want a way to obfuscate my environment variables

tl;dr – base64-encoded (not encrypted) environment variables held in memory; anyone allowed to read the Secret can decode them

[image: 03-secret]

kubernetes.io bookmark: Using Secrets as environment variables

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  password: MTIzNDU2   # base64 of "123456"
  user: Ym9i           # base64 of "bob"
EOF

Kubernetes Secret - The Laws of Three

tl;dr – Kubernetes always respects the Law of Three

Kubernetes Secret - Types of Secret

There are three types of secret: (TYPES)

  • generic #👈👈👈 Part of CKAD exam
    • Create a secret from a local file, directory, or literal value
  • tls
    • Create a TLS secret
  • docker-registry
    • Create a secret for use with a Docker registry

Kubernetes Secret - Create a Secret

There are three ways to create a secret: (CREATION)

Kubernetes Secret - Consume a Secret

There are three ways to use a secret: (CONSUMPTION)

  • As files in a volume mounted on one or more of its containers
  • As container environment variable #👈👈👈 Part of CKAD exam
  • By the kubelet when pulling images for the Pod
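The Secret manifest above and the creation and consumption lists here all hinge on one fact: the values under data are base64, which any principal with permission to read Secrets (or to exec into a Pod that consumes them, as the env dump later in this section shows) can reverse in one call. The script below is an added example, not part of the tutorial, that builds the same my-secret from plaintext the way kubectl create secret generic --from-literal does, decodes it back, and checks for the common mistake of pasting plaintext into data instead of stringData. The MY_SECRET dict is constructed here to mirror the manifest above; no cluster is needed.

```python
"""What a Kubernetes Secret's base64 'data' field does and does not protect.

Constructed example mirroring the my-secret manifest in this section; no cluster needed.
"""
import base64

# The tutorial's Secret as a dict (constructed to mirror the YAML above).
MY_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "my-secret"},
    "type": "Opaque",
    "data": {"password": "MTIzNDU2", "user": "Ym9i"},
}


def decode_secret_data(secret):
    """Reverse the 'data' encoding. This is all that `kubectl get secret -o yaml`
    plus one decode gives a reader, which is why base64 is encoding, not protection:
    RBAC on Secrets and encryption at rest in etcd are the actual controls."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in secret["data"].items()}


def build_secret(name, values):
    """Build an Opaque Secret manifest from plaintext values, as
    `kubectl create secret generic --from-literal=key=value` does: base64 into 'data'."""
    data = {k: base64.b64encode(v.encode("utf-8")).decode("ascii") for k, v in values.items()}
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "Opaque", "data": data}


def build_secret_string_data(name, values):
    """The same Secret written with 'stringData': plaintext in the manifest, and the
    API server base64-encodes it into 'data' on write. The stored object is identical."""
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "Opaque", "stringData": dict(values)}


def invalid_data_keys(secret):
    """Keys whose 'data' value is not valid base64. The API server rejects such a Secret;
    the usual cause is pasting plaintext into 'data' instead of 'stringData'."""
    bad = []
    for key, value in secret.get("data", {}).items():
        try:
            base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            bad.append(key)
    return bad


if __name__ == "__main__":
    print("decoded:", decode_secret_data(MY_SECRET))
    rebuilt = build_secret("my-secret", {"password": "123456", "user": "bob"})
    print("rebuilt matches the tutorial manifest:", rebuilt["data"] == MY_SECRET["data"])
    print("plaintext pasted into data:", invalid_data_keys({"data": {"password": "123456"}}))
```

When choosing among the three consumption methods above, remember that environment variables end up in every child process and in crash dumps and debug output, whereas a mounted volume keeps the value in a tmpfs file that only the reading process opens; the env dump at the end of this section is the reminder of how visible the first option is.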

Example: A Pod consuming the ConfigMap and Secret

[image: 03-pod-cm-sec]

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: my-pod  
spec:
  containers:
  - name: my-container
    image: nginx:1.20.0
    ports:
    - containerPort: 80
    env: #👈👈👈 Environment Variable section
      - name: error-log-level
        valueFrom:
          configMapKeyRef:
            name: my-configmap  #👈👈👈 Configuration Map
            key: error-log-level
      - name: SECRET-ENV-USER
        valueFrom:
          secretKeyRef:
            name: my-secret  #👈👈👈 Secret
            key: user
      - name: SECRET-ENV-PASSWORD
        valueFrom:
          secretKeyRef:
            name: my-secret  #👈👈👈 Secret
            key: password
EOF

Observation:

  • Start Octant
  • Go to Workloads...Pods
  • Select my-pod...Terminal...type env

# kubectl exec --stdin --tty my-pod -- /bin/bash

root@my-pod:/# env
error-log-level=notice #👈👈👈
SECRET-ENV-USER=bob #👈👈👈
SECRET-ENV-PASSWORD=123456 #👈👈👈
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_PORT=443
HOSTNAME=my-pod
PWD=/
PKG_RELEASE=1~buster
HOME=/root
KUBERNETES_PORT_443_TCP=tcp://10.245.0.1:443
NJS_VERSION=0.5.3
TERM=xterm
SHLVL=1
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.245.0.1
KUBERNETES_SERVICE_HOST=10.245.0.1
KUBERNETES_PORT=tcp://10.245.0.1:443
KUBERNETES_PORT_443_TCP_PORT=443
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NGINX_VERSION=1.20.0


Clean Up

cd
yes | rm -R ~/ckad/
kubectl delete ns ns-bootcamp-configuration --grace-period 0 --force


Next Kubernetes Tutorial - Kubernetes Workloads

End of Section