Test / debug services
nginx service
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  type: ClusterIP
  ports:
  - port: 80
    protocol: TCP
    name: http
  selector:
    app: nginx
Network debugging pod
apiVersion: apps/v1
kind: Deployment
metadata:
  name: debug
spec:
  replicas: 1
  selector:
    matchLabels:
      app: debug
  template:
    metadata:
      labels:          # the selector above only matches if this key is "labels", not "label"
        app: debug
    spec:
      containers:
      - name: debug
        image: net-tools:latest   # fine for a throwaway debug pod; pin a tag or digest for anything that stays
ingress
In the test namespace, create an Ingress named test with backend test:80, host test.com and TLS enabled, using the Secret test-secret (a kubernetes.io/tls Secret that must live in the same namespace as the Ingress).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
  namespace: test
spec:
  ingressClassName: nginx
  rules:
  - host: test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: test
            port:
              number: 80
  tls:
  - hosts:
    - test.com
    secretName: test-secret
Pod scheduling
Prefer scheduling onto different nodes (soft anti-affinity)
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
    - weight: 100
      podAffinityTerm:
        labelSelector:
          # must match the labels of the pods being spread (kube-dns in this example)
          matchExpressions:
          - key: k8s-app
            operator: In
            values:
            - kube-dns
        topologyKey: kubernetes.io/hostname
Must be scheduled onto different nodes (hard anti-affinity)
With the required form, replicas beyond the number of eligible nodes stay Pending instead of doubling up.
affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
    # required terms are plain podAffinityTerms and take no weight field
    - labelSelector:
        matchExpressions:
        - key: k8s-app
          operator: In
          values:
          - kube-dns
      topologyKey: kubernetes.io/hostname
Schedule only onto nodes carrying a given label
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:       # a list of terms, not a single mapping
      - matchExpressions:
        - key: test
          operator: In
          values:
          - "true"             # label values are strings; an unquoted true is a YAML boolean and is rejected
RBAC
User authorization
Grant user wgh all permissions in the test namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: wgh-role
  namespace: test
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: wgh-bind
  namespace: test
subjects:
- kind: User
  name: wgh
  apiGroup: rbac.authorization.k8s.io   # group only, no /v1 suffix
roleRef:
  kind: Role
  name: wgh-role
  apiGroup: rbac.authorization.k8s.io
Grant user wgh read-only access to the readonly namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: wgh-role
  namespace: readonly
rules:
- apiGroups: ["*"]
  resources: ["*"]      # "*" includes secrets; see the note on excluding Secrets below
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: wgh-bind
  namespace: readonly
subjects:
- kind: User
  name: wgh
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: wgh-role
  apiGroup: rbac.authorization.k8s.io
Grant wgh read-only access to the whole cluster
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: wgh-readonly
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-to-wgh
subjects:
- kind: User
  name: wgh
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: wgh-readonly
  apiGroup: rbac.authorization.k8s.io
Grant every user in the wghdr group read access to Secrets
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-read
rules:
- apiGroups: [""]        # secrets live in the core group; no need for "*"
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: wghdr-read
subjects:
- kind: Group
  name: wghdr
  apiGroup: rbac.authorization.k8s.io   # subjects take apiGroup, not apiVersion
roleRef:
  kind: ClusterRole
  name: secret-read
  apiGroup: rbac.authorization.k8s.io
Excluding read access to Secrets
Users are normally not allowed to read Secrets. RBAC rules are purely additive: there is no deny rule and no way to subtract one resource from a wildcard, so a Role that must cover "everything except secrets" has to list every other resource explicitly, one rule per API group. `kubectl api-resources` gives the list to enumerate from.
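The Python script below is an added example, not part of the original notes. It shows both halves of the point above: a read-only rule with `resources: ["*"]` still lets the subject read Secrets, and an "everything except Secrets" Role has to be generated by enumerating the API resources per group. The api-resources table it parses is a constructed sample in the layout of `kubectl api-resources` (current kubectl, APIVERSION column); the matcher follows the authorizer's wildcard and `*/subresource` semantics; the Role name `wgh-readonly-nosecrets` is an assumption.

```python
"""Build a 'read everything except Secrets' Role and check it with a small RBAC matcher.

Added example for these notes, not code from the original page. API_RESOURCES is a
constructed, trimmed sample in the layout of `kubectl api-resources`; names are assumptions.
"""
import json
import re

API_RESOURCES = """\
NAME                SHORTNAMES   APIVERSION                     NAMESPACED   KIND
configmaps          cm           v1                             true         ConfigMap
pods                po           v1                             true         Pod
secrets                          v1                             true         Secret
serviceaccounts     sa           v1                             true         ServiceAccount
deployments         deploy       apps/v1                        true         Deployment
statefulsets        sts          apps/v1                        true         StatefulSet
ingresses           ing          networking.k8s.io/v1           true         Ingress
roles                            rbac.authorization.k8s.io/v1   true         Role
"""

# The read-only rule from the notes: "*" still covers Secrets.
WILDCARD_READONLY = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]


def parse_api_resources(text):
    """Parse kubectl's fixed-width table using the header's column offsets
    (SHORTNAMES may be blank, so splitting rows on whitespace would misalign them)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for ln in lines[1:]:
        rec = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else len(ln)
            rec[name] = ln[start:end].strip()
        rows.append(rec)
    return rows


def api_group(apiversion):
    """'v1' is the core group (""); 'apps/v1' is group 'apps'."""
    return apiversion.rsplit("/", 1)[0] if "/" in apiversion else ""


def read_only_rules(resources, exclude=("secrets",), verbs=("get", "list", "watch")):
    """RBAC is additive with no deny rule, so 'everything except X' must be spelled out:
    one rule per API group listing every resource that is not excluded."""
    by_group = {}
    for r in resources:
        if r["NAME"] in exclude:
            continue
        by_group.setdefault(api_group(r["APIVERSION"]), []).append(r["NAME"])
    return [{"apiGroups": [g], "resources": sorted(names), "verbs": list(verbs)}
            for g, names in sorted(by_group.items())]


def render_role(name, namespace, rules):
    """Emit the Role as YAML; JSON arrays are valid YAML flow sequences."""
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: Role", "metadata:",
           f"  name: {name}", f"  namespace: {namespace}", "rules:"]
    for r in rules:
        out += [f"- apiGroups: {json.dumps(r['apiGroups'])}",
                f"  resources: {json.dumps(r['resources'])}",
                f"  verbs: {json.dumps(r['verbs'])}"]
    return "\n".join(out) + "\n"


def rule_allows(rule, group, resource, verb):
    """Mirror the RBAC authorizer's matching: "*" matches anything; a resource entry
    must equal the request ('pods' or 'pods/log') or be '*/<sub>' for a subresource."""
    groups = rule.get("apiGroups", [])
    if "*" not in groups and group not in groups:
        return False
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    for entry in rule.get("resources", []):
        if entry == "*" or entry == resource:
            return True
        if "/" in resource and entry == "*/" + resource.split("/", 1)[1]:
            return True
    return False


def allows(rules, group, resource, verb):
    """Any single matching rule grants the request; no rule can take it away."""
    return any(rule_allows(r, group, resource, verb) for r in rules)


if __name__ == "__main__":
    rules = read_only_rules(parse_api_resources(API_RESOURCES))
    print(render_role("wgh-readonly-nosecrets", "readonly", rules))
    for label, rs in (("wildcard", WILDCARD_READONLY), ("enumerated", rules)):
        print(f"{label}: get secrets -> {allows(rs, '', 'secrets', 'get')}, "
              f"list pods -> {allows(rs, '', 'pods', 'list')}")
```

Against a live cluster, feed the output of `kubectl api-resources` into parse_api_resources. Two caveats: api-resources does not list subresources, so entries such as pods/log and pods/exec have to be appended by hand if they are wanted (the wildcard Role in the notes covered them implicitly), and the list changes whenever a CRD is installed, so regenerate the Role instead of hand-editing it. `kubectl auth can-i get secrets -n readonly --as wgh` checks the result against the real authorizer.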
ServiceAccount authorization
Allow the ServiceAccount wgh to read Pods and their logs in the test namespace
apiVersion: v1
kind: ServiceAccount
metadata:
  name: wgh
  namespace: test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: wgh-role
  namespace: test
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]   # the log subresource must be listed explicitly
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: wgh-role-bind
  namespace: test
subjects:
- kind: ServiceAccount      # ServiceAccount subjects take namespace, not apiGroup
  name: wgh
  namespace: test
roleRef:
  kind: Role
  name: wgh-role
  apiGroup: rbac.authorization.k8s.io
Highest privilege (cluster-admin)
Every cluster already ships a default ClusterRole named cluster-admin (wildcard apiGroups/resources/verbs plus nonResourceURLs: ["*"]) and a default ClusterRoleBinding of the same name that binds the system:masters group to it. Re-declaring either object under that name would overwrite the built-in one: a ClusterRole without the nonResourceURLs rule, or a ClusterRoleBinding whose subjects no longer include system:masters. Bind the ServiceAccount to the existing ClusterRole under a binding name of its own instead. A token for this ServiceAccount is root on the cluster; issue and store it accordingly.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cluster-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-sa     # not "cluster-admin", which is the built-in binding
subjects:
- kind: ServiceAccount
  name: cluster-admin
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin        # the built-in ClusterRole
  apiGroup: rbac.authorization.k8s.io