DEV Community: Ježek The latest articles on DEV Community by Ježek (@hedgehog). https://dev.to/hedgehog https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1712568%2Fc283581e-f5d4-4b95-827f-ea64399009b9.jpeg DEV Community: Ježek https://dev.to/hedgehog en Getting started with Argo CD using the CLI Ježek Thu, 04 Dec 2025 00:58:54 +0000 https://dev.to/hedgehog/getting-started-with-argo-cd-using-the-cli-3l7h https://dev.to/hedgehog/getting-started-with-argo-cd-using-the-cli-3l7h <p><a href="https://argo-cd.readthedocs.io/" rel="noopener noreferrer">Argo CD</a> is a declarative, GitOps-based continuous delivery (CD) tool for <a href="https://kubernetes.io/" rel="noopener noreferrer">Kubernetes</a>. It automates the deployment and lifecycle management of applications in a cluster by using <a href="https://git-scm.com/" rel="noopener noreferrer">Git</a> repositories as the single source of truth for the desired state of the infrastructure.</p> <p>This article explains how to set up <code>Argo CD</code> and deploy an application in a <code>Kubernetes</code> cluster using the command line and manifests.</p> <h2> Prerequisites: </h2> <ul> <li>Installed the <a href="https://kind.sigs.k8s.io" rel="noopener noreferrer">kind</a> with <a href="https://kind.sigs.k8s.io/docs/user/loadbalancer/" rel="noopener noreferrer">Cloud Provider KIND</a> </li> <li>Installed <a href="https://argo-cd.readthedocs.io/en/stable/cli_installation/" rel="noopener noreferrer">ArgoCD CLI</a> </li> </ul> <h2> Kubernetes Cluster <a></a> </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kind-cluster.yaml</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Cluster</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kind.x-k8s.io/v1alpha4</span> <span class="na">networking</span><span class="pi">:</span> <span class="na">apiServerPort</span><span class="pi">:</span> <span class="m">6443</span> <span class="na">nodes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">control-plane</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">worker</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">worker</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">worker</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kind create cluster <span class="nt">--config</span> kind-cluster.yaml Creating cluster <span class="s2">"kind"</span> ... • Ensuring node image <span class="o">(</span>kindest/node:v1.33.1<span class="o">)</span> 🖼 ... ✓ Ensuring node image <span class="o">(</span>kindest/node:v1.33.1<span class="o">)</span> 🖼 • Preparing nodes 📦 📦 📦 📦 ... ✓ Preparing nodes 📦 📦 📦 📦 • Writing configuration 📜 ... ✓ Writing configuration 📜 • Starting control-plane 🕹️ ... ✓ Starting control-plane 🕹️ • Installing CNI 🔌 ... ✓ Installing CNI 🔌 • Installing StorageClass 💾 ... ✓ Installing StorageClass 💾 • Joining worker nodes 🚜 ... ✓ Joining worker nodes 🚜 Set kubectl context to <span class="s2">"kind-kind"</span> You can now use your cluster with: kubectl cluster-info <span class="nt">--context</span> kind-kind Have a <span class="nb">nice </span>day! 👋 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get nodes NAME STATUS ROLES AGE VERSION kind-control-plane Ready control-plane 7m2s v1.33.1 kind-worker Ready &lt;none&gt; 6m53s v1.33.1 kind-worker2 Ready &lt;none&gt; 6m53s v1.33.1 kind-worker3 Ready &lt;none&gt; 6m53s v1.33.1 </code></pre> </div> <h2> Argo CD </h2> <h3> Setup the Argo CD </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create namespace argocd namespace/argocd created <span class="nv">$ </span>kubectl get namespaces NAME STATUS AGE argocd Active 9s default Active 15m kube-node-lease Active 15m kube-public Active 15m kube-system Active 15m local-path-storage Active 15m </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-n</span> argocd <span class="nt">-f</span> https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml customresourcedefinition.apiextensions.k8s.io/applications.argoproj.io created customresourcedefinition.apiextensions.k8s.io/applicationsets.argoproj.io created customresourcedefinition.apiextensions.k8s.io/appprojects.argoproj.io created serviceaccount/argocd-application-controller created serviceaccount/argocd-applicationset-controller created serviceaccount/argocd-dex-server created serviceaccount/argocd-notifications-controller created serviceaccount/argocd-redis created serviceaccount/argocd-repo-server created serviceaccount/argocd-server created role.rbac.authorization.k8s.io/argocd-application-controller created role.rbac.authorization.k8s.io/argocd-applicationset-controller created role.rbac.authorization.k8s.io/argocd-dex-server created role.rbac.authorization.k8s.io/argocd-notifications-controller created role.rbac.authorization.k8s.io/argocd-redis created role.rbac.authorization.k8s.io/argocd-server created clusterrole.rbac.authorization.k8s.io/argocd-application-controller created clusterrole.rbac.authorization.k8s.io/argocd-applicationset-controller created clusterrole.rbac.authorization.k8s.io/argocd-server created rolebinding.rbac.authorization.k8s.io/argocd-application-controller created rolebinding.rbac.authorization.k8s.io/argocd-applicationset-controller created rolebinding.rbac.authorization.k8s.io/argocd-dex-server created rolebinding.rbac.authorization.k8s.io/argocd-notifications-controller created rolebinding.rbac.authorization.k8s.io/argocd-redis created rolebinding.rbac.authorization.k8s.io/argocd-server created clusterrolebinding.rbac.authorization.k8s.io/argocd-application-controller created clusterrolebinding.rbac.authorization.k8s.io/argocd-applicationset-controller created clusterrolebinding.rbac.authorization.k8s.io/argocd-server created configmap/argocd-cm created configmap/argocd-cmd-params-cm created configmap/argocd-gpg-keys-cm created configmap/argocd-notifications-cm created configmap/argocd-rbac-cm created configmap/argocd-ssh-known-hosts-cm created configmap/argocd-tls-certs-cm created secret/argocd-notifications-secret created secret/argocd-secret created service/argocd-applicationset-controller created service/argocd-dex-server created service/argocd-metrics created service/argocd-notifications-controller-metrics created service/argocd-redis created service/argocd-repo-server created service/argocd-server created service/argocd-server-metrics created deployment.apps/argocd-applicationset-controller created deployment.apps/argocd-dex-server created deployment.apps/argocd-notifications-controller created deployment.apps/argocd-redis created deployment.apps/argocd-repo-server created deployment.apps/argocd-server created statefulset.apps/argocd-application-controller created networkpolicy.networking.k8s.io/argocd-application-controller-network-policy created networkpolicy.networking.k8s.io/argocd-applicationset-controller-network-policy created networkpolicy.networking.k8s.io/argocd-dex-server-network-policy created networkpolicy.networking.k8s.io/argocd-notifications-controller-network-policy created networkpolicy.networking.k8s.io/argocd-redis-network-policy created networkpolicy.networking.k8s.io/argocd-repo-server-network-policy created networkpolicy.networking.k8s.io/argocd-server-network-policy created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get all <span class="nt">-n</span> argocd NAME READY STATUS RESTARTS AGE pod/argocd-application-controller-0 1/1 Running 0 4m14s pod/argocd-applicationset-controller-fc5545556-xwf5k 1/1 Running 0 4m15s pod/argocd-dex-server-f59c65cff-rn6m5 1/1 Running 1 <span class="o">(</span>3m10s ago<span class="o">)</span> 4m15s pod/argocd-notifications-controller-59f6949d7-qmw9h 1/1 Running 0 4m15s pod/argocd-redis-75c946f559-r7hw9 1/1 Running 0 4m15s pod/argocd-repo-server-6959c47c44-zcgvw 1/1 Running 0 4m15s pod/argocd-server-65544f4864-d8bdg 1/1 Running 0 4m15s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE service/argocd-applicationset-controller ClusterIP 10.96.198.72 &lt;none&gt; 7000/TCP,8080/TCP 4m15s service/argocd-dex-server ClusterIP 10.96.130.197 &lt;none&gt; 5556/TCP,5557/TCP,5558/TCP 4m15s service/argocd-metrics ClusterIP 10.96.76.149 &lt;none&gt; 8082/TCP 4m15s service/argocd-notifications-controller-metrics ClusterIP 10.96.212.160 &lt;none&gt; 9001/TCP 4m15s service/argocd-redis ClusterIP 10.96.87.147 &lt;none&gt; 6379/TCP 4m15s service/argocd-repo-server ClusterIP 10.96.249.213 &lt;none&gt; 8081/TCP,8084/TCP 4m15s service/argocd-server ClusterIP 10.96.182.198 &lt;none&gt; 80:31808/TCP,443:32242/TCP 4m15s service/argocd-server-metrics ClusterIP 10.96.205.52 &lt;none&gt; 8083/TCP 4m15s NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/argocd-applicationset-controller 1/1 1 1 4m15s deployment.apps/argocd-dex-server 1/1 1 1 4m15s deployment.apps/argocd-notifications-controller 1/1 1 1 4m15s deployment.apps/argocd-redis 1/1 1 1 4m15s deployment.apps/argocd-repo-server 1/1 1 1 4m15s deployment.apps/argocd-server 1/1 1 1 4m15s NAME DESIRED CURRENT READY AGE replicaset.apps/argocd-applicationset-controller-fc5545556 1 1 1 4m15s replicaset.apps/argocd-dex-server-f59c65cff 1 1 1 4m15s replicaset.apps/argocd-notifications-controller-59f6949d7 1 1 1 4m15s replicaset.apps/argocd-redis-75c946f559 1 1 1 4m15s replicaset.apps/argocd-repo-server-6959c47c44 1 1 1 4m15s replicaset.apps/argocd-server-65544f4864 1 1 1 4m15s NAME READY AGE statefulset.apps/argocd-application-controller 1/1 4m15s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl patch svc argocd-server <span class="nt">-n</span> argocd <span class="nt">-p</span> <span class="s1">'{"spec": {"type": "LoadBalancer"}}'</span> service/argocd-server patched <span class="nv">$ </span>kubectl get svc argocd-server <span class="nt">-n</span> argocd <span class="nt">-o</span><span class="o">=</span><span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.status.loadBalancer.ingress[0].ip}'</span> 172.18.0.6 <span class="nv">$ </span>curl <span class="nt">-sIL</span> http://172.18.0.6:80 <span class="nt">-k</span> HTTP/1.1 307 Temporary Redirect Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 Location: https://172.18.0.6/ Date: Fri, 28 Nov 2025 14:30:00 GMT HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 788 Content-Security-Policy: frame-ancestors <span class="s1">'self'</span><span class="p">;</span> Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 Vary: Accept-Encoding X-Frame-Options: sameorigin X-Xss-Protection: 1 Date: Fri, 28 Nov 2025 14:30:00 GMT </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd admin initial-password <span class="nt">-n</span> argocd CH5hFPo5q1TcHi9- This password must be only used <span class="k">for </span>first <span class="nb">time </span>login. We strongly recommend you update the password using <span class="sb">`</span>argocd account update-password<span class="sb">`</span><span class="nb">.</span> <span class="nv">$ </span>argocd login 172.18.0.6 <span class="nt">--insecure</span> <span class="nt">--username</span> admin Password: CH5hFPo5q1TcHi9- <span class="s1">'admin:login'</span> logged <span class="k">in </span>successfully Context <span class="s1">'172.18.0.6'</span> updated </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd account update-password <span class="k">***</span> Enter password of currently logged <span class="k">in </span>user <span class="o">(</span>admin<span class="o">)</span>: <span class="k">***</span> Enter new password <span class="k">for </span>user admin: <span class="k">***</span> Confirm new password <span class="k">for </span>user admin: Password updated Context <span class="s1">'172.18.0.6'</span> updated <span class="nv">$ </span>kubectl <span class="nt">-n</span> argocd delete secret argocd-initial-admin-secret secret <span class="s2">"argocd-initial-admin-secret"</span> deleted </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd version argocd: v3.2.0+66b2f30 BuildDate: 2025-11-04T15:21:01Z GitCommit: 66b2f302d91a42cc151808da0eec0846bbe1062c GitTreeState: clean GoVersion: go1.25.0 Compiler: gc Platform: windows/amd64 argocd-server: v3.2.0+66b2f30 BuildDate: 2025-11-04T14:51:35Z GitCommit: 66b2f302d91a42cc151808da0eec0846bbe1062c GitTreeState: clean GoVersion: go1.25.0 Compiler: gc Platform: linux/amd64 Kustomize Version: v5.7.0 2025-06-28T07:00:07Z Helm Version: v3.18.4+gd80839c Kubectl Version: v0.34.0 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj2e7hhqzur4m3bpbg2z6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj2e7hhqzur4m3bpbg2z6.png" alt=" " width="800" height="233"></a></p> <h3> Setup a Repository </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd repo add https://github.com/viastakhov/argocd-kustomize-demo.git Repository <span class="s1">'https://github.com/viastakhov/argocd-kustomize-demo.git'</span> added <span class="nv">$ </span>argocd repo list TYPE NAME REPO INSECURE OCI LFS CREDS STATUS MESSAGE PROJECT git https://github.com/viastakhov/argocd-kustomize-demo.git <span class="nb">false false false false </span>Successful </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkauk83e3qtxw7pe1u349.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkauk83e3qtxw7pe1u349.png" alt=" " width="800" height="240"></a></p> <h3> Create a Project </h3> <p><a href="https://argo-cd.readthedocs.io/en/stable/user-guide/projects/" rel="noopener noreferrer">Projects</a> provide a logical grouping of applications, which is useful when Argo CD is used by multiple teams.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ./argo-cd/project.yaml </span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AppProject</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">sourceRepos</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">destinations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">server</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">clusterResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd proj create <span class="nt">-f</span> ./argo-cd/project.yaml <span class="nv">$ </span>argocd proj list NAME DESCRIPTION DESTINATIONS SOURCES CLUSTER-RESOURCE-WHITELIST NAMESPACE-RESOURCE-BLACKLIST SIGNATURE-KEYS ORPHANED-RESOURCES DESTINATION-SERVICE-ACCOUNTS default <span class="k">*</span>,<span class="k">*</span> <span class="k">*</span> <span class="k">*</span>/<span class="k">*</span> &lt;none&gt; &lt;none&gt; disabled &lt;none&gt; nginx <span class="k">*</span>,<span class="k">*</span> <span class="k">*</span> <span class="k">*</span>/<span class="k">*</span> &lt;none&gt; &lt;none&gt; disabled &lt;none&gt; </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fic3m1wuhav2uzbnf3qym.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fic3m1wuhav2uzbnf3qym.png" alt=" " width="800" height="238"></a></p> <h3> Create an Application </h3> <p>An <a href="https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#applications" rel="noopener noreferrer">Application</a> is the Kubernetes resource object representing a deployed application instance in an environment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ./argo-cd/appset.yaml </span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ApplicationSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">goTemplate</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">goTemplateOptions</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">missingkey=error"</span><span class="pi">]</span> <span class="na">generators</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">git</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/viastakhov/argocd-kustomize-demo.git</span> <span class="na">revision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">directories</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">kustomize/overlays/*</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">nginx-{{index</span><span class="nv"> </span><span class="s">.path.segments</span><span class="nv"> </span><span class="s">2}}'</span> <span class="na">finalizers</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">resources-finalizer.argocd.argoproj.io</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/viastakhov/argocd-kustomize-demo.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">path</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{.path.path}}'</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{index</span><span class="nv"> </span><span class="s">.path.segments</span><span class="nv"> </span><span class="s">2}}'</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CreateNamespace=false</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">allowEmpty</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd appset create ./argo-cd/appset.yaml ApplicationSet <span class="s1">'nginx'</span> created Name: argocd/nginx Project: nginx Server: https://kubernetes.default.svc Namespace: <span class="o">{{</span>index .path.segments 2<span class="o">}}</span> Source: - Repo: https://github.com/viastakhov/argocd-kustomize-demo.git Target: HEAD Path: <span class="o">{{</span>.path.path<span class="o">}}</span> SyncPolicy: Automated <span class="nv">$ </span>argocd appset list NAME PROJECT SYNCPOLICY CONDITIONS REPO PATH TARGET argocd/nginx nginx nil <span class="o">[{</span>ParametersGenerated Successfully generated parameters <span class="k">for </span>all Applications 2025-12-04 03:04:54 +0300 MSK True ParametersGenerated<span class="o">}</span> <span class="o">{</span>ResourcesUpToDate All applications have been generated successfully 2025-12-04 03:04:54 +0300 MSK True ApplicationSetUpToDate<span class="o">}]</span> https://github.com/viastakhov/argocd-kustomize-demo.git <span class="o">{{</span>.path.path<span class="o">}}</span> HEAD </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd app list NAME CLUSTER NAMESPACE PROJECT STATUS HEALTH SYNCPOLICY CONDITIONS REPO PATH TARGET argocd/nginx-dev https://kubernetes.default.svc dev nginx Synced Healthy Auto &lt;none&gt; https://github.com/viastakhov/argocd-kustomize-demo.git kustomize/overlays/dev HEAD argocd/nginx-prod https://kubernetes.default.svc prod nginx Synced Healthy Auto &lt;none&gt; https://github.com/viastakhov/argocd-kustomize-demo.git kustomize/overlays/prod HEAD </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd app resources nginx-prod GROUP KIND NAMESPACE NAME ORPHANED ConfigMap production nginx-conf-c6752d2t6f No Namespace production No Service production nginx-svc No apps Deployment production nginx-app No </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd app get nginx-prod Name: argocd/nginx-prod Project: nginx Server: https://kubernetes.default.svc Namespace: prod URL: https://172.18.0.6/applications/nginx-prod Source: - Repo: https://github.com/viastakhov/argocd-kustomize-demo.git Target: HEAD Path: kustomize/overlays/prod SyncWindow: Sync Allowed Sync Policy: Automated Sync Status: Synced to HEAD <span class="o">(</span>d70b25e<span class="o">)</span> Health Status: Healthy GROUP KIND NAMESPACE NAME STATUS HEALTH HOOK MESSAGE Namespace prod production Running Synced namespace/production created ConfigMap production nginx-conf-c6752d2t6f Synced configmap/nginx-conf-c6752d2t6f created Service production nginx-svc Synced Healthy service/nginx-svc created apps Deployment production nginx-app Synced Healthy deployment.apps/nginx-app created Namespace production Synced </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fna2r36l5hok5j19v6h6i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fna2r36l5hok5j19v6h6i.png" alt=" " width="800" height="241"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxkeci919mfgrs14igd7g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxkeci919mfgrs14igd7g.png" alt=" " width="800" height="252"></a></p> <h3> Cleanup </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd appset delete nginx Are you sure you want to delete <span class="s1">'nginx'</span> and all its Applications? <span class="o">[</span>y/n] y applicationset <span class="s1">'nginx'</span> deleted <span class="nv">$ </span>argocd appset list NAME PROJECT SYNCPOLICY CONDITIONS REPO PATH TARGET <span class="nv">$ </span>argocd app list NAME CLUSTER NAMESPACE PROJECT STATUS HEALTH SYNCPOLICY CONDITIONS REPO PATH TARGET </code></pre> </div> <h3> Bonus </h3> <h4> Applications In Any Namespace </h4> <p>Since version 2.5, Argo CD supports managing <code>Application</code> resources in namespaces other than the namespace of the control plane (usually <code>argocd</code>), but this feature has to be explicitly enabled and configured accordingly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ./argo-cd/project.yaml </span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AppProject</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">sourceNamespaces</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">sourceRepos</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">destinations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">server</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">clusterResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd proj create <span class="nt">-f</span> ./argo-cd/project.yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl patch cm/argocd-cmd-params-cm <span class="nt">-n</span> argocd <span class="nt">-p</span> <span class="s1">'{"data": {"application.namespaces": "'</span><span class="k">*</span><span class="s1">'"}}'</span> configmap/argocd-cmd-params-cm patched <span class="nv">$ </span>kubectl rollout restart <span class="nt">-n</span> argocd deployment argocd-server deployment.apps/argocd-server restarted <span class="nv">$ </span>kubectl rollout restart <span class="nt">-n</span> argocd statefulset argocd-application-controller statefulset.apps/argocd-application-controller restarted </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl patch clusterrole argocd-server <span class="nt">--type</span><span class="o">=</span><span class="s1">'json'</span> <span class="nt">-p</span><span class="o">=</span><span class="s1">'[{"op": "replace", "path": "/rules/3/resources", "value": ["applications", "applicationsets", "appprojects"]}]'</span> clusterrole.rbac.authorization.k8s.io/argocd-server patched <span class="nv">$ </span>kubectl patch clusterrole argocd-server <span class="nt">--type</span><span class="o">=</span><span class="s1">'json'</span> <span class="nt">-p</span><span class="o">=</span><span class="s1">'[{"op": "replace", "path": "/rules/3/verbs", "value": ["get", "watch", "list", "create", "update", "delete", "patch"]}]'</span> clusterrole.rbac.authorization.k8s.io/argocd-server patched </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create ns development namespace/development created <span class="nv">$ </span>kubectl create ns production namespace/production created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd app create nginx <span class="se">\</span> <span class="nt">--repo</span> https://github.com/viastakhov/argocd-kustomize-demo.git <span class="se">\</span> <span class="nt">--path</span> kustomize/overlays/dev <span class="se">\</span> <span class="nt">--dest-server</span> https://kubernetes.default.svc <span class="se">\</span> <span class="nt">--dest-namespace</span> development <span class="se">\</span> <span class="nt">--sync-policy</span> auto <span class="se">\</span> <span class="nt">--project</span> nginx <span class="se">\</span> <span class="nt">--app-namespace</span> development <span class="se">\</span> <span class="nt">--set-finalizer</span> application <span class="s1">'nginx'</span> created <span class="nv">$ </span>argocd app create nginx <span class="se">\</span> <span class="nt">--repo</span> https://github.com/viastakhov/argocd-kustomize-demo.git <span class="se">\</span> <span class="nt">--path</span> kustomize/overlays/prod <span class="se">\</span> <span class="nt">--dest-server</span> https://kubernetes.default.svc <span class="se">\</span> <span class="nt">--dest-namespace</span> production <span class="se">\</span> <span class="nt">--sync-policy</span> auto <span class="se">\</span> <span class="nt">--project</span> nginx <span class="se">\</span> <span class="nt">--app-namespace</span> production <span class="se">\</span> <span class="nt">--set-finalizer</span> application <span class="s1">'nginx'</span> created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>argocd app list NAME CLUSTER NAMESPACE PROJECT STATUS HEALTH SYNCPOLICY CONDITIONS REPO PATH TARGET development/nginx https://kubernetes.default.svc development nginx Synced Healthy Auto &lt;none&gt; https://github.com/viastakhov/argocd-kustomize-demo.git kustomize/overlays/dev production/nginx https://kubernetes.default.svc production nginx Synced Healthy Auto &lt;none&gt; https://github.com/viastakhov/argocd-kustomize-demo.git kustomize/overlays/prod <span class="nv">$ </span>kubectl get applications <span class="nt">-n</span> development <span class="nt">-o</span> wide NAME SYNC STATUS HEALTH STATUS REVISION PROJECT nginx Synced Healthy 2550d54636eee62d843f4c56b27b7bdcf351d34a nginx <span class="nv">$ </span>kubectl get applications <span class="nt">-n</span> production <span class="nt">-o</span> wide NAME SYNC STATUS HEALTH STATUS REVISION PROJECT nginx Synced Healthy 2550d54636eee62d843f4c56b27b7bdcf351d34a nginx </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fug27a3nwm5c629nq672k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fug27a3nwm5c629nq672k.png" alt="Applications" width="800" height="364"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete ns development namespace <span class="s2">"development"</span> deleted <span class="nv">$ </span>kubectl delete ns production namespace <span class="s2">"production"</span> deleted <span class="nv">$ </span>argocd app list NAME CLUSTER NAMESPACE PROJECT STATUS HEALTH SYNCPOLICY CONDITIONS REPO PATH TARGET </code></pre> </div> kubernetes argocd gitops kustomize Kubernetes by Example Ježek Wed, 05 Nov 2025 20:24:58 +0000 https://dev.to/hedgehog/the-joy-of-kubernetes-4ijl https://dev.to/hedgehog/the-joy-of-kubernetes-4ijl <p>The article explores <a href="https://kubernetes.io/" rel="noopener noreferrer">Kubernetes</a> through practical examples.</p> <p>The content of the article was structured to ensure clarity and depth while maintaining focus on real-world use cases. By leveraging the hands-on approach advocated throughout the publication, readers will gain an enhanced understanding of core <a href="https://kubernetes.io/docs/concepts/" rel="noopener noreferrer">concepts</a> in Kubernetes such as pod management, service discovery, etc.</p> <p>The article was inspired by the book <a href="https://www.manning.com/books/kubernetes-in-action" rel="noopener noreferrer">Kubernetes in Action</a> by <a href="https://github.com/luksa" rel="noopener noreferrer">Marko Lukša</a>, and in the process of preparing this article, the official <a href="https://kubernetes.io/docs/" rel="noopener noreferrer">Kubernetes Documentation</a> was utilized as a primary reference material. Thus, I insistently recommend that you familiarize yourself with the above-mentioned references in advance.</p> <p>Enjoy!</p> <h2> Table Of Contents </h2> <ul> <li>Kubernetes in Docker</li> <li>Pods</li> <li>Namespaces</li> <li>ReplicaSet</li> <li>DaemonSet</li> <li>Jobs</li> <li>CronJob</li> <li>Service</li> <li>Ingress</li> <li>Probes</li> <li>Volumes</li> <li>ConfigMaps</li> <li>Secrets</li> <li>Deployments</li> <li>StatefulSet</li> <li>ServiceAccount</li> <li>RBAC</li> <li>Pod Security</li> <li>NetworkPolicy</li> <li>LimitRange</li> <li>ResourceQuota</li> <li>HorizontalPodAutoscaler</li> <li>PodDisruptionBudget</li> <li>Taints and Tolerations</li> <li>Affinity</li> </ul> <h2> Kubernetes in Docker <a></a> </h2> <p><a href="https://kind.sigs.k8s.io/" rel="noopener noreferrer">kind</a> is a tool for running local Kubernetes clusters using Docker container <code>nodes</code>.</p> <h3> Create a cluster </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kind-cluster.yaml</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Cluster</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kind.x-k8s.io/v1alpha4</span> <span class="na">networking</span><span class="pi">:</span> <span class="na">apiServerPort</span><span class="pi">:</span> <span class="m">6443</span> <span class="na">nodes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">control-plane</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">extraPortMappings</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">30666</span> <span class="na">hostPort</span><span class="pi">:</span> <span class="m">40000</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">extraPortMappings</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">30666</span> <span class="na">hostPort</span><span class="pi">:</span> <span class="m">40001</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">extraPortMappings</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">30666</span> <span class="na">hostPort</span><span class="pi">:</span> <span class="m">40002</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kind create cluster <span class="nt">--config</span> kind-cluster.yaml Creating cluster <span class="s2">"kind"</span> ... • Ensuring node image <span class="o">(</span>kindest/node:v1.33.1<span class="o">)</span> 🖼 ... ✓ Ensuring node image <span class="o">(</span>kindest/node:v1.33.1<span class="o">)</span> 🖼 • Preparing nodes 📦 📦 📦 📦 ... ✓ Preparing nodes 📦 📦 📦 📦 • Writing configuration 📜 ... ✓ Writing configuration 📜 • Starting control-plane 🕹️ ... ✓ Starting control-plane 🕹️ • Installing CNI 🔌 ... ✓ Installing CNI 🔌 • Installing StorageClass 💾 ... ✓ Installing StorageClass 💾 • Joining worker nodes 🚜 ... ✓ Joining worker nodes 🚜 Set kubectl context to <span class="s2">"kind-kind"</span> You can now use your cluster with: kubectl cluster-info <span class="nt">--context</span> kind-kind </code></pre> </div> <h3> Cluster info </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kind get clusters kind </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl cluster-info <span class="nt">--context</span> kind-kind Kubernetes control plane is running at https://127.0.0.1:6443 CoreDNS is running at https://127.0.0.1:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy </code></pre> </div> <h3> Cluster nodes </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get nodes NAME STATUS ROLES AGE VERSION kind-control-plane Ready control-plane 39m v1.33.1 kind-worker Ready &lt;none&gt; 39m v1.33.1 kind-worker2 Ready &lt;none&gt; 39m v1.33.1 kind-worker3 Ready &lt;none&gt; 39m v1.33.1 </code></pre> </div> <h2> Pods <a></a> </h2> <p><a href="https://kubernetes.io/docs/concepts/workloads/pods/" rel="noopener noreferrer">Pods</a> are the smallest deployable units of computing that you can create and manage in Kubernetes.</p> <h3> Create a pod </h3> <h4> Imperative way </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl run kubia <span class="nt">--image</span><span class="o">=</span>luksa/kubia <span class="nt">--port</span><span class="o">=</span>8080 pod/kubia created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get pods NAME READY STATUS RESTARTS AGE kubia 1/1 Running 0 5m26s </code></pre> </div> <h4> Declarative way </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-basic.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">luksa/kubia</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-basic.yaml pod/kubia created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE kubia 1/1 Running 0 9s </code></pre> </div> <h3> Logs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl logs kubia Kubia server starting... </code></pre> </div> <p>Logs from specific container in pod:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl logs kubia <span class="nt">-c</span> kubia Kubia server starting... </code></pre> </div> <h3> Port forwarding from host to pod </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl port-forward kubia 30000:8080 Forwarding from 127.0.0.1:30000 -&gt; 8080 Forwarding from <span class="o">[</span>::1]:30000 -&gt; 8080 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-s</span> localhost:30000 You<span class="s1">'ve hit kubia </span></code></pre> </div> <h3> Labels and Selectors </h3> <p><a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/" rel="noopener noreferrer">Labels</a> are key/value pairs that are attached to objects such as Pods.</p> <h4> Labels </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-labels.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-labels</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">tier</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">env</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">luksa/kubia</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-labels.yaml pod/kubia-labels created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get po <span class="nt">--show-labels</span> NAME READY STATUS RESTARTS AGE LABELS kubia 1/1 Running 0 4d22h &lt;none&gt; kubia-labels 1/1 Running 0 30s <span class="nb">env</span><span class="o">=</span>dev,tier<span class="o">=</span>backend </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get po <span class="nt">--label-columns</span> tier,env NAME READY STATUS RESTARTS AGE TIER ENV kubia 1/1 Running 0 4d22h kubia-labels 1/1 Running 0 20m backend dev </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl label po kubia-labels <span class="nb">env</span><span class="o">=</span><span class="nb">test </span>error: <span class="s1">'env'</span> already has a value <span class="o">(</span>dev<span class="o">)</span>, and <span class="nt">--overwrite</span> is <span class="nb">false</span> <span class="nv">$ </span>kubectl label po kubia-labels <span class="nb">env</span><span class="o">=</span><span class="nb">test</span> <span class="nt">--overwrite</span> pod/kubia-labels labeled <span class="nv">$ </span>kubectl get po <span class="nt">--label-columns</span> tier,env NAME READY STATUS RESTARTS AGE TIER ENV kubia 1/1 Running 0 4d22h kubia-labels 1/1 Running 0 24m backend <span class="nb">test</span> </code></pre> </div> <h4> Selectors </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get po <span class="nt">-l</span> <span class="s1">'env'</span> <span class="nt">--show-labels</span> NAME READY STATUS RESTARTS AGE LABELS kubia-labels 1/1 Running 0 3h25m <span class="nb">env</span><span class="o">=</span><span class="nb">test</span>,tier<span class="o">=</span>backend <span class="nv">$ </span>kubectl get po <span class="nt">-l</span> <span class="s1">'!env'</span> <span class="nt">--show-labels</span> NAME READY STATUS RESTARTS AGE LABELS kubia 1/1 Running 0 5d1h &lt;none&gt; <span class="nv">$ </span>kubectl get po <span class="nt">-l</span> <span class="nv">tier</span><span class="o">=</span>backend <span class="nt">--show-labels</span> NAME READY STATUS RESTARTS AGE LABELS kubia-labels 1/1 Running 0 3h28m <span class="nb">env</span><span class="o">=</span><span class="nb">test</span>,tier<span class="o">=</span>backend </code></pre> </div> <h3> Annotations </h3> <p>You can use <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/" rel="noopener noreferrer">annotations</a> to attach arbitrary non-identifying metadata to objects.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-annotations.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-annotations</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">imageregistry</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://hub.docker.com/"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">luksa/kubia</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-annotations.yaml pod/kubia-annotations created <span class="nv">$ </span>kubectl describe pod kubia-annotations | <span class="nb">grep </span>Annotations Annotations: imageregistry: https://hub.docker.com/ </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl annotate pod/kubia-annotations <span class="nv">imageregistry</span><span class="o">=</span>nexus.org <span class="nt">--overwrite</span> pod/kubia-annotations annotated <span class="nv">$ </span>kubectl describe pod kubia-annotations | <span class="nb">grep </span>Annotations Annotations: imageregistry: nexus.org </code></pre> </div> <h2> Namespaces <a></a> </h2> <p><a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" rel="noopener noreferrer">Namespaces</a> provide a mechanism for isolating groups of resources within a single cluster.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get ns NAME STATUS AGE default Active 5d2h kube-node-lease Active 5d2h kube-public Active 5d2h kube-system Active 5d2h local-path-storage Active 5d2h </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get pods <span class="nt">--namespace</span><span class="o">=</span>default NAME READY STATUS RESTARTS AGE kubia 1/1 Running 0 5d2h kubia-annotations 1/1 Running 0 19m kubia-labels 1/1 Running 0 4h15m </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create namespace custom-namespace namespace/custom-namespace created <span class="nv">$ </span>kubectl get pods <span class="nt">--namespace</span><span class="o">=</span>custom-namespace No resources found <span class="k">in </span>custom-namespace namespace. </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl run nginx <span class="nt">--image</span><span class="o">=</span>nginx <span class="nt">--namespace</span><span class="o">=</span>custom-namespace pod/nginx created <span class="nv">$ </span>kubectl get pods <span class="nt">--namespace</span><span class="o">=</span>custom-namespace NAME READY STATUS RESTARTS AGE nginx 1/1 Running 0 61s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl config set-context <span class="nt">--current</span> <span class="nt">--namespace</span><span class="o">=</span>custom-namespace Context <span class="s2">"kind-kind"</span> modified. <span class="nv">$ </span>kubectl get pods NAME READY STATUS RESTARTS AGE nginx 1/1 Running 0 2m57s <span class="nv">$ </span>kubectl config set-context <span class="nt">--current</span> <span class="nt">--namespace</span><span class="o">=</span>default Context <span class="s2">"kind-kind"</span> modified. <span class="nv">$ </span>kubectl get pods NAME READY STATUS RESTARTS AGE kubia 1/1 Running 0 5d2h kubia-annotations 1/1 Running 0 30m kubia-labels 1/1 Running 0 4h26m </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete ns custom-namespace namespace <span class="s2">"custom-namespace"</span> deleted <span class="nv">$ </span>kubectl get pods <span class="nt">--namespace</span><span class="o">=</span>custom-namespace No resources found <span class="k">in </span>custom-namespace namespace. <span class="nv">$ </span>kubectl get ns NAME STATUS AGE default Active 5d3h kube-node-lease Active 5d3h kube-public Active 5d3h kube-system Active 5d3h local-path-storage Active 5d3h </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete po <span class="nt">--all</span> pod <span class="s2">"kubia"</span> deleted pod <span class="s2">"kubia-annotations"</span> deleted pod <span class="s2">"kubia-labels"</span> deleted <span class="nv">$ </span>kubectl get ns NAME STATUS AGE default Active 5d3h kube-node-lease Active 5d3h kube-public Active 5d3h kube-system Active 5d3h local-path-storage Active 5d3h <span class="nv">$ </span>kubectl get pods <span class="nt">--namespace</span><span class="o">=</span>default No resources found <span class="k">in </span>default namespace. </code></pre> </div> <h2> ReplicaSet <a></a> </h2> <p>A <a href="https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/" rel="noopener noreferrer">ReplicaSet</a>'s purpose is to maintain a stable set of replica Pods running at any given time. As such, it is often used to guarantee the availability of a specified number of identical Pods.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># replicaset.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ReplicaSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">image</span><span class="pi">:</span> <span class="s">luksa/kubia</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> replicaset.yaml replicaset.apps/kubia created <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE kubia-5l82z 1/1 Running 0 5s kubia-bkjwk 1/1 Running 0 5s kubia-k78j5 1/1 Running 0 5s <span class="nv">$ </span>kubectl get rs NAME DESIRED CURRENT READY AGE kubia 3 3 3 64s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete rs kubia replicaset.apps <span class="s2">"kubia"</span> deleted <span class="nv">$ </span>kubectl get rs No resources found <span class="k">in </span>default namespace. <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE kubia-5l82z 1/1 Terminating 0 5m30s kubia-bkjwk 1/1 Terminating 0 5m30s kubia-k78j5 1/1 Terminating 0 5m30s </code></pre> </div> <h2> DaemonSet <a></a> </h2> <p>A <a href="https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/" rel="noopener noreferrer">DaemonSet</a> ensures that all (or some) Nodes run a copy of a Pod. As nodes are added to the cluster, Pods are added to them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># daemonset.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DaemonSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">fluentd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">fluentd</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">fluentd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">disk</span><span class="pi">:</span> <span class="s">ssd</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">fluentd</span> <span class="na">image</span><span class="pi">:</span> <span class="s">quay.io/fluentd_elasticsearch/fluentd:v5.0.1</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> daemonset.yaml daemonset.apps/fluentd created <span class="nv">$ </span>kubectl get ds NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE fluentd 0 0 0 0 0 <span class="nv">disk</span><span class="o">=</span>ssd 115s <span class="nv">$ </span>kubectl get po No resources found <span class="k">in </span>default namespace. <span class="nv">$ </span>kubectl get node NAME STATUS ROLES AGE VERSION kind-control-plane Ready control-plane 5d21h v1.33.1 kind-worker Ready &lt;none&gt; 5d21h v1.33.1 kind-worker2 Ready &lt;none&gt; 5d21h v1.33.1 kind-worker3 Ready &lt;none&gt; 5d21h v1.33.1 <span class="nv">$ </span>kubectl label node kind-worker3 <span class="nv">disk</span><span class="o">=</span>ssd node/kind-worker3 labeled <span class="nv">$ </span>kubectl get ds NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE fluentd 1 1 1 1 1 <span class="nv">disk</span><span class="o">=</span>ssd 3m49s <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE fluentd-cslcb 1/1 Running 0 39s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete ds fluentd daemonset.apps <span class="s2">"fluentd"</span> deleted <span class="nv">$ </span>kubectl get ds No resources found <span class="k">in </span>default namespace. <span class="nv">$ </span>kubectl get po No resources found <span class="k">in </span>default namespace. </code></pre> </div> <h2> Jobs <a></a> </h2> <p><a href="https://kubernetes.io/docs/concepts/workloads/controllers/job/" rel="noopener noreferrer">Jobs</a> represent one-off tasks that run to completion and then stop.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># job.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">batch/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Job</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pi</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pi</span> <span class="na">image</span><span class="pi">:</span> <span class="s">perl:5.34.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">perl"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-Mbignum=bpi"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-wle"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">print</span><span class="nv"> </span><span class="s">bpi(2000)"</span><span class="pi">]</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Never</span> <span class="na">backoffLimit</span><span class="pi">:</span> <span class="m">4</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> job.yaml job.batch/pi created <span class="nv">$ </span>kubectl get <span class="nb">jobs </span>NAME STATUS COMPLETIONS DURATION AGE pi Running 0/1 34s 34s <span class="nv">$ </span>kubectl get <span class="nb">jobs </span>NAME STATUS COMPLETIONS DURATION AGE pi Complete 1/1 54s 62s <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE pi-8rdmn 0/1 Completed 0 2m1s <span class="nv">$ </span>kubectl events pod/pi-8rdmn LAST SEEN TYPE REASON OBJECT MESSAGE 3m44s Normal Scheduled Pod/pi-8rdmn Successfully assigned default/pi-8rdmn to kind-worker2 3m44s Normal Pulling Pod/pi-8rdmn Pulling image <span class="s2">"perl:5.34.0"</span> 3m44s Normal SuccessfulCreate Job/pi Created pod: pi-8rdmn 2m59s Normal Pulled Pod/pi-8rdmn Successfully pulled image <span class="s2">"perl:5.34.0"</span> <span class="k">in </span>44.842s <span class="o">(</span>44.842s including waiting<span class="o">)</span><span class="nb">.</span> Image size: 336374010 bytes. 2m59s Normal Created Pod/pi-8rdmn Created container: pi 2m59s Normal Started Pod/pi-8rdmn Started container pi 2m50s Normal Completed Job/pi Job completed </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete job/pi job.batch <span class="s2">"pi"</span> deleted <span class="nv">$ </span>kubectl get po No resources found <span class="k">in </span>default namespace. </code></pre> </div> <h2> CronJob <a></a> </h2> <p><a href="https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/" rel="noopener noreferrer">CronJob</a> starts one-time Jobs on a repeating schedule.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># cronjob.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">batch/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CronJob</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*"</span> <span class="na">jobTemplate</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:1.28</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/bin/sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="s">date; echo Hello from the Kubernetes cluster</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">OnFailure</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> cronjob.yaml cronjob.batch/hello created <span class="nv">$ </span>kubectl get cronjobs NAME SCHEDULE TIMEZONE SUSPEND ACTIVE LAST SCHEDULE AGE hello <span class="k">*</span> <span class="k">*</span> <span class="k">*</span> <span class="k">*</span> <span class="k">*</span> &lt;none&gt; False 0 8s 55s <span class="nv">$ </span>kubectl get pods NAME READY STATUS RESTARTS AGE hello-29223074-gsztp 0/1 Completed 0 30s <span class="nv">$ </span>kubectl get pods NAME READY STATUS RESTARTS AGE hello-29223074-gsztp 0/1 Completed 0 106s hello-29223075-9r7kx 0/1 Completed 0 46s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete cronjobs/hello cronjob.batch <span class="s2">"hello"</span> deleted <span class="nv">$ </span>kubectl get cronjobs No resources found <span class="k">in </span>default namespace. <span class="nv">$ </span>kubectl get pods No resources found <span class="k">in </span>default namespace. </code></pre> </div> <h2> Service <a></a> </h2> <p><a href="https://kubernetes.io/docs/concepts/services-networking/service/" rel="noopener noreferrer">Service</a> is a method for exposing a network application that is running as one or more Pods in your cluster.</p> <p>There several Service types supported in Kubernetes:</p> <ul> <li>ClusterIP</li> <li>NodePort</li> <li>ExternalName</li> <li>LoadBalancer</li> </ul> <h3> ClusterIP </h3> <p>Exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from within the cluster. This is the default that is used if you don't explicitly specify a type for a Service. You can expose the Service to the public internet using an <a href="https://kubernetes.io/docs/concepts/services-networking/ingress/" rel="noopener noreferrer">Ingress</a> or a <a href="https://gateway-api.sigs.k8s.io/" rel="noopener noreferrer">Gateway</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-labels.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-labels</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">tier</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">env</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">luksa/kubia</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># service-basic.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-svc</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">tier</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-labels.yaml pod/kubia-labels created <span class="nv">$ </span>kubectl create <span class="nt">-f</span> service-basic.yaml service/kubia-svc created <span class="nv">$ </span>kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE kubernetes ClusterIP 10.96.0.1 &lt;none&gt; 443/TCP 21d kubia-svc ClusterIP 10.96.158.86 &lt;none&gt; 80/TCP 5s <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE kubia-labels 1/1 Running 0 116s <span class="nv">$ </span>kubectl <span class="nb">exec </span>kubia-labels <span class="nt">--</span> curl <span class="nt">-s</span> http://10.96.158.86:80 You<span class="s1">'ve hit kubia-labels </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> service-basic.yaml service <span class="s2">"kubia-svc"</span> deleted <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-labels.yaml pod <span class="s2">"kubia-labels"</span> deleted </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-nginx.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:stable</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http-web-svc</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># service-nginx.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-svc</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http-port</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">http-web-svc</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-nginx.yaml pod/nginx created <span class="nv">$ </span>kubectl create <span class="nt">-f</span> service-nginx.yaml service/nginx-svc created <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE nginx 1/1 Running 0 5m51s <span class="nv">$ </span>kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE kubernetes ClusterIP 10.96.0.1 &lt;none&gt; 443/TCP 21d nginx-svc ClusterIP 10.96.230.243 &lt;none&gt; 8080/TCP 32s <span class="nv">$ </span>kubectl <span class="nb">exec </span>nginx <span class="nt">--</span> curl <span class="nt">-sI</span> http://10.96.230.243:8080 HTTP/1.1 200 OK Server: nginx/1.28.0 Date: Thu, 07 Aug 2025 12:09:24 GMT Content-Type: text/html Content-Length: 615 Last-Modified: Wed, 23 Apr 2025 11:48:54 GMT Connection: keep-alive ETag: <span class="s2">"6808d3a6-267"</span> Accept-Ranges: bytes <span class="nv">$ </span>kubectl <span class="nb">exec </span>nginx <span class="nt">--</span> curl <span class="nt">-sI</span> http://nginx-svc:8080 | <span class="nb">head</span> <span class="nt">-n</span> 2 HTTP/1.1 200 OK Server: nginx/1.28.0 <span class="nv">$ </span>kubectl <span class="nb">exec </span>nginx <span class="nt">--</span> curl <span class="nt">-sI</span> http://nginx-svc.default:8080 | <span class="nb">head</span> <span class="nt">-n</span> 2 HTTP/1.1 200 OK Server: nginx/1.28.0 <span class="nv">$ </span>kubectl <span class="nb">exec </span>nginx <span class="nt">--</span> curl <span class="nt">-sI</span> http://nginx-svc.default.svc:8080 | <span class="nb">head</span> <span class="nt">-n</span> 2 HTTP/1.1 200 OK Server: nginx/1.28.0 <span class="nv">$ </span>kubectl <span class="nb">exec </span>nginx <span class="nt">--</span> curl <span class="nt">-sI</span> http://nginx-svc.default.svc.cluster.local:8080 | <span class="nb">head</span> <span class="nt">-n</span> 2 HTTP/1.1 200 OK Server: nginx/1.28.0 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> service-nginx.yaml service <span class="s2">"nginx-svc"</span> deleted <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-nginx.yaml pod <span class="s2">"nginx"</span> deleted </code></pre> </div> <h3> ExternalName </h3> <p>Maps the Service to the contents of the <code>externalName</code> field (for example, to the hostname <code>api.foo.bar.example</code>). The mapping configures your cluster's DNS server to return a <code>CNAME</code> record with that external hostname value. No proxying of any kind is set up.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># service-ext.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">httpbin-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ExternalName</span> <span class="na">externalName</span><span class="pi">:</span> <span class="s">httpbin.org</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> service-ext.yaml service/httpbin-service created <span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-basic.yaml pod/kubia created <span class="nv">$ </span>kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE httpbin-service ExternalName &lt;none&gt; httpbin.org &lt;none&gt; 4m17s kubernetes ClusterIP 10.96.0.1 &lt;none&gt; 443/TCP 22d <span class="nv">$ </span>kubectl <span class="nb">exec </span>kubia <span class="nt">--</span> curl <span class="nt">-sk</span> <span class="nt">-X</span> GET https://httpbin-service/uuid <span class="nt">-H</span> <span class="s2">"accept: application/json"</span> <span class="o">{</span> <span class="s2">"uuid"</span>: <span class="s2">"6a48fe51-a6b6-4e0a-9ef2-381ba7ea2c69"</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-basic.yaml pod <span class="s2">"kubia"</span> deleted <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> service-ext.yaml service <span class="s2">"httpbin-service"</span> deleted </code></pre> </div> <h3> NodePort </h3> <p>Exposes the Service on each Node's IP at a static port (the <code>NodePort</code>). To make the node port available, Kubernetes sets up a cluster IP address, the same as if you had requested a Service of type: <code>ClusterIP</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># service-nginx-nodeport.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-svc</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">NodePort</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">http-web-svc</span> <span class="na">nodePort</span><span class="pi">:</span> <span class="m">30666</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-nginx.yaml pod/nginx created <span class="nv">$ </span>kubectl create <span class="nt">-f</span> service-nginx-nodeport.yaml service/nginx-svc created <span class="nv">$ </span>kubectl get svc nginx-svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE nginx-svc NodePort 10.96.252.35 &lt;none&gt; 8080:30666/TCP 9s <span class="nv">$ </span>docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES da2c842ddfd6 kindest/node:v1.33.1 <span class="s2">"/usr/local/bin/entr…"</span> 3 weeks ago Up 3 weeks 0.0.0.0:40000-&gt;30666/tcp kind-worker 16bf718b93b6 kindest/node:v1.33.1 <span class="s2">"/usr/local/bin/entr…"</span> 3 weeks ago Up 3 weeks 127.0.0.1:6443-&gt;6443/tcp kind-control-plane bb18cefdb180 kindest/node:v1.33.1 <span class="s2">"/usr/local/bin/entr…"</span> 3 weeks ago Up 3 weeks 0.0.0.0:40002-&gt;30666/tcp kind-worker3 42cea7794f0b kindest/node:v1.33.1 <span class="s2">"/usr/local/bin/entr…"</span> 3 weeks ago Up 3 weeks 0.0.0.0:40001-&gt;30666/tcp kind-worker2 <span class="nv">$ </span>curl <span class="nt">-sI</span> http://localhost:40000 | <span class="nb">head</span> <span class="nt">-n</span> 2 HTTP/1.1 200 OK Server: nginx/1.28.0 <span class="nv">$ </span>curl <span class="nt">-sI</span> http://localhost:40001 | <span class="nb">head</span> <span class="nt">-n</span> 2 HTTP/1.1 200 OK Server: nginx/1.28.0 <span class="nv">$ </span>curl <span class="nt">-sI</span> http://localhost:40002 | <span class="nb">head</span> <span class="nt">-n</span> 2 HTTP/1.1 200 OK Server: nginx/1.28.0 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> service-nginx-nodeport.yaml service <span class="s2">"nginx-svc"</span> deleted <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-nginx.yaml pod <span class="s2">"nginx"</span> deleted </code></pre> </div> <h3> LoadBalancer </h3> <p>Exposes the Service externally using an external load balancer. Kubernetes does not directly offer a load balancing component; you must provide one, or you can integrate your Kubernetes cluster with a cloud provider.</p> <p>Let's a look how to get service of type <code>LoadBalancer</code> working in a <code>kind cluster</code> using <a href="https://kind.sigs.k8s.io/docs/user/loadbalancer/" rel="noopener noreferrer">Cloud Provider KIND</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># service-lb-demo.yaml</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">foo-app</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">http-echo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/agnhost</span> <span class="pi">-</span> <span class="s">serve-hostname</span> <span class="pi">-</span> <span class="s">--http=true</span> <span class="pi">-</span> <span class="s">--port=8080</span> <span class="na">image</span><span class="pi">:</span> <span class="s">registry.k8s.io/e2e-test-images/agnhost:2.39</span> <span class="na">name</span><span class="pi">:</span> <span class="s">foo-app</span> <span class="nn">---</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bar-app</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">http-echo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/agnhost</span> <span class="pi">-</span> <span class="s">serve-hostname</span> <span class="pi">-</span> <span class="s">--http=true</span> <span class="pi">-</span> <span class="s">--port=8080</span> <span class="na">image</span><span class="pi">:</span> <span class="s">registry.k8s.io/e2e-test-images/agnhost:2.39</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bar-app</span> <span class="nn">---</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http-echo-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">http-echo</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">5678</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> service-lb-demo.yaml pod/foo-app created pod/bar-app created service/http-echo-service created <span class="nv">$ </span>kubectl get svc http-echo-service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE http-echo-service LoadBalancer 10.96.97.99 172.18.0.6 5678:31196/TCP 58s <span class="nv">$ </span>kubectl get svc http-echo-service <span class="nt">-o</span><span class="o">=</span><span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.status.loadBalancer.ingress[0].ip}'</span> 172.18.0.6 <span class="nv">$ </span><span class="k">for </span>_ <span class="k">in</span> <span class="o">{</span>1..4<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> 172.18.0.6:5678<span class="p">;</span> <span class="nb">echo</span><span class="p">;</span> <span class="k">done </span>foo-app bar-app bar-app foo-app </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> service-lb-demo.yaml pod <span class="s2">"foo-app"</span> deleted pod <span class="s2">"bar-app"</span> deleted service <span class="s2">"http-echo-service"</span> deleted </code></pre> </div> <h2> Ingress <a></a> </h2> <p><a href="https://kubernetes.io/docs/concepts/services-networking/ingress/" rel="noopener noreferrer">Ingress</a> exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.</p> <h3> Ingress Controller </h3> <p>In order for an <code>Ingress</code> to work in your cluster, there must be an <a href="https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/" rel="noopener noreferrer">Ingress Controller</a> running. </p> <p>You have to run <a href="https://kind.sigs.k8s.io/docs/user/loadbalancer/" rel="noopener noreferrer">Cloud Provider KIND</a> to enable the loadbalancer controller which <a href="https://github.com/kubernetes/ingress-nginx/blob/main/README.md" rel="noopener noreferrer">Nginx Ingress</a> controller will use through the loadbalancer API in a <code>kind cluster</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> https://kind.sigs.k8s.io/examples/ingress/deploy-ingress-nginx.yaml namespace/ingress-nginx created serviceaccount/ingress-nginx created serviceaccount/ingress-nginx-admission created role.rbac.authorization.k8s.io/ingress-nginx created role.rbac.authorization.k8s.io/ingress-nginx-admission created clusterrole.rbac.authorization.k8s.io/ingress-nginx created clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created rolebinding.rbac.authorization.k8s.io/ingress-nginx created rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created configmap/ingress-nginx-controller created service/ingress-nginx-controller created service/ingress-nginx-controller-admission created deployment.apps/ingress-nginx-controller created job.batch/ingress-nginx-admission-create created job.batch/ingress-nginx-admission-patch created ingressclass.networking.k8s.io/nginx created validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl <span class="nb">wait</span> <span class="nt">--namespace</span> ingress-nginx <span class="se">\</span> <span class="o">&gt;</span> <span class="nt">--for</span><span class="o">=</span><span class="nv">condition</span><span class="o">=</span>ready pod <span class="se">\</span> <span class="o">&gt;</span> <span class="nt">--selector</span><span class="o">=</span>app.kubernetes.io/component<span class="o">=</span>controller <span class="se">\</span> <span class="o">&gt;</span> <span class="nt">--timeout</span><span class="o">=</span>90s pod/ingress-nginx-controller-86bb9f8d4b-4hg7w condition met </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get all <span class="nt">-n</span> ingress-nginx NAME READY STATUS RESTARTS AGE pod/ingress-nginx-admission-create-ldc97 0/1 Completed 0 2m25s pod/ingress-nginx-admission-patch-zzlh7 0/1 Completed 0 2m25s pod/ingress-nginx-controller-86bb9f8d4b-4hg7w 1/1 Running 0 2m25s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE service/ingress-nginx-controller LoadBalancer 10.96.146.11 172.18.0.6 80:30367/TCP,443:31847/TCP 2m25s service/ingress-nginx-controller-admission ClusterIP 10.96.50.204 &lt;none&gt; 443/TCP 2m25s NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/ingress-nginx-controller 1/1 1 1 2m25s NAME DESIRED CURRENT READY AGE replicaset.apps/ingress-nginx-controller-86bb9f8d4b 1 1 1 2m25s NAME STATUS COMPLETIONS DURATION AGE job.batch/ingress-nginx-admission-create Complete 1/1 11s 2m25s job.batch/ingress-nginx-admission-patch Complete 1/1 12s 2m25s </code></pre> </div> <h3> Ingress resources </h3> <p>The <code>Ingress</code> concept lets you map traffic to different backends based on rules you define via the Kubernetes API. Traffic routing is controlled by rules defined on the Ingress resource.</p> <h4> Basic usage </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-foo-bar.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-foo</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">foo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">luksa/kubia</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http-port</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-bar</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">bar</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">luksa/kubia</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http-port</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># service-foo-bar.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-foo-svc</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">foo</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http-port</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">http-port</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-bar-svc</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">bar</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http-port</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">http-port</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ingress-basic.yaml </span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/foo</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-foo-svc</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/bar</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-bar-svc</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-foo-bar.yaml pod/kubia-foo created pod/kubia-bar created <span class="nv">$ </span>kubectl create <span class="nt">-f</span> service-foo-bar.yaml service/kubia-foo-svc created service/kubia-bar-svc created <span class="nv">$ </span>kubectl create <span class="nt">-f</span> ingress-basic.yaml ingress.networking.k8s.io/kubia created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE kubernetes ClusterIP 10.96.0.1 &lt;none&gt; 443/TCP 22d kubia-bar-svc ClusterIP 10.96.230.115 &lt;none&gt; 80/TCP 4m12s kubia-foo-svc ClusterIP 10.96.49.21 &lt;none&gt; 80/TCP 4m13s <span class="nv">$ </span>kubectl get ingress NAME CLASS HOSTS ADDRESS PORTS AGE kubia &lt;none&gt; <span class="k">*</span> localhost 80 67s <span class="nv">$ </span>kubectl <span class="nt">-n</span> ingress-nginx get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE ingress-nginx-controller LoadBalancer 10.96.146.11 172.18.0.6 80:30367/TCP,443:31847/TCP 63m ingress-nginx-controller-admission ClusterIP 10.96.50.204 &lt;none&gt; 443/TCP 63m </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get services <span class="se">\</span> <span class="o">&gt;</span> <span class="nt">--namespace</span> ingress-nginx <span class="se">\</span> <span class="o">&gt;</span> ingress-nginx-controller <span class="se">\</span> <span class="o">&gt;</span> <span class="nt">--output</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.status.loadBalancer.ingress[0].ip}'</span> 172.18.0.6 <span class="nv">$ </span>curl <span class="nt">-s</span> http://172.18.0.6:80/foo You<span class="s1">'ve hit kubia-foo $ curl -s http://172.18.0.6:80/bar You'</span>ve hit kubia-bar <span class="nv">$ </span>curl <span class="nt">-s</span> http://172.18.0.6:80/baz &lt;html&gt; &lt;<span class="nb">head</span><span class="o">&gt;</span>&lt;title&gt;404 Not Found&lt;/title&gt;&lt;/head&gt; &lt;body&gt; &lt;center&gt;&lt;h1&gt;404 Not Found&lt;/h1&gt;&lt;/center&gt; &lt;hr&gt;&lt;center&gt;nginx&lt;/center&gt; &lt;/body&gt; &lt;/html&gt; </code></pre> </div> <blockquote> <p>In order to use ingress address localhost (<code>curl http://localhost/foo</code>) you should define <code>extraPortMapping</code> in <code>kind</code> cluster configuration as described in <a href="https://kind.sigs.k8s.io/docs/user/configuration/#extra-port-mappings" rel="noopener noreferrer">Extra Port Mappings</a>.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete ingress/kubia ingress.networking.k8s.io <span class="s2">"kubia"</span> deleted </code></pre> </div> <h4> Using a host </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ingress-hosts.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">foo.kubia.com</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-foo-svc</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">bar.kubia.com</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-bar-svc</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> ingress-hosts.yaml ingress.networking.k8s.io/kubia created <span class="nv">$ </span>kubectl get ingress/kubia NAME CLASS HOSTS ADDRESS PORTS AGE kubia &lt;none&gt; foo.kubia.com,bar.kubia.com localhost 80 103s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-s</span> http://172.18.0.6 &lt;html&gt; &lt;<span class="nb">head</span><span class="o">&gt;</span>&lt;title&gt;404 Not Found&lt;/title&gt;&lt;/head&gt; &lt;body&gt; &lt;center&gt;&lt;h1&gt;404 Not Found&lt;/h1&gt;&lt;/center&gt; &lt;hr&gt;&lt;center&gt;nginx&lt;/center&gt; &lt;/body&gt; &lt;/html&gt; <span class="nv">$ </span>curl <span class="nt">-s</span> http://172.18.0.6 <span class="nt">-H</span> <span class="s1">'Host: foo.kubia.com'</span> You<span class="s1">'ve hit kubia-foo '</span> <span class="nv">$ </span>curl <span class="nt">-s</span> http://172.18.0.6 <span class="nt">-H</span> <span class="s1">'Host: bar.kubia.com'</span> You<span class="s1">'ve hit kubia-bar </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete ingress/kubia ingress.networking.k8s.io <span class="s2">"kubia"</span> deleted </code></pre> </div> <h4> TLS </h4> <p>You can secure an Ingress by specifying a <a href="https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets" rel="noopener noreferrer">Secret</a> that contains a TLS private key and certificate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>openssl genrsa <span class="nt">-out</span> tls.key 2048 Generating RSA private key, 2048 bit long modulus <span class="o">(</span>2 primes<span class="o">)</span> ............................................+++++ ............+++++ e is 65537 <span class="o">(</span>0x010001<span class="o">)</span> <span class="nv">$ </span>openssl req <span class="nt">-new</span> <span class="nt">-x509</span> <span class="nt">-key</span> tls.key <span class="nt">-out</span> tls.crt <span class="nt">-days</span> 360 <span class="nt">-subj</span> //CN<span class="o">=</span>foo.kubia.com <span class="nv">$ </span>kubectl create secret tls tls-secret <span class="nt">--cert</span><span class="o">=</span>tls.crt <span class="nt">--key</span><span class="o">=</span>tls.key secret/tls-secret created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ingress-tls.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">foo.kubia.com</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">tls-secret</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">foo.kubia.com</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-foo-svc</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> ingress-tls.yaml ingress.networking.k8s.io/kubia created <span class="nv">$ </span>kubectl get ingress/kubia NAME CLASS HOSTS ADDRESS PORTS AGE kubia &lt;none&gt; foo.kubia.com localhost 80, 443 2m13s <span class="nv">$ </span>curl <span class="nt">-sk</span> https://172.18.0.6:443 <span class="nt">-H</span> <span class="s1">'Host: foo.kubia.com'</span> You<span class="s1">'ve hit kubia-foo </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete ingress/kubia ingress.networking.k8s.io <span class="s2">"kubia"</span> deleted <span class="nv">$ </span>kubectl delete secret/tls-secret secret <span class="s2">"tls-secret"</span> deleted <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-foo-bar.yaml pod <span class="s2">"kubia-foo"</span> deleted pod <span class="s2">"kubia-bar"</span> deleted <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> service-foo-bar.yaml service <span class="s2">"kubia-foo-svc"</span> deleted service <span class="s2">"kubia-bar-svc"</span> deleted </code></pre> </div> <h2> Probes <a></a> </h2> <p>A <a href="https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes" rel="noopener noreferrer">probe</a> is a diagnostic performed periodically by the kubelet on a container. To perform a diagnostic, the kubelet either executes code within the container, or makes a network request.</p> <h3> livenessProbe </h3> <blockquote> <p>Indicates whether the container is running. If the liveness probe fails, the kubelet kills the container<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-liveness-probe.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-liveness</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">luksa/kubia-unhealthy</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-liveness-probe.yaml pod/kubia-liveness created <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE kubia-liveness 1/1 Running 0 42s <span class="nv">$ </span>kubectl events pod/kubia-liveness LAST SEEN TYPE REASON OBJECT MESSAGE 113s Normal Scheduled Pod/kubia-liveness Successfully assigned default/kubia-liveness to kind-worker3 112s Normal Pulling Pod/kubia-liveness Pulling image <span class="s2">"luksa/kubia-unhealthy"</span> 77s Normal Pulled Pod/kubia-liveness Successfully pulled image <span class="s2">"luksa/kubia-unhealthy"</span> <span class="k">in </span>34.865s <span class="o">(</span>34.865s including waiting<span class="o">)</span><span class="nb">.</span> Image size: 263841919 bytes. 77s Normal Created Pod/kubia-liveness Created container: kubia 77s Normal Started Pod/kubia-liveness Started container kubia 2s <span class="o">(</span>x3 over 22s<span class="o">)</span> Warning Unhealthy Pod/kubia-liveness Liveness probe failed: HTTP probe failed with statuscode: 500 2s Normal Killing Pod/kubia-liveness Container kubia failed liveness probe, will be restarted <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE kubia-liveness 1/1 Running 1 <span class="o">(</span>20s ago<span class="o">)</span> 2m41s </code></pre> </div> <h3> readinessProbe </h3> <blockquote> <p>Indicates whether the container is ready to respond to requests. If the readiness probe fails, the <a href="https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/" rel="noopener noreferrer">EndpointSlice</a> controller removes the Pod's IP address from the <code>EndpointSlices</code> of all Services that match the Pod<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-readiness-probe.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-readiness</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">luksa/kubia</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cat</span> <span class="pi">-</span> <span class="s">/tmp/ready</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http-web</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># service-readiness-probe.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia-svc</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">http-web</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-readiness-probe.yaml pod/kubia-readiness created <span class="nv">$ </span>kubectl create <span class="nt">-f</span> service-readiness-probe.yaml service/kubia-svc created <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE kubia-readiness 0/1 Running 0 23s <span class="nv">$ </span>kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE kubernetes ClusterIP 10.96.0.1 &lt;none&gt; 443/TCP 23d kubia-svc LoadBalancer 10.96.150.51 172.18.0.7 80:31868/TCP 33s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl <span class="nb">exec </span>kubia-readiness <span class="nt">--</span> curl <span class="nt">-s</span> http://localhost:8080 You<span class="s1">'ve hit kubia-readiness'</span> <span class="nv">$ </span>kubectl <span class="nb">exec </span>kubia-readiness <span class="nt">--</span> curl <span class="nt">-s</span> http://kubia-svc:80 <span class="nb">command </span>terminated with <span class="nb">exit </span>code 7 <span class="nv">$ </span>curl <span class="nt">-sv</span> http://172.18.0.7:80 <span class="k">*</span> Trying 172.18.0.7:80... <span class="k">*</span> Connected to 172.18.0.7 <span class="o">(</span>172.18.0.7<span class="o">)</span> port 80 <span class="o">(</span><span class="c">#0)</span> <span class="o">&gt;</span> GET / HTTP/1.1 <span class="o">&gt;</span> Host: 172.18.0.7 <span class="o">&gt;</span> User-Agent: curl/7.79.1 <span class="o">&gt;</span> Accept: <span class="k">*</span>/<span class="k">*</span> <span class="o">&gt;</span> <span class="k">*</span> Empty reply from server <span class="k">*</span> Closing connection 0 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl <span class="nb">exec </span>kubia-readiness <span class="nt">--</span> <span class="nb">touch </span>tmp/ready <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE kubia-readiness 1/1 Running 0 2m38s <span class="nv">$ </span>kubectl <span class="nb">exec </span>kubia-readiness <span class="nt">--</span> curl <span class="nt">-s</span> http://kubia-svc:80 You<span class="s1">'ve hit kubia-readiness $ curl -s http://172.18.0.7:80 You'</span>ve hit kubia-readiness </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-readiness-probe.yaml pod <span class="s2">"kubia-readiness"</span> deleted <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> service-readiness-probe.yaml service <span class="s2">"kubia-svc"</span> deleted </code></pre> </div> <h3> startupProbe </h3> <blockquote> <p>Indicates whether the application within the container is started. All other probes are disabled if a startup probe is provided, until it succeeds. If the startup probe fails, the kubelet kills the container.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">liveness-port</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/healthz</span> <span class="na">port</span><span class="pi">:</span> <span class="s">liveness-port</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">1</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">startupProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/healthz</span> <span class="na">port</span><span class="pi">:</span> <span class="s">liveness-port</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">30</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> </code></pre> </div> <p>For more information about configuring probes, see <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/" rel="noopener noreferrer">Configure Liveness, Readiness and Startup Probes</a></p> <h2> Volumes <a></a> </h2> <p>Kubernetes <a href="https://kubernetes.io/docs/concepts/storage/volumes/" rel="noopener noreferrer">volumes</a> provide a way for containers in a pod to access and share data via the filesystem. Data sharing can be between different local processes within a container, or between different containers, or between Pods.</p> <p>Kubernetes supports several <a href="https://kubernetes.io/docs/concepts/storage/volumes/#volume-types" rel="noopener noreferrer">types of volumes</a>.</p> <h3> Ephemeral Volumes </h3> <p><a href="https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/" rel="noopener noreferrer">Ephemeral volumes</a> are temporary storage that are intrinsically linked to the lifecycle of a Pod. Ephemeral volumes are designed for scenarios where data persistence is not required beyond the life of a single Pod.</p> <p>Kubernetes supports several different kinds of ephemeral volumes for different purposes: <a href="https://kubernetes.io/docs/concepts/storage/volumes/#emptydir" rel="noopener noreferrer">emptyDir</a>, <a href="https://kubernetes.io/docs/concepts/storage/volumes/#configmap" rel="noopener noreferrer">configmap</a>, <a href="https://kubernetes.io/docs/concepts/storage/volumes/#downwardapi" rel="noopener noreferrer">downwardAPI</a>, <a href="https://kubernetes.io/docs/concepts/storage/volumes/#secret" rel="noopener noreferrer">secret</a>, <a href="https://kubernetes.io/docs/concepts/storage/volumes/#image" rel="noopener noreferrer">image</a>, <a href="https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#csi-ephemeral-volumes" rel="noopener noreferrer">CSI</a></p> <h4> emptyDir </h4> <blockquote> <p>For a Pod that defines an <code>emptyDir</code> volume, the volume is created when the Pod is assigned to a node. The <code>emptyDir</code> volume is initially empty.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-volume-emptydir.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:stable</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp-cache</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-volume-emptydir.yaml pod/nginx created <span class="nv">$ </span>kubectl <span class="nb">exec </span>nginx <span class="nt">--</span> <span class="nb">ls</span> <span class="nt">-l</span> | <span class="nb">grep </span>cache drwxrwxrwx 2 root root 4096 Aug 11 08:13 tmp-cache </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-volume-emptydir.yaml pod <span class="s2">"nginx"</span> deleted </code></pre> </div> <p>You can create a volume in memory using using <code>tmpfs</code> file system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="na">sizeLimit</span><span class="pi">:</span> <span class="s">500Mi</span> <span class="na">medium</span><span class="pi">:</span> <span class="s">Memory</span> </code></pre> </div> <h3> Projected Volumes </h3> <p>A <a href="https://kubernetes.io/docs/concepts/storage/projected-volumes/" rel="noopener noreferrer">projected volume</a> maps several existing volume sources into the same directory.</p> <p>Currently, the following types of volume sources can be projected: <a href="https://kubernetes.io/docs/concepts/storage/volumes/#secret" rel="noopener noreferrer">secret</a>, <a href="https://kubernetes.io/docs/concepts/storage/volumes/#downwardapi" rel="noopener noreferrer">downwardAPI</a>, <a href="https://kubernetes.io/docs/concepts/storage/volumes/#configmap" rel="noopener noreferrer">configMap</a>, <a href="https://kubernetes.io/docs/concepts/storage/projected-volumes/#serviceaccounttoken" rel="noopener noreferrer">serviceAccountToken</a>, <a href="https://kubernetes.io/docs/concepts/storage/projected-volumes/#clustertrustbundle" rel="noopener noreferrer">clusterTrustBundle</a></p> <h3> Persistent Volumes </h3> <p>Persistent volumes offer durable storage, meaning the data stored within them persists even after the associated Pods are deleted, restarted, or rescheduled.</p> <h4> PersistentVolume </h4> <p>A <a href="https://kubernetes.io/docs/concepts/storage/persistent-volumes/" rel="noopener noreferrer">PersistentVolume</a> (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using <a href="https://kubernetes.io/docs/concepts/storage/storage-classes/" rel="noopener noreferrer">Storage Classes</a>.</p> <p><code>PersistentVolume</code> types are implemented as plugins. Kubernetes currently supports the following plugins: <a href="https://kubernetes.io/docs/concepts/storage/volumes/#csi" rel="noopener noreferrer">csi</a>, <a href="https://kubernetes.io/docs/concepts/storage/volumes/#fc" rel="noopener noreferrer">fc</a>, <a href="https://kubernetes.io/docs/concepts/storage/volumes/#iscsi" rel="noopener noreferrer">iscsi</a>, <a href="https://kubernetes.io/docs/concepts/storage/volumes/#local" rel="noopener noreferrer">local</a>, <a href="https://kubernetes.io/docs/concepts/storage/volumes/#nfs" rel="noopener noreferrer">nfs</a>, <a href="https://kubernetes.io/docs/concepts/storage/volumes/#hostpath" rel="noopener noreferrer">hostPath</a></p> <h5> hostPath </h5> <p>A <code>hostPath</code> volume mounts a file or directory from the host node's filesystem into your Pod.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-volume-hostpath.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:stable</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/cache</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cache</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cache</span> <span class="na">hostPath</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/data/cache</span> <span class="na">type</span><span class="pi">:</span> <span class="s">DirectoryOrCreate</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-volume-hostpath.yaml pod/nginx created <span class="nv">$ </span>kubectl <span class="nb">exec </span>nginx <span class="nt">--</span> <span class="nb">ls</span> <span class="nt">-l</span> | <span class="nb">grep </span>cache drwxr-xr-x 2 root root 4096 Aug 11 12:27 cache </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-volume-hostpath.yaml pod <span class="s2">"nginx"</span> deleted </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pv-hostpath.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolume</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pv-redis</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">capacity</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="pi">-</span> <span class="s">ReadOnlyMany</span> <span class="na">persistentVolumeReclaimPolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">hostPath</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/data/redis</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pv-hostpath.yaml persistentvolume/pv-redis created <span class="nv">$ </span>kubectl get pv NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE pv-redis 1Gi RWO,ROX Retain Available &lt;<span class="nb">unset</span><span class="o">&gt;</span> 44s </code></pre> </div> <h4> PersistentVolumeClaim </h4> <p>A <code>PersistentVolumeClaim</code> (PVC) is a request for storage by a user. A <code>PersistentVolumeClaim</code> volume is used to mount a <code>PersistentVolume</code> into a Pod.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pvc-basic.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pvc-redis</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">0.5Gi</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pvc-basic.yaml persistentvolumeclaim/pvc-redis created <span class="nv">$ </span>kubectl get pvc NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE pvc-redis Bound pv-redis 1Gi RWO,ROX &lt;<span class="nb">unset</span><span class="o">&gt;</span> 6s <span class="nv">$ </span>kubectl get pv NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE pv-redis 1Gi RWO,ROX Retain Bound default/pvc-redis &lt;<span class="nb">unset</span><span class="o">&gt;</span> 28s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-pvc.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:6.2</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis-rdb</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis-rdb</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">pvc-redis</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-pvc.yaml pod/redis created <span class="nv">$ </span>kubectl get po redis <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.volumes[?(@.name == "redis-rdb")]}'</span> <span class="o">{</span><span class="s2">"name"</span>:<span class="s2">"redis-rdb"</span>,<span class="s2">"persistentVolumeClaim"</span>:<span class="o">{</span><span class="s2">"claimName"</span>:<span class="s2">"pvc-redis"</span><span class="o">}}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl <span class="nb">exec </span>redis <span class="nt">--</span> redis-cli save OK <span class="nv">$ </span>kubectl get po redis <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.nodeName}'</span> kind-worker2 <span class="nv">$ </span>docker <span class="nb">exec </span>kind-worker2 <span class="nb">ls</span> <span class="nt">-l</span> tmp/redis total 4 <span class="nt">-rw-------</span> 1 999 systemd-journal 102 Aug 11 14:47 dump.rdb </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete po/redis pod <span class="s2">"redis"</span> deleted <span class="nv">$ </span>kubectl delete pvc/pvc-redis persistentvolumeclaim <span class="s2">"pvc-redis"</span> deleted <span class="nv">$ </span>kubectl get pvc No resources found <span class="k">in </span>default namespace. <span class="nv">$ </span>kubectl get pv NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE pv-redis 1Gi RWO,ROX Retain Released default/pvc-redis &lt;<span class="nb">unset</span><span class="o">&gt;</span> 37m <span class="nv">$ </span>kubectl create <span class="nt">-f</span> pvc-basic.yaml persistentvolumeclaim/pvc-redis created <span class="nv">$ </span>kubectl get pvc NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE pvc-redis Pending &lt;<span class="nb">unset</span><span class="o">&gt;</span> 9s <span class="nv">$ </span>kubectl get pv NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE pv-redis 1Gi RWO,ROX Retain Released default/pvc-redis &lt;<span class="nb">unset</span><span class="o">&gt;</span> 40m <span class="nv">$ </span>kubectl create <span class="nt">-f</span> pod-pvc.yaml pod/redis created <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE redis 0/1 Pending 0 92s <span class="nv">$ </span>kubectl events pod/redis LAST SEEN TYPE REASON OBJECT MESSAGE 37m Normal Scheduled Pod/redis Successfully assigned default/redis to kind-worker2 37m Normal Pulling Pod/redis Pulling image <span class="s2">"redis:6.2"</span> 37m Normal Pulled Pod/redis Successfully pulled image <span class="s2">"redis:6.2"</span> <span class="k">in </span>5.993s <span class="o">(</span>5.993s including waiting<span class="o">)</span><span class="nb">.</span> Image size: 40179474 bytes. 37m Normal Created Pod/redis Created container: redis 37m Normal Started Pod/redis Started container redis 6m57s Normal Killing Pod/redis Stopping container redis 2m4s Warning FailedScheduling Pod/redis 0/4 nodes are available: pod has unbound immediate PersistentVolumeClaims. preemption: 0/4 nodes are available: 4 Preemption is not helpful <span class="k">for </span>scheduling. 8s <span class="o">(</span>x16 over 3m51s<span class="o">)</span> Normal FailedBinding PersistentVolumeClaim/pvc-redis no persistent volumes available <span class="k">for </span>this claim and no storage class is <span class="nb">set</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete pv/pv-redis persistentvolume <span class="s2">"pv-redis"</span> deleted <span class="nv">$ </span>kubectl get pvc NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE pvc-redis Pending &lt;<span class="nb">unset</span><span class="o">&gt;</span> 61s <span class="nv">$ </span>kubectl create <span class="nt">-f</span> pv-hostpath.yaml persistentvolume/pv-redis created <span class="nv">$ </span>kubectl get pvc NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE pvc-redis Bound pv-redis 1Gi RWO,ROX &lt;<span class="nb">unset</span><span class="o">&gt;</span> 2m2s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete pod/redis pod <span class="s2">"redis"</span> deleted <span class="nv">$ </span>kubectl delete pvc/pvc-redis persistentvolumeclaim <span class="s2">"pvc-redis"</span> deleted <span class="nv">$ </span>kubectl delete pv/pv-redis persistentvolume <span class="s2">"pv-redis"</span> deleted </code></pre> </div> <h4> Dynamic Volume Provisioning </h4> <p><a href="https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/" rel="noopener noreferrer">Dynamic volume provisioning</a> allows storage volumes to be created on-demand. Without dynamic provisioning, cluster administrators have to manually make calls to their cloud or storage provider to create new storage volumes, and then create <code>PersistentVolume</code> objects to represent them in Kubernetes.</p> <h5> StorageClass </h5> <p>A <a href="https://kubernetes.io/docs/concepts/storage/storage-classes/" rel="noopener noreferrer">StorageClass</a> provides a way for administrators to describe the classes of storage they offer.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get storageclass NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE standard <span class="o">(</span>default<span class="o">)</span> rancher.io/local-path Delete WaitForFirstConsumer <span class="nb">false </span>25d </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># storageclass-local-path.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">storageclass-redis</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">storageclass.kubernetes.io/is-default-class</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">rancher.io/local-path</span> <span class="na">volumeBindingMode</span><span class="pi">:</span> <span class="s">Immediate</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> storageclass-local-path.yaml storageclass.storage.k8s.io/storageclass-redis created <span class="nv">$ </span>kubectl get sc NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE standard <span class="o">(</span>default<span class="o">)</span> rancher.io/local-path Delete WaitForFirstConsumer <span class="nb">false </span>26d storageclass-redis rancher.io/local-path Delete Immediate <span class="nb">false </span>5m43s 26s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pvc-sc.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pvc-dynamic-redis</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">volume.kubernetes.io/selected-node</span><span class="pi">:</span> <span class="s">kind-worker</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">0.5Gi</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">storageclass-redis</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pvc-sc.yaml persistentvolumeclaim/pvc-dynamic-redis created <span class="nv">$ </span>kubectl get pvc NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE pvc-dynamic-redis Pending storageclass-redis &lt;<span class="nb">unset</span><span class="o">&gt;</span> 8s <span class="nv">$ </span>kubectl get pvc NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE pvc-dynamic-redis Bound pvc-0d78a617-e1ee-4d1e-8e59-37502fc711a9 512Mi RWO storageclass-redis &lt;<span class="nb">unset</span><span class="o">&gt;</span> 26s 0s <span class="nv">$ </span>kubectl get pv NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE pvc-0d78a617-e1ee-4d1e-8e59-37502fc711a9 512Mi RWO Delete Bound default/pvc-dynamic-redis storageclass-redis &lt;<span class="nb">unset</span><span class="o">&gt;</span> 47s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete sc/st sc/standard sc/storageclass-redis <span class="nv">$ </span>kubectl delete sc/storageclass-redis storageclass.storage.k8s.io <span class="s2">"storageclass-redis"</span> deleted <span class="nv">$ </span>kubectl get pv No resources found </code></pre> </div> <h2> ConfigMaps <a></a> </h2> <p>A <a href="https://kubernetes.io/docs/concepts/configuration/configmap/" rel="noopener noreferrer">ConfigMap</a> is an API object used to store non-confidential data in key-value pairs. <code>Pods</code> can consume <code>ConfigMaps</code> as environment variables, command-line arguments, or as configuration files in a <code>volume</code>.</p> <h3> Creating ConfigMaps </h3> <h4> Imperative way </h4> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># application.properties </span><span class="py">server.port</span><span class="p">=</span><span class="s">8080</span> <span class="py">spring.profiles.active</span><span class="p">=</span><span class="s">development</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create configmap my-config <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">foo</span><span class="o">=</span>bar <span class="se">\</span> <span class="nt">--from-file</span><span class="o">=</span>app.props<span class="o">=</span>application.properties configmap/my-config created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get cm/my-config NAME DATA AGE my-config 2 61s <span class="nv">$ </span>kubectl get cm/my-config <span class="nt">-o</span> yaml apiVersion: v1 data: app.props: |- <span class="c"># application.properties</span> server.port<span class="o">=</span>8080 spring.profiles.active<span class="o">=</span>development foo: bar kind: ConfigMap metadata: creationTimestamp: <span class="s2">"2025-09-15T20:20:44Z"</span> name: my-config namespace: default resourceVersion: <span class="s2">"3636455"</span> uid: 9c68ecb1-55ca-469a-b09e-3e1b625cd69b </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete cm my-config configmap <span class="s2">"my-config"</span> deleted </code></pre> </div> <h4> Declarative way </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># cm.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-config</span> <span class="na">data</span><span class="pi">:</span> <span class="na">app.props</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">server.port=8080</span> <span class="s">spring.profiles.active=development</span> <span class="na">foo</span><span class="pi">:</span> <span class="s">bar</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> cm.yaml configmap/my-config created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get cm/my-config NAME DATA AGE my-config 2 19s <span class="nv">$ </span>kubectl get cm/my-config <span class="nt">-o</span> yaml apiVersion: v1 data: app.props: | server.port<span class="o">=</span>8080 spring.profiles.active<span class="o">=</span>development foo: bar kind: ConfigMap metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | <span class="o">{</span><span class="s2">"apiVersion"</span>:<span class="s2">"v1"</span>,<span class="s2">"data"</span>:<span class="o">{</span><span class="s2">"app.props"</span>:<span class="s2">"server.port=8080</span><span class="se">\n</span><span class="s2">spring.profiles.active=development</span><span class="se">\n</span><span class="s2">"</span>,<span class="s2">"foo"</span>:<span class="s2">"bar"</span><span class="o">}</span>,<span class="s2">"kind"</span>:<span class="s2">"ConfigMap"</span>,<span class="s2">"metadata"</span>:<span class="o">{</span><span class="s2">"annotations"</span>:<span class="o">{}</span>,<span class="s2">"name"</span>:<span class="s2">"my-config"</span>,<span class="s2">"namespace"</span>:<span class="s2">"default"</span><span class="o">}}</span> creationTimestamp: <span class="s2">"2025-09-15T20:27:51Z"</span> name: my-config namespace: default resourceVersion: <span class="s2">"3637203"</span> uid: a8d9fce1-f2bd-470c-93a2-3a7fcc560bbc </code></pre> </div> <h3> Using ConfigMaps </h3> <h4> Consuming an environment variable by a reference key </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-cm-env.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">env-configmap</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">printenv"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">MY_VAR"</span><span class="pi">]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:latest</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MY_VAR</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-config</span> <span class="na">key</span><span class="pi">:</span> <span class="s">foo</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-cm-env.yaml pod/env-configmap created <span class="nv">$ </span>kubectl logs pod/env-configmap bar </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-cm-env.yaml pod <span class="s2">"env-configmap"</span> deleted </code></pre> </div> <h4> Consuming all environment variables from the ConfigMap </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-cm-envfrom.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">env-from-configmap</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">printenv"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">config_foo"</span><span class="pi">]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:latest</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s">config_</span> <span class="na">configMapRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-config</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-cm-envfrom.yaml pod/env-from-configmap created <span class="nv">$ </span>kubectl logs pod/env-from-configmap bar </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-cm-envfrom.yaml pod <span class="s2">"env-from-configmap"</span> deleted </code></pre> </div> <h4> Using configMap volume </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-cm-volumemount.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">configmap-volumemount</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">cat"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/etc/props/app.props"</span><span class="pi">]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:latest</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-props</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/etc/props"</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-props</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-config</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-cm-volumemount.yaml pod/configmap-volumemount created <span class="nv">$ </span>kubectl logs pod/configmap-volumemount server.port<span class="o">=</span>8080 spring.profiles.active<span class="o">=</span>development </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-cm-volumemount.yaml pod <span class="s2">"configmap-volumemount"</span> deleted </code></pre> </div> <h4> Using configMap volume with items </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-cm-volume-items.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">configmap-volume-items</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">cat"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/etc/configs/app.conf"</span><span class="pi">]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:latest</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/etc/configs"</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">config</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-config</span> <span class="na">items</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">foo</span> <span class="na">path</span><span class="pi">:</span> <span class="s">app.conf</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-cm-volume-items.yaml pod/configmap-volume-items created <span class="nv">$ </span>kubectl logs pod/configmap-volume-items bar </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-cm-volume-items.yaml pod <span class="s2">"configmap-volume-items"</span> deleted </code></pre> </div> <h2> Secrets <a></a> </h2> <p>A <a href="https://kubernetes.io/docs/concepts/configuration/secret/" rel="noopener noreferrer">Secret</a> is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a <code>Pod</code> specification or in a container image. Using a <code>Secret</code> means that you don't need to include confidential data in your application code..</p> <h3> Default Secrets in a Pod </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-basic.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">luksa/kubia</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-basic.yaml pod/kubia created <span class="nv">$ </span>kubectl get po/kubia <span class="nt">-o</span><span class="o">=</span><span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.containers[0].volumeMounts}'</span> <span class="o">[{</span><span class="s2">"mountPath"</span>:<span class="s2">"/var/run/secrets/kubernetes.io/serviceaccount"</span>,<span class="s2">"name"</span>:<span class="s2">"kube-api-access-jd9vq"</span>,<span class="s2">"readOnly"</span>:true<span class="o">}]</span> <span class="nv">$ </span>kubectl get po/kubia <span class="nt">-o</span><span class="o">=</span><span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.volumes[?(@.name == "kube-api-access-jd9vq")].projected.sources}'</span> <span class="o">[{</span><span class="s2">"serviceAccountToken"</span>:<span class="o">{</span><span class="s2">"expirationSeconds"</span>:3607,<span class="s2">"path"</span>:<span class="s2">"token"</span><span class="o">}}</span>,<span class="o">{</span><span class="s2">"configMap"</span>:<span class="o">{</span><span class="s2">"items"</span>:[<span class="o">{</span><span class="s2">"key"</span>:<span class="s2">"ca.crt"</span>,<span class="s2">"path"</span>:<span class="s2">"ca.crt"</span><span class="o">}]</span>,<span class="s2">"name"</span>:<span class="s2">"kube-root-ca.crt"</span><span class="o">}}</span>,<span class="o">{</span><span class="s2">"downwardAPI"</span>:<span class="o">{</span><span class="s2">"items"</span>:[<span class="o">{</span><span class="s2">"fieldRef"</span>:<span class="o">{</span><span class="s2">"apiVersion"</span>:<span class="s2">"v1"</span>,<span class="s2">"fieldPath"</span>:<span class="s2">"metadata.namespace"</span><span class="o">}</span>,<span class="s2">"path"</span>:<span class="s2">"namespace"</span><span class="o">}]}}]</span> <span class="nv">$ </span>kubectl <span class="nb">exec </span>po/kubia <span class="nt">--</span> <span class="nb">ls</span> /var/run/secrets/kubernetes.io/serviceaccount/ ca.crt namespace token <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-basic.yaml pod <span class="s2">"kubia"</span> deleted </code></pre> </div> <h3> Creating Secrets </h3> <h4> Imperative way </h4> <h5> Opaque Secrets </h5> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create secret generic empty-secret secret/empty-secret created <span class="nv">$ </span>kubectl get secret empty-secret NAME TYPE DATA AGE empty-secret Opaque 0 9s <span class="nv">$ </span>kubectl get secret/empty-secret <span class="nt">-o</span> yaml apiVersion: v1 kind: Secret metadata: creationTimestamp: <span class="s2">"2025-11-05T17:19:07Z"</span> name: empty-secret namespace: default resourceVersion: <span class="s2">"6290557"</span> uid: 031d7f8d-e96d-4e03-a90f-2cb96308354b <span class="nb">type</span>: Opaque <span class="nv">$ </span>kubectl delete secret/empty-secret secret <span class="s2">"empty-secret"</span> deleted </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>openssl genrsa <span class="nt">-out</span> tls.key Generating RSA private key, 2048 bit long modulus <span class="o">(</span>2 primes<span class="o">)</span> ...............................................................+++++ .................................+++++ e is 65537 <span class="o">(</span>0x010001<span class="o">)</span> <span class="nv">$ </span>openssl req <span class="nt">-new</span> <span class="nt">-x509</span> <span class="nt">-key</span> tls.key <span class="nt">-out</span> tls.crt <span class="nt">-subj</span> /CN<span class="o">=</span>kubia.com <span class="nv">$ </span>kubectl create secret generic kubia-secret <span class="nt">--from-file</span><span class="o">=</span>tls.key <span class="nt">--from-file</span><span class="o">=</span>tls.crt secret/kubia-secret created <span class="nv">$ </span>kubectl get secret/kubia-secret <span class="nt">-o</span> yaml apiVersion: v1 data: tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlEQ1RDQ0FmR2dBd0lCQWdJVUxxWEJaRn...LS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ0K tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ0KTUlJRXBBSUJBQUtDQVFFQXR4UlRYMD...U2VQK3N3PT0NCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tDQo<span class="o">=</span> kind: Secret metadata: creationTimestamp: <span class="s2">"2025-11-05T17:26:21Z"</span> name: kubia-secret namespace: default resourceVersion: <span class="s2">"6291327"</span> uid: a06d4be4-3e21-47ea-8009-d300c1c449f9 <span class="nb">type</span>: Opaque <span class="nv">$ </span>kubectl delete secret/kubia-secret secret <span class="s2">"kubia-secret"</span> deleted </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create secret generic test-secret <span class="nt">--from-literal</span><span class="o">=</span><span class="s1">'username=admin'</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="s1">'password=39528$vdg7Jb'</span> secret/test-secret created <span class="nv">$ </span>kubectl get secret/test-secret <span class="nt">-o</span> yaml apiVersion: v1 data: password: Mzk1MjgkdmRnN0pi username: <span class="nv">YWRtaW4</span><span class="o">=</span> kind: Secret metadata: creationTimestamp: <span class="s2">"2025-11-05T18:21:28Z"</span> name: test-secret namespace: default resourceVersion: <span class="s2">"6297117"</span> uid: 215daac1-7305-43f4-91c6-c7dbdeca2802 <span class="nb">type</span>: Opaque <span class="nv">$ </span>kubectl delete secret/test-secret secret <span class="s2">"test-secret"</span> deleted </code></pre> </div> <h5> TLS Secrets </h5> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create secret tls my-tls-secret <span class="nt">--key</span><span class="o">=</span>tls.key <span class="nt">--cert</span><span class="o">=</span>tls.crt secret/my-tls-secret created <span class="nv">$ </span>kubectl get secret/my-tls-secret <span class="nt">-o</span> yaml apiVersion: v1 data: tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlEQ1RDQ0FmR2dBd0lCQWdJVUxxWEJaRn...LS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ0K tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ0KTUlJRXBBSUJBQUtDQVFFQXR4UlRYMD...U2VQK3N3PT0NCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tDQo<span class="o">=</span> kind: Secret metadata: creationTimestamp: <span class="s2">"2025-11-05T17:37:45Z"</span> name: my-tls-secret namespace: default resourceVersion: <span class="s2">"6292515"</span> uid: f15b375e-2404-4ca0-a08f-014a0efeec70 <span class="nb">type</span>: kubernetes.io/tls <span class="nv">$ </span>kubectl delete secret/my-tls-secret secret <span class="s2">"my-tls-secret"</span> deleted </code></pre> </div> <h5> Docker config Secrets </h5> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create secret docker-registry my-docker-registry-secret <span class="nt">--docker-username</span><span class="o">=</span>robert <span class="nt">--docker-password</span><span class="o">=</span>passw123 <span class="nt">--docker-server</span><span class="o">=</span>nexus.registry.com:5000 secret/my-docker-registry-secret created <span class="nv">$ </span>kubectl get secret/my-docker-registry-secret <span class="nt">-o</span> yaml apiVersion: v1 data: .dockerconfigjson: eyJhdXRocyI6eyJuZXh1cy5yZWdpc3RyeS5jb206NTAwMCI6eyJ1c2VybmFtZSI6InJvYmVydCIsInBhc3N3b3JkIjoicGFzc3cxMjMiLCJhdXRoIjoiY205aVpYSjBPbkJoYzNOM01USXoifX19 kind: Secret metadata: creationTimestamp: <span class="s2">"2025-11-05T17:44:10Z"</span> name: my-docker-registry-secret namespace: default resourceVersion: <span class="s2">"6293203"</span> uid: c9d05ef7-8c8c-4e2b-bf6f-27f80a45d545 <span class="nb">type</span>: kubernetes.io/dockerconfigjson <span class="nv">$ </span>kubectl delete secret/my-docker-registry-secret secret <span class="s2">"my-docker-registry-secret"</span> deleted </code></pre> </div> <h4> Declarative way </h4> <h5> Opaque Secrets </h5> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">echo</span> <span class="nt">-n</span> <span class="s1">'my-app'</span> | <span class="nb">base64 </span>bXktYXBw <span class="nv">$ </span><span class="nb">echo</span> <span class="nt">-n</span> <span class="s1">'39528$vdg7Jb'</span> | <span class="nb">base64 </span>Mzk1MjgkdmRnN0pi </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># opaque-secret.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">opaque-secret</span> <span class="na">data</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">bXktYXBw</span> <span class="na">password</span><span class="pi">:</span> <span class="s">Mzk1MjgkdmRnN0pi</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> opaque-secret.yaml secret/opaque-secret created <span class="nv">$ </span>kubectl get secrets NAME TYPE DATA AGE opaque-secret Opaque 2 4s <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> opaque-secret.yaml secret <span class="s2">"opaque-secret"</span> deleted </code></pre> </div> <h5> Docker config Secrets </h5> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># dockercfg-secret.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-dockercfg</span> <span class="na">type</span><span class="pi">:</span> <span class="s">kubernetes.io/dockercfg</span> <span class="na">data</span><span class="pi">:</span> <span class="na">.dockercfg</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUvdjEvIjp7ImF1dGgiOiJvcGVuc2VzYW1lIn19fQo=</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> dockercfg-secret.yaml secret/secret-dockercfg created <span class="nv">$ </span>kubectl get secrets NAME TYPE DATA AGE secret-dockercfg kubernetes.io/dockercfg 1 3s <span class="nv">$ </span>kubectl describe secret/secret-dockercfg Name: secret-dockercfg Namespace: default Labels: &lt;none&gt; Annotations: &lt;none&gt; Type: kubernetes.io/dockercfg Data <span class="o">====</span> .dockercfg: 56 bytes <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> dockercfg-secret.yaml secret <span class="s2">"secret-dockercfg"</span> deleted </code></pre> </div> <h5> Basic authentication Secret </h5> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># basicauth-secret.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-basic-auth</span> <span class="na">type</span><span class="pi">:</span> <span class="s">kubernetes.io/basic-auth</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">password</span><span class="pi">:</span> <span class="s">pass1234</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> basicauth-secret.yaml secret/secret-basic-auth created <span class="nv">$ </span>kubectl get secrets NAME TYPE DATA AGE secret-basic-auth kubernetes.io/basic-auth 2 3s <span class="nv">$ </span>kubectl describe secret/secret-basic-auth Name: secret-basic-auth Namespace: default Labels: &lt;none&gt; Annotations: &lt;none&gt; Type: kubernetes.io/basic-auth Data <span class="o">====</span> password: 8 bytes username: 5 bytes <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> basicauth-secret.yaml secret <span class="s2">"secret-basic-auth"</span> deleted </code></pre> </div> <h3> Using Secrets </h3> <p><code>Secrets</code> can be mounted as data volumes or exposed as environment variables to be used by a container in a <code>Pod</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create secret generic test-secret <span class="nt">--from-literal</span><span class="o">=</span><span class="s1">'username=admin'</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="s1">'password=39528$vdg7Jb'</span> secret/test-secret created <span class="nv">$ </span>kubectl describe secret test-secre Name: test-secret Namespace: default Labels: &lt;none&gt; Annotations: &lt;none&gt; Type: Opaque Data <span class="o">====</span> password: 12 bytes username: 5 bytes </code></pre> </div> <h4> Using Secrets as files from a Pod </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-secret-volumemount.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-test-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/secret-volume</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-volume</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">test-secret</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-secret-volumemount.yaml pod/secret-test-pod created <span class="nv">$ </span>kubectl get pod secret-test-pod NAME READY STATUS RESTARTS AGE secret-test-pod 1/1 Running 0 30s <span class="nv">$ </span>kubectl <span class="nb">exec </span>secret-test-pod <span class="nt">--</span> <span class="nb">ls</span> /etc/secret-volume password username <span class="nv">$ </span>kubectl <span class="nb">exec </span>secret-test-pod <span class="nt">--</span> <span class="nb">head</span> /etc/secret-volume/<span class="o">{</span>username,password<span class="o">}</span> <span class="o">==&gt;</span> /etc/secret-volume/username &lt;<span class="o">==</span> admin <span class="o">==&gt;</span> /etc/secret-volume/password &lt;<span class="o">==</span> 39528<span class="nv">$vdg7Jb</span> <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-secret-volumemount.yaml pod <span class="s2">"secret-test-pod"</span> deleted </code></pre> </div> <h5> Project Secret keys to specific file paths </h5> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-secret-volume-items.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-test-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/secret-volume</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-volume</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">test-secret</span> <span class="na">items</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">username</span> <span class="na">path</span><span class="pi">:</span> <span class="s">my-group/my-username</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-secret-volume-items.yaml pod/secret-test-pod created <span class="nv">$ </span>kubectl <span class="nb">exec </span>secret-test-pod <span class="nt">--</span> <span class="nb">ls</span> /etc/secret-volume my-group <span class="nv">$ </span>kubectl <span class="nb">exec </span>secret-test-pod <span class="nt">--</span> <span class="nb">ls</span> /etc/secret-volume/my-group my-username <span class="nv">$ </span>kubectl <span class="nb">exec </span>secret-test-pod <span class="nt">--</span> <span class="nb">head</span> /etc/secret-volume/my-group/my-username admin <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-secret-volume-items.yaml pod <span class="s2">"secret-test-pod"</span> deleted </code></pre> </div> <h4> Using Secrets as environment variables </h4> <h5> Define a container environment variable with data from a single Secret </h5> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-secret-env-var.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-test-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SECRET_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">password</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-secret-env-var.yaml pod/secret-test-pod created <span class="nv">$ </span>kubectl <span class="nb">exec </span>secret-test-pod <span class="nt">--</span> /bin/sh <span class="nt">-c</span> <span class="s1">'echo $SECRET_PASSWORD'</span> 39528<span class="nv">$vdg7Jb</span> <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-secret-env-var.yaml pod <span class="s2">"secret-test-pod"</span> deleted </code></pre> </div> <h5> Define all of the Secret's data as container environment variables </h5> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-secret-envfrom.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-test-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-secret</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-secret-envfrom.yaml pod/secret-test-pod created <span class="nv">$ </span>kubectl <span class="nb">exec </span>secret-test-pod <span class="nt">--</span> /bin/sh <span class="nt">-c</span> <span class="s1">'echo "username: $username\npassword: $password\n"'</span> username: admin password: 39528<span class="nv">$vdg7Jb</span> <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-secret-envfrom.yaml pod <span class="s2">"secret-test-pod"</span> deleted </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete secrets test-secret secret <span class="s2">"test-secret"</span> deleted </code></pre> </div> <h2> Deployments <a></a> </h2> <p>A <a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/" rel="noopener noreferrer">Deployment</a> is a high-level resource used to manage and scale applications while ensuring they remain in the desired state. It provides a declarative way to define how many Pods should run, which container images they should use, and how updates should be applied.</p> <h3> Creating Deployments </h3> <h4> Imperative way </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create deployment my-nginx-deployment <span class="nt">--image</span><span class="o">=</span>nginx <span class="nt">--replicas</span><span class="o">=</span>3 <span class="nt">--port</span><span class="o">=</span>80 deployment.apps/my-nginx-deployment created <span class="nv">$ </span>kubectl get deploy NAME READY UP-TO-DATE AVAILABLE AGE my-nginx-deployment 3/3 3 3 20s <span class="nv">$ </span>kubectl rollout status deployment/my-nginx-deployment deployment <span class="s2">"my-nginx-deployment"</span> successfully rolled out <span class="nv">$ </span>kubectl get rs NAME DESIRED CURRENT READY AGE my-nginx-deployment-677c645895 3 3 3 2m30s <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE my-nginx-deployment-677c645895-d4c9q 1/1 Running 0 2m58s my-nginx-deployment-677c645895-jdvtf 1/1 Running 0 2m58s my-nginx-deployment-677c645895-mkjsc 1/1 Running 0 2m58s <span class="nv">$ </span>kubectl port-forward deployments/my-nginx-deployment 80 Forwarding from 127.0.0.1:80 -&gt; 80 Forwarding from <span class="o">[</span>::1]:80 -&gt; 80 <span class="nv">$ </span>curl <span class="nt">-sI</span> localhost:80 HTTP/1.1 200 OK Server: nginx/1.29.3 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl <span class="nb">set </span>image deployment/my-nginx-deployment <span class="nv">nginx</span><span class="o">=</span>nginx:1.16.1 deployment.apps/my-nginx-deployment image updated <span class="nv">$ </span>kubectl rollout status deployment/my-nginx-deployment Waiting <span class="k">for </span>deployment <span class="s2">"my-nginx-deployment"</span> rollout to finish: 1 out of 3 new replicas have been updated... Waiting <span class="k">for </span>deployment <span class="s2">"my-nginx-deployment"</span> rollout to finish: 1 out of 3 new replicas have been updated... Waiting <span class="k">for </span>deployment <span class="s2">"my-nginx-deployment"</span> rollout to finish: 2 out of 3 new replicas have been updated... Waiting <span class="k">for </span>deployment <span class="s2">"my-nginx-deployment"</span> rollout to finish: 2 out of 3 new replicas have been updated... Waiting <span class="k">for </span>deployment <span class="s2">"my-nginx-deployment"</span> rollout to finish: 2 out of 3 new replicas have been updated... Waiting <span class="k">for </span>deployment <span class="s2">"my-nginx-deployment"</span> rollout to finish: 2 out of 3 new replicas have been updated... Waiting <span class="k">for </span>deployment <span class="s2">"my-nginx-deployment"</span> rollout to finish: 1 old replicas are pending termination... Waiting <span class="k">for </span>deployment <span class="s2">"my-nginx-deployment"</span> rollout to finish: 1 old replicas are pending termination... deployment <span class="s2">"my-nginx-deployment"</span> successfully rolled out <span class="nv">$ </span>kubectl get deploy NAME READY UP-TO-DATE AVAILABLE AGE my-nginx-deployment 3/3 3 3 5m13s <span class="nv">$ </span>kubectl get rs NAME DESIRED CURRENT READY AGE my-nginx-deployment-677c645895 0 0 0 5m31s my-nginx-deployment-68b8b6c496 3 3 3 101s <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE my-nginx-deployment-68b8b6c496-6p9jg 1/1 Running 0 118s my-nginx-deployment-68b8b6c496-mfcnj 1/1 Running 0 2m2s my-nginx-deployment-68b8b6c496-ngm4b 1/1 Running 0 2m <span class="nv">$ </span>kubectl get po/my-nginx-deployment-68b8b6c496-6p9jg <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.containers[0].image}'</span> nginx:1.16.1 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl rollout <span class="nb">history </span>deployment/my-nginx-deployment deployment.apps/my-nginx-deployment REVISION CHANGE-CAUSE 1 &lt;none&gt; 2 &lt;none&gt; <span class="nv">$ </span>kubectl rollout <span class="nb">history </span>deployment/my-nginx-deployment <span class="nt">--revision</span><span class="o">=</span>2 deployment.apps/my-nginx-deployment with revision <span class="c">#2</span> Pod Template: Labels: <span class="nv">app</span><span class="o">=</span>my-nginx-deployment pod-template-hash<span class="o">=</span>68b8b6c496 Containers: nginx: Image: nginx:1.16.1 Port: 80/TCP Host Port: 0/TCP Environment: &lt;none&gt; Mounts: &lt;none&gt; Volumes: &lt;none&gt; Node-Selectors: &lt;none&gt; Tolerations: &lt;none&gt; <span class="nv">$ </span>kubectl rollout undo deployment/my-nginx-deployment <span class="nt">--to-revision</span><span class="o">=</span>1 deployment.apps/my-nginx-deployment rolled back <span class="nv">$ </span>kubectl rollout <span class="nb">history </span>deployment/my-nginx-deployment deployment.apps/my-nginx-deployment REVISION CHANGE-CAUSE 2 &lt;none&gt; 3 &lt;none&gt; <span class="nv">$ </span>kubectl get rs NAME DESIRED CURRENT READY AGE my-nginx-deployment-677c645895 3 3 3 11m my-nginx-deployment-68b8b6c496 0 0 0 7m11s <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE my-nginx-deployment-677c645895-cr2vd 1/1 Running 0 71s my-nginx-deployment-677c645895-cxbpn 1/1 Running 0 73s my-nginx-deployment-677c645895-l67cc 1/1 Running 0 68s <span class="nv">$ </span>kubectl get po/my-nginx-deployment-677c645895-cr2vd <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.containers[0].image}'</span> nginx </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl scale deployment/my-nginx-deployment <span class="nt">--replicas</span><span class="o">=</span>5 deployment.apps/my-nginx-deployment scaled <span class="nv">$ </span>kubectl get deploy NAME READY UP-TO-DATE AVAILABLE AGE my-nginx-deployment 5/5 5 5 14m <span class="nv">$ </span>kubectl get rs NAME DESIRED CURRENT READY AGE my-nginx-deployment-677c645895 5 5 5 14m my-nginx-deployment-68b8b6c496 0 0 0 10m <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE my-nginx-deployment-677c645895-9zrmk 1/1 Running 0 21s my-nginx-deployment-677c645895-cr2vd 1/1 Running 0 4m34s my-nginx-deployment-677c645895-cxbpn 1/1 Running 0 4m36s my-nginx-deployment-677c645895-l67cc 1/1 Running 0 4m31s my-nginx-deployment-677c645895-qk4b5 1/1 Running 0 21s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl rollout pause deployment/my-nginx-deployment deployment.apps/my-nginx-deployment paused <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE my-nginx-deployment-677c645895-9zrmk 1/1 Running 0 3m14s my-nginx-deployment-677c645895-cr2vd 1/1 Running 0 7m27s my-nginx-deployment-677c645895-cxbpn 1/1 Running 0 7m29s my-nginx-deployment-677c645895-l67cc 1/1 Running 0 7m24s my-nginx-deployment-677c645895-qk4b5 1/1 Running 0 3m14s <span class="nv">$ </span>kubectl scale deployment/my-nginx-deployment <span class="nt">--replicas</span><span class="o">=</span>3 deployment.apps/my-nginx-deployment scaled <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE my-nginx-deployment-677c645895-cr2vd 1/1 Running 0 8m28s my-nginx-deployment-677c645895-cxbpn 1/1 Running 0 8m30s my-nginx-deployment-677c645895-l67cc 1/1 Running 0 8m25s <span class="nv">$ </span>kubectl <span class="nb">set </span>image deployment/my-nginx-deployment <span class="nv">nginx</span><span class="o">=</span>nginx:1.17.2 deployment.apps/my-nginx-deployment image updated <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE my-nginx-deployment-677c645895-cr2vd 1/1 Running 0 8m43s my-nginx-deployment-677c645895-cxbpn 1/1 Running 0 8m35s my-nginx-deployment-677c645895-l67cc 1/1 Running 0 8m30s <span class="nv">$ </span>kubectl rollout resume deployment/my-nginx-deployment deployment.apps/my-nginx-deployment resumed <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE my-nginx-deployment-75c7c977bb-hwx6r 1/1 Running 0 32s my-nginx-deployment-75c7c977bb-qlfhc 1/1 Running 0 19s my-nginx-deployment-75c7c977bb-z7l59 1/1 Running 0 43s <span class="nv">$ </span>kubectl get po/my-nginx-deployment-75c7c977bb-hwx6r <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.containers[0].image}'</span> nginx:1.17.2 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete deploy/my-nginx-deployment deployment.apps <span class="s2">"my-nginx-deployment"</span> deleted <span class="nv">$ </span>kubectl get deploy No resources found <span class="k">in </span>default namespace. <span class="nv">$ </span>kubectl get rs No resources found <span class="k">in </span>default namespace. <span class="nv">$ </span>kubectl get po No resources found <span class="k">in </span>default namespace. </code></pre> </div> <h4> Declarative way </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># deployment-basic.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-nginx-deployment</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> deployment-basic.yaml deployment.apps/my-nginx-deployment created <span class="nv">$ </span>kubectl get deploy NAME READY UP-TO-DATE AVAILABLE AGE my-nginx-deployment 3/3 3 3 10s <span class="nv">$ </span>kubectl rollout status deployment/my-nginx-deployment deployment <span class="s2">"my-nginx-deployment"</span> successfully rolled out <span class="nv">$ </span>kubectl rollout status deployment/my-nginx-deployment deployment <span class="s2">"my-nginx-deployment"</span> successfully rolled out <span class="nv">$ </span>kubectl get rs NAME DESIRED CURRENT READY AGE my-nginx-deployment-96b9d695 3 3 3 31s <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE my-nginx-deployment-96b9d695-7hgx5 1/1 Running 0 33s my-nginx-deployment-96b9d695-nvb6h 1/1 Running 0 33s my-nginx-deployment-96b9d695-r5t55 1/1 Running 0 33s <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> deployment-basic.yaml deployment.apps <span class="s2">"my-nginx-deployment"</span> deleted </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-conf</span> <span class="na">data</span><span class="pi">:</span> <span class="na">nginx.conf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">user nginx;</span> <span class="s">worker_processes 1;</span> <span class="s">events {</span> <span class="s">worker_connections 10240;</span> <span class="s">}</span> <span class="s">http {</span> <span class="s">server {</span> <span class="s">listen 80;</span> <span class="s">server_name _;</span> <span class="s">location ~ ^/(healthz|readyz)$ {</span> <span class="s">add_header Content-Type text/plain;</span> <span class="s">return 200 'OK';</span> <span class="s">}</span> <span class="s">}</span> <span class="s">}</span> <span class="s">---</span> <span class="c1"># deployment-probes.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-nginx-deployment</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">progressDeadlineSeconds</span><span class="pi">:</span> <span class="m">600</span> <span class="c1"># Wait for a deployment to make progress before marking it as stalled</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/healthz</span> <span class="c1"># Endpoint for liveness checks</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">15</span> <span class="c1"># Wait 15 seconds before first liveness probe</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="c1"># Check every 10 seconds</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># Timeout after 5 seconds</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># Restart container after 3 consecutive failures</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/readyz</span> <span class="c1"># Endpoint for readiness checks</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># Wait 5 seconds before first readiness probe</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># Check every 5 seconds</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># Timeout after 3 seconds</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># Consider not ready after 1 failure</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-conf</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/nginx/nginx.conf</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">nginx.conf</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-conf</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-conf</span> <span class="na">items</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">nginx.conf</span> <span class="na">path</span><span class="pi">:</span> <span class="s">nginx.conf</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> deployment-probes.yaml configmap/nginx-conf created deployment.apps/my-nginx-deployment created <span class="nv">$ </span>kubectl get deploy NAME READY UP-TO-DATE AVAILABLE AGE my-nginx-deployment 3/3 3 3 12s <span class="nv">$ </span>kubectl get rs NAME DESIRED CURRENT READY AGE my-nginx-deployment-55bc8948d6 3 3 3 52s <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE my-nginx-deployment-55bc8948d6-4lhdd 1/1 Running 0 64s my-nginx-deployment-55bc8948d6-mz5tx 1/1 Running 0 64s my-nginx-deployment-55bc8948d6-nfkkx 1/1 Running 0 64s <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> deployment-probes.yaml configmap <span class="s2">"nginx-conf"</span> deleted deployment.apps <span class="s2">"my-nginx-deployment"</span> deleted </code></pre> </div> <h2> StatefulSet <a></a> </h2> <p>A <a href="https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/" rel="noopener noreferrer">StatefulSet</a> is a resource used to manage stateful applications by providing stable, unique network identifiers, persistent storage, and ordered, graceful deployment and scaling for pods. They are ideal for applications like databases that require each replica to have a predictable identity and persistent storage, unlike stateless applications managed by <code>Deployments</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> storageclass-local-path.yaml storageclass.storage.k8s.io/storageclass-redis created <span class="nv">$ </span>kubectl get sc NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE standard <span class="o">(</span>default<span class="o">)</span> rancher.io/local-path Delete WaitForFirstConsumer <span class="nb">false </span>115d storageclass-redis rancher.io/local-path Delete Immediate <span class="nb">false </span>43s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># statefulset.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">6379</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="na">volumeClaimTemplates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">data</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">ReadWriteOnce"</span> <span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">0.5Gi</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> statefulset.yaml statefulset.apps/redis created <span class="nv">$ </span>kubectl get pvc NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE data-redis-0 Bound pvc-948cc23d-c7a8-4caf-9206-1b52c8f31f75 512Mi RWO standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 3m31s data-redis-1 Bound pvc-f9ff0efa-dd70-44c6-8601-72f17430f848 512Mi RWO standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 2m36s data-redis-2 Bound pvc-b2079d26-8db5-4855-b81b-6f1c78aeab0e 512Mi RWO standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 98s <span class="nv">$ </span>kubectl get pv NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE pvc-948cc23d-c7a8-4caf-9206-1b52c8f31f75 512Mi RWO Delete Bound default/data-redis-0 standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 3m52s pvc-b2079d26-8db5-4855-b81b-6f1c78aeab0e 512Mi RWO Delete Bound default/data-redis-2 standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 2m pvc-f9ff0efa-dd70-44c6-8601-72f17430f848 512Mi RWO Delete Bound default/data-redis-1 standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 2m57s <span class="nv">$ </span>kubectl get statefulset/redis NAME READY AGE redis 3/3 4m19s <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE redis-0 1/1 Running 0 4m55s redis-1 1/1 Running 0 4m redis-2 1/1 Running 0 3m2s <span class="nv">$ </span><span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>0..2<span class="o">}</span><span class="p">;</span> <span class="k">do </span>kubectl <span class="nb">exec</span> <span class="s2">"redis-</span><span class="nv">$i</span><span class="s2">"</span> <span class="nt">--</span> sh <span class="nt">-c</span> <span class="s1">'hostname'</span><span class="p">;</span> <span class="k">done </span>redis-0 redis-1 redis-2 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete pod/redis-0 pod <span class="s2">"redis-0"</span> deleted <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE redis-0 1/1 Running 0 4s redis-1 1/1 Running 0 13m redis-2 1/1 Running 0 12m </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl scale statefulset/redis <span class="nt">--replicas</span><span class="o">=</span>4 statefulset.apps/redis scaled <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE redis-0 1/1 Running 0 2m53s redis-1 1/1 Running 0 16m redis-2 1/1 Running 0 15m redis-3 0/1 Pending 0 2s <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE redis-0 1/1 Running 0 2m56s redis-1 1/1 Running 0 16m redis-2 1/1 Running 0 15m redis-3 0/1 ContainerCreating 0 5s <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE redis-0 1/1 Running 0 2m58s redis-1 1/1 Running 0 16m redis-2 1/1 Running 0 15m redis-3 0/1 ContainerCreating 0 7s <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE redis-0 1/1 Running 0 2m59s redis-1 1/1 Running 0 16m redis-2 1/1 Running 0 15m redis-3 1/1 Running 0 8s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete statefulset/redis statefulset.apps <span class="s2">"redis"</span> deleted <span class="nv">$ </span>kubectl get po No resources found <span class="k">in </span>default namespace. <span class="nv">$ </span>kubectl get statefulsets No resources found <span class="k">in </span>default namespace. <span class="nv">$ </span>kubectl get pv NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE pvc-1b2cab34-7cce-4583-8cd3-3e7fce32f72c 512Mi RWO Delete Bound default/data-redis-3 standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 4m10s pvc-948cc23d-c7a8-4caf-9206-1b52c8f31f75 512Mi RWO Delete Bound default/data-redis-0 standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 21m pvc-b2079d26-8db5-4855-b81b-6f1c78aeab0e 512Mi RWO Delete Bound default/data-redis-2 standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 19m pvc-f9ff0efa-dd70-44c6-8601-72f17430f848 512Mi RWO Delete Bound default/data-redis-1 standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 20m <span class="nv">$ </span>kubectl get pvc NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE data-redis-0 Bound pvc-948cc23d-c7a8-4caf-9206-1b52c8f31f75 512Mi RWO standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 22m data-redis-1 Bound pvc-f9ff0efa-dd70-44c6-8601-72f17430f848 512Mi RWO standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 21m data-redis-2 Bound pvc-b2079d26-8db5-4855-b81b-6f1c78aeab0e 512Mi RWO standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 20m data-redis-3 Bound pvc-1b2cab34-7cce-4583-8cd3-3e7fce32f72c 512Mi RWO standard &lt;<span class="nb">unset</span><span class="o">&gt;</span> 4m55s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete sc/storageclass-redis storageclass.storage.k8s.io <span class="s2">"storageclass-redis"</span> deleted <span class="nv">$ </span>kubectl delete pvc data-redis-<span class="o">{</span>0,1,2,3<span class="o">}</span> persistentvolumeclaim <span class="s2">"data-redis-0"</span> deleted persistentvolumeclaim <span class="s2">"data-redis-1"</span> deleted persistentvolumeclaim <span class="s2">"data-redis-2"</span> deleted persistentvolumeclaim <span class="s2">"data-redis-3"</span> deleted <span class="nv">$ </span>kubectl get pvc No resources found <span class="k">in </span>default namespace. <span class="nv">$ </span>kubectl get pv No resources found </code></pre> </div> <h2> ServiceAccount <a></a> </h2> <p>A <a href="https://kubernetes.io/docs/concepts/security/service-accounts/" rel="noopener noreferrer">ServiceAccount</a> provides an identity for processes and applications running within a Kubernetes cluster. <code>ServiceAccounts</code> are designed for non-human entities like Pods, system components, or external tools that need to interact with the Kubernetes API.</p> <h3> Default ServiceAccount </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get sa NAME SECRETS AGE default 0 116d <span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-basic.yaml pod/kubia created <span class="nv">$ </span>kubectl get pod/kubia <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.serviceAccount}'</span> default <span class="nv">$ </span>kubectl delete <span class="nt">-f</span> pod-basic.yaml pod <span class="s2">"kubia"</span> deleted </code></pre> </div> <h3> Creating a ServiceAccount </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create sa my-sa serviceaccount/my-sa created <span class="nv">$ </span>kubectl get sa NAME SECRETS AGE default 0 116d my-sa 0 7s <span class="nv">$ </span>kubectl get sa/my-sa <span class="nt">-o</span> yaml apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: <span class="s2">"2025-11-10T10:27:44Z"</span> name: my-sa namespace: default resourceVersion: <span class="s2">"7002078"</span> uid: 487bd1fa-353a-420e-be95-6ee876a277f5 <span class="nv">$ </span>kubectl describe sa/my-sa Name: my-sa Namespace: default Labels: &lt;none&gt; Annotations: &lt;none&gt; Image pull secrets: &lt;none&gt; Mountable secrets: &lt;none&gt; Tokens: &lt;none&gt; Events: &lt;none&gt; </code></pre> </div> <h3> Associate a Secret with a ServiceAccount </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># secret-sa-token.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">type</span><span class="pi">:</span> <span class="s">kubernetes.io/service-account-token</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-sa-token</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">kubernetes.io/service-account.name</span><span class="pi">:</span> <span class="s">my-sa</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> secret-sa-token.yaml secret/my-sa-token created <span class="nv">$ </span>kubectl get secrets NAME TYPE DATA AGE my-sa-token kubernetes.io/service-account-token 3 24s <span class="nv">$ </span>kubectl describe secret/my-sa-token Name: my-sa-token Namespace: default Labels: &lt;none&gt; Annotations: kubernetes.io/service-account.name: my-sa kubernetes.io/service-account.uid: 487bd1fa-353a-420e-be95-6ee876a277f5 Type: kubernetes.io/service-account-token Data <span class="o">====</span> ca.crt: 1107 bytes namespace: 7 bytes token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkxiTHE0d29pbFBiUXpXNkI1bWxoMHFQNVZCa2o1cFl1c3...HLmhPxTcMYPc3WNUWIS4t_8E3556087H4f1e-13y8B_dUYYzh-B7NJuOIOp31_eiAxhYzaQYGw <span class="nv">$ </span>kubectl get secret/my-sa-token <span class="nt">-o</span><span class="o">=</span><span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.token}'</span> | <span class="nb">base64</span> <span class="nt">--decode</span> eyJhbGciOiJSUzI1NiIsImtpZCI6IkxiTHE0d29pbFBiUXpXNkI1bWxoMHFQNVZCa2o1cFl1c3...HLmhPxTcMYPc3WNUWIS4t_8E3556087H4f1e-13y8B_dUYYzh-B7NJuOIOp31_eiAxhYzaQYGw <span class="nv">$ </span>kubectl describe sa/my-sa Name: my-sa Namespace: default Labels: &lt;none&gt; Annotations: &lt;none&gt; Image pull secrets: &lt;none&gt; Mountable secrets: &lt;none&gt; Tokens: my-sa-token Events: &lt;none&gt; </code></pre> </div> <h3> Assign a ServiceAccount to a Pod </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-sa.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">curl</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">my-sa</span> <span class="na">automountServiceAccountToken</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">alpine/curl</span> <span class="na">name</span><span class="pi">:</span> <span class="s">curl</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">sleep"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">9999999"</span><span class="pi">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-sa.yaml pod/curl created <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE curl 1/1 Running 0 4s <span class="nv">$ </span>kubectl get pod/curl <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.serviceAccount}'</span> my-sa <span class="nv">$ </span>kubectl <span class="nb">exec</span> <span class="nt">-it</span> pod/curl <span class="nt">--</span> <span class="nb">cat</span> /var/run/secrets/kubernetes.io/serviceaccount/token eyJhbGciOiJSUzI1NiIsImtpZCI6IkxiTHE0d29pbFBiUXpXNkI1bWxoMHFQNVZCa2o1cFl1c3...9Wd5ONTHu2VyrTfM6u1FAxC72hKWK0_5zpNg </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl <span class="nb">exec</span> <span class="nt">-it</span> pod/curl <span class="nt">--</span> sh / <span class="c"># NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)</span> / <span class="c"># TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)</span> / <span class="c"># export CURL_CA_BUNDLE=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt</span> / <span class="c"># curl -s https://kubernetes.default.svc.cluster.local/api/v1/namespaces/$NS/pods -H "Authorization: Bearer $TOKEN"</span> <span class="o">{</span> <span class="s2">"kind"</span>: <span class="s2">"Status"</span>, <span class="s2">"apiVersion"</span>: <span class="s2">"v1"</span>, <span class="s2">"metadata"</span>: <span class="o">{}</span>, <span class="s2">"status"</span>: <span class="s2">"Failure"</span>, <span class="s2">"message"</span>: <span class="s2">"pods is forbidden: User </span><span class="se">\"</span><span class="s2">system:serviceaccount:default:my-sa</span><span class="se">\"</span><span class="s2"> cannot list resource </span><span class="se">\"</span><span class="s2">pods</span><span class="se">\"</span><span class="s2"> in API group </span><span class="se">\"\"</span><span class="s2"> in the namespace </span><span class="se">\"</span><span class="s2">default</span><span class="se">\"</span><span class="s2">"</span>, <span class="s2">"reason"</span>: <span class="s2">"Forbidden"</span>, <span class="s2">"details"</span>: <span class="o">{</span> <span class="s2">"kind"</span>: <span class="s2">"pods"</span> <span class="o">}</span>, <span class="s2">"code"</span>: 403 <span class="o">}</span> </code></pre> </div> <h2> RBAC <a></a> </h2> <p>Role-Based Access Control (<a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/" rel="noopener noreferrer">RBAC</a>) is a security model that grants access to systems and data based on user roles, not individual users.</p> <h3> Role </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># rbac-role.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pod-reader</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> rbac-role.yaml <span class="nt">-n</span> default role.rbac.authorization.k8s.io/pod-reader created <span class="nv">$ </span>kubectl get role <span class="nt">-n</span> default NAME CREATED AT pod-reader 2025-11-11T09:32:20Z </code></pre> </div> <h3> RoleBinding </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># rbac-rolebinding.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">read-pods-binding</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-sa</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pod-reader</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> rbac-rolebinding.yaml <span class="nt">-n</span> default rolebinding.rbac.authorization.k8s.io/read-pods-binding created <span class="nv">$ </span>kubectl get rolebindings <span class="nt">-n</span> default NAME ROLE AGE read-pods-binding Role/pod-reader 35s </code></pre> </div> <h4> Validate ServiceAccount access </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl <span class="nb">exec</span> <span class="nt">-it</span> pod/curl <span class="nt">--</span> sh / <span class="c"># NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)</span> / <span class="c"># TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)</span> / <span class="c"># export CURL_CA_BUNDLE=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt</span> / <span class="c"># curl -s https://kubernetes.default.svc.cluster.local/api/v1/namespaces/$NS/pods -H "Authorization: Bearer $TOKEN"</span> <span class="o">{</span> <span class="s2">"kind"</span>: <span class="s2">"PodList"</span>, <span class="s2">"apiVersion"</span>: <span class="s2">"v1"</span>, <span class="s2">"metadata"</span>: <span class="o">{</span> <span class="s2">"resourceVersion"</span>: <span class="s2">"7148388"</span> <span class="o">}</span>, <span class="s2">"items"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"metadata"</span>: <span class="o">{</span> <span class="s2">"name"</span>: <span class="s2">"curl"</span>, <span class="s2">"namespace"</span>: <span class="s2">"default"</span>, <span class="s2">"uid"</span>: <span class="s2">"4fc1f8e7-9884-42c3-941e-9e27df563592"</span>, <span class="s2">"resourceVersion"</span>: <span class="s2">"7007001"</span>, <span class="s2">"generation"</span>: 1, <span class="s2">"creationTimestamp"</span>: <span class="s2">"2025-11-10T11:13:48Z"</span>, ... <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> rbac-rolebinding.yaml <span class="nt">-n</span> default rolebinding.rbac.authorization.k8s.io <span class="s2">"read-pods-binding"</span> deleted <span class="nv">$ </span>kubectl get rolebindings <span class="nt">-n</span> default No resources found <span class="k">in </span>default namespace. <span class="nv">$ </span>kubectl delete role/pod-reader role.rbac.authorization.k8s.io <span class="s2">"pod-reader"</span> deleted <span class="nv">$ </span>kubectl get roles No resources found <span class="k">in </span>default namespace. </code></pre> </div> <h3> ClusterRole </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># rbac-clusterrole.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pv-reader</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">persistentvolumes"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> rbac-clusterrole.yaml clusterrole.rbac.authorization.k8s.io/pv-reader created <span class="nv">$ </span>kubectl describe clusterrole/pv-reader Name: pv-reader Labels: &lt;none&gt; Annotations: &lt;none&gt; PolicyRule: Resources Non-Resource URLs Resource Names Verbs <span class="nt">---------</span> <span class="nt">-----------------</span> <span class="nt">--------------</span> <span class="nt">-----</span> persistentvolumes <span class="o">[]</span> <span class="o">[]</span> <span class="o">[</span>get list] </code></pre> </div> <h3> ClusterRoleBinding </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># rbac-clusterrolebinding.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">read-pv-binding</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-sa</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pv-reader</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> rbac-clusterrolebinding.yaml clusterrolebinding.rbac.authorization.k8s.io/read-pv-binding created <span class="nv">$ </span>kubectl describe clusterrolebinding/read-pv-binding Name: read-pv-binding Labels: &lt;none&gt; Annotations: &lt;none&gt; Role: Kind: ClusterRole Name: pv-reader Subjects: Kind Name Namespace <span class="nt">----</span> <span class="nt">----</span> <span class="nt">---------</span> ServiceAccount my-sa default </code></pre> </div> <h4> Validate ServiceAccount access </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl <span class="nb">exec</span> <span class="nt">-it</span> pod/curl <span class="nt">--</span> sh / <span class="c"># NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)</span> / <span class="c"># TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)</span> / <span class="c"># export CURL_CA_BUNDLE=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt</span> / <span class="c"># curl -s https://kubernetes.default.svc.cluster.local/api/v1/persistentvolumes -H "Authorization: Bearer $TOKEN"</span> <span class="o">{</span> <span class="s2">"kind"</span>: <span class="s2">"PersistentVolumeList"</span>, <span class="s2">"apiVersion"</span>: <span class="s2">"v1"</span>, <span class="s2">"metadata"</span>: <span class="o">{</span> <span class="s2">"resourceVersion"</span>: <span class="s2">"7162702"</span> <span class="o">}</span>, <span class="s2">"items"</span>: <span class="o">[]</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete sa/my-sa serviceaccount <span class="s2">"my-sa"</span> deleted <span class="nv">$ </span>kubectl delete clusterrolebinding/read-pv-binding clusterrolebinding.rbac.authorization.k8s.io <span class="s2">"read-pv-binding"</span> deleted <span class="nv">$ </span>kubectl delete clusterrole/pv-reader clusterrole.rbac.authorization.k8s.io <span class="s2">"pv-reader"</span> deleted <span class="nv">$ </span>kubectl delete po/curl pod <span class="s2">"curl"</span> deleted </code></pre> </div> <h2> Pod Security <a></a> </h2> <p>The <a href="https://kubernetes.io/docs/concepts/security/pod-security-admission/" rel="noopener noreferrer">Pod Security Admission</a> (PSA) enforces the <a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/" rel="noopener noreferrer">Pod Security Standards</a> (PSS).</p> <p>Kubernetes defines a set of labels that you can set to define which of the predefined <code>PSS</code> levels you want to use for a namespace.</p> <p>The per-mode level label indicates which policy level (<code>privileged</code>, <code>baseline</code>, or <code>restricted</code>) to apply for the mode (<code>enforce</code>, <code>audit</code>, or <code>warn</code>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">pod-security.kubernetes.io/&lt;mode&gt;</span><span class="pi">:</span> <span class="s">&lt;level&gt;</span> </code></pre> </div> <h3> Restricted level with warn mode </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ns-psa-warn-restricted.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">psa-warn-restricted</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">pod-security.kubernetes.io/warn</span><span class="pi">:</span> <span class="s">restricted</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> ns-psa-warn-restricted.yaml namespace/psa-warn-restricted created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-warn-restricted.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">psa-warn-restricted</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:1.35.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">sleep</span><span class="nv"> </span><span class="s">1h"</span><span class="pi">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-warn-restricted.yaml Warning: would violate PodSecurity <span class="s2">"restricted:latest"</span>: allowPrivilegeEscalation <span class="o">!=</span> <span class="nb">false</span> <span class="o">(</span>container <span class="s2">"busybox"</span> must <span class="nb">set </span>securityContext.allowPrivilegeEscalation<span class="o">=</span><span class="nb">false</span><span class="o">)</span>, unrestricted capabilities <span class="o">(</span>container <span class="s2">"busybox"</span> must <span class="nb">set </span>securityContext.capabilities.drop<span class="o">=[</span><span class="s2">"ALL"</span><span class="o">])</span>, runAsNonRoot <span class="o">!=</span> <span class="nb">true</span> <span class="o">(</span>pod or container <span class="s2">"busybox"</span> must <span class="nb">set </span>securityContext.runAsNonRoot<span class="o">=</span><span class="nb">true</span><span class="o">)</span>, seccompProfile <span class="o">(</span>pod or container <span class="s2">"busybox"</span> must <span class="nb">set </span>securityContext.seccompProfile.type to <span class="s2">"RuntimeDefault"</span> or <span class="s2">"Localhost"</span><span class="o">)</span> pod/busybox created <span class="nv">$ </span>kubectl get po <span class="nt">-n</span> psa-warn-restricted NAME READY STATUS RESTARTS AGE busybox 1/1 Running 0 32s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete ns/psa-warn-restricted namespace <span class="s2">"psa-warn-restricted"</span> deleted <span class="nv">$ </span>kubectl get po <span class="nt">-n</span> psa-warn-restricted No resources found <span class="k">in </span>psa-warn-restricted namespace. </code></pre> </div> <h3> Restricted level with enforce mode </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ns-psa-enforce-restricted.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">psa-enforce-restricted</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">pod-security.kubernetes.io/enforce</span><span class="pi">:</span> <span class="s">restricted</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> ns-psa-enforce-restricted.yaml namespace/psa-enforce-restricted created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-enforce-restricted.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">psa-enforce-restricted</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:1.35.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">sleep</span><span class="nv"> </span><span class="s">1h"</span><span class="pi">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-enforce-restricted.yaml Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: error when creating <span class="s2">"pod-enforce-restricted.yaml"</span>: pods <span class="s2">"busybox"</span> is forbidden: violates PodSecurity <span class="s2">"restricted:latest"</span>: allowPrivilegeEscalation <span class="o">!=</span> <span class="nb">false</span> <span class="o">(</span>container <span class="s2">"busybox"</span> must <span class="nb">set </span>securityContext.allowPrivilegeEscalation<span class="o">=</span><span class="nb">false</span><span class="o">)</span>, unrestricted capabilities <span class="o">(</span>container <span class="s2">"busybox"</span> must <span class="nb">set </span>securityContext.capabilities.drop<span class="o">=[</span><span class="s2">"ALL"</span><span class="o">])</span>, runAsNonRoot <span class="o">!=</span> <span class="nb">true</span> <span class="o">(</span>pod or container <span class="s2">"busybox"</span> must <span class="nb">set </span>securityContext.runAsNonRoot<span class="o">=</span><span class="nb">true</span><span class="o">)</span>, seccompProfile <span class="o">(</span>pod or container <span class="s2">"busybox"</span> must <span class="nb">set </span>securityContext.seccompProfile.type to <span class="s2">"RuntimeDefault"</span> or <span class="s2">"Localhost"</span><span class="o">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-enforce-restricted-v2.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">psa-enforce-restricted</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:1.35.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">sleep</span><span class="nv"> </span><span class="s">1h"</span><span class="pi">]</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">capabilities</span><span class="pi">:</span> <span class="na">drop</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">ALL"</span><span class="pi">]</span> <span class="na">runAsNonRoot</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">2000</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">seccompProfile</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RuntimeDefault</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-enforce-restricted-v2.yaml pod/busybox created <span class="nv">$ </span>kubectl get po <span class="nt">-n</span> psa-enforce-restricted NAME READY STATUS RESTARTS AGE busybox 1/1 Running 0 71s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete ns/psa-enforce-restricted namespace <span class="s2">"psa-enforce-restricted"</span> deleted <span class="nv">$ </span>kubectl get po <span class="nt">-n</span> psa-enforce-restricted No resources found <span class="k">in </span>psa-enforce-restricted namespace. </code></pre> </div> <h3> Baseline level with enforce mode </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ns-psa-enforce-baseline.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">psa-enforce-baseline</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">pod-security.kubernetes.io/enforce</span><span class="pi">:</span> <span class="s">baseline</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> ns-psa-enforce-baseline.yaml namespace/psa-enforce-baseline created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-enforce-baseline.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">psa-enforce-baseline</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hostNetwork</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:1.35.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">sleep</span><span class="nv"> </span><span class="s">1h"</span><span class="pi">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-enforce-baseline.yaml Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: error when creating <span class="s2">"pod-enforce-baseline.yaml"</span>: pods <span class="s2">"busybox"</span> is forbidden: violates PodSecurity <span class="s2">"baseline:latest"</span>: host namespaces <span class="o">(</span><span class="nv">hostNetwork</span><span class="o">=</span><span class="nb">true</span><span class="o">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> ns-psa-enforce-baseline.yaml namespace <span class="s2">"psa-enforce-baseline"</span> deleted </code></pre> </div> <h3> Privileged level with enforce mode </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ns-psa-enforce-privileged.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">psa-enforce-privileged</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">pod-security.kubernetes.io/enforce</span><span class="pi">:</span> <span class="s">privileged</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> ns-psa-enforce-privileged.yaml namespace/psa-enforce-privileged created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-enforce-privileged.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">psa-enforce-privileged</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hostNetwork</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">hostPID</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">hostIPC</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">0</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:1.35.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">sleep</span><span class="nv"> </span><span class="s">1h"</span><span class="pi">]</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">privileged</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-enforce-privileged.yaml pod/busybox created <span class="nv">$ </span>kubectl <span class="nb">exec</span> <span class="nt">-ti</span> pod/busybox <span class="nt">-n</span> psa-enforce-privileged <span class="nt">--</span> ps PID USER TIME COMMAND 1 root 0:54 <span class="o">{</span>systemd<span class="o">}</span> /sbin/init 116 root 1h50 /usr/local/bin/containerd 185 root 5h06 /usr/bin/kubelet <span class="nt">--bootstrap-kubeconfig</span><span class="o">=</span>/etc/kubernetes/bootstrap-kubelet.conf <span class="nt">--kubeconfig</span><span class="o">=</span>/etc/kubernetes/kubelet.conf <span class="nt">--config</span><span class="o">=</span>/var/lib/kubelet/config.yaml <span class="nt">--container-runtime-endpoint</span><span class="o">=</span>unix:///run/containerd/containerd.sock <span class="nt">--node-ip</span><span class="o">=</span>172.18.0.3 <span class="nt">--node-labels</span><span class="o">=</span> <span class="nt">--pod-infra-container-image</span><span class="o">=</span>registry.k8s.io/pause:3.10 <span class="nt">--provider-id</span><span class="o">=</span>kind://docker/kind/kind-worker3 <span class="nt">--runtime-cgroups</span><span class="o">=</span>/system.slice/containerd.service 358 root 5:49 /usr/local/bin/containerd-shim-runc-v2 <span class="nt">-namespace</span> k8s.io <span class="nt">-id</span> abfaf0f18c5ce3d14ba5236c34ed8048486151649c0183c0d5228240a64cdc39 <span class="nt">-address</span> /run/containerd/containerd.sock 436 root 4:56 /usr/local/bin/containerd-shim-runc-v2 <span class="nt">-namespace</span> k8s.io <span class="nt">-id</span> 0c430d300ff99ed691cc7daca4b6276b41621c19739462c7fe1275abf8cd4f93 <span class="nt">-address</span> /run/containerd/containerd.sock 494 65535 0:00 /pause 554 65535 0:00 /pause 665 root 5:38 /usr/local/bin/kube-proxy <span class="nt">--config</span><span class="o">=</span>/var/lib/kube-proxy/config.conf <span class="nt">--hostname-override</span><span class="o">=</span>kind-worker3 698 root 8:15 /bin/kindnetd 151332 root 0:01 /lib/systemd/systemd-journald 336224 root 0:00 /usr/local/bin/containerd-shim-runc-v2 <span class="nt">-namespace</span> k8s.io <span class="nt">-id</span> 6b7c911e749486aca30a8e963ee6d4781391f73b63490e98cbdbb537fe4b538b <span class="nt">-address</span> /run/containerd/containerd.sock 336248 root 0:00 /pause 336274 root 0:00 <span class="nb">sleep </span>1h 336627 root 0:00 ps </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> ns-psa-enforce-privileged.yaml namespace <span class="s2">"psa-enforce-privileged"</span> deleted </code></pre> </div> <h2> NetworkPolicy <a></a> </h2> <p>In contexts like Kubernetes, <a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/" rel="noopener noreferrer">Network Policies</a> are used to control communication between pods, while broader network policies can be applied to devices like switches and routers to align the network with business needs.</p> <p>The <code>kind</code> does not support the <a href="https://github.com/kubernetes-sigs/kind/issues/842" rel="noopener noreferrer">NetworkPolicy</a> by default, as it comes with a simple networking implementation <code>kindnetd</code> as <a href="https://kind.sigs.k8s.io/docs/user/configuration/#disable-default-cni" rel="noopener noreferrer">default CNI pluging</a>.</p> <h3> Install a CNI Networking Plugin </h3> <h4> Recreating a cluster </h4> <p>Therefore, it is necessary recreate the <code>kind</code> cluster using the CNI <a href="https://github.com/projectcalico/calico" rel="noopener noreferrer">Calico</a> plugin.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kind delete cluster Deleting cluster <span class="s2">"kind"</span> ... Deleted nodes: <span class="o">[</span><span class="s2">"kind-worker"</span> <span class="s2">"kind-control-plane"</span> <span class="s2">"kind-worker3"</span> <span class="s2">"kind-worker2"</span><span class="o">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kind-cluster-cni.yaml</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Cluster</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kind.x-k8s.io/v1alpha4</span> <span class="na">networking</span><span class="pi">:</span> <span class="na">disableDefaultCNI</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">podSubnet</span><span class="pi">:</span> <span class="s">192.168.0.0/16</span> <span class="na">nodes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">control-plane</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">worker</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">worker</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">worker</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kind create cluster <span class="nt">--config</span> kind-cluster-cni.yaml <span class="nt">--name</span><span class="o">=</span>kind-calico Creating cluster <span class="s2">"kind-calico"</span> ... • Ensuring node image <span class="o">(</span>kindest/node:v1.33.1<span class="o">)</span> 🖼 ... ✓ Ensuring node image <span class="o">(</span>kindest/node:v1.33.1<span class="o">)</span> 🖼 • Preparing nodes 📦 📦 📦 📦 ... ✓ Preparing nodes 📦 📦 📦 📦 • Writing configuration 📜 ... ✓ Writing configuration 📜 • Starting control-plane 🕹️ ... ✓ Starting control-plane 🕹️ • Installing StorageClass 💾 ... ✓ Installing StorageClass 💾 • Joining worker nodes 🚜 ... ✓ Joining worker nodes 🚜 Set kubectl context to <span class="s2">"kind-kind-calico"</span> You can now use your cluster with: kubectl cluster-info <span class="nt">--context</span> kind-kind-calico Thanks <span class="k">for </span>using kind! 😊 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get no NAME STATUS ROLES AGE VERSION kind-calico-control-plane NotReady control-plane 3m43s v1.33.1 kind-calico-worker NotReady &lt;none&gt; 3m30s v1.33.1 kind-calico-worker2 NotReady &lt;none&gt; 3m30s v1.33.1 kind-calico-worker3 NotReady &lt;none&gt; 3m30s v1.33.1 </code></pre> </div> <h4> Installing Calico plugin </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> https://raw.githubusercontent.com/projectcalico/calico/v3.28.3/manifests/calico.yaml poddisruptionbudget.policy/calico-kube-controllers created serviceaccount/calico-kube-controllers created serviceaccount/calico-node created serviceaccount/calico-cni-plugin created configmap/calico-config created customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/bgpfilters.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/caliconodestatuses.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/ipreservations.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created clusterrole.rbac.authorization.k8s.io/calico-node created clusterrole.rbac.authorization.k8s.io/calico-cni-plugin created clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created clusterrolebinding.rbac.authorization.k8s.io/calico-node created clusterrolebinding.rbac.authorization.k8s.io/calico-cni-plugin created daemonset.apps/calico-node created deployment.apps/calico-kube-controllers created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get pods <span class="nt">-l</span> k8s-app<span class="o">=</span>calico-node <span class="nt">-A</span> <span class="nt">--watch</span> NAMESPACE NAME READY STATUS RESTARTS AGE kube-system calico-node-c264z 0/1 Init:2/3 0 61s kube-system calico-node-d98t7 0/1 Init:2/3 0 61s kube-system calico-node-sps7w 0/1 Init:2/3 0 61s kube-system calico-node-ssd8q 0/1 Init:2/3 0 61s kube-system calico-node-ssd8q 0/1 PodInitializing 0 89s kube-system calico-node-d98t7 0/1 PodInitializing 0 89s kube-system calico-node-c264z 0/1 Init:2/3 0 89s kube-system calico-node-sps7w 0/1 PodInitializing 0 90s kube-system calico-node-ssd8q 0/1 Running 0 90s kube-system calico-node-d98t7 0/1 Running 0 90s kube-system calico-node-c264z 0/1 PodInitializing 0 90s kube-system calico-node-sps7w 0/1 Running 0 91s kube-system calico-node-c264z 0/1 Running 0 91s kube-system calico-node-d98t7 1/1 Running 0 101s kube-system calico-node-ssd8q 1/1 Running 0 102s kube-system calico-node-c264z 1/1 Running 0 102s kube-system calico-node-sps7w 1/1 Running 0 103s <span class="nv">$ </span>kubectl get no NAME STATUS ROLES AGE VERSION kind-calico-control-plane Ready control-plane 4m28s v1.33.1 kind-calico-worker Ready &lt;none&gt; 4m15s v1.33.1 kind-calico-worker2 Ready &lt;none&gt; 4m15s v1.33.1 kind-calico-worker3 Ready &lt;none&gt; 4m15s v1.33.1 </code></pre> </div> <h4> Setup a NetworkPolicy </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ns-foo-bar.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">foo</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">tenant</span><span class="pi">:</span> <span class="s">foo</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bar</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">tenant</span><span class="pi">:</span> <span class="s">bar</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> ns-foo-bar.yaml namespace/foo created namespace/bar created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-ns-foo-bar.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-foo</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">foo</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">tier</span><span class="pi">:</span> <span class="s">foo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-foo</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-bar</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">bar</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">tier</span><span class="pi">:</span> <span class="s">bar</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-bar</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-ns-foo-bar.yaml pod/nginx-foo created pod/nginx-bar created </code></pre> </div> <h5> Ingress </h5> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get po <span class="nt">-n</span> bar <span class="nt">-o</span> wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx-bar 1/1 Running 0 2m16s 192.168.52.65 kind-calico-worker2 &lt;none&gt; &lt;none&gt; <span class="nv">$ </span>kubectl <span class="nb">exec </span>pod/nginx-foo <span class="nt">-n</span> foo <span class="nt">--</span> curl <span class="nt">-sI</span> http://192.168.52.65:80 HTTP/1.1 200 OK Server: nginx/1.29.3 Date: Sat, 15 Nov 2025 12:34:19 GMT Content-Type: text/html Content-Length: 615 Last-Modified: Tue, 28 Oct 2025 12:05:10 GMT Connection: keep-alive ETag: <span class="s2">"6900b176-267"</span> Accept-Ranges: bytes </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># networkpolicy-ingress.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">deny-all</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">bar</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">policyTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Ingress</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> networkpolicy-ingress.yaml networkpolicy.networking.k8s.io/deny-all created <span class="nv">$ </span>kubectl get networkpolicy <span class="nt">-n</span> bar NAME POD-SELECTOR AGE deny-all &lt;none&gt; 41s <span class="nv">$ </span>kubectl <span class="nb">exec </span>pod/nginx-foo <span class="nt">-n</span> foo <span class="nt">--</span> curl <span class="nt">-svI</span> http://192.168.52.65:80 <span class="k">*</span> Trying 192.168.52.65:80... <span class="k">*</span> connect to 192.168.52.65 port 80 from 192.168.28.193 port 43618 failed: Connection timed out <span class="k">*</span> Failed to connect to 192.168.52.65 port 80 after 135435 ms: Could not connect to server <span class="k">*</span> closing connection <span class="c">#0</span> <span class="nb">command </span>terminated with <span class="nb">exit </span>code 28 </code></pre> </div> <h5> Ingress </h5> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get po <span class="nt">-n</span> foo <span class="nt">-o</span> wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx-foo 1/1 Running 0 15m 192.168.28.193 kind-calico-worker3 &lt;none&gt; &lt;none&gt; <span class="nv">$ </span>kubectl <span class="nb">exec </span>pod/nginx-bar <span class="nt">-n</span> bar <span class="nt">--</span> curl <span class="nt">-sI</span> http://192.168.28.193:80 HTTP/1.1 200 OK Server: nginx/1.29.3 Date: Sat, 15 Nov 2025 12:46:20 GMT Content-Type: text/html Content-Length: 615 Last-Modified: Tue, 28 Oct 2025 12:05:10 GMT Connection: keep-alive ETag: <span class="s2">"6900b176-267"</span> Accept-Ranges: bytes </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># networkpolicy-egress.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">deny-pod-bar-egress</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">bar</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">tier</span><span class="pi">:</span> <span class="s">bar</span> <span class="na">policyTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Egress</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> networkpolicy-egress.yaml networkpolicy.networking.k8s.io/deny-pod-bar-egress created <span class="nv">$ </span>kubectl get networkpolicy <span class="nt">-n</span> bar NAME POD-SELECTOR AGE deny-all &lt;none&gt; 18m deny-pod-bar-egress <span class="nv">tier</span><span class="o">=</span>bar 8s <span class="nv">$ </span>kubectl <span class="nb">exec </span>pod/nginx-bar <span class="nt">-n</span> bar <span class="nt">--</span> curl <span class="nt">-svI</span> http://192.168.28.193:80 <span class="k">*</span> Trying 192.168.28.193:80... <span class="k">*</span> connect to 192.168.28.193 port 80 from 192.168.52.65 port 58978 failed: Connection timed out <span class="k">*</span> Failed to connect to 192.168.28.193 port 80 after 135323 ms: Could not connect to server <span class="k">*</span> closing connection <span class="c">#0</span> <span class="nb">command </span>terminated with <span class="nb">exit </span>code 28 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-n</span> bar networkpolicies deny-all deny-pod-bar-egress networkpolicy.networking.k8s.io <span class="s2">"deny-all"</span> deleted networkpolicy.networking.k8s.io <span class="s2">"deny-pod-bar-egress"</span> deleted <span class="nv">$ </span>kubectl delete ns foo bar namespace <span class="s2">"foo"</span> deleted namespace <span class="s2">"bar"</span> deleted </code></pre> </div> <h2> LimitRange <a></a> </h2> <p>A <a href="https://kubernetes.io/docs/concepts/policy/limit-range/" rel="noopener noreferrer">LimitRange</a> is a policy defined within a specific namespace to constrain resource allocations for Pods and Containers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> ns-foo-bar.yaml namespace/foo created namespace/bar created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-resource-requests-limits.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">200m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">10Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">1</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">2Gi</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-resource-requests-limits.yaml <span class="nt">-n</span> foo pod/nginx created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># limitrange.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">LimitRange</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">resource-constraints</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">max</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">2Gi</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">1</span> <span class="na">min</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">50Mi</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">200m</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Container</span> <span class="na">default</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">0.5</span> <span class="na">defaultRequest</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">0.2</span> <span class="na">max</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">800m</span> <span class="na">min</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">50Mi</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> limitrange.yaml <span class="nt">-n</span> bar limitrange/resource-constraints created <span class="nv">$ </span>kubectl get limitranges <span class="nt">-n</span> bar NAME CREATED AT resource-constraints 2025-11-17T23:06:33Z <span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-resource-requests-limits.yaml <span class="nt">-n</span> bar Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: error when creating <span class="s2">"pod-resource-requests-limits.yaml"</span>: pods <span class="s2">"nginx"</span> is forbidden: <span class="o">[</span>minimum memory usage per Pod is 50Mi, but request is 10Mi, minimum memory usage per Container is 50Mi, but request is 10Mi, maximum cpu usage per Container is 800m, but limit is 1, maximum memory usage per Container is 1Gi, but limit is 2Gi] </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pod-basic.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">luksa/kubia</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubia</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> pod-basic.yaml <span class="nt">-n</span> bar pod/kubia created <span class="nv">$ </span>kubectl get pod/kubia <span class="nt">-n</span> bar <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">={</span>.spec.containers[0].resources<span class="o">}</span> <span class="o">{</span><span class="s2">"limits"</span>:<span class="o">{</span><span class="s2">"cpu"</span>:<span class="s2">"500m"</span>,<span class="s2">"memory"</span>:<span class="s2">"1Gi"</span><span class="o">}</span>,<span class="s2">"requests"</span>:<span class="o">{</span><span class="s2">"cpu"</span>:<span class="s2">"200m"</span>,<span class="s2">"memory"</span>:<span class="s2">"1Gi"</span><span class="o">}}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> ns-foo-bar.yaml namespace <span class="s2">"foo"</span> deleted namespace <span class="s2">"bar"</span> deleted </code></pre> </div> <h2> ResourceQuota <a></a> </h2> <p>A <a href="https://kubernetes.io/docs/concepts/policy/resource-quotas/" rel="noopener noreferrer">ResourceQuota</a> is an object that allows cluster administrators to limit the aggregated consumption of compute resources (CPU, memory, storage) and the number of API objects within a specific namespace.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create namespace baz namespace/baz created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># quota.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ResourceQuota</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">compute-resources-quota</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hard</span><span class="pi">:</span> <span class="na">requests.cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">requests.memory</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">limits.cpu</span><span class="pi">:</span> <span class="m">2</span> <span class="na">limits.memory</span><span class="pi">:</span> <span class="s">2Gi</span> <span class="na">pods</span><span class="pi">:</span> <span class="m">3</span> <span class="na">secrets</span><span class="pi">:</span> <span class="m">10</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> quota.yaml <span class="nt">-n</span> baz resourcequota/compute-resources-quota created <span class="nv">$ </span>kubectl describe <span class="nt">-n</span> baz quota Name: compute-resources-quota Namespace: baz Resource Used Hard <span class="nt">--------</span> <span class="nt">----</span> <span class="nt">----</span> limits.cpu 0 2 limits.memory 0 2Gi pods 0 3 requests.cpu 0 500m requests.memory 0 1Gi secrets 0 10 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># rs-resource-requests-limits.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ReplicaSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">200m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">10Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">1</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">2Gi</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> rs-resource-requests-limits.yaml <span class="nt">-n</span> baz replicaset.apps/nginx created <span class="nv">$ </span>kubectl describe <span class="nt">-n</span> baz quota Name: compute-resources-quota Namespace: baz Resource Used Hard <span class="nt">--------</span> <span class="nt">----</span> <span class="nt">----</span> limits.cpu 1 2 limits.memory 2Gi 2Gi pods 1 3 requests.cpu 200m 500m requests.memory 10Mi 1Gi secrets 0 10 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl scale <span class="nt">-n</span> baz rs/nginx <span class="nt">--replicas</span> 3 replicaset.apps/nginx scaled <span class="nv">$ </span>kubectl describe <span class="nt">-n</span> baz quota Name: compute-resources-quota Namespace: baz Resource Used Hard <span class="nt">--------</span> <span class="nt">----</span> <span class="nt">----</span> limits.cpu 1 2 limits.memory 2Gi 2Gi pods 1 3 requests.cpu 200m 500m requests.memory 10Mi 1Gi secrets 0 10 <span class="nv">$ </span>kubectl get rs <span class="nt">-n</span> baz NAME DESIRED CURRENT READY AGE nginx 3 1 1 1m52s <span class="nv">$ </span>kubectl events <span class="nt">-n</span> baz rs/nginx LAST SEEN TYPE REASON OBJECT MESSAGE 111s Normal Scheduled Pod/nginx-rwqnq Successfully assigned baz/nginx-rwqnq to kind-calico-worker2 111s Normal SuccessfulCreate ReplicaSet/nginx Created pod: nginx-rwqnq 110s Normal Pulling Pod/nginx-rwqnq Pulling image <span class="s2">"nginx:latest"</span> 109s Normal Started Pod/nginx-rwqnq Started container nginx 109s Normal Created Pod/nginx-rwqnq Created container: nginx 109s Normal Pulled Pod/nginx-rwqnq Successfully pulled image <span class="s2">"nginx:latest"</span> <span class="k">in </span>1.257s <span class="o">(</span>1.257s including waiting<span class="o">)</span><span class="nb">.</span> Image size: 59774010 bytes. 27s Warning FailedCreate ReplicaSet/nginx Error creating: pods <span class="s2">"nginx-rvzhm"</span> is forbidden: exceeded quota: compute-resources-quota, requested: limits.memory<span class="o">=</span>2Gi, used: limits.memory<span class="o">=</span>2Gi, limited: limits.memory<span class="o">=</span>2Gi 27s Warning FailedCreate ReplicaSet/nginx Error creating: pods <span class="s2">"nginx-64g4w"</span> is forbidden: exceeded quota: compute-resources-quota, requested: limits.memory<span class="o">=</span>2Gi, used: limits.memory<span class="o">=</span>2Gi, limited: limits.memory<span class="o">=</span>2Gi 27s Warning FailedCreate ReplicaSet/nginx Error creating: pods <span class="s2">"nginx-lgkm2"</span> is forbidden: exceeded quota: compute-resources-quota, requested: limits.memory<span class="o">=</span>2Gi, used: limits.memory<span class="o">=</span>2Gi, limited: limits.memory<span class="o">=</span>2Gi 27s Warning FailedCreate ReplicaSet/nginx Error creating: pods <span class="s2">"nginx-4776k"</span> is forbidden: exceeded quota: compute-resources-quota, requested: limits.memory<span class="o">=</span>2Gi, used: limits.memory<span class="o">=</span>2Gi, limited: limits.memory<span class="o">=</span>2Gi 27s Warning FailedCreate ReplicaSet/nginx Error creating: pods <span class="s2">"nginx-2trm4"</span> is forbidden: exceeded quota: compute-resources-quota, requested: limits.memory<span class="o">=</span>2Gi, used: limits.memory<span class="o">=</span>2Gi, limited: limits.memory<span class="o">=</span>2Gi 27s Warning FailedCreate ReplicaSet/nginx Error creating: pods <span class="s2">"nginx-c5t9z"</span> is forbidden: exceeded quota: compute-resources-quota, requested: limits.memory<span class="o">=</span>2Gi, used: limits.memory<span class="o">=</span>2Gi, limited: limits.memory<span class="o">=</span>2Gi 27s Warning FailedCreate ReplicaSet/nginx Error creating: pods <span class="s2">"nginx-8jkkk"</span> is forbidden: exceeded quota: compute-resources-quota, requested: limits.memory<span class="o">=</span>2Gi, used: limits.memory<span class="o">=</span>2Gi, limited: limits.memory<span class="o">=</span>2Gi 26s Warning FailedCreate ReplicaSet/nginx Error creating: pods <span class="s2">"nginx-44vv6"</span> is forbidden: exceeded quota: compute-resources-quota, requested: limits.memory<span class="o">=</span>2Gi, used: limits.memory<span class="o">=</span>2Gi, limited: limits.memory<span class="o">=</span>2Gi 26s Warning FailedCreate ReplicaSet/nginx Error creating: pods <span class="s2">"nginx-4m8jm"</span> is forbidden: exceeded quota: compute-resources-quota, requested: limits.memory<span class="o">=</span>2Gi, used: limits.memory<span class="o">=</span>2Gi, limited: limits.memory<span class="o">=</span>2Gi 7s <span class="o">(</span>x4 over 24s<span class="o">)</span> Warning FailedCreate ReplicaSet/nginx <span class="o">(</span>combined from similar events<span class="o">)</span>: Error creating: pods <span class="s2">"nginx-k65jl"</span> is forbidden: exceeded quota: compute-resources-quota, requested: limits.memory<span class="o">=</span>2Gi, used: limits.memory<span class="o">=</span>2Gi, limited: limits.memory<span class="o">=</span>2Gi </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete ns/baz namespace <span class="s2">"baz"</span> deleted </code></pre> </div> <h2> HorizontalPodAutoscaler <a></a> </h2> <p><a href="https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/" rel="noopener noreferrer">Horizontal Pod Autoscaler</a> is a component that automatically scales the number of <code>Pod</code> replicas in a <code>Deployment</code>, <code>ReplicaSet</code>, or <code>StatefulSet</code> based on observed metrics.</p> <h3> Installing the Metrics Server </h3> <p><a href="https://github.com/kubernetes-sigs/metrics-server/" rel="noopener noreferrer">Metrics Server</a> is a scalable, efficient source of container resource metrics for built-in autoscaling pipelines.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml serviceaccount/metrics-server created clusterrole.rbac.authorization.k8s.io/system:aggregated-metrics-reader created clusterrole.rbac.authorization.k8s.io/system:metrics-server created rolebinding.rbac.authorization.k8s.io/metrics-server-auth-reader created clusterrolebinding.rbac.authorization.k8s.io/metrics-server:system:auth-delegator created clusterrolebinding.rbac.authorization.k8s.io/system:metrics-server created service/metrics-server created deployment.apps/metrics-server created apiservice.apiregistration.k8s.io/v1beta1.metrics.k8s.io created <span class="nv">$ </span>kubectl patch <span class="nt">-n</span> kube-system deployment metrics-server <span class="nt">--type</span><span class="o">=</span>json <span class="nt">-p</span> <span class="s1">'[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--kubelet-insecure-tls"}]'</span> deployment.apps/metrics-server patched </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get apiservices | <span class="nb">grep </span>metrics.k8s.io v1beta1.metrics.k8s.io kube-system/metrics-server True 97s <span class="nv">$ </span>kubectl top node NAME CPU<span class="o">(</span>cores<span class="o">)</span> CPU% MEMORY<span class="o">(</span>bytes<span class="o">)</span> MEMORY% kind-calico-control-plane 146m 3% 1102Mi 13% kind-calico-worker 52m 1% 426Mi 5% kind-calico-worker2 49m 1% 303Mi 3% kind-calico-worker3 49m 1% 383Mi 4% </code></pre> </div> <h3> Setup the HPA </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># nginx-service.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="s">nginx</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> nginx-service.yaml deployment.apps/nginx created service/nginx created <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE nginx-54ff6b8849-lnsn6 1/1 Running 0 16s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># hpa.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">autoscaling/v2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HorizontalPodAutoscaler</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-hpa</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">scaleTargetRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">minReplicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxReplicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Resource</span> <span class="na">resource</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cpu</span> <span class="na">target</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Utilization</span> <span class="na">averageUtilization</span><span class="pi">:</span> <span class="m">30</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> hpa.yaml horizontalpodautoscaler.autoscaling/nginx-hpa created <span class="nv">$ </span>kubectl get hpa NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE nginx-hpa Deployment/nginx cpu: 0%/30% 1 5 1 16 <span class="nv">$ </span>kubectl get deployment NAME READY UP-TO-DATE AVAILABLE AGE nginx 1/1 1 1 83s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl run <span class="nt">-ti</span> <span class="nt">--rm</span> load-generator <span class="nt">--image</span><span class="o">=</span>alpine/curl <span class="nt">--restart</span><span class="o">=</span>Never <span class="nt">--pod-running-timeout</span><span class="o">=</span>10m <span class="nt">--</span> /bin/sh <span class="nt">-c</span> <span class="s2">"while true; do curl -sI http://nginx:80; done"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get hpa nginx-hpa <span class="nt">--watch</span> NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE nginx-hpa Deployment/nginx cpu: 0%/30% 1 5 1 62s nginx-hpa Deployment/nginx cpu: 10%/30% 1 5 1 91s nginx-hpa Deployment/nginx cpu: 53%/30% 1 5 1 106s nginx-hpa Deployment/nginx cpu: 48%/30% 1 5 2 2m1s nginx-hpa Deployment/nginx cpu: 29%/30% 1 5 2 2m16s nginx-hpa Deployment/nginx cpu: 25%/30% 1 5 2 2m31s nginx-hpa Deployment/nginx cpu: 24%/30% 1 5 2 3m1s nginx-hpa Deployment/nginx cpu: 25%/30% 1 5 2 3m16s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete po load-generator pod <span class="s2">"load-generator"</span> deleted <span class="nv">$ </span>kubectl get hpa nginx-hpa <span class="nt">--watch</span> NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE nginx-hpa Deployment/nginx cpu: 25%/30% 1 5 2 4m3s nginx-hpa Deployment/nginx cpu: 12%/30% 1 5 2 4m16s nginx-hpa Deployment/nginx cpu: 8%/30% 1 5 2 4m31s nginx-hpa Deployment/nginx cpu: 0%/30% 1 5 2 4m46s nginx-hpa Deployment/nginx cpu: 0%/30% 1 5 2 9m1s nginx-hpa Deployment/nginx cpu: 0%/30% 1 5 1 9m16s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete deployments/nginx deployment.apps <span class="s2">"nginx"</span> deleted <span class="nv">$ </span>kubectl delete hpa/nginx-hpa horizontalpodautoscaler.autoscaling <span class="s2">"nginx-hpa"</span> deleted </code></pre> </div> <h2> PodDisruptionBudget <a></a> </h2> <p>A <a href="https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets" rel="noopener noreferrer">PodDisruptionBudget</a> is an object that ensures a specified minimum number or percentage of pods remain available during voluntary disruptions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create deployment nginx <span class="nt">--image</span><span class="o">=</span>nginx <span class="nt">--replicas</span><span class="o">=</span>1 deployment.apps/nginx created <span class="nv">$ </span>kubectl get deployments.apps nginx NAME READY UP-TO-DATE AVAILABLE AGE nginx 1/1 1 1 21s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pdb.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">policy/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodDisruptionBudget</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-pdb</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">minAvailable</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create <span class="nt">-f</span> pdb.yaml poddisruptionbudget.policy/nginx-pdb created <span class="nv">$ </span>kubectl get pdb NAME MIN AVAILABLE MAX UNAVAILABLE ALLOWED DISRUPTIONS AGE nginx-pdb 2 N/A 0 29s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get po <span class="nt">-o</span> wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx-5869d7778c-cftzp 1/1 Running 0 11m 192.168.52.77 kind-calico-worker2 &lt;none&gt; &lt;none&gt; <span class="nv">$ </span>kubectl drain kind-calico-worker2 <span class="nt">--ignore-daemonsets</span> node/kind-calico-worker2 cordoned Warning: ignoring DaemonSet-managed Pods: kube-system/calico-node-9ghkn, kube-system/kube-proxy-zcrm6 evicting pod default/nginx-5869d7778c-cftzp error when evicting pods/<span class="s2">"nginx-5869d7778c-cftzp"</span> <span class="nt">-n</span> <span class="s2">"default"</span> <span class="o">(</span>will retry after 5s<span class="o">)</span>: Cannot evict pod as it would violate the pod<span class="s1">'s disruption budget. </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get no NAME STATUS ROLES AGE VERSION kind-calico-control-plane Ready control-plane 116m v1.33.1 kind-calico-worker Ready &lt;none&gt; 115m v1.33.1 kind-calico-worker2 Ready,SchedulingDisabled &lt;none&gt; 115m v1.33.1 kind-calico-worker3 Ready &lt;none&gt; 115m v1.33.1 <span class="nv">$ </span>kubectl get po <span class="nt">-o</span> wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx-5869d7778c-cftzp 1/1 Running 0 16m 192.168.52.77 kind-calico-worker2 &lt;none&gt; &lt;none&gt; </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl uncordon kind-calico-worker2 node/kind-calico-worker2 uncordoned <span class="nv">$ </span>kubectl get no NAME STATUS ROLES AGE VERSION kind-calico-control-plane Ready control-plane 116m v1.33.1 kind-calico-worker Ready &lt;none&gt; 116m v1.33.1 kind-calico-worker2 Ready &lt;none&gt; 116m v1.33.1 kind-calico-worker3 Ready &lt;none&gt; 116m v1.33.1 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete pdb/nginx-pdb poddisruptionbudget.policy <span class="s2">"nginx-pdb"</span> deleted <span class="nv">$ </span>kubectl delete deployments.apps/nginx deployment.apps <span class="s2">"nginx"</span> deleted </code></pre> </div> <h2> Taints and Tolerations <a></a> </h2> <p><a href="https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/" rel="noopener noreferrer">Taints and Tolerations</a> are mechanisms that work together to control pod placement on nodes.</p> <h3> Taints </h3> <p>A <code>taint</code> is applied to a node to indicate that the node should not accept certain pods. <code>Taints</code> are key-value pairs with an associated effect.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get nodes NAME STATUS ROLES AGE VERSION kind-calico-control-plane Ready control-plane 4d12h v1.33.1 kind-calico-worker Ready &lt;none&gt; 4d12h v1.33.1 kind-calico-worker2 Ready &lt;none&gt; 4d12h v1.33.1 kind-calico-worker3 Ready &lt;none&gt; 4d12h v1.33.1 <span class="nv">$ </span>kubectl get node/kind-calico-control-plane <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.taints}'</span> <span class="o">[{</span><span class="s2">"effect"</span>:<span class="s2">"NoSchedule"</span>,<span class="s2">"key"</span>:<span class="s2">"node-role.kubernetes.io/control-plane"</span><span class="o">}]</span> <span class="nv">$ </span>kubectl get node/kind-calico-worker <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.taints}'</span> <span class="err">$</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl taint node kind-calico-worker node-type<span class="o">=</span>production:NoSchedule node/kind-calico-worker tainted <span class="nv">$ </span>kubectl get node/kind-calico-worker <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.taints}'</span> <span class="o">[{</span><span class="s2">"effect"</span>:<span class="s2">"NoSchedule"</span>,<span class="s2">"key"</span>:<span class="s2">"node-type"</span>,<span class="s2">"value"</span>:<span class="s2">"production"</span><span class="o">}]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create deploy nginx <span class="nt">--image</span> nginx <span class="nt">--replicas</span><span class="o">=</span>5 deployment.apps/nginx created <span class="nv">$ </span>kubectl get po <span class="nt">-o</span> custom-columns<span class="o">=</span>NAME:.metadata.name,NODE:.spec.nodeName,STATUS:.status.phase NAME NODE STATUS nginx-5869d7778c-cxngx kind-calico-worker2 Running nginx-5869d7778c-d8fm2 kind-calico-worker3 Running nginx-5869d7778c-lpfjl kind-calico-worker2 Running nginx-5869d7778c-mmwhl kind-calico-worker3 Running nginx-5869d7778c-mqt2k kind-calico-worker2 Running </code></pre> </div> <h3> Tolerations </h3> <p>A <code>toleration</code> is applied to a pod and allows that pod to be scheduled on a node with a matching taint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># deployment-tolerations.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">tolerations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">node-type</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">Equal</span> <span class="na">value</span><span class="pi">:</span> <span class="s">production</span> <span class="na">effect</span><span class="pi">:</span> <span class="s">NoSchedule</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> deployment-tolerations.yaml Warning: resource deployments/nginx is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create <span class="nt">--save-config</span> or kubectl apply. The missing annotation will be patched automatically. deployment.apps/nginx configured <span class="nv">$ </span>kubectl get po NAME READY STATUS RESTARTS AGE nginx-6cd5747b88-75vfn 1/1 Running 0 3m40s nginx-6cd5747b88-gr7r8 1/1 Running 0 3m40s nginx-6cd5747b88-pqv6s 1/1 Running 0 3m37s nginx-6cd5747b88-xzpjl 1/1 Running 0 3m36s nginx-6cd5747b88-zzf7h 1/1 Running 0 3m39s <span class="nv">$ </span>kubectl get po <span class="nt">-o</span> custom-columns<span class="o">=</span>NAME:.metadata.name,NODE:.spec.nodeName,STATUS:.status.phase NAME NODE STATUS nginx-6cd5747b88-75vfn kind-calico-worker Running nginx-6cd5747b88-gr7r8 kind-calico-worker3 Running nginx-6cd5747b88-pqv6s kind-calico-worker Running nginx-6cd5747b88-xzpjl kind-calico-worker3 Running nginx-6cd5747b88-zzf7h kind-calico-worker2 Running </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl taint node kind-calico-worker2 node-type<span class="o">=</span>development:NoExecute node/kind-calico-worker2 tainted <span class="nv">$ </span>kubectl get po <span class="nt">-o</span> custom-columns<span class="o">=</span>NAME:.metadata.name,NODE:.spec.nodeName,STATUS:.status.phase NAME NODE STATUS nginx-6cd5747b88-6k6s2 kind-calico-worker3 Running nginx-6cd5747b88-75vfn kind-calico-worker Running nginx-6cd5747b88-gr7r8 kind-calico-worker3 Running nginx-6cd5747b88-pqv6s kind-calico-worker Running nginx-6cd5747b88-xzpjl kind-calico-worker3 Running </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete deployments.apps nginx deployment.apps <span class="s2">"nginx"</span> deleted <span class="nv">$ </span>kubectl taint node kind-calico-worker2 node-type<span class="o">=</span>development:NoExecute- node/kind-calico-worker2 untainted <span class="nv">$ </span>kubectl taint node kind-calico-worker node-type<span class="o">=</span>production:NoSchedule- node/kind-calico-worker untainted </code></pre> </div> <h2> Affinity <a></a> </h2> <p>Kubernetes <a href="https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity" rel="noopener noreferrer">affinity</a> is a powerful feature that allows for more expressive and flexible control over how pods are scheduled onto nodes within a cluster. It provides a more advanced alternative to <code>nodeSelector</code> for directing pod placement.</p> <h3> Node affinity </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get no NAME STATUS ROLES AGE VERSION kind-calico-control-plane Ready control-plane 5d11h v1.33.1 kind-calico-worker Ready &lt;none&gt; 5d11h v1.33.1 kind-calico-worker2 Ready &lt;none&gt; 5d11h v1.33.1 kind-calico-worker3 Ready &lt;none&gt; 5d11h v1.33.1 <span class="nv">$ </span>kubectl label node kind-calico-worker <span class="nv">disktype</span><span class="o">=</span>ssd node/kind-calico-worker labeled <span class="nv">$ </span>kubectl get no <span class="nt">-L</span> disktype NAME STATUS ROLES AGE VERSION DISKTYPE kind-calico-control-plane Ready control-plane 5d11h v1.33.1 kind-calico-worker Ready &lt;none&gt; 5d11h v1.33.1 ssd kind-calico-worker2 Ready &lt;none&gt; 5d11h v1.33.1 kind-calico-worker3 Ready &lt;none&gt; 5d11h v1.33.1 </code></pre> </div> <h4> Schedule a Pod using required node affinity </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># deployment-required-nodeaffinity.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">affinity</span><span class="pi">:</span> <span class="na">nodeAffinity</span><span class="pi">:</span> <span class="na">requiredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="na">nodeSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">disktype</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssd</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get po No resources found <span class="k">in </span>default namespace. <span class="nv">$ </span>kubectl apply <span class="nt">-f</span> deployment-required-nodeaffinity.yaml deployment.apps/nginx created <span class="nv">$ </span>kubectl get po <span class="nt">-o</span> custom-columns<span class="o">=</span>NAME:.metadata.name,NODE:.spec.nodeName,STATUS:.status.phase NAME NODE STATUS nginx-7bdd94c84c-6hxgp kind-calico-worker Running nginx-7bdd94c84c-kcbhv kind-calico-worker Running nginx-7bdd94c84c-kh2f7 kind-calico-worker Running nginx-7bdd94c84c-qshhl kind-calico-worker Running nginx-7bdd94c84c-thspc kind-calico-worker Running </code></pre> </div> <h4> Schedule a Pod using preferred node affinity </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl label node kind-calico-worker<span class="o">{</span>2,3<span class="o">}</span> <span class="nv">gpu</span><span class="o">=</span><span class="nb">true </span>node/kind-calico-worker2 labeled node/kind-calico-worker3 labeled <span class="nv">$ </span>kubectl get no <span class="nt">-L</span> disktype,gpu NAME STATUS ROLES AGE VERSION DISKTYPE GPU kind-calico-control-plane Ready control-plane 5d12h v1.33.1 kind-calico-worker Ready &lt;none&gt; 5d12h v1.33.1 ssd kind-calico-worker2 Ready &lt;none&gt; 5d12h v1.33.1 <span class="nb">true </span>kind-calico-worker3 Ready &lt;none&gt; 5d12h v1.33.1 <span class="nb">true</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># deployment-preffered-nodeaffinity.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">affinity</span><span class="pi">:</span> <span class="na">nodeAffinity</span><span class="pi">:</span> <span class="na">preferredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">80</span> <span class="na">preference</span><span class="pi">:</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">disktype</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssd</span> <span class="pi">-</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">20</span> <span class="na">preference</span><span class="pi">:</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">gpu</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">true"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> deployment-preffered-nodeaffinity.yaml deployment.apps/nginx configured <span class="nv">$ </span>kubectl get po <span class="nt">-o</span> custom-columns<span class="o">=</span>NAME:.metadata.name,NODE:.spec.nodeName,STATUS:.status.phase NAME NODE STATUS nginx-5898d5cc8d-46z7p kind-calico-worker2 Running nginx-5898d5cc8d-5q8rw kind-calico-worker Running nginx-5898d5cc8d-kkmdz kind-calico-worker Running nginx-5898d5cc8d-q95zw kind-calico-worker Running nginx-5898d5cc8d-r27b5 kind-calico-worker3 Running </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete deployments.apps nginx deployment.apps <span class="s2">"nginx"</span> deleted </code></pre> </div> <h3> Pod affinity and anti-affinity </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl run backend <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>backend <span class="nt">--image</span> busybox <span class="nt">--</span> <span class="nb">sleep </span>999999 pod/backend created <span class="nv">$ </span>kubectl get po <span class="nt">-o</span> custom-columns<span class="o">=</span>NAME:.metadata.name,NODE:.spec.nodeName,STATUS:.status.phase NAME NODE STATUS backend kind-calico-worker3 Running </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># deployment-required-podaffinity.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">affinity</span><span class="pi">:</span> <span class="na">podAffinity</span><span class="pi">:</span> <span class="na">requiredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">labelSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">topologyKey</span><span class="pi">:</span> <span class="s">kubernetes.io/hostname</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> deployment-required-podaffinity.yaml deployment.apps/frontend created <span class="nv">$ </span>kubectl get po <span class="nt">-o</span> custom-columns<span class="o">=</span>NAME:.metadata.name,NODE:.spec.nodeName,STATUS:.status.phase NAME NODE STATUS backend kind-calico-worker3 Running frontend-67c67944bf-lnw56 kind-calico-worker3 Pending frontend-67c67944bf-wc7j5 kind-calico-worker3 Pending frontend-67c67944bf-wxj65 kind-calico-worker3 Pending frontend-67c67944bf-xlc9r kind-calico-worker3 Running frontend-67c67944bf-xs79k kind-calico-worker3 Running </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># deployment-required-podantiaffinity.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">affinity</span><span class="pi">:</span> <span class="na">podAntiAffinity</span><span class="pi">:</span> <span class="na">requiredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">labelSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">topologyKey</span><span class="pi">:</span> <span class="s">kubernetes.io/hostname</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> deployment-required-podaffinity.yaml deployment.apps/frontend created <span class="nv">$ </span>kubectl get po <span class="nt">-o</span> custom-columns<span class="o">=</span>NAME:.metadata.name,NODE:.spec.nodeName,STATUS:.status.phase NAME NODE STATUS backend kind-calico-worker3 Running frontend-6dd9b5dbb9-cnswz kind-calico-worker Running frontend-6dd9b5dbb9-f8lmq kind-calico-worker Running frontend-6dd9b5dbb9-lph98 kind-calico-worker2 Running frontend-6dd9b5dbb9-m424v kind-calico-worker2 Running frontend-6dd9b5dbb9-mbqmm kind-calico-worker2 Running </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete deployments.apps frontend deployment.apps <span class="s2">"frontend"</span> deleted <span class="nv">$ </span>kubectl delete pod/backend pod <span class="s2">"backend"</span> deleted </code></pre> </div> <h3> Cleanup </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kind delete clusters kind-calico Deleted nodes: <span class="o">[</span><span class="s2">"kind-calico-worker"</span> <span class="s2">"kind-calico-worker3"</span> <span class="s2">"kind-calico-worker2"</span> <span class="s2">"kind-calico-control-plane"</span><span class="o">]</span> Deleted clusters: <span class="o">[</span><span class="s2">"kind-calico"</span><span class="o">]</span> </code></pre> </div> kubernetes kind devops Configure TLS in Redis Cluster Ježek Wed, 09 Apr 2025 18:32:08 +0000 https://dev.to/hedgehog/configure-tls-in-redis-cluster-50ec https://dev.to/hedgehog/configure-tls-in-redis-cluster-50ec <p><a href="https://ru.wikipedia.org/wiki/TLS" rel="noopener noreferrer">Transport Layer Security (TLS)</a> is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.</p> <p><a href="http://redis.io/" rel="noopener noreferrer">Redis</a>® also supports TLS by design.</p> <p>This article shows how to configure TLS in a Redis Cluster</p> <h2> Prerequisites </h2> <ul> <li>You have installed Redis Cluster in accordance with article <a href="https://dev.to/hedgehog/setup-a-redis-cluster-using-redis-stack-4jdl">Setup a Redis Cluster with using Redis Stack</a> </li> <li>You have been issued certificates for the servers of your cluster nodes</li> </ul> <h2> Configure Redis configuration files </h2> <p>On all nodes add following mandatory settings into <code>redis_7000.conf</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c"># By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration # directive can be used to define TLS-listening ports. To enable TLS on the default port, use: # </span><span class="err">port</span> <span class="err">0</span> <span class="err">tls-port</span> <span class="err">7000</span> <span class="c"># The cluster port is the port that the cluster bus will listen for inbound connections on. When set # to the default value, 0, it will be bound to the command port + 10000. Setting this value requires # you to specify the cluster bus port when executing cluster meet. # </span><span class="err">cluster-port</span> <span class="err">17000</span> <span class="c"># Configure a X.509 certificate and private key to use for authenticating the # server to connected clients, masters or cluster peers. These files should be PEM formatted. # </span><span class="err">tls-cert-file</span> <span class="err">redis.crt</span> <span class="err">tls-key-file</span> <span class="err">redis.key</span> <span class="c"># Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL clients and peers. # </span><span class="err">tls-ca-cert-dir</span> <span class="err">/etc/ssl/certs</span> <span class="c"># By default, clients (including replica servers) on a TLS port are required # to authenticate using valid client side certificates. # If "no" is specified, client certificates are not required and not accepted. # If "optional" is specified, client certificates are accepted and must be # valid if provided, but are not required. # </span><span class="err">tls-auth-clients</span> <span class="err">yes</span> <span class="c"># By default, a Redis replica does not attempt to establish a TLS connection with its master. # Use the following directive to enable TLS on replication links. # </span><span class="err">tls-replication</span> <span class="err">yes</span> <span class="c"># By default, the Redis Cluster bus uses a plain TCP connection. To enable # TLS for the bus protocol, use the following directive: # </span><span class="err">tls-cluster</span> <span class="err">yes</span> <span class="c"># By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended # that older formally deprecated versions are kept disabled to reduce the attack surface. # You can explicitly specify TLS versions to support. # Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2", # "TLSv1.3" (OpenSSL &gt;= 1.1.1) or any combination. # </span><span class="err">tls-protocols</span> <span class="err">"TLSv1.2"</span> <span class="c"># Configure allowed ciphers. See the ciphers(1ssl) manpage for more information about the syntax of this string. # Note: this configuration applies only to &lt;= TLSv1.2. # </span><span class="err">tls-ciphers</span> <span class="err">DEFAULT:!MEDIUM</span> <span class="c"># When choosing a cipher, use the server's preference instead of the client # preference. By default, the server follows the client's preference. # </span><span class="err">tls-prefer-server-ciphers</span> <span class="err">yes</span> <span class="c"># Enable TLS session caching to allow faster and less expensive # reconnections by clients that support it. # </span><span class="err">tls-session-caching</span> <span class="err">yes</span> <span class="c"># Change the default number of TLS sessions cached. A zero value sets the cache # to unlimited size. The default size is 20480. # </span><span class="err">tls-session-cache-size</span> <span class="err">20480</span> <span class="c"># Change the default timeout of cached TLS sessions. The default timeout is 300 seconds. # </span><span class="err">tls-session-cache-timeout</span> <span class="err">300</span> </code></pre> </div> <p>Apply same relevant mandatory settings in <code>redis_7001.conf</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="err">port</span> <span class="err">0</span> <span class="err">tls-port</span> <span class="err">7001</span> <span class="err">cluster-port</span> <span class="err">17001</span> <span class="err">tls-cert-file</span> <span class="err">redis.crt</span> <span class="err">tls-key-file</span> <span class="err">redis.key</span> <span class="err">tls-ca-cert-dir</span> <span class="err">/etc/ssl/certs</span> <span class="err">tls-auth-clients</span> <span class="err">yes</span> <span class="err">tls-replication</span> <span class="err">yes</span> <span class="err">tls-cluster</span> <span class="err">yes</span> <span class="err">tls-protocols</span> <span class="err">"TLSv1.2"</span> <span class="err">tls-ciphers</span> <span class="err">DEFAULT:!MEDIUM</span> <span class="err">tls-prefer-server-ciphers</span> <span class="err">yes</span> <span class="err">tls-session-caching</span> <span class="err">yes</span> <span class="err">tls-session-cache-size</span> <span class="err">20480</span> <span class="err">tls-session-cache-timeout</span> <span class="err">300</span> </code></pre> </div> <h2> Redis commands with TLS </h2> <ul> <li> <p>Create a cluster:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">--cluster</span> create <span class="se">\</span> 10.0.0.124:7000 10.0.0.125:7000 10.0.0.126:7000 <span class="se">\</span> 10.0.0.124:7001 10.0.0.125:7001 10.0.0.126:7001 <span class="se">\</span> <span class="nt">--cluster-replicas</span> 1 <span class="nt">--askpass</span> <span class="se">\</span> <span class="nt">--tls</span> <span class="nt">--cert</span> redis.crt <span class="nt">--key</span> redis.key </code></pre> </li> <li> <p>List the cluster nodes:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">-c</span> <span class="nt">-h</span> 10.0.0.124 <span class="nt">-p</span> 7000 <span class="nt">--askpass</span> <span class="se">\</span> <span class="nt">--tls</span> <span class="nt">--cert</span> redis.crt <span class="nt">--key</span> redis.key <span class="se">\</span> cluster nodes </code></pre> </li> <li> <p>Check the cluster:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">--cluster</span> check 10.0.0.124:7000 <span class="nt">--askpass</span> <span class="se">\</span> <span class="nt">--tls</span> <span class="nt">--cert</span> redis.crt <span class="nt">--key</span> redis.key </code></pre> </li> <li> <p>Interactive mode:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">-c</span> <span class="nt">-h</span> 10.0.0.124 <span class="nt">-p</span> 7000 <span class="nt">--askpass</span> <span class="se">\</span> <span class="nt">--tls</span> <span class="nt">--cert</span> redis.crt <span class="nt">--key</span> redis.key </code></pre> </li> </ul> redis tls ssl Comprehensive guide to Ježek Tue, 01 Apr 2025 09:35:24 +0000 https://dev.to/hedgehog/-3n2e https://dev.to/hedgehog/-3n2e <div class="ltag__link--embedded"> <div class="crayons-story "> <a href="https://dev.to/hedgehog/setup-a-redis-cluster-using-redis-stack-4jdl" class="crayons-story__hidden-navigation-link">Setup a Redis Cluster with using Redis Stack</a> <div class="crayons-story__body crayons-story__body-full_post"> <div class="crayons-story__top"> <div class="crayons-story__meta"> <div class="crayons-story__author-pic"> <a href="/hedgehog" class="crayons-avatar crayons-avatar--l "> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1712568%2Fc283581e-f5d4-4b95-827f-ea64399009b9.jpeg" alt="hedgehog profile" class="crayons-avatar__image"> </a> </div> <div> <div> <a href="/hedgehog" class="crayons-story__secondary fw-medium m:hidden"> Ježek </a> <div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"> Ježek <div id="story-author-preview-content-2358576" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"> <div class="gap-4 grid"> <div class="-mt-4"> <a href="/hedgehog" class="flex"> <span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1712568%2Fc283581e-f5d4-4b95-827f-ea64399009b9.jpeg" class="crayons-avatar__image" alt=""> </span> <span class="crayons-link crayons-subtitle-2 mt-5">Ježek</span> </a> </div> <div class="print-hidden"> Follow </div> <div class="author-preview-metadata-container"></div> </div> </div> </div> </div> <a href="https://dev.to/hedgehog/setup-a-redis-cluster-using-redis-stack-4jdl" class="crayons-story__tertiary fs-xs"><time>Mar 27 '25</time><span class="time-ago-indicator-initial-placeholder"></span></a> </div> </div> </div> <div class="crayons-story__indention"> <h2 class="crayons-story__title crayons-story__title-full_post"> <a href="https://dev.to/hedgehog/setup-a-redis-cluster-using-redis-stack-4jdl" id="article-link-2358576"> Setup a Redis Cluster with using Redis Stack </a> </h2> <div class="crayons-story__tags"> <a class="crayons-tag crayons-tag--monochrome " href="/t/redis"><span class="crayons-tag__prefix">#</span>redis</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/devops"><span class="crayons-tag__prefix">#</span>devops</a> </div> <div class="crayons-story__bottom"> <div class="crayons-story__details"> <a href="https://dev.to/hedgehog/setup-a-redis-cluster-using-redis-stack-4jdl" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"> <div class="multiple_reactions_aggregate"> <span class="multiple_reactions_icons_container"> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/sparkle-heart-5f9bee3767e18deb1bb725290cb151c25234768a0e9a2bd39370c382d02920cf.svg" width="18" height="18"> </span> </span> <span class="aggregate_reactions_counter">6<span class="hidden s:inline"> reactions</span></span> </div> </a> <a href="https://dev.to/hedgehog/setup-a-redis-cluster-using-redis-stack-4jdl#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"> Comments 2<span class="hidden s:inline"> comments</span> </a> </div> <div class="crayons-story__save"> <small class="crayons-story__tertiary fs-xs mr-2"> 8 min read </small> <span class="bm-initial"> </span> <span class="bm-success"> </span> </div> </div> </div> </div> </div> </div> redis Setup a Redis Cluster with using Redis Stack Ježek Thu, 27 Mar 2025 03:35:12 +0000 https://dev.to/hedgehog/setup-a-redis-cluster-using-redis-stack-4jdl https://dev.to/hedgehog/setup-a-redis-cluster-using-redis-stack-4jdl <p><a href="http://redis.io/" rel="noopener noreferrer">Redis</a>® Cluster is a fully distributed implementation with automated sharding capabilities (horizontal scaling capabilities), designed for high performance and linear scaling up to 1000 nodes.</p> <p>This article shows how to set up a Redis Cluster using <a href="https://redis.io/about/about-stack/" rel="noopener noreferrer">Redis Stack</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpuw27lta056dlge4tmb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpuw27lta056dlge4tmb.png" alt=" " width="800" height="485"></a></p> <h2> Prerequisites </h2> <p>Linux preinstalled servers, e.g.:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Host name</th> <th>IP</th> </tr> </thead> <tbody> <tr> <td>redis-1</td> <td>10.0.0.124</td> </tr> <tr> <td>redis-2</td> <td>10.0.0.125</td> </tr> <tr> <td>redis-3</td> <td>10.0.0.126</td> </tr> </tbody> </table></div> <p>Cluster topology:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>redis-1</th> <th>redis-2</th> <th>redis-3</th> </tr> </thead> <tbody> <tr> <td>Primary M1 (port 7000)</td> <td>Primary M2 (port 7000)</td> <td>Primary M3 (port 7000)</td> </tr> <tr> <td>Replica S3 (port 7001)</td> <td>Replica S1 (port 7001)</td> <td>Replica S2 (port 7001)</td> </tr> </tbody> </table></div> <h2> Setup Redis Cluster </h2> <h3> Install and configure three Redis nodes of the cluster </h3> <ol> <li>Connect to all hosts.</li> <li> <p>Create the file <code>/etc/yum.repos.d/redis.repo</code> with the following contents:<br> </p> <pre class="highlight ini"><code><span class="nn">[Redis]</span> <span class="py">name</span><span class="p">=</span><span class="s">Redis</span> <span class="py">baseurl</span><span class="p">=</span><span class="s">http://packages.redis.io/rpm/rhel9 # replace rhel7 with the appropriate value for your platform</span> <span class="py">enabled</span><span class="p">=</span><span class="s">1</span> <span class="py">gpgcheck</span><span class="p">=</span><span class="s">1</span> </code></pre> </li> <li> <p>Run the following commands to install <code>Redis Stack</code>:<br> </p> <pre class="highlight shell"><code>curl <span class="nt">-fsSL</span> https://packages.redis.io/gpg <span class="o">&gt;</span> /tmp/redis.key <span class="nb">sudo </span>rpm <span class="nt">--import</span> /tmp/redis.key <span class="nb">sudo </span>yum <span class="nb">install </span>epel-release <span class="nb">sudo </span>yum <span class="nb">install </span>redis-stack-server <span class="nb">sudo </span>systemctl disable redis-stack-server.service </code></pre> <p><em>Note</em>: in order to start the <code>redis-stack-server</code> service, you may need to install the <code>libssl</code> module (e.g. <code>libssl.so.10</code>):<br> </p> <pre class="highlight shell"><code><span class="nb">sudo </span>yum compat-openssl10.x86-64 </code></pre> </li> <li> <p>Create and edit the <code>/etc/rc.local</code>, add the following content to the file:<br> </p> <pre class="highlight plaintext"><code>#!/bin/sh -e echo never &gt; /sys/kernel/mm/transparent_hugepage/enabled sysctl -w net.core.somaxconn=65535 exit 0 </code></pre> </li> <li> <p>Give executable permissions to the <code>/etc/rc.local</code> file by running the following command:<br> </p> <pre class="highlight shell"><code><span class="nb">sudo chmod</span> +x /etc/rc.local </code></pre> </li> <li> <p>Edit the <code>/etc/sysctl.conf</code> file, add the following line at the end of the file:<br> </p> <pre class="highlight ini"><code><span class="py">vm.overcommit_memory</span><span class="p">=</span><span class="s">1</span> </code></pre> </li> <li> <p>Set <code>ulimit</code> values to ensure optimal compatibility and performance for Redis. Create the file <code>/etc/security/limits.d/90-redis.conf</code> with the following content:<br> </p> <pre class="highlight ini"><code><span class="err">@redis</span> <span class="err">-</span> <span class="err">nofile</span> <span class="err">20480</span> <span class="err">@redis</span> <span class="err">-</span> <span class="err">stack</span> <span class="err">10240</span> <span class="err">@redis</span> <span class="err">-</span> <span class="err">nproc</span> <span class="err">10240</span> </code></pre> </li> <li> <p>Create the necessary folders by running the following commands:<br> </p> <pre class="highlight shell"><code><span class="nb">sudo mkdir</span> <span class="nt">-p</span> /etc/redis/cluster/<span class="o">{</span>7000,7001<span class="o">}</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /var/lib/redis/<span class="o">{</span>7000,7001<span class="o">}</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /var/<span class="o">{</span>run,log<span class="o">}</span>/redis </code></pre> </li> <li> <p>Create the file <code>/etc/redis/cluster/7000/redis_7000.conf</code> with the following content:<br> </p> <pre class="highlight ini"><code><span class="err">protected-mode</span> <span class="err">no</span> <span class="err">port</span> <span class="err">7000</span> <span class="err">bind</span> <span class="err">0.0.0.0</span> <span class="err">loadmodule</span> <span class="err">/opt/redis-stack/lib/rediscompat.so</span> <span class="err">loadmodule</span> <span class="err">/opt/redis-stack/lib/redisearch.so</span> <span class="err">loadmodule</span> <span class="err">/opt/redis-stack/lib/redistimeseries.so</span> <span class="err">loadmodule</span> <span class="err">/opt/redis-stack/lib/rejson.so</span> <span class="err">loadmodule</span> <span class="err">/opt/redis-stack/lib/redisbloom.so</span> <span class="err">loadmodule</span> <span class="err">/opt/redis-stack/lib/redisgears.so</span> <span class="err">v8-plugin-path</span> <span class="err">/opt/redis-stack/lib/libredisgears_v8_plugin.so</span> <span class="err">dir</span> <span class="err">/var/lib/redis/7000/</span> <span class="err">appendonly</span> <span class="err">yes</span> <span class="err">cluster-enabled</span> <span class="err">yes</span> <span class="err">cluster-node-timeout</span> <span class="err">5000</span> <span class="err">cluster-config-file</span> <span class="err">/etc/redis/cluster/7000/nodes_7000.conf</span> <span class="err">pidfile</span> <span class="err">/var/run/redis/redis_7000.pid</span> <span class="err">logfile</span> <span class="err">/var/log/redis/redis_7000.log</span> <span class="err">loglevel</span> <span class="err">notice</span> <span class="err">requirepass</span> <span class="nn">[ACCESSKEY]</span> <span class="err">masterauth</span> <span class="nn">[ACCESSKEY]</span> <span class="err">enable-debug-command</span> <span class="err">local</span> </code></pre> </li> <li> <p>Create the file <code>/etc/redis/cluster/7001/redis_7001.conf</code> with the following content:<br> </p> <pre class="highlight ini"><code><span class="err">protected-mode</span> <span class="err">no</span> <span class="err">port</span> <span class="err">7001</span> <span class="err">bind</span> <span class="err">0.0.0.0</span> <span class="err">loadmodule</span> <span class="err">/opt/redis-stack/lib/rediscompat.so</span> <span class="err">loadmodule</span> <span class="err">/opt/redis-stack/lib/redisearch.so</span> <span class="err">loadmodule</span> <span class="err">/opt/redis-stack/lib/redistimeseries.so</span> <span class="err">loadmodule</span> <span class="err">/opt/redis-stack/lib/rejson.so</span> <span class="err">loadmodule</span> <span class="err">/opt/redis-stack/lib/redisbloom.so</span> <span class="err">loadmodule</span> <span class="err">/opt/redis-stack/lib/redisgears.so</span> <span class="err">v8-plugin-path</span> <span class="err">/opt/redis-stack/lib/libredisgears_v8_plugin.so</span> <span class="err">dir</span> <span class="err">/var/lib/redis/7001/</span> <span class="err">appendonly</span> <span class="err">yes</span> <span class="err">cluster-enabled</span> <span class="err">yes</span> <span class="err">cluster-node-timeout</span> <span class="err">5000</span> <span class="err">cluster-config-file</span> <span class="err">/etc/redis/cluster/7001/nodes_7001.conf</span> <span class="err">pidfile</span> <span class="err">/var/run/redis/redis_7001.pid</span> <span class="err">logfile</span> <span class="err">/var/log/redis/redis_7001.log</span> <span class="err">loglevel</span> <span class="err">notice</span> <span class="err">requirepass</span> <span class="nn">[ACCESSKEY]</span> <span class="err">masterauth</span> <span class="nn">[ACCESSKEY]</span> <span class="err">enable-debug-command</span> <span class="err">local</span> </code></pre> </li> <li> <p>Create a <code>redis</code> user and a <code>redis</code> group for the Redis services and give them the correct permissions by running the following commands:<br> </p> <pre class="highlight shell"><code><span class="nb">sudo chown </span>redis:redis <span class="nt">-R</span> /var/lib/redis <span class="nb">sudo chmod </span>770 <span class="nt">-R</span> /var/lib/redis <span class="nb">sudo chown </span>redis:redis <span class="nt">-R</span> /etc/redis <span class="nb">sudo chown </span>redis:redis /var/<span class="o">{</span>run,log<span class="o">}</span>/redis </code></pre> </li> <li> <p>Create the file <code>/etc/systemd/system/redis_7000.service</code> with the following content:<br> </p> <pre class="highlight ini"><code><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="s">Redis key-value database on 7000</span> <span class="py">Wants</span><span class="p">=</span><span class="s">network-online.target</span> <span class="py">After</span><span class="p">=</span><span class="s">network-online.target</span> <span class="nn">[Service]</span> <span class="py">ExecStart</span><span class="p">=</span><span class="s">/opt/redis-stack/bin/redis-server /etc/redis/cluster/7000/redis_7000.conf --daemonize no --supervised no</span> <span class="py">Type</span><span class="p">=</span><span class="s">simple</span> <span class="py">User</span><span class="p">=</span><span class="s">redis</span> <span class="py">Group</span><span class="p">=</span><span class="s">redis</span> <span class="py">RuntimeDirectory</span><span class="p">=</span><span class="s">redis</span> <span class="py">RuntimeDirectoryMode</span><span class="p">=</span><span class="s">0755</span> <span class="nn">[Install]</span> <span class="py">WantedBy</span><span class="p">=</span><span class="s">multi-user.target</span> </code></pre> </li> <li> <p>Create the file <code>/etc/systemd/system/redis_7001.service</code> with the following content:<br> </p> <pre class="highlight ini"><code><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="s">Redis key-value database on 7001</span> <span class="py">Wants</span><span class="p">=</span><span class="s">network-online.target</span> <span class="py">After</span><span class="p">=</span><span class="s">network-online.target</span> <span class="nn">[Service]</span> <span class="py">ExecStart</span><span class="p">=</span><span class="s">/usr/bin/redis-server /etc/redis/cluster/7001/redis_7001.conf --daemonize no --supervised no</span> <span class="py">Type</span><span class="p">=</span><span class="s">simple</span> <span class="py">User</span><span class="p">=</span><span class="s">redis</span> <span class="py">Group</span><span class="p">=</span><span class="s">redis</span> <span class="py">RuntimeDirectory</span><span class="p">=</span><span class="s">redis</span> <span class="py">RuntimeDirectoryMode</span><span class="p">=</span><span class="s">0755</span> <span class="nn">[Install]</span> <span class="py">WantedBy</span><span class="p">=</span><span class="s">multi-user.target</span> </code></pre> </li> <li> <p>Tell <code>systemd</code> to start the two services <code>redis_7000.service</code> and <code>redis_7001.service</code> automatically at server boot by running the following commands:<br> </p> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl <span class="nb">enable</span> /etc/systemd/system/redis_7000.service <span class="nb">sudo </span>systemctl <span class="nb">enable</span> /etc/systemd/system/redis_7001.service </code></pre> </li> <li> <p>Reboot the server:<br> </p> <pre class="highlight shell"><code><span class="nb">sudo </span>reboot </code></pre> </li> </ol> <h3> Validate the installation of the Redis services </h3> <ol> <li> <p>Check the status of the <code>redis_7000</code> and <code>redis_7001</code> services by running the following command:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl status redis_7000 ● redis_7000.service - Redis key-value database on 7000 Loaded: loaded <span class="o">(</span>/etc/systemd/system/redis_7000.service<span class="p">;</span> enabled<span class="p">;</span> vendor preset: disabled<span class="o">)</span> Active: active <span class="o">(</span>running<span class="o">)</span> since Thu 2025-03-27 03:42:15 UTC<span class="p">;</span> 22min ago Main PID: 727 <span class="o">(</span>redis-server<span class="o">)</span> Tasks: 7 <span class="o">(</span>limit: 4650<span class="o">)</span> Memory: 18.9M CPU: 3.365s CGroup: /system.slice/redis_7000.service └─ 727 <span class="s2">"/opt/redis-stack/bin/redis-server *:7000 [cluster]"</span> </code></pre> </li> <li> <p>Check the <code>redis_7000</code> and <code>redis_7001</code> logs on all servers:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">tail</span> <span class="nt">-n</span> 3 /var/log/redis/redis_7000.log 727:M 27 Mar 2025 03:42:17.641 <span class="k">*</span> DB loaded from append only file: 0.312 seconds 727:M 27 Mar 2025 03:42:17.641 <span class="k">*</span> Opening AOF incr file appendonly.aof.1.incr.aof on server start 727:M 27 Mar 2025 03:42:17.642 <span class="k">*</span> Ready to accept connections tcp </code></pre> </li> </ol> <p>You shouldn't have any warnings in log files.</p> <p>After checking that all servers are well configured, you can proceed with the Redis cluster configuration.</p> <h2> Set up the Redis Cluster </h2> <h3> Configure the cluster </h3> <ol> <li>Connect to one of the Redis server.</li> <li> <p>To create a cluster run the following command:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">--cluster</span> create <span class="se">\</span> 10.0.0.124:7000 10.0.0.125:7000 10.0.0.126:7000 <span class="se">\</span> 10.0.0.124:7001 10.0.0.125:7001 10.0.0.126:7001 <span class="se">\</span> <span class="nt">--cluster-replicas</span> 1 <span class="nt">-a</span> <span class="o">[</span>ACCESSKEY] </code></pre> <p>The output should be similar to the following:<br> </p> <pre class="highlight plaintext"><code>&gt;&gt;&gt; Performing hash slots allocation on 6 nodes... Master[0] -&gt; Slots 0 - 5460 Master[1] -&gt; Slots 5461 - 10922 Master[2] -&gt; Slots 10923 - 16383 Adding replica 10.0.0.125:7001 to 10.0.0.124:7000 Adding replica 10.0.0.126:7001 to 10.0.0.125:7000 Adding replica 10.0.0.124:7001 to 10.0.0.126:7000 M: 41b58d5cea81103d296ee70e31aa56dfa0f1aa30 10.0.0.124:7000 slots:[0-5460] (5461 slots) master M: 2ae13d480218fc91235bdc727c57edef941817a7 10.0.0.125:7000 slots:[5461-10922] (5462 slots) master M: 0848285de9827407af8ee8da81bcc645be57793c 10.0.0.126:7000 slots:[10923-16383] (5461 slots) master S: 779283793850c6c8a30425ae2ef780114585a64e 10.0.0.124:7001 replicates 0848285de9827407af8ee8da81bcc645be57793c S: b2fa3c3902639db13e0a245a4f08f8657a4d06ac 10.0.0.125:7001 replicates 41b58d5cea81103d296ee70e31aa56dfa0f1aa30 S: 095098c7e15b2e1021e215abe0ace4fd0f841328 10.0.0.126:7001 replicates 2ae13d480218fc91235bdc727c57edef941817a7 Can I set the above configuration? (type 'yes' to accept): </code></pre> </li> <li> <p>Type <code>yes</code> and press <code>Enter</code> to accept the proposed configuration. <br> You get the configuration details in the output:<br> </p> <pre class="highlight plaintext"><code>Can I set the above configuration? (type 'yes' to accept): yes &gt;&gt;&gt; Nodes configuration updated &gt;&gt;&gt; Assign a different config epoch to each node &gt;&gt;&gt; Sending CLUSTER MEET messages to join the cluster Waiting for the cluster to join . &gt;&gt;&gt; Performing Cluster Check (using node 10.0.0.124:7000) M: 41b58d5cea81103d296ee70e31aa56dfa0f1aa30 10.0.0.124:7000 slots:[0-5460] (5461 slots) master 1 additional replica(s) M: 2ae13d480218fc91235bdc727c57edef941817a7 10.0.0.125:7000 slots:[5461-10922] (5462 slots) master 1 additional replica(s) S: 095098c7e15b2e1021e215abe0ace4fd0f841328 10.0.0.126:7001 slots: (0 slots) slave replicates 2ae13d480218fc91235bdc727c57edef941817a7 S: 779283793850c6c8a30425ae2ef780114585a64e 10.0.0.124:7001 slots: (0 slots) slave replicates 0848285de9827407af8ee8da81bcc645be57793c S: b2fa3c3902639db13e0a245a4f08f8657a4d06ac 10.0.0.125:7001 slots: (0 slots) slave replicates 41b58d5cea81103d296ee70e31aa56dfa0f1aa30 M: 0848285de9827407af8ee8da81bcc645be57793c 10.0.0.126:7000 slots:[10923-16383] (5461 slots) master 1 additional replica(s) [OK] All nodes agree about slots configuration. &gt;&gt;&gt; Check for open slots... &gt;&gt;&gt; Check slots coverage... [OK] All 16384 slots covered. </code></pre> </li> </ol> <h3> Checking the Redis Cluster </h3> <ol> <li> <p>Run the following command:<br> </p> <pre class="highlight shell"><code>redis-cli <span class="nt">-c</span> <span class="nt">-h</span> 10.0.0.124 <span class="nt">-p</span> 7000 <span class="nt">-a</span> <span class="o">[</span>ACCESSKEY] cluster nodes </code></pre> <p>The output should be similar to the following:<br> </p> <pre class="highlight plaintext"><code>2ae13d480218fc91235bdc727c57edef941817a7 10.0.0.125:7000@17000 master - 0 1743042394000 2 connected 5461-10922 095098c7e15b2e1021e215abe0ace4fd0f841328 10.0.0.126:7001@17001 slave 2ae13d480218fc91235bdc727c57edef941817a7 0 1743042394892 2 connected 779283793850c6c8a30425ae2ef780114585a64e 10.0.0.124:7001@17001 slave 0848285de9827407af8ee8da81bcc645be57793c 0 1743042394587 3 connected b2fa3c3902639db13e0a245a4f08f8657a4d06ac 10.0.0.125:7001@17001 slave 41b58d5cea81103d296ee70e31aa56dfa0f1aa30 0 1743042394586 1 connected 41b58d5cea81103d296ee70e31aa56dfa0f1aa30 10.0.0.124:7000@17000 myself,master - 0 0 1 connected 0-5460 0848285de9827407af8ee8da81bcc645be57793c 10.0.0.126:7000@17000 master - 0 1743042393568 3 connected 10923-16383 </code></pre> <p>Since everything looks OK, perform a several <code>SET</code> and <code>GET</code> commands to test if the Redis Cluster behaves as expected.</p> </li> <li> <p>Connect to Redis Master:<br> </p> <pre class="highlight shell"><code>redis-cli <span class="nt">-c</span> <span class="nt">-h</span> 10.0.0.124 <span class="nt">-p</span> 7000 <span class="nt">-a</span> <span class="o">[</span>ACCESSKEY] </code></pre> </li> <li> <p>Run a several <code>SET</code> and <code>GET</code> commands to check the behavior of the Redis Cluster:<br> </p> <pre class="highlight shell"><code>10.0.0.124:7000&gt; SET foo bar -&gt; Redirected to slot <span class="o">[</span>12182] located at 10.0.0.126:7000 OK 10.0.0.124:7000&gt; GET foo <span class="s2">"bar"</span> </code></pre> <p>As you can see the Redis sends the key to the correct hash slot.</p> </li> </ol> <h2> Testing the failover </h2> <p>This section shows how to test the failover behavior of a Redis Cluster.</p> <h3> Master node failure </h3> <ol> <li> <p>Run the following command on Master node:<br> </p> <pre class="highlight shell"><code>redis-cli <span class="nt">-c</span> <span class="nt">-h</span> 127.0.0.0 <span class="nt">-p</span> 7000 <span class="nt">-a</span> <span class="o">[</span>ACCESSKEY] DEBUG <span class="nb">sleep </span>40 </code></pre> <p>This command makes this Master unreachable by the replicas during 40 seconds, forcing the associated Replica (port 7001) on server <code>redis-2</code> to take over and change its role to Master.</p> </li> <li> <p>Check roles:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">-c</span> <span class="nt">-h</span> 127.0.0.0 <span class="nt">-p</span> 7000 <span class="nt">-a</span> <span class="o">[</span>ACCESSKEY] info replication <span class="c"># Replication</span> role:slave master_host:10.0.0.125 master_port:7001 ... <span class="nv">$ </span>redis-cli <span class="nt">-c</span> <span class="nt">-h</span> 10.0.0.125 <span class="nt">-p</span> 7000 <span class="nt">-a</span> <span class="o">[</span>ACCESSKEY] info replication <span class="c"># Replication</span> role:master connected_slaves:1 slave0:ip<span class="o">=</span>10.0.0.126,port<span class="o">=</span>7001,state<span class="o">=</span>online,offset<span class="o">=</span>3410,lag<span class="o">=</span>1 <span class="nv">$ </span>redis-cli <span class="nt">-c</span> <span class="nt">-h</span> 10.0.0.124 <span class="nt">-p</span> 7000 <span class="nt">-a</span> <span class="o">[</span>ACCESSKEY] cluster nodes 41b58d5cea81103d296ee70e31aa56dfa0f1aa30 10.0.0.124:7000@17000 myself,slave b2fa3c3902639db13e0a245a4f08f8657a4d06ac 0 0 7 connected 2ae13d480218fc91235bdc727c57edef941817a7 10.0.0.125:7000@17000 master - 0 1743045119565 2 connected 5461-10922 0848285de9827407af8ee8da81bcc645be57793c 10.0.0.126:7000@17000 master - 0 1743045118000 3 connected 10923-16383 779283793850c6c8a30425ae2ef780114585a64e 10.0.0.124:7001@17001 slave 0848285de9827407af8ee8da81bcc645be57793c 0 1743045119564 3 connected b2fa3c3902639db13e0a245a4f08f8657a4d06ac 10.0.0.125:7001@17001 master - 0 1743045119053 7 connected 0-5460 095098c7e15b2e1021e215abe0ace4fd0f841328 10.0.0.126:7001@17001 slave 2ae13d480218fc91235bdc727c57edef941817a7 0 1743045118035 2 connected </code></pre> <p>From the output, you can see that the Replica running in <code>redis-2</code> got promoted to Master.</p> </li> </ol> <h3> Replica node failure </h3> <ol> <li> <p>Run the following command on Replica in server <code>redis-3</code>:<br> </p> <pre class="highlight shell"><code>redis-cli <span class="nt">-c</span> <span class="nt">-h</span> 127.0.0.0 <span class="nt">-p</span> 7001 <span class="nt">-a</span> <span class="o">[</span>ACCESSKEY] DEBUG <span class="nb">sleep </span>40 </code></pre> </li> <li> <p>Check roles in the cluster:<br> </p> <pre class="highlight shell"><code>redis-cli <span class="nt">-c</span> <span class="nt">-h</span> 10.0.0.126 <span class="nt">-p</span> 7000 <span class="nt">-a</span> <span class="o">[</span>ACCESSKEY] cluster nodes 41b58d5cea81103d296ee70e31aa56dfa0f1aa30 10.0.0.124:7000@17000 slave b2fa3c3902639db13e0a245a4f08f8657a4d06ac 0 1743046096000 7 connected 779283793850c6c8a30425ae2ef780114585a64e 10.0.0.124:7001@17001 slave 0848285de9827407af8ee8da81bcc645be57793c 0 1743046097459 3 connected 2ae13d480218fc91235bdc727c57edef941817a7 10.0.0.125:7000@17000 master - 0 1743046097900 2 connected 5461-10922 b2fa3c3902639db13e0a245a4f08f8657a4d06ac 10.0.0.125:7001@17001 master - 0 1743046096395 7 connected 0-5460 0848285de9827407af8ee8da81bcc645be57793c 10.0.0.126:7000@17000 myself,master - 0 0 3 connected 10923-16383 095098c7e15b2e1021e215abe0ace4fd0f841328 10.0.0.126:7001@17001 slave 2ae13d480218fc91235bdc727c57edef941817a7 0 1743046095519 2 connected </code></pre> <p>As you can see, the cluster topology isn't changed. </p> </li> </ol> <p>Congrats! You have configured the Redis Cluster.</p> <h2> Summary </h2> <p>In this post, we have seen:</p> <ul> <li>how to install the Redis Stack Server</li> <li>how to set up the Redis Cluster</li> <li>hot to test the failover of a cluster.</li> </ul> <h2> References </h2> <ul> <li><a href="https://dev.toInstall%20Redis%20Stack%20on%20Linux">Install Redis Stack on Linux</a></li> <li><a href="https://success.outsystems.com/documentation/how_to_guides/infrastructure/configuring_outsystems_with_redis_in_memory_session_storage/set_up_a_redis_cluster_for_production_environments/" rel="noopener noreferrer">Set up a Redis Cluster for Production environments</a></li> <li><a href="https://severalnines.com/blog/installing-redis-cluster-cluster-mode-enabled-auto-failover/" rel="noopener noreferrer">Installing Redis Cluster (cluster mode enabled) with auto failover</a></li> </ul> redis devops Setup a Docker Swarm cluster using Vagrant Ježek Mon, 21 Oct 2024 23:48:00 +0000 https://dev.to/hedgehog/setup-a-docker-swarm-cluster-mkn https://dev.to/hedgehog/setup-a-docker-swarm-cluster-mkn <p>Docker includes <a href="https://docs.docker.com/engine/swarm/" rel="noopener noreferrer">Swarm mode</a> for natively managing a cluster of Docker Engines called a swarm.</p> <p>There is excellent tutorial <a href="https://docs.docker.com/engine/swarm/swarm-tutorial/" rel="noopener noreferrer">Getting started with Swarm mode</a>, this tutorial describes how to create docker swarm cluster with 1 manager and 2 worker nodes. </p> <p>This article shows how to setup high-availability (HA) Docker Swarm cluster using <a href="https://developer.hashicorp.com/vagrant" rel="noopener noreferrer">Vagrant</a>.</p> <h2> Preconditions </h2> <ul> <li>You have a computer with at least 12 GB of free RAM</li> <li>You have installed <a href="https://developer.hashicorp.com/vagrant" rel="noopener noreferrer">Vagrant</a> on this computer</li> <li>Install a virtualization product such as <a href="https://www.virtualbox.org/" rel="noopener noreferrer">VirtualBox</a> </li> </ul> <h2> Setup </h2> <h3> Initialize a project directory </h3> <p>Make a new directory for the project you will work:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">mkdir </span>docker-swarm-ha <span class="nv">$ </span><span class="nb">cd </span>docker-swarm-ha </code></pre> </div> <h3> Inventory file </h3> <p>Create an <code>inventory.yaml</code> file in your current directory, and open the file in you favorite editor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">touch </span>inventory.yaml <span class="c"># vim inventory.yaml</span> </code></pre> </div> <p>Fill the file like this one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">Manager</span> <span class="na">availability</span><span class="pi">:</span> <span class="s">drain</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">manager-1</span> <span class="na">ip</span><span class="pi">:</span> <span class="s">192.168.100.10</span> <span class="na">image</span><span class="pi">:</span> <span class="s">centos/8</span> <span class="na">ram</span><span class="pi">:</span> <span class="m">2048</span> <span class="na">cpus</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">Manager</span> <span class="na">availability</span><span class="pi">:</span> <span class="s">drain</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">manager-2</span> <span class="na">ip</span><span class="pi">:</span> <span class="s">192.168.100.11</span> <span class="na">image</span><span class="pi">:</span> <span class="s">centos/8</span> <span class="na">ram</span><span class="pi">:</span> <span class="m">2048</span> <span class="na">cpus</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">Manager</span> <span class="na">availability</span><span class="pi">:</span> <span class="s">drain</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">manager-3</span> <span class="na">ip</span><span class="pi">:</span> <span class="s">192.168.100.12</span> <span class="na">image</span><span class="pi">:</span> <span class="s">centos/8</span> <span class="na">ram</span><span class="pi">:</span> <span class="m">2048</span> <span class="na">cpus</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">Worker</span> <span class="na">availability</span><span class="pi">:</span> <span class="s">active</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">worker-1</span> <span class="na">ip</span><span class="pi">:</span> <span class="s">192.168.100.13</span> <span class="na">image</span><span class="pi">:</span> <span class="s">centos/8</span> <span class="na">ram</span><span class="pi">:</span> <span class="m">4096</span> <span class="na">cpus</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">Worker</span> <span class="na">availability</span><span class="pi">:</span> <span class="s">active</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">worker-2</span> <span class="na">ip</span><span class="pi">:</span> <span class="s">192.168.100.14</span> <span class="na">image</span><span class="pi">:</span> <span class="s">centos/8</span> <span class="na">ram</span><span class="pi">:</span> <span class="m">4096</span> <span class="na">cpus</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">Worker</span> <span class="na">availability</span><span class="pi">:</span> <span class="s">active</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">worker-3</span> <span class="na">ip</span><span class="pi">:</span> <span class="s">192.168.100.15</span> <span class="na">image</span><span class="pi">:</span> <span class="s">centos/8</span> <span class="na">ram</span><span class="pi">:</span> <span class="m">4096</span> <span class="na">cpus</span><span class="pi">:</span> <span class="m">1</span> </code></pre> </div> <p>This is inventory file of your docker swarm cluster with relevant virtual machine (VM) characteristics.</p> <h3> Vagrant file </h3> <p>Create a Vagrantfile in your current directory, and open the file in you favorite editor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">touch </span>Vagrantfile <span class="c"># code .</span> </code></pre> </div> <p>Now, it's time to code Vagrantfile using Ruby language...</p> <h4> On top of the file add following code </h4> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># -*- mode: ruby -*-</span> <span class="c1"># vi: set ft=ruby :</span> <span class="nb">require</span> <span class="s1">'yaml'</span> <span class="n">current_dir</span> <span class="o">=</span> <span class="no">File</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="no">File</span><span class="p">.</span><span class="nf">expand_path</span><span class="p">(</span><span class="kp">__FILE__</span><span class="p">))</span> <span class="n">servers</span> <span class="o">=</span> <span class="no">YAML</span><span class="p">.</span><span class="nf">load_file</span><span class="p">(</span><span class="s2">"</span><span class="si">#{</span><span class="n">current_dir</span><span class="si">}</span><span class="s2">/inventory.yaml"</span><span class="p">)</span> <span class="n">leader</span> <span class="o">=</span> <span class="n">servers</span><span class="p">.</span><span class="nf">find</span> <span class="p">{</span> <span class="o">|</span><span class="n">favor</span><span class="o">|</span> <span class="n">favor</span><span class="p">[</span><span class="s1">'hostname'</span><span class="p">]</span> <span class="o">==</span> <span class="s1">'manager-1'</span> <span class="p">}</span> <span class="n">group</span> <span class="o">=</span> <span class="s2">"Docker Swarm"</span> </code></pre> </div> <p>Here, we load the inventory file, and then we define a leader node in the cluster. This node is used to initialize docker swarm. <br> Also we defined <code>Docker Swarm</code> as a group of VMs in VirtualBox GUI.</p> <h4> Add Vagrant configuration below </h4> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="no">Vagrant</span><span class="p">.</span><span class="nf">configure</span><span class="p">(</span><span class="s2">"2"</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">config</span><span class="o">|</span> <span class="k">end</span> </code></pre> </div> <p>The <code>"2"</code> in <code>Vagrant.configure</code> configures the configuration version.<br> Inside this block is the place where the main code will be placed. </p> <h4> Define all VMs in accordance with inventory file </h4> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="n">servers</span><span class="p">.</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">machine</span><span class="o">|</span> <span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">define</span> <span class="n">machine</span><span class="p">[</span><span class="s1">'hostname'</span><span class="p">]</span> <span class="k">do</span> <span class="o">|</span><span class="n">node</span><span class="o">|</span> <span class="n">node</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">box</span> <span class="o">=</span> <span class="n">machine</span><span class="p">[</span><span class="s1">'image'</span><span class="p">]</span> <span class="n">node</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">hostname</span> <span class="o">=</span> <span class="n">machine</span><span class="p">[</span><span class="s1">'hostname'</span><span class="p">]</span> <span class="n">node</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">network</span> <span class="ss">:private_network</span><span class="p">,</span> <span class="ss">ip: </span><span class="n">machine</span><span class="p">[</span><span class="s1">'ip'</span><span class="p">]</span> <span class="n">node</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">provider</span> <span class="ss">:virtualbox</span> <span class="k">do</span> <span class="o">|</span><span class="n">vb</span><span class="o">|</span> <span class="n">vb</span><span class="p">.</span><span class="nf">customize</span> <span class="p">[</span><span class="s2">"modifyvm"</span><span class="p">,</span> <span class="ss">:id</span><span class="p">,</span> <span class="s2">"--groups"</span><span class="p">,</span> <span class="s2">"/</span><span class="si">#{</span><span class="n">group</span><span class="si">}</span><span class="s2">/</span><span class="si">#{</span><span class="n">machine</span><span class="p">[</span><span class="s1">'role'</span><span class="p">]</span><span class="si">}</span><span class="s2">"</span><span class="p">]</span> <span class="n">vb</span><span class="p">.</span><span class="nf">name</span> <span class="o">=</span> <span class="n">machine</span><span class="p">[</span><span class="s1">'hostname'</span><span class="p">]</span> <span class="n">vb</span><span class="p">.</span><span class="nf">memory</span> <span class="o">=</span> <span class="n">machine</span><span class="p">[</span><span class="s1">'ram'</span><span class="p">]</span> <span class="n">vb</span><span class="p">.</span><span class="nf">cpus</span> <span class="o">=</span> <span class="n">machine</span><span class="p">[</span><span class="s1">'cpus'</span><span class="p">]</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <h4> Define hosts file on all VMs </h4> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="n">servers</span><span class="p">.</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">machine</span><span class="o">|</span> <span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">provision</span> <span class="s2">"Setup hosts"</span><span class="p">,</span> <span class="ss">type: :shell</span><span class="p">,</span> <span class="ss">:args</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="n">machine</span><span class="p">[</span><span class="s1">'ip'</span><span class="p">],</span> <span class="n">machine</span><span class="p">[</span><span class="s1">'hostname'</span><span class="p">]],</span> <span class="ss">inline: </span><span class="o">&lt;&lt;-</span><span class="no">SHELL</span><span class="sh"> sudo echo "$1 $2" &gt;&gt; /etc/hosts </span><span class="no"> SHELL</span> <span class="k">end</span> </code></pre> </div> <h4> Setup Linux package repositories </h4> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">provision</span> <span class="s2">"Setup repositories"</span><span class="p">,</span> <span class="ss">type: :shell</span><span class="p">,</span> <span class="ss">privileged: </span><span class="kp">true</span><span class="p">,</span> <span class="ss">inline: </span><span class="o">&lt;&lt;-</span><span class="no">SHELL</span><span class="sh"> sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/CentOS-*.repo sed -i s/^mirrorlist=http/#mirrorlist=http/g /etc/yum.repos.d/CentOS-*.repo sed -i s/^#.*baseurl=http/baseurl=http/g /etc/yum.repos.d/CentOS-*.repo yum clean all </span><span class="no"> SHELL</span> </code></pre> </div> <h4> Install Docker Engine on all VMs </h4> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">provision</span> <span class="s2">"Install Docker"</span><span class="p">,</span> <span class="ss">type: :docker</span> </code></pre> </div> <h4> Install Redis as a cache in docker container </h4> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">provision</span> <span class="s2">"Run Redis cache"</span><span class="p">,</span> <span class="ss">type: :docker</span> <span class="k">do</span> <span class="o">|</span><span class="n">d</span><span class="o">|</span> <span class="n">d</span><span class="p">.</span><span class="nf">run</span> <span class="s2">"redis"</span><span class="p">,</span> <span class="ss">cmd: </span><span class="s2">"--bind 0.0.0.0"</span><span class="p">,</span> <span class="ss">args: </span><span class="s2">"-p 0.0.0.0:6379:6379"</span> <span class="k">end</span> </code></pre> </div> <p>In our case, Redis cache is used to temporary store docker swarm join tokens.</p> <h4> Initialize docker swarm </h4> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">define</span> <span class="s2">"manager-1"</span> <span class="k">do</span> <span class="o">|</span><span class="n">node</span><span class="o">|</span> <span class="n">node</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">provision</span> <span class="s2">"Swarm init"</span><span class="p">,</span> <span class="ss">type: :shell</span><span class="p">,</span> <span class="ss">privileged: </span><span class="kp">true</span><span class="p">,</span> <span class="ss">:args</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="n">leader</span><span class="p">[</span><span class="s1">'ip'</span><span class="p">],</span> <span class="n">leader</span><span class="p">[</span><span class="s1">'availability'</span><span class="p">]],</span> <span class="ss">inline: </span><span class="s2">"docker swarm init --advertise-addr $1 --availability $2 || true"</span> <span class="n">node</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">provision</span> <span class="s2">"Save join-tokens"</span><span class="p">,</span> <span class="ss">type: :shell</span><span class="p">,</span> <span class="ss">privileged: </span><span class="kp">true</span><span class="p">,</span> <span class="ss">inline: </span><span class="o">&lt;&lt;-</span><span class="no">SHELL</span><span class="sh"> docker exec redis redis-cli set manager-join-token $(docker swarm join-token manager -q) docker exec redis redis-cli set worker-join-token $(docker swarm join-token worker -q) </span><span class="no"> SHELL</span> <span class="k">end</span> </code></pre> </div> <p>As you can see above, join tokens are saved into Redis cache.</p> <h4> And finally join all VMs to the docker swarm cluster </h4> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="n">servers</span><span class="p">.</span><span class="nf">select</span> <span class="p">{</span> <span class="o">|</span><span class="n">favor</span><span class="o">|</span> <span class="n">favor</span><span class="p">[</span><span class="s1">'hostname'</span><span class="p">]</span> <span class="o">!=</span> <span class="s1">'manager-1'</span> <span class="p">}.</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">machine</span><span class="o">|</span> <span class="n">config</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">define</span> <span class="n">machine</span><span class="p">[</span><span class="s1">'hostname'</span><span class="p">]</span> <span class="k">do</span> <span class="o">|</span><span class="n">node</span><span class="o">|</span> <span class="n">node</span><span class="p">.</span><span class="nf">vm</span><span class="p">.</span><span class="nf">provision</span> <span class="s2">"Add a </span><span class="si">#{</span><span class="n">machine</span><span class="p">[</span><span class="s1">'role'</span><span class="p">]</span><span class="si">}</span><span class="s2"> to the swarm"</span><span class="p">,</span> <span class="ss">type: :shell</span><span class="p">,</span> <span class="ss">privileged: </span><span class="kp">true</span><span class="p">,</span> <span class="ss">:args</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="n">leader</span><span class="p">[</span><span class="s1">'ip'</span><span class="p">],</span> <span class="n">machine</span><span class="p">[</span><span class="s1">'role'</span><span class="p">].</span><span class="nf">downcase</span><span class="p">,</span> <span class="n">machine</span><span class="p">[</span><span class="s1">'availability'</span><span class="p">]],</span> <span class="ss">inline: </span><span class="o">&lt;&lt;-</span><span class="no">SHELL</span><span class="sh"> token=$(docker exec redis redis-cli -h $1 get $2-join-token) docker swarm join --availability $3 --token $token $1 || true </span><span class="no"> SHELL</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <h2> Boot an environment </h2> <h3> Bring up a virtual machine </h3> <p>Run the following from your terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>vagrant up </code></pre> </div> <p>This command will finish and you will have VMs running with docker swarm.</p> <h3> Check swarm nodes </h3> <p>Connect to a master node using SSH:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>vagrant ssh manager-1 <span class="o">[</span>vagrant@manager-1 ~]<span class="err">$</span> </code></pre> </div> <p>Finally, verify the status of the cluster nodes using the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>vagrant@manager-1 ~]<span class="nv">$ </span>docker node <span class="nb">ls </span>ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION illxi93is8446ghgl86lihg1f <span class="k">*</span> manager-1 Ready Drain Leader 26.1.3 es0ktcmq5d9403p16b688knat manager-2 Ready Drain Reachable 26.1.3 j1wnwxnysm763eex9r024h8if manager-3 Ready Drain Reachable 26.1.3 comemxromzh4y8a6ciou6smk8 worker-1 Ready Active 26.1.3 smz5sf6vdbzszc850zxwddfie worker-2 Ready Active 26.1.3 p7r1khx4h8famoi9fb0itx8kg worker-3 Ready Active 26.1.3 </code></pre> </div> <h3> VirualBox GUI </h3> <p>Now VirualBox GUI should looks like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu6305xae6wni5sqpepqm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu6305xae6wni5sqpepqm.png" alt="VirualBox GUI" width="770" height="554"></a></p> <h2> Deploy a service </h2> <p>In order to verify that everything is OK, we will deploy the simplest docker service to a swarm:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker service create <span class="nt">--name</span> my_web <span class="se">\</span> <span class="nt">--replicas</span> 3 <span class="se">\</span> <span class="nt">--publish</span> <span class="nv">published</span><span class="o">=</span>8080,target<span class="o">=</span>80 <span class="se">\</span> nginx:latest </code></pre> </div> <p>The service is scheduled on available nodes. To confirm that the service was created and started successfully, use the <code>docker service ls</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>vagrant@manager-1 ~]<span class="nv">$ </span>docker service create <span class="nt">--name</span> my_web <span class="se">\</span> <span class="o">&gt;</span> <span class="nt">--replicas</span> 3 <span class="se">\</span> <span class="o">&gt;</span> <span class="nt">--publish</span> <span class="nv">published</span><span class="o">=</span>8080,target<span class="o">=</span>80 <span class="se">\</span> <span class="o">&gt;</span> nginx:latest s3vgnoaca0p14jgd27ag52th4 overall progress: 3 out of 3 tasks 1/3: running <span class="o">[==================================================&gt;]</span> 2/3: running <span class="o">[==================================================&gt;]</span> 3/3: running <span class="o">[==================================================&gt;]</span> verify: Service s3vgnoaca0p14jgd27ag52th4 converged <span class="o">[</span>vagrant@manager-1 ~]<span class="nv">$ </span>docker service <span class="nb">ls </span>ID NAME MODE REPLICAS IMAGE PORTS s3vgnoaca0p1 my_web replicated 3/3 nginx:latest <span class="k">*</span>:8080-&gt;80/tcp </code></pre> </div> <p>Now, you may open just deployed nginx service in web browser using one of the VM's IP:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2u0bkhuawjjap8vhi2hu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2u0bkhuawjjap8vhi2hu.png" alt="Nginx Welcome page" width="800" height="423"></a></p> <h2> Cleanup </h2> <p>To delete docker service, use the <code>docker service rm</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>vagrant@manager-1 ~]<span class="nv">$ </span>docker service <span class="nb">rm </span>my_web my_web <span class="o">[</span>vagrant@manager-1 ~]<span class="nv">$ </span>docker service <span class="nb">ls </span>ID NAME MODE REPLICAS IMAGE PORTS </code></pre> </div> <p>To stop VMs that Vagrant is managing and remove all the resources created during the machine-creation process, use the <code>vagrant destroy</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>vagrant destroy worker-3: Are you sure you want to destroy the <span class="s1">'worker-3'</span> VM? <span class="o">[</span>y/N] </code></pre> </div> <p>To gracefully shut down the VMs, use the <code>vagrant halt</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>vagrant halt <span class="o">==&gt;</span> worker-3: Attempting graceful shutdown of VM... <span class="o">==&gt;</span> worker-2: Attempting graceful shutdown of VM... <span class="o">==&gt;</span> worker-2: Forcing shutdown of VM... <span class="o">==&gt;</span> worker-1: Attempting graceful shutdown of VM... <span class="o">==&gt;</span> manager-3: Attempting graceful shutdown of VM... <span class="o">==&gt;</span> manager-2: Attempting graceful shutdown of VM... <span class="o">==&gt;</span> manager-1: Attempting graceful shutdown of VM... </code></pre> </div> <h2> Summary </h2> <p>In this post, we’ve seen:</p> <ul> <li>how to easily setup high-availability (HA) Docker Swarm cluster using <a href="https://developer.hashicorp.com/vagrant" rel="noopener noreferrer">Vagrant</a> </li> <li>how to deploy docker service to a swarm cluster</li> <li>how to clean up environment.</li> </ul> <p>The codebase for this article can be found <a href="https://github.com/viastakhov/vagrants/blob/master/docker-swarm/" rel="noopener noreferrer">here</a>.</p> docker swarm vagrant devops Run Ansible on Windows without WSL Ježek Wed, 25 Sep 2024 11:47:49 +0000 https://dev.to/hedgehog/run-ansible-on-windows-without-wsl-5hd3 https://dev.to/hedgehog/run-ansible-on-windows-without-wsl-5hd3 <p>Can Ansible run on Windows?<br> There is the simple, uncomplicated answer in <a href="https://docs.ansible.com/ansible/latest/os_guide/windows_faq.html#can-ansible-run-on-windows" rel="noopener noreferrer">ansible.com</a>:</p> <blockquote> <p><em>No, Ansible can only manage Windows hosts. Ansible cannot run on a Windows host natively, though it can run under the Windows Subsystem for Linux (WSL).</em></p> </blockquote> <p>My friend, now I going to show you how you can run Ansible without WSL. Go ahead!</p> <p>First of all in order to run Ansible on Windows without WSL you have to install <a href="https://www.cygwin.com/install.html" rel="noopener noreferrer">Cygwin</a>.</p> <p>Once you have installed Cygwin for Windows you should to install relevant Cygwin packages for Ansible.</p> <h2> Install from the Internet </h2> <p>This is the easiest way to install Cygwin packages. </p> <ol> <li><p>Run <code>cygwin-setup-x86_64.exe</code>:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwtt74clt1sr8rybq8rho.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwtt74clt1sr8rybq8rho.png" alt="Cygwin #1" width="708" height="483"></a></p></li> <li><p>Press <code>Next</code></p></li> <li><p>Choose <code>Install from Internet</code>, and press twice <code>Next</code>:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy3y2sjg7yexprexswbnt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy3y2sjg7yexprexswbnt.png" alt="Cygwin #2" width="708" height="483"></a></p></li> <li><p>Select a local package directory, and press <code>Next</code>: <br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq72fakw319tx7bx59tl5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq72fakw319tx7bx59tl5.png" alt="Cygwin #3" width="708" height="483"></a></p></li> <li><p>Select appropriate connection type, and press <code>Next</code>:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1s4ozsmu0lzz399rai8b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1s4ozsmu0lzz399rai8b.png" alt="Cygwin #4" width="708" height="483"></a></p></li> <li><p>Choose appropriate download site, and press <code>Next</code>:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv3satl2y8wc9rdl259uj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv3satl2y8wc9rdl259uj.png" alt="Cygwin #5" width="708" height="483"></a></p></li> <li><p>Select <code>ansible</code> and required for you packages, then press twice <code>Next</code>:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0kczkezdikwao8bkayo9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0kczkezdikwao8bkayo9.png" alt="Cygwin #6" width="800" height="474"></a></p></li> <li><p>Wait for installation succeed<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsi62j9bqm622ukomu8xp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsi62j9bqm622ukomu8xp.png" alt="Cygwin #7" width="708" height="483"></a></p></li> <li> <p>Run installed <code>Cygwin64 Terminal</code>, and check <code>ansible</code> version:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>ansible <span class="nt">--version</span> ansible 2.8.4 </code></pre> </li> <li> <p>Test whether <code>ansible</code> is working correctly:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>ansible 127.0.0.1 <span class="nt">-m</span> shell <span class="nt">-a</span> <span class="s1">'echo Hello world!'</span> 127.0.0.1 | CHANGED | <span class="nv">rc</span><span class="o">=</span>0 <span class="o">&gt;&gt;</span> Hello world! </code></pre> </li> </ol> <p>Congrats, my friend, you have installed <code>Ansible</code> on Windows without WSL!</p> <h2> Install from the local directory (portable) </h2> <p>This installation option is useful for those who do not have Internet access.</p> <ol> <li><p>First of all, you have to archive a folder where you have installed <code>cygwin</code> packages (in my case: <code>c:\cygwin-packages\</code>)</p></li> <li><p>Copy <code>cygwin-setup-x86_64.exe</code> and the archive to a computer w/o Internet access</p></li> <li><p>Extract archive to appropriate folders</p></li> <li><p>Run <code>cygwin-setup-x86_64.exe</code>, and press <code>Next</code></p></li> <li><p>Choose <code>Install from Local Directory</code>, and press twice <code>Next</code>:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcrjxgzj87y9211p3szl3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcrjxgzj87y9211p3szl3.png" alt="Cygwin #2-1" width="708" height="483"></a></p></li> <li><p>Select a local package directory where you have extracted the archive with packages, and press <code>Next</code>: <br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqmksmr93fu9vq8q0d4wq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqmksmr93fu9vq8q0d4wq.png" alt="Cygwin #2-2" width="708" height="483"></a></p></li> <li><p>Select <code>ansible</code> and required for you packages, then press twice <code>Next</code>:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk52b7532pmi3ynpkhib7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk52b7532pmi3ynpkhib7.png" alt="Cygwin #2-3" width="708" height="483"></a></p></li> <li><p>Wait for installation succeed</p></li> <li> <p>Run installed <code>Cygwin64 Terminal</code>, and check <code>ansible</code> version:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>ansible <span class="nt">--version</span> ansible 2.8.4 </code></pre> </li> <li> <p>Test whether <code>ansible</code> is working correctly:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>ansible 127.0.0.1 <span class="nt">-m</span> shell <span class="nt">-a</span> <span class="s1">'echo Hello world!'</span> 127.0.0.1 | CHANGED | <span class="nv">rc</span><span class="o">=</span>0 <span class="o">&gt;&gt;</span> Hello world! </code></pre> </li> </ol> <p>Congrats, my friend, you have installed <code>Ansible</code> on Windows without WSL and Internet access on a computer!</p> <h2> Summary </h2> <p>In this post, we have seen:</p> <ul> <li>how to install <em>Ansible</em> on Windows w/o WSL using Internet access</li> <li>how to install <em>Ansible</em> on Windows w/o WSL and w/o Internet access</li> </ul> <p>I hope this post was useful for you.<br> See you soon!</p> ansible cygwin devops Set up Redis diskless replication Ježek Tue, 24 Sep 2024 20:16:12 +0000 https://dev.to/hedgehog/set-up-redis-diskless-replication-359 https://dev.to/hedgehog/set-up-redis-diskless-replication-359 <p>If you are building a production-grade application and your application uses Redis database (RDB) then you should replicate your data, so that in case of any disaster for your master data you can still use the replicated data.</p> <p>Redis provides replication in two ways:</p> <ul> <li>Master-Slave replication</li> <li>Redis Cluster Replication</li> </ul> <p>The most basic form of replication in Redis is Master-Slave replication. Data from the Master node is replicated to one or more Slave nodes (Replicas). Replicas can serve read operations, but all write operations are performed on the Master.</p> <p>Master-Slave replication is a method of replicating RDB in order to improve performance and redundancy. The system has a Master that acts as the interface to the outside world, handling all external read and write requests. Whenever a change is made to the Master RDB, the change is propagated to the Replica connected to the Master. Master-Slave replication can be synchronous (in which changes to the replica RDB are made instantaneously) or asynchronous (in which changes are made only after some time).</p> <p>The use cases of Master-Slave replication include:</p> <ul> <li>Improving performance by scaling out the workload to multiple slave RDB.</li> <li>Creating backups from the replica RDB, without disrupting the master RDB.</li> <li>Running BI and analytics workloads on the slave RDB, without disrupting the master RDB.</li> </ul> <p>By default, Master-Slave replication in Redis is asynchronous. Redis Master-Slave replication is non-blocking, which means that the Master can continue to operate while the Replica synchronize the data. In addition, Replica will be able to handle queries using the out-of-date version of the RDB, except for a brief period during which the new data is loaded.</p> <p>Redis Replicas are able to perform a partial resynchronization with the Master if the replication link is lost for a relatively small amount of time. New Replicas and reconnecting Replicas that are not able to continue the replication process just receiving differences, need to do what is called a "full synchronization". An RDB file is transmitted from the Master to the Replicas.</p> <p>The transmission can happen in two different ways:</p> <ul> <li>disk-backed: the Master creates a new process <code>redis-rdb-bgsave</code> that writes the RDB file on disk. Later the file is transferred by the parent process <code>redis-server</code> to the Replicas incrementally.</li> <li>diskless: the Master creates a new process <code>redis-rdb-to-slaves</code> that directly writes the RDB file to replica sockets, without touching the disk at all.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff6z3wklkh6x4zteu4p8a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff6z3wklkh6x4zteu4p8a.png" alt="Replication strategy" width="800" height="352"></a></p> <p>With slow disks and fast (large bandwidth) networks, diskless replication works better: this can provide faster synchronization times.</p> <h2> The problem </h2> <p>In order to persist the RDB on disk you have to define <code>save</code> directives in <code>redis.conf</code> configuration file, also you can run <code>BGSAVE</code> command manually.</p> <p>According to <a href="https://redis.io/docs/manual/persistence/#rdb-disadvantages" rel="noopener noreferrer">Redis RDB disadvantages</a>:</p> <blockquote> <p>RDB needs to fork() often in order to persist on disk using a child process. fork() can be time consuming if the dataset is big, and may result in Redis stopping serving clients for some milliseconds or even for one second if the dataset is very big and the CPU performance is not great.</p> </blockquote> <p>The name of the child process is <code>redis-rdb-bgsave</code>.</p> <p>According to the <a href="https://linux.die.net/man/2/fork" rel="noopener noreferrer">Linux man page</a>:</p> <blockquote> <p>fork() creates a new process by duplicating the calling process. The new process, referred to as the child, is an exact duplicate of the calling process, referred to as the parent. Under Linux, fork() is implemented using copy-on-write pages, so the only penalty that it incurs is the time and memory required to duplicate the parent's page tables, and to create a unique task structure for the child.</p> </blockquote> <p>Thus, fork() can cause the Master to freeze when performing BGSAVE, the related problem is described in the issue <a href="https://github.com/redis/redis/issues/9503" rel="noopener noreferrer">#9503</a> and <code>antirez</code> blog posts <a href="http://antirez.com/news/83" rel="noopener noreferrer">#83</a>, <a href="http://antirez.com/news/84" rel="noopener noreferrer">#84</a>.</p> <p>The <code>diskless replication</code> is an option to mitigate the problem.</p> <h2> Prerequisites </h2> <p>You have installed Redis with Sentinel in accordance with article <a href="https://dev.to/hedgehog/set-up-a-redis-sentinel-3m50">Set up a Redis Sentinel</a></p> <h2> Configuring the diskless replication </h2> <ol> <li> <p>In order to disable forking the child process <code>redis-rdb-bgsave</code> you have to disable RDB persistence by commenting out all "save" lines in <code>/etc/redis/redis.conf</code> on all nodes:<br> </p> <pre class="highlight plaintext"><code># save 900 1 # save 300 10 # save 60 10000 </code></pre> </li> <li> <p>To enable the diskless replication set following mandatory parameters on all nodes:<br> </p> <pre class="highlight plaintext"><code>repl-diskless-sync yes repl-diskless-sync-delay 5 repl-diskless-load on-empty-db </code></pre> <blockquote> <p><code>repl-diskless-sync-delay 5</code>: the delay in seconds the server waits in order to spawn the child that transfers the RDB via socket to the replicas.<br> <code>repl-diskless-load on-empty-db</code>: use diskless loading the RDB directly from the socket only when it is completely safe for Replica.</p> </blockquote> </li> </ol> <p>When the diskless replication is enabled there are several scenarios could occur:</p> <ol> <li> <p>Slave node is rebooted:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fff1dy4fg4ip4wwwtwqgf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fff1dy4fg4ip4wwwtwqgf.png" alt="Scenario #1" width="568" height="653"></a></p> <p>This scenario is not abnormal. After Slave node rebooted Master performs "full synchronization" with Replica. </p> </li> <li> <p>Master node is powered off:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb9wy2hc46d5rgycuke5p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb9wy2hc46d5rgycuke5p.png" alt="Scenario #2" width="561" height="661"></a></p> <p>This scenario is also not abnormal as well, because of sometimes shutting down a node is required for a long time due to maintenance tasks. In this case, Sentinel promotes Replica node to Master, and Replica's RDB in memory remains the same as before the failover. </p> <p>After the old Master node is loaded, it will become a Replica and "full synchronization" will be performed in accordance with Scenario #1</p> </li> <li> <p>The process "redis-server" has been killed on Master node</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwn0ysmyxdmeyjb41dhwk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwn0ysmyxdmeyjb41dhwk.png" alt="Scenario #3a" width="798" height="951"></a></p> <p>This scenario is dangerous because of the risk of data loss on all nodes as described in <code>antirez</code> blog post <a href="http://antirez.com/news/80" rel="noopener noreferrer">#80</a>.</p> </li> </ol> <p>To eliminate the possibility of the dangerous scenario #3, it is necessary to add a delay before starting the 'redis-server' process on the Master node so that Sentinel would promote one of the Replicas to Master:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7idelefz5lwh59ihfla7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7idelefz5lwh59ihfla7.png" alt="Scenario #3b" width="733" height="1275"></a></p> <ol> <li> <p>Save the following bash-script on all nodes as <code>redis-wait-for-slave-role.sh</code> to the folder <code>/usr/local/bin/</code>:<br> </p> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="k">if</span> <span class="o">[[</span> <span class="nv">$# </span><span class="nt">-ne</span> 2 <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Illegal number of parameters"</span> <span class="o">&gt;</span>&amp;2 <span class="nb">exit </span>2 <span class="k">fi </span><span class="nv">IFS</span><span class="o">=</span><span class="s2">","</span> <span class="nv">TIME_OUT_COMMAND</span><span class="o">=</span>5s <span class="nv">redis_conf_path</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nv">hosts_ip</span><span class="o">=</span><span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> <span class="nv">my_ip</span><span class="o">=</span><span class="si">$(</span><span class="nb">hostname</span> <span class="nt">--ip-address</span><span class="si">)</span> <span class="nv">password</span><span class="o">=</span><span class="si">$(</span><span class="nb">awk</span> <span class="s1">'/^requirepass/ {print $2}'</span> <span class="nv">$redis_conf_path</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'\"'</span><span class="si">)</span> get_role<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="nt">-n</span> <span class="s2">"Getting a role from the node '</span><span class="nv">$host</span><span class="s2">' ... "</span> 1&gt;&amp;2 <span class="nb">local </span><span class="nv">role</span><span class="o">=</span><span class="si">$(</span><span class="nb">timeout</span> <span class="nv">$TIME_OUT_COMMAND</span> <span class="se">\</span> redis-cli <span class="nt">-h</span> <span class="nv">$host</span> <span class="nt">-p</span> 6379 <span class="nt">--pass</span> <span class="nv">$password</span> <span class="nt">--no-auth-warning</span> info replication | <span class="se">\</span> <span class="nb">awk</span> <span class="s1">'/^role/ {split($0,a,":");print a[2]}'</span> | <span class="se">\</span> <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'\r'</span><span class="si">)</span> <span class="nb">echo</span> <span class="nv">$role</span> 1&gt;&amp;2 <span class="nb">echo</span> <span class="nv">$role</span> <span class="o">}</span> <span class="k">while</span> :<span class="p">;</span> <span class="k">do for </span>host <span class="k">in</span> <span class="nv">$hosts_ip</span><span class="p">;</span> <span class="k">do if</span> <span class="o">[</span> <span class="nv">$host</span> <span class="o">!=</span> <span class="nv">$my_ip</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">role</span><span class="o">=</span><span class="si">$(</span>get_role<span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$role</span><span class="s2">"</span> <span class="o">=</span> <span class="s1">'master'</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">break </span>2 <span class="k">fi fi done </span><span class="nb">sleep </span>1 <span class="k">done</span> </code></pre> </li> <li> <p>Make the file executable:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo chmod</span> +x /usr/local/bin/redis-wait-for-slave-role.sh </code></pre> </li> <li> <p>Run the following command on all nodes:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl edit redis-server.service </code></pre> </li> <li> <p>Add new <code>Service</code> section:<br> </p> <pre class="highlight plaintext"><code>[Service] ExecStartPre=/usr/local/bin/redis-wait-for-slave-role.sh /etc/redis/redis.conf 10.0.0.21,10.0.0.22,10.0.0.23 TimeoutStartSec=infinity </code></pre> <blockquote> <p><code>10.0.0.21,10.0.0.22,10.0.0.23</code>: IPs of Master and Slave nodes<br> <code>TimeoutStartSec=infinity</code>: if you are using a version of <code>systemd</code> older than <code>229</code>, you will need to use <code>0</code> instead of <code>infinity</code> to disable the timeout. </p> </blockquote> </li> <li> <p>Restart <code>redis-server</code> service on all <strong>Slave</strong> nodes only:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl restart redis-server.service </code></pre> </li> <li> <p>Check <code>redis-server</code> service started:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl status redis-server.service ● redis-server.service - Advanced key-value store Loaded: loaded <span class="o">(</span>/lib/systemd/system/redis-server.service<span class="p">;</span> enabled<span class="p">;</span> vendor preset: enabled<span class="o">)</span> Drop-In: /etc/systemd/system/redis-server.service.d └─override.conf Active: active <span class="o">(</span>running<span class="o">)</span> since Tue 2024-09-24 14:53:07 MSK<span class="p">;</span> 17s ago Docs: http://redis.io/documentation, man:redis-server<span class="o">(</span>1<span class="o">)</span> Process: 390540 <span class="nv">ExecStartPre</span><span class="o">=</span>/usr/local/bin/redis-wait-for-slave-role.sh /etc/redis/redis.conf 10.0.0.21,10.0.0.22,10.0.0.23 <span class="o">(</span><span class="nv">code</span><span class="o">=</span>exited, <span class="nv">status</span><span class="o">=</span>0/SUCCESS<span class="o">)</span> Main PID: 390549 <span class="o">(</span>redis-server<span class="o">)</span> Status: <span class="s2">"MASTER &lt;-&gt; REPLICA sync: Finished with success. Ready to accept connections in read-write mode."</span> Tasks: 5 <span class="o">(</span>limit: 7057<span class="o">)</span> Memory: 2.2G CPU: 6.536s CGroup: /system.slice/redis-server.service └─390549 /usr/bin/redis-server 0.0.0.0:6379 Sep 24 14:53:06 redis-3 systemd[1]: Starting Advanced key-value store... Sep 24 14:53:06 redis-3 redis-wait-for-slave-role.sh[390543]: Getting a role from the node <span class="s1">'10.0.0.21'</span> ... master Sep 24 14:53:07 redis-3 systemd[1]: Started Advanced key-value store. </code></pre> </li> <li> <p>Restart <code>redis-server</code> service on the old <strong>Master</strong> node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl restart redis-server.service </code></pre> </li> <li> <p>Check <code>redis-server</code> service started:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl status redis-server.service ● redis-server.service - Advanced key-value store Loaded: loaded <span class="o">(</span>/lib/systemd/system/redis-server.service<span class="p">;</span> enabled<span class="p">;</span> vendor preset: enabled<span class="o">)</span> Drop-In: /etc/systemd/system/redis-server.service.d └─override.conf Active: active <span class="o">(</span>running<span class="o">)</span> since Tue 2024-09-24 14:58:33 MSK<span class="p">;</span> 6min ago Docs: http://redis.io/documentation, man:redis-server<span class="o">(</span>1<span class="o">)</span> Process: 27935 <span class="nv">ExecStartPre</span><span class="o">=</span>/usr/local/bin/redis-wait-for-slave-role.sh /etc/redis/redis.conf 10.0.0.21,10.0.0.22,10.0.0.23 <span class="o">(</span><span class="nv">code</span><span class="o">=</span>exited, <span class="nv">status</span><span class="o">=</span>0/SUCCESS<span class="o">)</span> Main PID: 28014 <span class="o">(</span>redis-server<span class="o">)</span> Status: <span class="s2">"MASTER &lt;-&gt; REPLICA sync: Finished with success. Ready to accept connections in read-write mode."</span> Tasks: 5 <span class="o">(</span>limit: 7057<span class="o">)</span> Memory: 2.2G CPU: 9.343s CGroup: /system.slice/redis-server.service └─28014 /usr/bin/redis-server 0.0.0.0:6379 Sep 24 14:58:16 redis-1 redis-wait-for-slave-role.sh[27969]: Getting a role from the node <span class="s1">'10.0.0.22'</span> ... slave Sep 24 14:58:19 redis-1 redis-wait-for-slave-role.sh[27976]: Getting a role from the node <span class="s1">'10.0.0.23'</span> ... slave Sep 24 14:58:25 redis-1 redis-wait-for-slave-role.sh[27984]: Getting a role from the node <span class="s1">'10.0.0.22'</span> ... slave Sep 24 14:58:25 redis-1 redis-wait-for-slave-role.sh[27991]: Getting a role from the node <span class="s1">'10.0.0.23'</span> ... slave Sep 24 14:58:31 redis-1 redis-wait-for-slave-role.sh[27999]: Getting a role from the node <span class="s1">'10.0.0.22'</span> ... slave Sep 24 14:58:31 redis-1 redis-wait-for-slave-role.sh[28007]: Getting a role from the node <span class="s1">'10.0.0.23'</span> ... master Sep 24 14:58:33 redis-1 systemd[1]: Started Advanced key-value store. </code></pre> </li> </ol> <h2> Testing the failover </h2> <p>This section shows to test the failover of the high availability Redis using Sentinel with enabled diskless replication.</p> <ol> <li> <p>Find new Master node by running the following command on a Sentinel node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">-p</span> 26379 <span class="nt">--askpass</span> sentinel get-master-addr-by-name mymaster Please input password: <span class="k">****************</span> 1<span class="o">)</span> <span class="s2">"10.0.0.23"</span> 2<span class="o">)</span> <span class="s2">"6379"</span> </code></pre> </li> <li> <p>Set new test key in Master:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">-h</span> 10.0.0.23 <span class="nt">-p</span> 6379 <span class="nt">--askpass</span> <span class="nb">set </span>test_key Hello! Please input password: <span class="k">****************</span> OK </code></pre> </li> <li> <p>Check the value of this key on all Replicas:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">-h</span> 10.0.0.21 <span class="nt">-p</span> 6379 <span class="nt">--askpass</span> get test_key Please input password: <span class="k">****************</span> <span class="s2">"Hello!"</span> <span class="nv">$ </span>redis-cli <span class="nt">-h</span> 10.0.0.22 <span class="nt">-p</span> 6379 <span class="nt">--askpass</span> get test_key Please input password: <span class="k">****************</span> <span class="s2">"Hello!"</span> </code></pre> </li> <li> <p>Execute the failover manually running following command:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">-p</span> 26379 <span class="nt">--askpass</span> sentinel failover mymaster Please input password: <span class="k">****************</span> OK </code></pre> </li> <li> <p>Find new Master node by running the following command on a Sentinel node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">-p</span> 26379 <span class="nt">--askpass</span> sentinel get-master-addr-by-name mymaster Please input password: <span class="k">****************</span> 1<span class="o">)</span> <span class="s2">"10.0.0.21"</span> 2<span class="o">)</span> <span class="s2">"6379"</span> </code></pre> </li> <li> <p>Check the value of the test key on the new Master and all Replicas:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">-h</span> 10.0.0.21 <span class="nt">-p</span> 6379 <span class="nt">--askpass</span> get test_key Please input password: <span class="k">****************</span> <span class="s2">"Hello!"</span> <span class="nv">$ </span>redis-cli <span class="nt">-h</span> 10.0.0.22 <span class="nt">-p</span> 6379 <span class="nt">--askpass</span> get test_key Please input password: <span class="k">****************</span> <span class="s2">"Hello!"</span> <span class="nv">$ </span>redis-cli <span class="nt">-h</span> 10.0.0.23 <span class="nt">-p</span> 6379 <span class="nt">--askpass</span> get test_key Please input password: <span class="k">****************</span> <span class="s2">"Hello!"</span> </code></pre> </li> <li> <p>Delete the RDB file on the Master node (don't do this on production environment):<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">rm</span> /var/lib/redis/dump.rdb </code></pre> </li> <li> <p>Kill the <code>redis-server</code> process on the Master node:<br> </p> <pre class="highlight shell"><code>pkill <span class="s1">'redis-server'</span> </code></pre> </li> <li> <p>Wait for the <code>redis-server</code> process to start:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>systemctl status redis-server.service ● redis-server.service - Advanced key-value store Loaded: loaded <span class="o">(</span>/lib/systemd/system/redis-server.service<span class="p">;</span> enabled<span class="p">;</span> vendor preset: enabled<span class="o">)</span> Drop-In: /etc/systemd/system/redis-server.service.d └─override.conf Active: active <span class="o">(</span>running<span class="o">)</span> since Tue 2024-09-24 21:42:13 MSK<span class="p">;</span> 23s ago Docs: http://redis.io/documentation, man:redis-server<span class="o">(</span>1<span class="o">)</span> Process: 63631 <span class="nv">ExecStartPre</span><span class="o">=</span>/usr/local/bin/redis-wait-for-slave-role.sh /etc/redis/redis.conf 10.0.0.21,10.0.0.22,10.0.0.23 <span class="o">(</span><span class="nv">code</span><span class="o">=</span>exited, <span class="nv">status</span><span class="o">=</span>0/SUCCESS<span class="o">)</span> Main PID: 64578 <span class="o">(</span>redis-server<span class="o">)</span> Status: <span class="s2">"Ready to accept connections"</span> Tasks: 5 <span class="o">(</span>limit: 7057<span class="o">)</span> Memory: 69.1M CPU: 1.163s CGroup: /system.slice/redis-server.service └─64578 /usr/bin/redis-server 0.0.0.0:6379 </code></pre> </li> <li> <p>Check the value of the test key on the new Master and all Replicas:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">-h</span> 10.0.0.21 <span class="nt">-p</span> 6379 <span class="nt">--askpass</span> get test_key Please input password: <span class="k">****************</span> <span class="s2">"Hello!"</span> <span class="nv">$ </span>redis-cli <span class="nt">-h</span> 10.0.0.22 <span class="nt">-p</span> 6379 <span class="nt">--askpass</span> get test_key Please input password: <span class="k">****************</span> <span class="s2">"Hello!"</span> <span class="nv">$ </span>redis-cli <span class="nt">-h</span> 10.0.0.23 <span class="nt">-p</span> 6379 <span class="nt">--askpass</span> get test_key Please input password: <span class="k">****************</span> <span class="s2">"Hello!"</span> </code></pre> </li> </ol> <h2> Summary </h2> <p>The concept of replication without persistence is obviously impressive and causes anxiety and even wariness. Supporting diskless replication removes undesirable side-effect of disks (since disk I/O is slow and lazy), also it eliminates heavy forking a child process, being used for RDB persistence, with large datasets in memory.</p> redis Set up a Redis Sentinel Ježek Wed, 18 Sep 2024 21:59:49 +0000 https://dev.to/hedgehog/set-up-a-redis-sentinel-3m50 https://dev.to/hedgehog/set-up-a-redis-sentinel-3m50 <p><a href="http://redis.io/" rel="noopener noreferrer">Redis</a>® Sentinel provides high availability for Redis. Redis Sentinel also provides other collateral tasks such as monitoring, notifications and acts as a configuration provider for clients.</p> <p>This article shows how to set up a high-availability architecture for Redis using Sentinel in Debian GNU/Linux:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyr41eqttzsgp8f0xur9g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyr41eqttzsgp8f0xur9g.png" alt="Redis Sentinel" width="800" height="889"></a></p> <h2> Prerequisites </h2> <p>Debian preinstalled servers, e.g.:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Host name</th> <th>IP</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td>redis-1</td> <td>10.0.0.21</td> <td>Master node</td> </tr> <tr> <td>redis-2</td> <td>10.0.0.22</td> <td>Slave node</td> </tr> <tr> <td>redis-3</td> <td>10.0.0.23</td> <td>Slave node</td> </tr> <tr> <td>sentinel-1</td> <td>10.0.0.24</td> <td>Sentinel node</td> </tr> <tr> <td>sentinel-2</td> <td>10.0.0.25</td> <td>Sentinel node</td> </tr> <tr> <td>sentinel-3</td> <td>10.0.0.26</td> <td>Sentinel node</td> </tr> </tbody> </table></div> <h2> Setup Redis replication </h2> <h3> Install Redis </h3> <ol> <li>Connect to hosts with roles: <code>Master node</code>, <code>Slave node</code> </li> <li> <p>Run the following commands:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>apt-get update <span class="nv">$ </span><span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> redis-server </code></pre> </li> <li> <p>Activate the redis-server service to start when Redis server boots:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl <span class="nb">enable </span>redis-server </code></pre> </li> <li> <p>Check redis-server status:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>systemctl status redis-server ● redis-server.service - Advanced key-value store Loaded: loaded <span class="o">(</span>/lib/systemd/system/redis-server.service<span class="p">;</span> enabled<span class="p">;</span> vendor <span class="o">&gt;</span> Active: active <span class="o">(</span>running<span class="o">)</span> since Mon 2024-09-16 21:06:13<span class="p">;</span> 19min ago Docs: http://redis.io/documentation, man:redis-server<span class="o">(</span>1<span class="o">)</span> Main PID: 3057 <span class="o">(</span>redis-server<span class="o">)</span> Status: <span class="s2">"Ready to accept connections"</span> Tasks: 5 <span class="o">(</span>limit: 2307<span class="o">)</span> Memory: 9.2M CPU: 2.146s CGroup: /system.slice/redis-server.service └─3057 /usr/bin/redis-server 127.0.0.1:6379 </code></pre> <p>Service runs and ready to accept connections.</p> </li> </ol> <h3> Set up the Master node </h3> <ol> <li>Open the configuration file at <code>/etc/redis/redis.conf</code> </li> <li> <p>Set following mandatory parameters:<br> </p> <pre class="highlight plaintext"><code>protected-mode yes bind &lt;masterip: 10.0.0.21&gt; 127.0.0.1 requirepass &lt;master-password&gt; masterauth &lt;master-password&gt; </code></pre> </li> <li> <p>Restart the redis-server service:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl restart redis-server </code></pre> </li> <li> <p>Make sure that Redis accepts connections with authentication:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">--askpass</span> info </code></pre> </li> </ol> <h3> Set up the Slave nodes </h3> <ol> <li>Open the configuration file at <code>/etc/redis/redis.conf</code> </li> <li> <p>Set following mandatory parameters:<br> </p> <pre class="highlight plaintext"><code>bind &lt;slaveip: 10.0.0.21/22&gt; 127.0.0.1 requirepass &lt;master-password&gt; masterauth &lt;master-password&gt; replicaof &lt;masterip: 10.0.0.21&gt; 6379 </code></pre> </li> <li> <p>Restart the redis-server service:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl restart redis-server </code></pre> </li> <li> <p>Make sure that Redis accepts connections with authentication:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">--askpass</span> info </code></pre> </li> </ol> <h3> Check Redis replication setup </h3> <ol> <li> <p>Check the redis-server log on Master node:<br> </p> <pre class="highlight plaintext"><code>$ tail /var/log/redis/redis-server.log -n 20 3498:M 16 Sep 2024 22:25:53.086 * RDB memory usage when created 0.77 Mb 3498:M 16 Sep 2024 22:25:53.086 * DB loaded from disk: 0.000 seconds 3498:M 16 Sep 2024 22:25:53.086 * Ready to accept connections 3498:M 16 Sep 2024 23:29:52.119 * Replica 10.0.0.22:6379 asks for synchronization 3498:M 16 Sep 2024 23:29:52.119 * Full resync requested by replica 10.0.0.22:6379 3498:M 16 Sep 2024 23:29:52.119 * Replication backlog created, my new replication IDs are '368571d1e52c29535615e0043a3a6d6ddc1db70b' and '0000000000000000000000000000000000000000' 3498:M 16 Sep 2024 23:29:52.119 * Starting BGSAVE for SYNC with target: disk 3498:M 16 Sep 2024 23:29:52.119 * Background saving started by pid 3684 3684:C 16 Sep 2024 23:29:52.132 * DB saved on disk 3684:C 16 Sep 2024 23:29:52.133 * RDB: 0 MB of memory used by copy-on-write 3498:M 16 Sep 2024 23:29:52.185 * Background saving terminated with success 3498:M 16 Sep 2024 23:29:52.185 * Synchronization with replica 10.0.0.22:6379 succeeded 3498:M 16 Sep 2024 23:30:09.952 * Replica 10.0.0.23:6379 asks for synchronization 3498:M 16 Sep 2024 23:30:09.952 * Full resync requested by replica 10.0.0.23:6379 3498:M 16 Sep 2024 23:30:09.952 * Starting BGSAVE for SYNC with target: disk 3498:M 16 Sep 2024 23:30:09.952 * Background saving started by pid 3688 3688:C 16 Sep 2024 23:30:09.965 * DB saved on disk 3688:C 16 Sep 2024 23:30:09.965 * RDB: 0 MB of memory used by copy-on-write 3498:M 16 Sep 2024 23:30:09.985 * Background saving terminated with success 3498:M 16 Sep 2024 23:30:09.985 * Synchronization with replica 10.0.0.23:6379 succeeded </code></pre> </li> <li> <p>Check replication status on Master node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">--askpass</span> info replication Please input password: <span class="k">****************</span> <span class="c"># Replication</span> role:master connected_slaves:2 slave0:ip<span class="o">=</span>10.0.0.22,port<span class="o">=</span>6379,state<span class="o">=</span>online,offset<span class="o">=</span>1652,lag<span class="o">=</span>1 slave1:ip<span class="o">=</span>10.0.0.23,port<span class="o">=</span>6379,state<span class="o">=</span>online,offset<span class="o">=</span>1652,lag<span class="o">=</span>1 master_replid:368571d1e52c29535615e0043a3a6d6ddc1db70b master_replid2:0000000000000000000000000000000000000000 master_repl_offset:1652 second_repl_offset:-1 repl_backlog_active:1 repl_backlog_size:1048576 repl_backlog_first_byte_offset:1 repl_backlog_histlen:1652 </code></pre> </li> <li> <p>Run the following command on Master node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ $ </span>redis-cli <span class="nt">--askpass</span> <span class="nb">set </span>abc 123 Please input password: <span class="k">****************</span> OK </code></pre> </li> <li> <p>Run the following command on Slave nodes:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">--askpass</span> get abc Please input password: <span class="k">****************</span> <span class="s2">"123"</span> </code></pre> </li> </ol> <p>Congrats! Master-to-Slave data replication succeed.</p> <h2> Setup Redis Sentinel </h2> <h3> Install Redis Sentinel </h3> <ol> <li>Connect to hosts with the role <code>Sentinel</code> </li> <li> <p>Run the following commands:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>apt-get update <span class="nv">$ </span><span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> redis-sentinel </code></pre> </li> <li> <p>Activate the redis-sentinel service to start when Sentinel server boots:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl <span class="nb">enable </span>redis-sentinel </code></pre> </li> <li> <p>Check redis-sentinel status:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>systemctl status redis-sentinel ● redis-sentinel.service - Advanced key-value store Loaded: loaded <span class="o">(</span>/lib/systemd/system/redis-sentinel.service<span class="p">;</span> enabled<span class="p">;</span> vendo&gt; Active: active <span class="o">(</span>running<span class="o">)</span> since Tue 2024-09-17 00:56:22 MSK<span class="p">;</span> 1min 29s ago Docs: http://redis.io/documentation, man:redis-sentinel<span class="o">(</span>1<span class="o">)</span> Main PID: 3259 <span class="o">(</span>redis-sentinel<span class="o">)</span> Status: <span class="s2">"Ready to accept connections"</span> Tasks: 5 <span class="o">(</span>limit: 2307<span class="o">)</span> Memory: 7.2M CPU: 190ms CGroup: /system.slice/redis-sentinel.service └─3259 /usr/bin/redis-sentinel 127.0.0.1:26379 <span class="o">[</span>sentinel] </code></pre> </li> </ol> <h3> Set up Sentinel nodes </h3> <ol> <li>Open the configuration file at <code>/etc/redis/sentinel.conf</code> </li> <li> <p>Set following mandatory parameters:<br> </p> <pre class="highlight plaintext"><code>protected-mode yes bind &lt;sentinelip: 10.0.0.24/25/26&gt; 127.0.0.1 sentinel monitor mymaster &lt;masterip: 10.0.0.21&gt; 6379 2 sentinel down-after-milliseconds mymaster 30000 sentinel failover-timeout mymaster 180000 sentinel parallel-syncs mymaster 1 sentinel auth-pass mymaster &lt;master-password&gt; requirepass &lt;sentinel-password&gt; </code></pre> </li> <li> <p>Restart the redis-sentinel service:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl restart redis-sentinel </code></pre> </li> <li> <p>Make sure that Redis Sentinel accepts connections with authentication:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">-p</span> 26379 <span class="nt">--askpass</span> info sentinel Please input password: <span class="k">****************</span> <span class="c"># Sentinel</span> sentinel_masters:1 sentinel_tilt:0 sentinel_running_scripts:0 sentinel_scripts_queue_length:0 sentinel_simulate_failure_flags:0 master0:name<span class="o">=</span>mymaster,status<span class="o">=</span>ok,address<span class="o">=</span>10.0.0.21:6379,slaves<span class="o">=</span>2,sentinels<span class="o">=</span>3 </code></pre> </li> </ol> <h2> Testing the failover </h2> <p>This section shows how to test the failover of the high availability Redis using Sentinel.</p> <h3> Master node failure </h3> <ol> <li> <p>Run the following command on Master node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">--askpass</span> client pause 40000 Please input password: <span class="k">****************</span> OK </code></pre> <blockquote> <p>Note: <code>client pause 40000</code> due to <code>sentinel down-after-milliseconds mymaster 30000</code></p> </blockquote> </li> <li> <p>Run the following command on one of the Sentinel nodes:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">tail</span> <span class="nt">-10</span> /var/log/redis/redis-sentinel.log 6175:X 18 Sep 2024 21:39:49.309 <span class="c"># +sdown master mymaster 10.0.0.21 6379</span> 6175:X 18 Sep 2024 21:39:49.555 <span class="c"># +new-epoch 1</span> 6175:X 18 Sep 2024 21:39:49.558 <span class="c"># +vote-for-leader 77fc4fbc9c6c7d063d62e38f528910ab67e8d907 1</span> 6175:X 18 Sep 2024 21:39:50.450 <span class="c"># +odown master mymaster 10.0.0.21 6379 #quorum 3/2</span> 6175:X 18 Sep 2024 21:39:50.451 <span class="c"># Next failover delay: I will not start a failover before Wed Sep 18 21:45:50 2024</span> 6175:X 18 Sep 2024 21:39:51.853 <span class="c"># +config-update-from sentinel 77fc4fbc9c6c7d063d62e38f528910ab67e8d907 10.0.0.26 26379 @ mymaster 10.0.0.21 6379</span> 6175:X 18 Sep 2024 21:39:51.853 <span class="c"># +switch-master mymaster 10.0.0.21 6379 10.0.0.22 6379</span> 6175:X 18 Sep 2024 21:39:51.853 <span class="k">*</span> +slave slave 10.0.0.23:6379 10.0.0.23 6379 @ mymaster 10.0.0.22 6379 6175:X 18 Sep 2024 21:39:51.853 <span class="k">*</span> +slave slave 10.0.0.21:6379 10.0.0.21 6379 @ mymaster 10.0.0.22 6379 6175:X 18 Sep 2024 21:40:09.323 <span class="k">*</span> +convert-to-slave slave 10.0.0.21:6379 10.0.0.21 6379 @ mymaster 10.0.0.22 6379 </code></pre> <blockquote> <p>Note: <code>Next failover delay: I will not start a failover before Wed Sep 18 21:45:50 2024</code> due to <code>sentinel failover-timeout mymaster 180000</code></p> </blockquote> </li> <li> <p>Run the following command on one of the Sentinel nodes:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">-p</span> 26379 <span class="nt">--askpass</span> sentinel get-master-addr-by-name mymaster Please input password: <span class="k">****************</span> 1<span class="o">)</span> <span class="s2">"10.0.0.22"</span> 2<span class="o">)</span> <span class="s2">"6379"</span> </code></pre> <p>Redis node with IP <code>10.0.0.22</code> is the new Master node.</p> </li> <li> <p>Run the following command on the new Master node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">--askpass</span> info replication <span class="c"># Replication</span> role:master connected_slaves:2 slave0:ip<span class="o">=</span>10.0.0.23,port<span class="o">=</span>6379,state<span class="o">=</span>online,offset<span class="o">=</span>519426,lag<span class="o">=</span>1 slave1:ip<span class="o">=</span>10.0.0.21,port<span class="o">=</span>6379,state<span class="o">=</span>online,offset<span class="o">=</span>519559,lag<span class="o">=</span>0 master_replid:ade635098e62dc68f3ee65acf37970f98e1a2f8a master_replid2:8777248b814d71f4c609f437c37a529e01b7d0c5 master_repl_offset:519692 second_repl_offset:195253 repl_backlog_active:1 repl_backlog_size:1048576 repl_backlog_first_byte_offset:1 repl_backlog_histlen:519692 </code></pre> </li> </ol> <h3> Sentinel node failure </h3> <ol> <li> <p>Run the following command on the first Sentinel node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl stop redis-sentinel </code></pre> </li> <li> <p>Check <code>redis-sentinel.log</code> on the second Sentinel node:<br> </p> <pre class="highlight shell"><code><span class="nb">tail</span> <span class="nt">-1</span> /var/log/redis/redis-sentinel.log 5587:X 18 Sep 2024 22:14:36.112 <span class="c"># +sdown sentinel d01aa131dc0ba6cc4069f3ec67bf6b4fa6b501f8 10.0.0.24 26379 @ mymaster 10.0.0.22 6379</span> </code></pre> </li> <li> <p>Run the following command on Master node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">--askpass</span> client pause 40000 Please input password: <span class="k">****************</span> OK </code></pre> </li> <li> <p>Check <code>redis-sentinel.log</code> on the second Sentinel node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">tail</span> <span class="nt">-10</span> /var/log/redis/redis-sentinel.log 5587:X 18 Sep 2024 22:20:49.232 <span class="c"># +failover-state-reconf-slaves master mymaster 10.0.0.22 6379</span> 5587:X 18 Sep 2024 22:20:49.255 <span class="k">*</span> +slave-reconf-sent slave 10.0.0.23:6379 10.0.0.23 6379 @ mymaster 10.0.0.22 6379 5587:X 18 Sep 2024 22:20:49.691 <span class="c"># -odown master mymaster 10.0.0.22 6379</span> 5587:X 18 Sep 2024 22:20:54.812 <span class="c"># -sdown master mymaster 10.0.0.22 6379</span> 5587:X 18 Sep 2024 22:20:56.253 <span class="k">*</span> +slave-reconf-inprog slave 10.0.0.23:6379 10.0.0.23 6379 @ mymaster 10.0.0.22 6379 5587:X 18 Sep 2024 22:20:56.254 <span class="k">*</span> +slave-reconf-done slave 10.0.0.23:6379 10.0.0.23 6379 @ mymaster 10.0.0.22 6379 5587:X 18 Sep 2024 22:20:56.278 <span class="c"># +failover-end master mymaster 10.0.0.22 6379</span> 5587:X 18 Sep 2024 22:20:56.278 <span class="c"># +switch-master mymaster 10.0.0.22 6379 10.0.0.21 6379</span> 5587:X 18 Sep 2024 22:20:56.279 <span class="k">*</span> +slave slave 10.0.0.23:6379 10.0.0.23 6379 @ mymaster 10.0.0.21 6379 5587:X 18 Sep 2024 22:20:56.279 <span class="k">*</span> +slave slave 10.0.0.22:6379 10.0.0.22 6379 @ mymaster 10.0.0.21 6379 </code></pre> <p>According to the log the node with IP <code>10.0.0.21</code> is the new Master node.</p> </li> <li> <p>Run the following command on the second Sentinel node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl stop redis-sentinel </code></pre> </li> <li> <p>Check <code>redis-sentinel.log</code> on the third Sentinel node:<br> </p> <pre class="highlight shell"><code><span class="nb">tail</span> <span class="nt">-1</span> /var/log/redis/redis-sentinel.log 5406:X 18 Sep 2024 22:26:57.116 <span class="c"># +sdown sentinel 4a1264d7e6946072945569a8a6c91ad5bff182aa 10.0.0.25 26379 @ mymaster 10.0.0.21 6379</span> </code></pre> <p>At this point, the only single Sentinel node <code>10.0.0.26</code> running, and the Redis node with IP <code>10.0.0.21</code> is the new Master node.</p> </li> <li> <p>Run the following command on Master node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span>redis-cli <span class="nt">--askpass</span> client pause 40000 Please input password: <span class="k">****************</span> OK </code></pre> </li> <li> <p>Check <code>redis-sentinel.log</code> on the third Sentinel node:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">tail</span> <span class="nt">-2</span> /var/log/redis/redis-sentinel.log 5406:X 18 Sep 2024 22:26:57.116 <span class="c"># +sdown sentinel 4a1264d7e6946072945569a8a6c91ad5bff182aa 10.0.0.25 26379 @ mymaster 10.0.0.21 6379</span> 5406:X 18 Sep 2024 22:42:37.815 <span class="c"># +sdown master mymaster 10.0.0.21 6379</span> </code></pre> <p>According to the log the Master node is down, but there was no voting for the new leader. This is due to the missing of quorum among the Sentinel nodes.</p> </li> <li> <p>Don't forget to start <code>redis-sentinel</code> service on the first and second Sentinel nodes:<br> </p> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>systemctl start redis-sentinel </code></pre> </li> </ol> <p>Congrats! You have configured Redis Sentinel.</p> <h2> Summary </h2> <p>In this post, we’ve seen:</p> <ul> <li>how to set up Redis Master-Slave replication</li> <li>how to set up Redis Sentinel</li> <li>hot to test the failover of the high availability Redis using Sentinel.</li> </ul> redis