Configuration (18%)
Configuring a Pod to Use a ConfigMap
- Create a new file named
config.txtwith the following environment variables as key/value pairs on each line.
DB_URLequates tolocalhost:3306DB_USERNAMEequates topostgres
- Create a new ConfigMap named
db-configfrom that file. - Create a Pod named
backendthat uses the environment variables from the ConfigMap and runs the container with the imagenginx. - Shell into the Pod and print out the created environment variables. You should find
DB_URLandDB_USERNAMEwith their appropriate values.
Solution:
Create the environment variables in the text file.
$ echo -e "DB_URL=localhost:3306 DB_USERNAME=postgres" > config.txt
Create the ConfigMap and point to the text file upon creation.
$ kubectl create configmap db-config --from-env-file=config.txt configmap/db-config created $ kubectl run backend --image=nginx --restart=Never -o yaml --dry-run > pod.yaml
The final YAML file should look similar to the following code snippet.
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: backend name: backend spec: containers: - image: nginx name: backend envFrom: - configMapRef: name: db-config resources: {} dnsPolicy: ClusterFirst restartPolicy: Never status: {}
Create the Pod by pointing the create command to the YAML file.
$ kubectl create -f pod.yaml
Log into the Pod and run the env command.
$ kubectl exec backend -it -- /bin/sh / # env DB_URL=localhost:3306 DB_USERNAME=postgres ... / # exit
Configuring a Pod to Use a Secret
- Create a new Secret named
db-credentialswith the key/value pairdb-password=passwd. - Create a Pod named
backendthat defines uses the Secret as environment variable namedDB_PASSWORDand runs the container with the imagenginx. - Shell into the Pod and print out the created environment variables. You should find
DB_PASSWORDvariable.
Solution:
It's easy to create the secret from the command line. Furthermore, execute the run command to generate the YAML file for the Pod.
$ kubectl create secret generic db-credentials --from-literal=db-password=passwd secret/db-credentials created $ kubectl get secrets NAME TYPE DATA AGE db-credentials Opaque 1 26s $ kubectl run backend --image=nginx --restart=Never -o yaml --dry-run > pod.yaml
Edit the YAML file and create an environment that reads the relevant key from the secret.
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: backend name: backend spec: containers: - image: nginx name: backend env: - name: DB_PASSWORD valueFrom: secretKeyRef: name: db-credentials key: db-password resources: {} dnsPolicy: ClusterFirst restartPolicy: Never status: {}
Create the Pod by pointing the create command to the YAML file.
$ kubectl create -f pod.yaml
You can find the environment variable by shelling into the container and running the env command.
$ kubectl exec -it backend -- /bin/sh / # env DB_PASSWORD=passwd / # exit
Creating a Security Context for a Pod
- Create a Pod named
securedthat uses the imagenginxfor a single container. Mount anemptyDirvolume to the directory/data/app. - Files created on the volume should use the filesystem group ID 3000.
- Get a shell to the running container and create a new file named
logs.txtin the directory/data/app. List the contents of the directory and write them down.
Solution:
Start by creating the Pod definition as YAML file.
$ kubectl run secured --image=nginx --restart=Never -o yaml --dry-run > secured.yaml
Edit the YAML file, add a volume and a volume mount. Add a security context with the relevant group ID.
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: secured name: secured spec: securityContext: fsGroup: 3000 containers: - image: nginx name: secured volumeMounts: - name: data-vol mountPath: /data/app resources: {} volumes: - name: data-vol emptyDir: {} dnsPolicy: ClusterFirst restartPolicy: Never status: {}
Create the Pod and log into the container. Create the file in the directory of the volume mount. The group ID should be 3000 as defined by the security context.
$ kubectl create -f secured.yaml pod/secured created $ kubectl exec -it secured -- sh / # cd /data/app / # touch logs.txt / # ls -l -rw-r--r-- 1 root 3000 0 Mar 11 15:56 logs.txt / # exit
Defining a Pod’s Resource Requirements
Create a resource quota named apps under the namespace rq-demo using the following YAML definition in the file rq.yaml.
apiVersion: v1
kind: ResourceQuota
metadata:
name: app
spec:
hard:
pods: "2"
requests.cpu: "2"
requests.memory: 500m
- Create a new Pod that exceeds the limits of the resource quota requirements. Write down the error message.
- Change the request limits to fulfill the requirements to ensure that the Pod could be created successfully. Write down the output of the command that renders the used amount of resources for the namespace.
Solution:
First create the namespace and the resource quota in the namespace.
$ kubectl create namespace rq-demo $ kubectl create -f rq.yaml --namespace=rq-demo resourcequota/app created $ kubectl describe quota --namespace=rq-demo Name: app Namespace: rq-demo Resource Used Hard -------- ---- ---- pods 0 2 requests.cpu 0 2 requests.memory 0 500m
Next, create the YAML file named pod.yaml with more requested memory than available in the quota.
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: mypod name: mypod spec: containers: - image: nginx name: mypod resources: requests: memory: "1G" cpu: "400m" dnsPolicy: ClusterFirst restartPolicy: Never status: {}
Create the Pod and observe the error message.
$ kubectl create -f pod.yaml --namespace=rq-demo Error from server (Forbidden): error when creating "pod.yaml": pods "mypod" is forbidden: exceeded quota: app, requested: requests.memory=1G, used: requests.memory=0, limited: requests.memory=500m
Lower the memory settings to less than 500m (e.g. 200m) and create the Pod.
$ kubectl create -f pod.yaml --namespace=rq-demo pod/mypod created $ kubectl describe quota --namespace=rq-demo Name: app Namespace: rq-demo Resource Used Hard -------- ---- ---- pods 1 2 requests.cpu 400m 2 requests.memory 200m 500m
Using a Service Account
- Create a new service account named
backend-team. - Print out the token for the service account in YAML format.
- Create a Pod named
backendthat uses the imagenginxand the identitybackend-teamfor running processes. - Get a shell to the running container and print out the token of the service account.
Solution:
First, create the service acccount and inspect it.
$ kubectl create serviceaccount backend-team serviceaccount/backend-team created $ kubectl get serviceaccount backend-team -o yaml --export apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: 2019-05-09T22:43:54Z name: backend-team namespace: default resourceVersion: "1888067" selfLink: /api/v1/namespaces/default/serviceaccounts/backend-team uid: ecd3b7ea-72ab-11e9-96c5-025000000001 secrets: - name: backend-team-token-hskch
Next, you can create a new Pod and assign the service account to it.
$ kubectl run backend --image=nginx --restart=Never --serviceaccount=backend-team
You can print out the token from the volume source at /var/run/secrets/kubernetes.io/serviceaccount.
$ kubectl exec -it backend -- /bin/sh / # cat /var/run/secrets/kubernetes.io/serviceaccount/token eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImJhY2tlbmQtdGVhbS10b2tlbi1kbTJmZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJiYWNrZW5kLXRlYW0iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxNzM0MzVjMS00NDJmLTExZTktOGRjMy0wMjUwMDAwMDAwMDEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpiYWNrZW5kLXRlYW0ifQ.DjWUxEMNUmQVoXd4b-eIjxboj3w3k7hS5hfV8mm8eoEPz3HJJMgjIpAaurcvo1pp2Ggpd1kIhQvfRqI6-u57f80N5UqXt_qATJfonat2NNXX8pXmFNoPig9LB-pbo8TN_pYGWNworXsxmK9w6V9eaRosIinRp0u-cvijQbsBw3lxWgGo9S4G-7f19mMKN1Pg2xS2J6fKX9IKvhHrUkM91nwcwmsO0use5B4TGbuRa9METiGsfEpegvzMPBbPl0B_T1ANH_pck0LFNtvKe0g1v5zpKx2lRF9WdFAqPsG7BJ1dEH88JtBHzD59OhxIPqtyT4sXKjACBN_ka5ZADMzPJg