update contents

4.1_pod_and_service/ex-1_run_container/READNE.md

@@ -48,3 +48,97 @@ root@3e9080f20c4d:/# curl http://192.168.49.4:32343/ping;echo
 
 
 マルチコンテナポッドも知って欲しい。
+
+
+
+
+$ kubectl apply -f pod.yaml 
+pod/my-pod created
+
+$ kubectl get pods
+NAME     READY   STATUS    RESTARTS   AGE
+my-pod   1/1     Running   0          5s
+
+
+
+$ kubectl describe pods my-pod
+Name:             my-pod
+Namespace:        default
+Priority:         0
+Service Account:  default
+Node:             minikube/192.168.49.2
+Start Time:       Sun, 07 Jan 2024 15:57:21 +0900
+Labels:           app=my-app-1
+                  run=my-pod
+Annotations:      <none>
+Status:           Running
+IP:               10.244.0.13
+IPs:
+  IP:  10.244.0.13
+Containers:
+  my-pod:
+    Container ID:   docker://489e10f9cfcf9f4fdee26619cef0ef5086bca9d577e0a84ba76606a9ae530b0f
+    Image:          ghcr.io/takara9/ex1:1.0
+    Image ID:       docker-pullable://ghcr.io/takara9/ex1@sha256:cb6cd2557aa67456f72663d3d612f5741de72a0b4635fdd2a10c9c1ac3238344
+    Port:           9100/TCP
+    Host Port:      0/TCP
+    State:          Running
+      Started:      Sun, 07 Jan 2024 15:57:21 +0900
+    Ready:          True
+    Restart Count:  0
+    Environment:    <none>
+    Mounts:
+      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-n4ftc (ro)
+Conditions:
+  Type              Status
+  Initialized       True 
+  Ready             True 
+  ContainersReady   True 
+  PodScheduled      True 
+Volumes:
+  kube-api-access-n4ftc:
+    Type:                    Projected (a volume that contains injected data from multiple sources)
+    TokenExpirationSeconds:  3607
+    ConfigMapName:           kube-root-ca.crt
+    ConfigMapOptional:       <nil>
+    DownwardAPI:             true
+QoS Class:                   BestEffort
+Node-Selectors:              <none>
+Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
+                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
+Events:
+  Type    Reason     Age    From              Message
+  ----    ------     ----   ----              -------
+  Normal  Scheduled  4m23s  default-scheduler Successfully assigned default/my-pod to minikube
+  Normal  Pulled     4m23s  kubelet           Container image "ghcr.io/takara9/ex1:1.0" already present on machine
+  Normal  Created    4m23s  kubelet           Created container my-pod
+  Normal  Started    4m23s  kubelet           Started container my-pod
+
+
+
+サービスのデプロイ
+
+$ kubectl apply -f service.yaml 
+service/my-service configured
+
+
+サービスの存在確認
+
+$ kubectl get service
+NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
+kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP    9h
+my-service   ClusterIP   10.100.232.199   <none>        9100/TCP   6h58m
+
+
+サービスをPCターミナルへフォワード
+
+$ kubectl port-forward service/my-service 9100:9100
+Forwarding from 127.0.0.1:9100 -> 9100
+Forwarding from [::1]:9100 -> 9100
+
+
+別ターミナルでcurlコマンドでアクセスして確認
+
+$ curl http://localhost:9100/ping;echo
+<p>pong</p>
+

4.1_pod_and_service/ex-1_run_container/service.yaml

@@ -5,7 +5,6 @@ metadata:
   labels:
     app: my-app-1
 spec:
-  type: NodePort
   selector:
     run: my-pod 
   ports:

4.1_pod_and_service/ex-2_service_label/README.md

@@ -0,0 +1 @@
+kubectl patch service my-service --patch-file patch.yaml

4.1_pod_and_service/ex-3_name_descovery/README.md

@@ -5,7 +5,7 @@
 
 # DNS
 
-mini:~ takara$ kubectl run -it mypod --image=ghcr.io/takara9/my-ubuntu:0.2 -- bash
+$ kubectl run -it mypod --image=ghcr.io/takara9/my-ubuntu:0.2 -- bash
 If you don't see a command prompt, try pressing enter.
 root@mypod:/# 
 

4.1_pod_and_service/ex-4_readyness_liveness/livenessprobe/pod.yaml

@@ -14,8 +14,6 @@ spec:
     - touch /tmp/healthy; sleep 30; rm -f /tmp/healthy; tail -f /dev/null
     livenessProbe:
       exec:
-        command:
-        - cat
-        - /tmp/healthy
+        command: ["cat", "/tmp/healthy"]
       initialDelaySeconds: 5
       periodSeconds: 5

4.1_pod_and_service/ex-4_readyness_liveness/readnesprobe/pod.yaml

@@ -14,8 +14,6 @@ spec:
     - sleep 30; touch /tmp/healthy; tail -f /dev/null
     readinessProbe:
       exec:
-        command:
-        - cat
-        - /tmp/healthy
+        command: ["cat","/tmp/healthy"]
       initialDelaySeconds: 5
       periodSeconds: 5

4.1_pod_and_service/ex-5_psa/ns.yaml → 4.1_pod_and_service/ex-5_psa/namespace-h-secure.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: my-ns
+  name: myns
   labels:
     pod-security.kubernetes.io/enforce: restricted
     pod-security.kubernetes.io/warn:    restricted

4.1_pod_and_service/ex-5_psa/pod-3.yaml → 4.1_pod_and_service/ex-5_psa/nginx-security.yaml

@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx2
+  name: nginx-secure
+  namespace: myns
 spec:
   containers:
     - image: ghcr.io/takara9/sec-nginx:1.0
       name: nginx
       ports:
-        - containerPort: 80
+        - containerPort: 9200
       securityContext:
         allowPrivilegeEscalation: false
         runAsNonRoot: true

4.1_pod_and_service/ex-5_psa/pod-2.yaml → 4.1_pod_and_service/ex-5_psa/nginx-std.yaml

@@ -1,7 +1,8 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx
+  name: nginx-std
+  namespace: myns
 spec:
   containers:
     - image: nginx

4.1_pod_and_service/ex-5_psa/pod1-std.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-std
+  namespace: myns
+spec:
+  volumes:
+  - name: vol
+    emptyDir: {}
+  containers:
+  - name: general
+    image: busybox:1.28
+    command: [ "sh", "-c", "sleep 1h" ]
+    volumeMounts:
+    - name: vol
+      mountPath: /data/demo

4.1_pod_and_service/ex-5_psa/pod-1.yaml → 4.1_pod_and_service/ex-5_psa/pod1-w-sc.yaml

@@ -1,7 +1,8 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: security-context-demo
+  name: pod-with-sc
+  namespace: myns
 spec:
   securityContext:
     runAsUser: 1000
@@ -10,16 +11,15 @@ spec:
     runAsNonRoot: true
     seccompProfile: 
       type: RuntimeDefault
-
   volumes:
-  - name: sec-ctx-vol
+  - name: vol
     emptyDir: {}
   containers:
-  - name: sec-ctx-demo
+  - name: general
     image: busybox:1.28
     command: [ "sh", "-c", "sleep 1h" ]
     volumeMounts:
-    - name: sec-ctx-vol
+    - name: vol
       mountPath: /data/demo
     securityContext:
       allowPrivilegeEscalation: false

4.1_pod_and_service/secure-nginx/Dockerfile → 4.1_pod_and_service/ex-5_psa/secure-nginx/Dockerfile

@@ -3,4 +3,5 @@ FROM nginx:1.21.6-alpine
 COPY config/default.conf /etc/nginx/conf.d/default.conf
 COPY config/nginx.conf /etc/nginx/nginx.conf
 
+EXPOSE 9200
 USER 101:101

4.1_pod_and_service/secure-nginx/config/nginx.conf → 4.1_pod_and_service/ex-5_psa/secure-nginx/config/nginx.conf

@@ -4,7 +4,6 @@ worker_processes  auto;
 error_log  /var/log/nginx/error.log notice;
 pid        /tmp/nginx.pid;
 
-
 events {
     worker_connections  1024;
 }
@@ -15,22 +14,16 @@ http {
     fastcgi_temp_path     /tmp/fastcgi_temp;
     uwsgi_temp_path       /tmp/uwsgi_temp;
     scgi_temp_path        /tmp/scgi_temp;
-
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
-
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
     access_log  /var/log/nginx/access.log  main;
-
     sendfile        on;
     #tcp_nopush     on;
-
     keepalive_timeout  65;
-
     #gzip  on;
-
     include /etc/nginx/conf.d/*.conf;
 }

4.7_CICD/README.md

@@ -1,3 +1,7 @@
+## CICD
+
+GitHub Actionsで、minikube を実行して、
+コードを修正したら、ビルドとテストを自動実施する。
 
 
 https://minikube.sigs.k8s.io/docs/tutorials/setup_minikube_in_github_actions/
@@ -8,4 +12,6 @@ GitHub Actions 上で　
 
 Dockerfileで、ARM と ADMDを区別しなくても良いようにする。
 
-docker pull maven:3.9.6-eclipse-temurin-21-jammy
+docker pull maven:3.9.6-eclipse-temurin-21-jammy
+
+オブザーバビリティ