docs
  • README
  • John's Notes and Documentation
    • Linux
      • Distributions
        • Arch Linux
          • Common Applications
          • Setting up pacaur with the Arch User Repository
          • Bluetooth
          • Hibernate
          • Graphical Configuration
          • libvirt
          • Post Install Tasks
            • Time
            • Reflector
            • SMTP
            • ZFS Configuration
            • smart
            • nfs
            • Package Management
              • aurutils
            • Programming Languages
              • nodejs
              • ruby
            • Restore Installed Applications
            • User Configuration Management
            • User Namespaces
            • Gaming with Wine
            • ZFS Dataset Structure
            • Raspberry PI Secure VPN Torrentbox
        • NixOS
          • Remotely Accessing Install Media
          • root on ZFS Install
      • systemd
        • Network Bonding
      • Tuning
        • CPU Tuning
        • Limits
        • Sysctls
        • Network Reliability With iwlwifi
        • Surface Pro 4 Power Tuning
        • ZFS Arc Max on Linux
      • TrueNAS
        • Setup
  • BSD
    • FreeBSD
      • iocage
      • Poudriere in a bhyve VM
    • FreeNAS
      • Copy SSH Keys off FreeNAS
      • FreeNAS Service jails
      • iocage Service jails
        • Couchpotato jail
        • Deluge jail
        • Emby jail
        • Poudriere WebUI jail
        • Podcatcher jail
        • Sabnzbd jail
        • Sickrage jail
        • Syncthing jail
        • Duplicity jail
        • Lets Encrypt jail
      • Wrong Version jail
    • pfSense
      • Sending Specific Traffic Through OpenVPN
  • Desktop and Userspace
    • Gaming
      • Grim Dawn
      • Path of Exile
    • Internet
      • Re-authenticate IRC Nickname
      • Lightdm VNC Connection with Password
    • Media
      • Convert Audio to Video
      • Convert Text to Speech
  • System Administration
    • Security
      • GPG Subkeys
    • Shell Scripting
      • dd
      • find
      • rsync
      • vim
    • ZFS
      • Mirrors
  • Certifications
    • CKA
      • Core-Concepts
      • Scheduling
      • Logging
      • Application Lifecycle Management
      • Cluster Maintenance
      • Security
      • Storage
      • Networking
      • Install Kubernetes with kubeadm
      • JSON PATH
Powered by GitBook
On this page
  • Rolling updates and Rollbacks
  • Commands and Arguments
  • Environment Variables
  • Configmaps
  • Secrets
  • Encrypting
  • Init Containers
  1. Certifications
  2. CKA

Application Lifecycle Management

Rolling updates and Rollbacks

Deployments trigger "rollouts", marking new "revisions"

kubectl rollout status deployment/myapp-deployment
kubectl rollout history deployment/myapp-deployment

Deployments rolling cause no downtime due to rolling strategy.

Modify yaml, then apply, causing new rollout and revision.

Upgrades in deployments create new replicaset and remove pods from old, add to new

Useful:

kubectl create -f deployment-definition.yaml
kubectl get deployments
kubectl apply -f deployment-definition.yaml
kubectl set image deployment/myapp-deployment nginx=nginx:1.9.1
kubectl rollout status deployment/myapp-deployment
kubectl rollout history deployment/myapp-deployment
kubectl rollout undo deployment/myapp-deployment

Commands and Arguments

Override commands and arguments via:

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper-pod
spec:
    containers:
        - name: ubuntu-sleeper
          image: ubuntu-sleeper
          command: [ "sleep2.0" ]
          args: [ "10" ]

Environment Variables

apiVersion: v1
kind: Pod
metadata:
  name: simple-webapp-color
spec:
 containers:
 - name: simple-webapp-color
   image: simple-webapp-color
   ports:
   - containerPort: 8080
   env:
   - name: APP_COLOR
     value: pink

Configmaps

Lets is define kv pairs

Imperative:

kubectl create configmap CONFIG_NAME --from-literal=KEY=VALUE
kubectl create configmap app-config \
    --from-literal=APP_COLOR=blue \
    --from-literal=APP_MODE=prod

File:

ConfigMap:

APP_COLOR: blue
APP_MODE: prod
```_

```shell
kubectl create configmap CONFIG_NAME --from-file=CONFIG_FILE
kubectl create configmap app-config --from-file=app_config.properties

Declarative:

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_COLOR: blue
  APP_MODE: prod
apiVersion: v1
kind: Pod
metadata:
  name: simple-webapp-color
spec:
 containers:
 - name: simple-webapp-color
   image: simple-webapp-color
   ports:
   - containerPort: 8080
   envFrom:
   - configMapRef:
       name: app-config
kubectl get configmaps
kubectl get configmap CONFIG_MAP
kubectl describe configmap CONFIG_MAP

Secrets

Same as ConfigMap, but encoded (NOT ENCRYPTED).

kubectl create secret

We encode as base64 in yaml:

echo -n VALUE | base64
echo -n ENOCED_VALUE | base64 --decode

Secret:

APP_COLOR: BASE64_ENCODED
APP_MODE: BASE64_ENCODED
apiVersion: v1
kind: Secret
metadata:
  name: app-config
data:
  APP_COLOR: blue
  APP_MODE: prod
kubectl get secrets
kubectl get secret CONFIG_MAP
kubectl describe secret generic CONFIG_MAP

Just like configmap use envFrom:

apiVersion: v1
kind: Pod
metadata:
  name: simple-webapp-color
spec:
 containers:
 - name: simple-webapp-color
   image: simple-webapp-color
   ports:
   - containerPort: 8080
   envFrom:
   - secretKeyRef:
       name: app-config

Can use EncryptionConfiguration to encrypt secrets at rest (stall accessible by users with access to pods)

Encrypting

We can encrypt at rest in etcd

We can query etcd with etcdctl:

Check if --encryption-provider-config set in kube-apiserver:

(kubeadm):

less /etc/kubernetes/manifests/kube-apiserver.yaml

Create EncryptionConfiguration (see docs), and pass via --encryption-provider-config

Init Containers

If you only wish to run something at initialization in a multi-container pod, use an initContainer, they work just like regular containers but exit.

apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  containers:
  - name: myapp-container
    image: busybox:1.28
    command: ['sh', '-c', 'echo The app is running! && sleep 3600']
  initContainers:
  - name: init-myservice
    image: busybox
    command: ['sh', '-c', 'git clone  ;']

initContainers must run to completion before the other container start. They run in sequential order.

PreviousLoggingNextCluster Maintenance

Last updated 4 months ago

Encrypting Confidential Data at Rest