Kubernetes Tutorial

Ci-Jie
T :4
n .(- C - 4 44
n F SJ DM /)
n 4 4 4 K N
4# #

n 0( . (0 0
n 41 0( . 6 0( . . 0 ) .
n 64

n H A eKac
n G b NSi H C ac
n O ac Gi M g E h , H
n g /. A - . B. : d
W A : A A A C

n H M
n A K
n A KM
n N
n . / / ./-.
: / / /
. -/ .

n LR : E / A E . E 69 04
1 FH
n UM P FH .7: S 2- 5 O
a G + B HE AF F B FFC AE CC
B D

$ sudo su
$ apt-get update
$ apt-get install -y apt-transport-https ca-certificates curl software-
properties-common
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key
add -
$ add-apt-repository "deb https://download.docker.com/linux/$(.
/etc/os-release; echo "$ID") $(lsb_release -cs) stable"
$ apt-get update && apt-get install -y docker-ce=$(apt-cache madison
docker-ce | grep 17.03 | head -1 | awk '{print $3}')

$ docker version
Client:
Version: 17.03.2-ce
API version: 1.27
Go version: go1.7.5
Git commit: f5ec1e2
Built: Tue Jun 27 03:35:14 2017
OS/Arch: linux/amd64
Server:
Version: 17.03.2-ce
API version: 1.27 (minimum version 1.12)
Go version: go1.7.5
Git commit: f5ec1e2
Built: Tue Jun 27 03:35:14 2017
OS/Arch: linux/amd64
Experimental: false

$ apt-get update && apt-get install -y apt-transport-https curl
$ curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-
key add -
$ cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
EOF
$ apt-get update
$ apt-get install -y kubelet kubeadm kubectl

$ kubeadm version
…
Usage:
kubeadm [command]
Available Commands:
alpha Experimental sub-commands not yet fully functional.
completion Output shell completion code for the specified shell (bash or zsh).
config Manage configuration for a kubeadm cluster persisted in a ConfigMap in the cluster.
help Help about any command
init Run this command in order to set up the Kubernetes master.
join Run this on any machine you wish to join an existing cluster
reset Run this to revert any changes made to this host by 'kubeadm init' or 'kubeadm join'.
token Manage bootstrap tokens.
…

$ kubeadm init
…
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of machines by running the following on each node
as root:
kubeadm join 192.168.1.13:6443 --token 6lkv4n.uob08598143vuqdg --discovery-token-ca-cert-hash
sha256:b031704cd27c0911d6a5723c9d186da3d43bd772bc7d6f5efab95e463894f963…
…

$ mkdir -p $HOME/.kube
$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ chown $(id -u):$(id -g) $HOME/.kube/config

$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-1 NotReady master 56m v1.11.0

n ) -
n ) )
n )
n
n ) )
n ( )
C

$ kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-
version=$(kubectl version | base64 | tr -d 'n')"
serviceaccount/weave-net created
clusterrole.rbac.authorization.k8s.io/weave-net created
clusterrolebinding.rbac.authorization.k8s.io/weave-net created
role.rbac.authorization.k8s.io/weave-net created
rolebinding.rbac.authorization.k8s.io/weave-net created
daemonset.extensions/weave-net created

$ kubectl get nodes
k8s-1 Ready master 56m v1.11.0

$ kubeadm join 192.168.1.13:6443 --token 6lkv4n.uob08598143vuqdg --
discovery-token-ca-cert-hash
sha256:b031704cd27c0911d6a5723c9d186da3d43bd772bc7d6f5efab95e
463894f963
…
This node has joined the cluster:
* Certificate signing request was sent to master and a response
was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the master to see this node join the cluster.

$ kubectl get nodes
k8s-2 Ready <none> 3m v1.11.0

$ kubeadm token create --print-join-command
I0628 09:14:48.723888 19798 feature_gate.go:230] feature gates: &{map[]}
kubeadm join 192.168.1.13:6443 --token kgze8w.jfqyowrqj9aoi877 --discovery-token-ca-cert-hash
sha256:15fb8bd02a82ef008ffdb1ebd4e7392e70115ffc4d6ae1caac8a32ba10ed3923

$ kubectl get nodes

$ kubectl apply -f
https://raw.githubusercontent.com/kubernetes/dashboard/master/src/d
eploy/recommended/kubernetes-dashboard.yaml
ommended/kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created

$ kubectl proxy (screen)
$ curl http://localhost:8001/api/v1/namespaces/kube-
system/services/https:kubernetes-dashboard:/proxy/
<!doctype html> <html ng-app="kubernetesDashboard"> <head> <meta charset="utf-8"> <title ng-
controller="kdTitle as $ctrl" ng-bind="$ctrl.title()"></title> <link rel="icon" type="image/png"
href="assets/images/kubernetes-logo.png"> <meta name="viewport" content="width=device-width"> <link
rel="stylesheet" href="static/vendor.93db0a0d.css"> <link rel="stylesheet" href="static/app.93e259f7.css">
</head> <body ng-controller="kdMain as $ctrl">  <kd-login layout="column" layout-fill="" ng-if="$ctrl.isLoginState()"> </kd-login> <kd-
chrome layout="column" layout-fill="" ng-if="!$ctrl.isLoginState()"> </kd-chrome> <script
src="static/vendor.bd425c26.js"></script> <script src="api/appConfig.json"></script> <script
src="static/app.b5ad51ac.js"></script> </body> </html>

$ kubectl edit svc kubernetes-dashboard -n kube-system
$ kubectl get svc –n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 40m
kubernetes-dashboard NodePort 10.110.140.252 <none> 443:30225/TCP 9m

-
-
$ vim admin-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system

$ kubectl create -f admin-user.yaml
serviceaccount/admin-user created

$ kubectl get sa -n kube-system
NAME SECRETS AGE
admin-user 1 1m
attachdetach-controller 1 18h
bootstrap-signer 1 18h
certificate-controller 1 18h
clusterrole-aggregation-controller 1 18h
coredns 1 18h
…

$ kubectl -n kube-system describe secret $(kubectl -n kube-system get
secret | grep admin-user | awk '{print $1}’)
…
token:
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZX
Rlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2V
ydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTlmdDd4Iiwia3ViZXJuZXRlcy5pby
9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLml
vL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJhOTdhNWI0ZC03YjRlLTExZTgtYmQwNC
1mYTE2M2U3YjRjMjEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXN
lciJ9.P2p-
77_8JlZwInyuTQOIFUBpDipUxv2Pe3f3KdQSVMMuq5TcEhsaUEmNdzlNHXUOSEVn3dSulu9SRLvPZ2OlO-
02BkaZMBy_dioAURmZtPjom9w5Lafcwrb38lCaax0bYFZw-_9yGHukz3zmYk-PnrFQDn1fXb-
DgvylBIuK_7nd2GQALlRMKIUub-cyIA-
ol9Kq0RjtmGKKots90D8nTo7ok7n2c9Jpi7swkCM9yzo20sVJ6VqwZWw-
5BftAppZdZGQFmUgVkbfzeRv8Q3mR9cA0ix7JksBu-
9k3k8qyJG1OjUNcHzP_0E7XIaPHoQF4lrPDkbyVdGaPyY17JMxsQ

-$ vim admin-user-crb.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system

$ kubectl create -f admin-user-crb.yaml
clusterrolebinding.rbac.authorization.k8s.io/admin-user created

$ kubectl get clusterrolebindings
NAME AGE
admin-user 44s
cluster-admin 19h
kubeadm:kubelet-bootstrap 19h
kubeadm:node-autoapprove-bootstrap 19h
…

()
$ git clone https://github.com/kubernetes/heapster.git
Cloning into 'heapster'...
remote: Counting objects: 30434, done.
remote: Total 30434 (delta 0), reused 0 (delta 0), pack-reused 30433
Receiving objects: 100% (30434/30434), 39.00 MiB | 7.30 MiB/s, done.
Resolving deltas: 100% (15636/15636), done.
Checking connectivity... done.

()
$ cd heapster/
$ kubectl create -f deploy/kube-config/influxdb/
deployment.extensions/monitoring-grafana created
service/monitoring-grafana created
serviceaccount/heapster created
deployment.extensions/heapster created
service/heapster created
deployment.extensions/monitoring-influxdb created
service/monitoring-influxdb created
$ kubectl create -f deploy/kube-config/rbac/heapster-rbac.yaml
clusterrolebinding.rbac.authorization.k8s.io/heapster created

$ kubectl get svc --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 21h
kube-system heapster ClusterIP 10.97.192.100 <none> 80/TCP 12m
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 21h
kube-system kubernetes-dashboard NodePort 10.110.140.252 <none> 443:30225/TCP 21h
kube-system monitoring-grafana ClusterIP 10.100.85.131 <none> 80/TCP 12m
…
-

n . /
n / . /
n / /
n / . .
n / .
n
n /
n
n . /
n /( ). .
: / ( /

$ kubectl apply -f deploy/kube-config/influxdb/
deployment.extensions/monitoring-grafana unchanged
service/monitoring-grafana unchanged
serviceaccount/heapster unchanged
deployment.extensions/heapster unchanged
service/heapster unchanged
deployment.extensions/monitoring-influxdb unchanged
service/monitoring-influxdb unchanged…

$ kubectl edit svc kubernetes-dashboard -n kube-system
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
kind: Service
metadata:
…

$ kubectl logs kubernetes-dashboard-6948bdb78-wcl9q -n kube-system
…
2018/06/29 06:32:54 [2018-06-29T06:32:54Z] Outcoming response to 10.32.0.1:38848 with 200 status code
2018/06/29 06:32:56 [2018-06-29T06:32:56Z] Incoming HTTP/2.0 GET /api/v1/login/status request from
10.32.0.1:38848: {}
2018/06/29 06:32:56 [2018-06-29T06:32:56Z] Outcoming response to 10.32.0.1:38848 with 200 status code
2018/06/29 06:32:56 [2018-06-29T06:32:56Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/token request from
10.32.0.1:38848: {}
…

$ kubectl get pods -n kube-system -o wide
…
NAME READY STATUS RESTARTS AGE IP NODE
coredns-78fcdf6894-245lt 1/1 Running 0 22h 10.40.0.2 k8s-1
coredns-78fcdf6894-q5hm4 1/1 Running 7 22h 10.40.0.1 k8s-1
etcd-k8s-1 1/1 Running 0 22h 192.168.1.13 k8s-1
heapster-dd6db4f9f-gbvtt 1/1 Running 0 1h 10.38.0.2 k8s-3
…
-

$ kubectl describe svc kubernetes-dashboard -n kube-system
Name: kubernetes-dashboard
Namespace: kube-system
Labels: k8s-app=kubernetes-dashboard
Annotations: kubectl.kubernetes.io/last-applied-
configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-
app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":...
Selector: k8s-app=kubernetes-dashboard
Type: NodePort
IP: 10.110.140.252…

n a
n . :
n .
n .
n a .
N b . / . / . .

$ vim nginx-po.yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx-pod
labels:
app: nginx
spec:
containers:
- name: nginx-container
image: nginx

$ kubectl get po
NAME READY STATUS RESTARTS AGE
nginx-pod 1/1 Running 0 3m
$ kubectl get po -o wide
nginx-pod 1/1 Running 0 4m 10.38.0.3 k8s-3

$ docker ps | grep nginx-container
0fe8adcd42a1
nginx@sha256:62a095e5da5f977b9f830adaf64d604c614024bf239d21068e4ca826d0d629a4
"nginx -g 'daemon ..." 4 minutes ago Up 4 minutes k8s_nginx-container_nginx-
pod_default_2b636f3a-7b78-11e8-bd04-fa163e7b4c21_0

$ kubectl exec -ti nginx-pod bash
$ apt-get update && apt-get install -y curl
$ curl 127.0.0.1:80
…
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
…

n I E . BNP
n CL : / ./ / / . -/
: ,/ / /: . -: - -/ : :/ -/:
/ :/ -/

$ vim nginx-svc.yaml
kind: Service
apiVersion: v1
metadata:
name: nginx-svc
spec:
ports:
- name: http
port: 81
targetPort: 80
selector:
app: nginx
type: ClusterIP

$ curl 10.103.19.26:81
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
…

$ vim nginx-svc.yaml
kind: Service
apiVersion: v1
metadata:
name: nginx-svc
spec:
ports:
- name: http
port: 81
targetPort: 80
nodePort: 30001
selector:
app: nginx
type: NodePort

$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 1d
nginx-svc NodePort 10.103.19.26 <none> 81:30001/TCP 16h

$ vim nginx-po.yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx-pod-2
labels:
app: nginx
spec:
containers:
image: nginx

$ kubectl get po -o wide
nginx-pod 1/1 Running 0 16h 10.38.0.3 k8s-3
nginx-pod-2 1/1 Running 0 4m 10.32.0.4 k8s-2

$ apt-get update && apt-get install -y vim
$ vim /usr/share/nginx/html/index.html
…
<body>
<h1>Welcome to nginx! (pod-1)</h1>
…

$ kubectl exec -ti nginx-pod-2 bash
$ apt-get update && apt-get install -y vim
$ vim /usr/share/nginx/html/index.html
…
<body>
<h1>Welcome to nginx! (pod-2)</h1>
…

$ kubectl create namespace nginx
namespace/nginx created

$ vim nginx-ns.yaml
apiVersion: v1
kind: Namespace
metadata:
name: nginx2

$ kubectl get ns
NAME STATUS AGE
default Active 1d
kube-public Active 1d
kube-system Active 1d
nginx Active 3m
nginx2 Active 3s

$ kubectl delete ns nginx2
namespace "nginx2" deleted

$ vim nginx-po.yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx-pod
namespace: nginx
labels:
app: nginx
spec:
containers:
image: nginx

$ kubectl get po nginx-pod -n nginx
nginx-pod 1/1 Running 0 2m

n :
n . /
/ . / / / . / . ./ . /

$ vim nginx-rs.yaml
apiVersion: extensions/v1beta1
kind: ReplicaSet
metadata:
name: replicaset-rs
spec:
replicas: 3
template:
metadata:
name: replicaset-po
labels:
app: nginx
spec:
containers:
- name: replicaset-container
image: nginx

$ kubectl get rs -n nginx
NAME DESIRED CURRENT READY AGE
replicaset-rs 3 3 3 17s

$ kubectl get po -n nginx
replicaset-rs-78lwk 1/1 Running 0 13m
replicaset-rs-kkqzc 1/1 Running 0 13m
replicaset-rs-mtt7h 1/1 Running 0 13m

$ kubectl delete po replicaset-rs-78lwk -n nginx
pod "replicaset-rs-78lwk" deleted
$ kubectl get po -n nginx
replicaset-rs-bgsmv 1/1 Running 0 11s
replicaset-rs-kkqzc 1/1 Running 0 16m
replicaset-rs-mtt7h 1/1 Running 0 16m

$ vim nginx-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deploy
namespace: nginx
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
name: nginx-po
labels:
app: nginx
spec:
containers:
image: nginx
ports:
- containerPort: 80

$ kubectl get deploy -n nginx
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
nginx-deploy 3 3 3 3 2m

$ kubectl set image deployment/nginx-deploy nginx-
container=nginx:alpine -n nginx
deployment.extensions/nginx-deploy image updated

$ kubectl describe po nginx-deploy-7698895786-7wd9d -n nginx
…
Containers:
nginx-container:
Container ID:
docker://a01d35c2b3dadd0912944e30faeab204632c15bf6dcb91ecea3562fa15a45f
85
Image: nginx:alpine
Image ID: docker-pullable://nginx@sha256:4a85273d1e403fbf67
…

$ kubectl rollout status deployment/nginx-deploy -n nginx
…
Waiting for deployment "nginx-deploy" rollout to finish: 1 out of 3 new replicas
have been updated...
have been updated
…

$ vim nginx-ds.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: nginx-ds
namespace: nginx
labels:
app: nginx
spec:
selector:
matchLabels:
app: nginx
template:
metadata:
name: nginx-po
labels:
app: nginx
spec:
containers:
image: nginx
ports:
- containerPort: 80

$ vim nginx-ds.yaml
…
spec:
selector:
matchLabels:
app: nginx
template:
metadata:
name: nginx-po
labels:
app: nginx
spec:
containers:
image: nginx
ports:
- containerPort: 80
resources:
limits:
cpu: 100m
memory: 200Mi
requests:
cpu: 100m
memory: 200Mi

$ vim nginx-statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: nginx-statefulset
namespace: nginx
labels:
app: nginx
spec:
serviceName: nginx
replicas: 4
selector:
matchLabels:
app: nginx
template:
metadata:
name: nginx-po
labels:
app: nginx
spec:
containers:
image: nginx
ports:
- containerPort: 80

n N DSPHFR SP E
n /): A : /A / . ( : ( C
/ A- A
AA B A A A A A C :B

$ vim nginx-pv.yaml
kind: PersistentVolume
apiVersion: v1
metadata:
name: nginx-pv
labels:
app: nginx
spec:
storageClassName: manual
capacity:
storage: 10Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
hostPath:
path: "/home/ubuntu/pv-file"

$ kubectl get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS
REASON AGE
nginx-pv 10Gi RWX Retain Available manual 7m

$ vim nginx-pvc.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: nginx-pvc
namespace: nginx
spec:
storageClassName: manual
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi

$ kubectl get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS
REASON AGE
nginx-pv-1 10Gi RWX Recycle Bound nginx/nginx-pvc manual 1m

$ vim nginx-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deploy
namespace: nginx
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
name: nginx-po
labels:
app: nginx
spec:
containers:
image: nginx
ports:
- containerPort: 80
volumeMounts:
- mountPath: "/usr/share/nginx/html"
name: nginx-storage
volumes:
- name: nginx-storage
persistentVolumeClaim:
claimName: nginx-pvc

$ echo -n 'admin' | base64
YWRtaW4=
$ vim nginx-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: nginx-secret
namespace: nginx
type: Opaque
data:
username: YWRtaW4=

$ kubectl describe nginx-secret –n nginx
Name: nginx-secret
Namespace: nginx
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
username: 5 bytes

$ vim nginx-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx-pod
namespace: nginx
spec:
containers:
image: nginx
env:
- name: SECRET_NAME
valueFrom:
secretKeyRef:
name: nginx-secret
key: username

$ kubectl exec -ti nginx-pod bash -n nginx
$ export
…
declare -x KUBERNETES_SERVICE_PORT="443"
declare -x KUBERNETES_SERVICE_PORT_HTTPS="443"
declare -x NGINX_VERSION="1.15.0-1~stretch"
declare -x NJS_VERSION="1.15.0.0.2.1-1~stretch"
declare -x OLDPWD
declare -x PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
declare -x PWD="/"
declare -x SECRET_NAME="admin"
declare -x SHLVL="1”
…

n B : B
n / / - - / / / / - - :
. -
- -

$ vim sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-user
namespace: nginx

$ kubectl create -f sa.yaml
serviceaccount/nginx-user created

$ kubectl describe sa nginx-user -n nginx
Name: nginx-user
Namespace: nginx
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: nginx-user-token-jnbl5
Tokens: nginx-user-token-jnbl5
Events: <none>

$ vim nginx-r.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: nginx
name: nginx-r
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "watch", "list", "update", "create", "delete"]
-

$ kubectl create -f nginx-r.yaml
role.rbac.authorization.k8s.io/nginx-r created

$ vim nginx-rb.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: nginx-rb
namespace: nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-r
subjects:
- kind: ServiceAccount
name: nginx-user
namespace: nginx
-

$ kubectl create -f nginx-rb.yaml
rolebinding.rbac.authorization.k8s.io/nginx-user created

Kubernetes Tutorial

More Related Content

What's hot

Similar to Kubernetes Tutorial

Recently uploaded

Kubernetes Tutorial