diff --git a/cn/docs/tasks/inject-data-application/podpreset-allow-db-merged.yaml b/cn/docs/tasks/inject-data-application/podpreset-allow-db-merged.yaml
new file mode 100644
index 0000000000..73d93312fa
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset-allow-db-merged.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: website
+ labels:
+ app: website
+ role: frontend
+ annotations:
+ podpreset.admission.kubernetes.io/podpreset-allow-database: "resource version"
+spec:
+ containers:
+ - name: website
+ image: ecorp/website
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ - mountPath: /etc/app/config.json
+ readOnly: true
+ name: secret-volume
+ ports:
+ - containerPort: 80
+ env:
+ - name: DB_PORT
+ value: "6379"
+ - name: duplicate_key
+ value: FROM_ENV
+ - name: expansion
+ value: $(REPLACE_ME)
+ envFrom:
+ - configMapRef:
+ name: etcd-env-config
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+ - name: secret-volume
+ secret:
+ secretName: config-details
diff --git a/cn/docs/tasks/inject-data-application/podpreset-allow-db.yaml b/cn/docs/tasks/inject-data-application/podpreset-allow-db.yaml
new file mode 100644
index 0000000000..96f6dbfe20
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset-allow-db.yaml
@@ -0,0 +1,31 @@
+apiVersion: settings.k8s.io/v1alpha1
+kind: PodPreset
+metadata:
+ name: allow-database
+ namespace: myns
+spec:
+ selector:
+ matchLabels:
+ role: frontend
+ env:
+ - name: DB_PORT
+ value: 6379
+ - name: duplicate_key
+ value: FROM_ENV
+ - name: expansion
+ value: $(REPLACE_ME)
+ envFrom:
+ - configMapRef:
+ name: etcd-env-config
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ - mountPath: /etc/app/config.json
+ readOnly: true
+ name: secret-volume
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+ - name: secret-volume
+ secret:
+ secretName: config-details
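Review bot: In podpreset-allow-db.yaml the `DB_PORT` entry is written as `value: 6379`, an unquoted scalar that YAML parses as an integer, while the env `value` field is a string and every other manifest in this commit writes `value: "6379"`. As written the preset is likely to be rejected at validation instead of producing the merged pod shown in podpreset-allow-db-merged.yaml; change the line to `value: "6379"`. Separately, this preset mounts `secret-volume` into every pod labelled `role: frontend` in `myns`, so a short comment above `selector:` such as `# every pod matching this label receives the secret volume below` would help readers scope the selector deliberately.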
diff --git a/cn/docs/tasks/inject-data-application/podpreset-configmap.yaml b/cn/docs/tasks/inject-data-application/podpreset-configmap.yaml
new file mode 100644
index 0000000000..806a880bff
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset-configmap.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: etcd-env-config
+data:
+ number_of_members: "1"
+ initial_cluster_state: new
+ initial_cluster_token: DUMMY_ETCD_INITIAL_CLUSTER_TOKEN
+ discovery_token: DUMMY_ETCD_DISCOVERY_TOKEN
+ discovery_url: http://etcd_discovery:2379
+ etcdctl_peers: http://etcd:2379
+ duplicate_key: FROM_CONFIG_MAP
+ REPLACE_ME: "a value"
+
diff --git a/cn/docs/tasks/inject-data-application/podpreset-conflict-pod.yaml b/cn/docs/tasks/inject-data-application/podpreset-conflict-pod.yaml
new file mode 100644
index 0000000000..9061b9f5e8
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset-conflict-pod.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: website
+ labels:
+ app: website
+ role: frontend
+spec:
+ containers:
+ - name: website
+ image: ecorp/website
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ ports:
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+ - containerPort: 80
diff --git a/cn/docs/tasks/inject-data-application/podpreset-conflict-preset.yaml b/cn/docs/tasks/inject-data-application/podpreset-conflict-preset.yaml
new file mode 100644
index 0000000000..ab70b14d28
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset-conflict-preset.yaml
@@ -0,0 +1,19 @@
+apiVersion: settings.k8s.io/v1alpha1
+kind: PodPreset
+metadata:
+ name: allow-database
+ namespace: myns
+spec:
+ selector:
+ matchLabels:
+ role: frontend
+ env:
+ - name: DB_PORT
+ value: "6379"
+ volumeMounts:
+ - mountPath: /cache
+ name: other-volume
+ volumes:
+ - name: other-volume
+ emptyDir: {}
+
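Review bot: podpreset-configmap.yaml keeps `initial_cluster_token` and `discovery_token` in a ConfigMap, and the allow-database preset in this commit injects the whole map through `envFrom` / `configMapRef`, so every selected container receives them as environment variables. The values are dummies, but examples get copied; a comment above `data:` such as `# dummy values; keep real tokens in a Secret and reference it with secretRef` would make the intent explicit. `discovery_url` and `etcdctl_peers` also use plain `http://`, which deserves the same kind of remark if they stand for real endpoints.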
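Review bot: In podpreset-conflict-pod.yaml the `ports:` key has no entries and `- containerPort: 80` is the last line of the file, after the `emptyDir: {}` of the `volumes` entry. Indentation is not recoverable in this view, but the order alone shows the port item is not under `ports:`, so the manifest the page presents as the unchanged pod spec is probably not valid as written. Move `- containerPort: 80` so it directly follows `ports:` and leave `volumes:` with only the `cache-volume` entry.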
diff --git a/cn/docs/tasks/inject-data-application/podpreset-merged.yaml b/cn/docs/tasks/inject-data-application/podpreset-merged.yaml
new file mode 100644
index 0000000000..0a5dfce0b5
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset-merged.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: website
+ labels:
+ app: website
+ role: frontend
+ annotations:
+ podpreset.admission.kubernetes.io/podpreset-allow-database: "resource version"
+spec:
+ containers:
+ - name: website
+ image: ecorp/website
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ ports:
+ - containerPort: 80
+ env:
+ - name: DB_PORT
+ value: "6379"
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+
diff --git a/cn/docs/tasks/inject-data-application/podpreset-multi-merged.yaml b/cn/docs/tasks/inject-data-application/podpreset-multi-merged.yaml
new file mode 100644
index 0000000000..dd6a7197ef
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset-multi-merged.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: website
+ labels:
+ app: website
+ role: frontend
+ annotations:
+ podpreset.admission.kubernetes.io/podpreset-allow-database: "resource version"
+ podpreset.admission.kubernetes.io/podpreset-proxy: "resource version"
+spec:
+ containers:
+ - name: website
+ image: ecorp/website
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ - mountPath: /etc/proxy/configs
+ name: proxy-volume
+ ports:
+ - containerPort: 80
+ env:
+ - name: DB_PORT
+ value: "6379"
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+ - name: proxy-volume
+ emptyDir: {}
diff --git a/cn/docs/tasks/inject-data-application/podpreset-pod.yaml b/cn/docs/tasks/inject-data-application/podpreset-pod.yaml
new file mode 100644
index 0000000000..82c590a924
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: website
+ labels:
+ app: website
+ role: frontend
+spec:
+ containers:
+ - name: website
+ image: ecorp/website
+ ports:
+ - containerPort: 80
+
diff --git a/cn/docs/tasks/inject-data-application/podpreset-preset.yaml b/cn/docs/tasks/inject-data-application/podpreset-preset.yaml
new file mode 100644
index 0000000000..c5d34437f2
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset-preset.yaml
@@ -0,0 +1,18 @@
+apiVersion: settings.k8s.io/v1alpha1
+kind: PodPreset
+metadata:
+ name: allow-database
+ namespace: myns
+spec:
+ selector:
+ matchLabels:
+ role: frontend
+ env:
+ - name: DB_PORT
+ value: "6379"
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
diff --git a/cn/docs/tasks/inject-data-application/podpreset-proxy.yaml b/cn/docs/tasks/inject-data-application/podpreset-proxy.yaml
new file mode 100644
index 0000000000..20dab81f36
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset-proxy.yaml
@@ -0,0 +1,15 @@
+apiVersion: settings.k8s.io/v1alpha1
+kind: PodPreset
+metadata:
+ name: proxy
+ namespace: myns
+spec:
+ selector:
+ matchLabels:
+ role: frontend
+ volumeMounts:
+ - mountPath: /etc/proxy/configs
+ name: proxy-volume
+ volumes:
+ - name: proxy-volume
+ emptyDir: {}
diff --git a/cn/docs/tasks/inject-data-application/podpreset-replicaset-merged.yaml b/cn/docs/tasks/inject-data-application/podpreset-replicaset-merged.yaml
new file mode 100644
index 0000000000..97f16fde1f
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset-replicaset-merged.yaml
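Review bot: `image: ecorp/website` in podpreset-pod.yaml carries no tag or digest, so it resolves to `latest` and the content that runs can change without the manifest changing. For an example that readers copy, pin it, for instance `image: ecorp/website:<tag>` with a placeholder tag, or add a comment saying a fixed tag or digest should be used in practice. The same untagged image appears in the merged and conflict pod manifests of this commit.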
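Review bot: podpreset-preset.yaml sets `namespace: myns`, but the pod in podpreset-pod.yaml has no `namespace`, and a PodPreset only applies to pods created in its own namespace. Applied as written from a default context, the pod would land in a different namespace and come through unmodified, which contradicts the merged output the page shows. Either add `namespace: myns` to the pod examples or put a comment above the preset's `metadata:` such as `# must live in the same namespace as the pods it should modify`. The allow-db, conflict and proxy presets carry the same setting.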
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: guestbook
+ tier: frontend
+ annotations:
+ podpreset.admission.kubernetes.io/podpreset-allow-database: "resource version"
+spec:
+ containers:
+ - name: php-redis
+ image: gcr.io/google_samples/gb-frontend:v3
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ env:
+ - name: GET_HOSTS_FROM
+ value: dns
+ - name: DB_PORT
+ value: "6379"
+ ports:
+ - containerPort: 80
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+
diff --git a/cn/docs/tasks/inject-data-application/podpreset-replicaset.yaml b/cn/docs/tasks/inject-data-application/podpreset-replicaset.yaml
new file mode 100644
index 0000000000..e3ad37470c
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset-replicaset.yaml
@@ -0,0 +1,29 @@
+apiVersion: apps/v1beta2
+kind: ReplicaSet
+metadata:
+ name: frontend
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ tier: frontend
+ matchExpressions:
+ - {key: tier, operator: In, values: [frontend]}
+ template:
+ metadata:
+ labels:
+ app: guestbook
+ tier: frontend
+ spec:
+ containers:
+ - name: php-redis
+ image: gcr.io/google_samples/gb-frontend:v3
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ env:
+ - name: GET_HOSTS_FROM
+ value: dns
+ ports:
+ - containerPort: 80
diff --git a/cn/docs/tasks/inject-data-application/podpreset.md b/cn/docs/tasks/inject-data-application/podpreset.md
new file mode 100644
index 0000000000..af28ac14c0
--- /dev/null
+++ b/cn/docs/tasks/inject-data-application/podpreset.md
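Review bot: The pod template in podpreset-replicaset.yaml is labelled `app: guestbook` and `tier: frontend`, but the preset this example is paired with selects `role: frontend`, so as written the preset would not match these pods and the injected `DB_PORT` and `cache-volume` shown in podpreset-replicaset-merged.yaml would not appear. Add `role: frontend` to the template `labels` (and to the merged example), or use a preset whose `matchLabels` is `tier: frontend`. As a smaller style point, the `selector` states the same constraint twice, once in `matchLabels` and once in the flow-style `matchExpressions` entry; keeping only `matchLabels` reads more cleanly.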
@@ -0,0 +1,124 @@
+---
+approvers:
+- jessfraz
+title: 使用 PodPreset 将信息注入 Pods
+---
+
+在 pod 创建时,用户可以使用 `podpreset` 对象将 secrets、卷挂载和环境变量等信息注入其中。
+本文展示了一些 `PodPreset` 资源使用的示例。
+用户可以从[理解 Pod Presets](/docs/concepts/workloads/pods/podpreset/) 中了解 PodPresets 的整体情况。
+
+* TOC
+{:toc}
+
+## 创建 Pod Preset
+
+### 简单的 Pod Spec 示例
+
+这里是一个简单的示例,展示了如何通过 Pod Preset 修改 Pod spec 。
+
+**用户提交的 pod spec:**
+
+{% include code.html language="yaml" file="podpreset-pod.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-pod.yaml" %}
+
+**Pod Preset 示例:**
+
+{% include code.html language="yaml" file="podpreset-preset.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-preset.yaml" %}
+
+**通过准入控制器后的 Pod spec:**
+
+{% include code.html language="yaml" file="podpreset-merged.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-merged.yaml" %}
+
+### 带有 `ConfigMap` 的 Pod Spec 示例
+
+这里的示例展示了如何通过 Pod Preset 修改 Pod spec,Pod Preset 中定义了 `ConfigMap` 作为环境变量取值来源。
+
+**用户提交的 pod spec:**
+
+{% include code.html language="yaml" file="podpreset-pod.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-pod.yaml" %}
+
+**用户提交的 `ConfigMap`:**
+
+{% include code.html language="yaml" file="podpreset-configmap.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-configmap.yaml" %}
+
+**Pod Preset 示例:**
+
+{% include code.html language="yaml" file="podpreset-allow-db.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-allow-db.yaml" %}
+
+**通过准入控制器后的 Pod spec:**
+
+{% include code.html language="yaml" file="podpreset-allow-db-merged.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-allow-db-merged.yaml" %}
+
+### 带有 Pod Spec 的 ReplicaSet 示例
+
+以下示例展示了(通过 ReplicaSet 创建 pod 后)只有 pod spec 会被 Pod Preset 所修改。
+
+**用户提交的 ReplicaSet:**
+
+{% include code.html language="yaml" file="podpreset-replicaset.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-replicaset.yaml" %}
+
+**Pod Preset 示例:**
+
+{% include code.html language="yaml" file="podpreset-preset.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-preset.yaml" %}
+
+**通过准入控制器后的 Pod spec:**
+
+注意 ReplicaSet spec 没有改变,用户必须检查单独的 pod 来验证 PodPreset 已被应用。
+
+{% include code.html language="yaml" file="podpreset-replicaset-merged.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-replicaset-merged.yaml" %}
+
+### 多 PodPreset 示例
+
+这里的示例展示了如何通过多个 Pod 注入策略修改 Pod spec。
+
+**用户提交的 pod spec:**
+
+{% include code.html language="yaml" file="podpreset-pod.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-pod.yaml" %}
+
+**Pod Preset 示例:**
+
+{% include code.html language="yaml" file="podpreset-preset.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-preset.yaml" %}
+
+**另一个 Pod Preset 示例:**
+
+{% include code.html language="yaml" file="podpreset-proxy.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-proxy.yaml" %}
+
+**通过准入控制器后的 Pod spec:**
+
+{% include code.html language="yaml" file="podpreset-multi-merged.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-multi-merged.yaml" %}
+
+### 冲突示例
+
+这里的示例展示了 Pod Preset 与原 Pod 存在冲突时,Pod spec 不会被修改。
+
+**用户提交的 pod spec:**
+
+{% include code.html language="yaml" file="podpreset-conflict-pod.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-conflict-pod.yaml" %}
+
+**Pod Preset 示例:**
+
+{% include code.html language="yaml" file="podpreset-conflict-preset.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-conflict-preset.yaml" %}
+
+**因存在冲突,通过准入控制器后的 Pod spec 不会改变:**
+
+{% include code.html language="yaml" file="podpreset-conflict-pod.yaml" ghlink="/cn/docs/tasks/inject-data-application/podpreset-conflict-pod.yaml" %}
+
+**如果运行 `kubectl describe...` 用户会看到以下事件:**
+
+```
+$ kubectl describe ...
+....
+Events:
+ FirstSeen LastSeen Count From SubobjectPath Reason Message
+ Tue, 07 Feb 2017 16:56:12 -0700 Tue, 07 Feb 2017 16:56:12 -0700 1 {podpreset.admission.kubernetes.io/podpreset-allow-database } conflict Conflict on pod preset. Duplicate mountPath /cache.
+```
+
+## 删除 Pod Preset
+
+一旦用户不再需要 pod preset,可以使用 `kubectl` 进行删除:
+
+```shell
+$ kubectl delete podpreset allow-database
+podpreset "allow-database" deleted
+```
+