
@M0ses
Last active April 16, 2019 09:42
kubernetes-memo
 kubectl apply -f test-leap.yaml
 kubectl exec -it test-leap-pod -- /bin/bash

Add kube-registry as an insecure registry on each node

SEE /etc/containers/registries.conf

rccrio restart
# For more information on this configuration file, see containers-registries.conf(5).
#
# Registries to search for images that are not fully-qualified.
# i.e. foobar.com/my_image:latest vs my_image:latest
[registries.search]
registries = ["docker.io"]
# Registries that do not use TLS when pulling images or uses self-signed
# certificates.
# NOTE(review): pulls from these hosts are not protected by a verified TLS
# connection, so image content can be replaced by anyone on the network path.
# Keep this list to the in-cluster registry name; for registry.suse.de prefer
# trusting its CA instead of listing it here.
[registries.insecure]
registries = ["kube-registry.kube-system.svc.cluster.local:5000", "registry.suse.de"]
# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry. If you specify
# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
# registries. Blocked Registries is deprecated because other container runtimes and tools will not use it.
# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
# registries you want to allow users to pull and push from. policy.json gives greater flexibility, and
# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
[registries.block]
registries = []
{
"log-level": "warn",
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "5"
},
"insecure-registries":["kube-registry.kube-system.svc.cluster.local:5000", "registry.suse.de"]
}
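---
# MariaDB from the CaaSP image on registry.suse.de. That host is listed as an
# insecure registry in the node runtime config on this page, so the pull is not
# TLS-verified.
apiVersion: apps/v1  # was apps/v1beta1; apps/v1 is what the other Deployments here use
kind: Deployment
metadata:
  name: caasp-mariadb
  labels:
    app: caasp-mariadb
spec:
  strategy:
    type: Recreate
  # apps/v1 requires an explicit selector; it matches the template labels below,
  # which is what apps/v1beta1 defaulted to.
  selector:
    matchLabels:
      app: caasp-mariadb
      tier: mysql
  template:
    metadata:
      labels:
        app: caasp-mariadb
        tier: mysql
    spec:
      containers:
        - image: registry.suse.de/devel/casp/head/controllernode/sle_15/caasp/v4/mariadb:10.0.35
          name: obs-mariadb
          env:
            # NOTE(review): the root password is committed in clear text. Move it to
            # a Secret and reference it with valueFrom.secretKeyRef.
            - name: MYSQL_ROOT_PASSWORD
              value: opensuse
          ports:
            - containerPort: 3306
              name: mysql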
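---
# ClusterIP Service in front of the in-cluster registry pods (kube-registry-v0).
apiVersion: v1
kind: Service
metadata:
  name: kube-registry
  namespace: kube-system
spec:
  # clusterIP: 10.96.0.99
  ports:
    # NOTE(review): the port is named "https", but the registry behind it is
    # configured for plain HTTP (REGISTRY_HTTP_ADDR :5000, no TLS settings) and
    # the nodes list this host as an insecure registry. Rename the port to "http"
    # or terminate TLS on the registry so the name does not mislead.
    - name: https
      port: 5000
      protocol: TCP
      targetPort: 5000
  sessionAffinity: None
  type: ClusterIP
  selector:
    k8s-app: kube-registry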
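---
# In-cluster Docker registry (registry:2), three replicas sharing one CephFS
# volume through the Rook flexVolume so every replica serves the same image store.
apiVersion: v1
kind: ReplicationController
metadata:
  name: kube-registry-v0
  namespace: kube-system
  labels:
    k8s-app: kube-registry
    version: v0
    kubernetes.io/cluster-service: "true"
spec:
  replicas: 3
  selector:
    k8s-app: kube-registry
    version: v0
  template:
    metadata:
      labels:
        k8s-app: kube-registry
        version: v0
        kubernetes.io/cluster-service: "true"
    spec:
      containers:
        - name: registry
          image: registry:2  # floating tag; pin a digest for reproducible redeploys
          imagePullPolicy: Always
          # resources:
          #   limits:
          #     cpu: 100m
          #     memory: 100Mi
          env:
            # Configuration reference: https://docs.docker.com/registry/configuration/
            - name: REGISTRY_HTTP_ADDR
              value: ":5000"  # quoted: a leading ':' is a YAML indicator
            # NOTE(review): this is a visible "please change this" placeholder
            # committed in clear text. The registry uses it to sign client-held
            # state and all replicas must share it; generate a random per-cluster
            # value and inject it with valueFrom.secretKeyRef.
            - name: REGISTRY_HTTP_SECRET
              value: "Ple4seCh4ngeThisN0tAVerySecretV4lue"
            - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
              value: /var/lib/registry
          volumeMounts:
            - name: image-store
              mountPath: /var/lib/registry
          ports:
            - containerPort: 5000
              name: registry
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: registry
          readinessProbe:
            httpGet:
              path: /
              port: registry
      volumes:
        - name: image-store
          flexVolume:
            driver: ceph.rook.io/rook
            fsType: ceph
            options:
              fsName: myfs  # name of the filesystem specified in the filesystem CRD.
              clusterNamespace: rook-ceph  # namespace where the Rook cluster is deployed
              # by default the path is /, but you can override and mount a specific path of the filesystem by using the path attribute
              # the path must exist on the filesystem, otherwise mounting the filesystem at that path will fail
              # path: /some/path/inside/cephfs
              # (Optional) Specify an existing Ceph user that will be used for mounting this volume.
              # mountUser: user1
              # (Optional) Specify an existing Kubernetes secret name containing just one key holding the Ceph user secret.
              # The secret must exist in each namespace(s) where the storage will be consumed.
              # mountSecret: ceph-user1-secret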
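---
# Headless Service (clusterIP: None): DNS name obs-mariadb resolves directly to
# the MariaDB pod selected by app=obs-mariadb, tier=mysql.
apiVersion: v1
kind: Service
metadata:
  name: obs-mariadb
  labels:
    app: obs-mariadb
spec:
  ports:
    - port: 3306
  selector:
    app: obs-mariadb
    tier: mysql
  clusterIP: None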
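---
# 20Gi block volume for the MariaDB data directory, provisioned by the
# rook-ceph-block StorageClass defined on this page.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: obs-mariadb-pv-claim
  labels:
    app: obs-mariadb
spec:
  storageClassName: rook-ceph-block
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi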
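---
# MariaDB for OBS, image built locally and served from the in-cluster registry.
apiVersion: apps/v1  # was apps/v1beta1; apps/v1 is what the other Deployments here use
kind: Deployment
metadata:
  name: obs-mariadb
  labels:
    app: obs-mariadb
spec:
  strategy:
    type: Recreate  # the claim is ReadWriteOnce, so the old pod must release it before the new one starts
  # apps/v1 requires an explicit selector; it matches the template labels below,
  # which is what apps/v1beta1 defaulted to.
  selector:
    matchLabels:
      app: obs-mariadb
      tier: mysql
  template:
    metadata:
      labels:
        app: obs-mariadb
        tier: mysql
    spec:
      containers:
        # :latest floats; pin a digest or immutable tag so redeploys are reproducible.
        - image: kube-registry.kube-system.svc.cluster.local:5000/obs-mariadb:latest
          name: obs-mariadb
          env:
            # NOTE(review): the root password is committed in clear text. Move it to
            # a Secret and reference it with valueFrom.secretKeyRef.
            - name: MYSQL_ROOT_PASSWORD
              value: opensuse
          ports:
            - containerPort: 3306
              name: mysql
          volumeMounts:
            - name: obs-mariadb-persistent-storage
              mountPath: /var/lib/mysql
          # NOTE(review): privileged gives the database container unrestricted host
          # device and capability access; nothing in this manifest needs it. Drop it,
          # or replace it with the minimal capabilities.add list if a need is found.
          securityContext:
            privileged: true
      volumes:
        - name: obs-mariadb-persistent-storage
          persistentVolumeClaim:
            claimName: obs-mariadb-pv-claim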
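---
# 20Gi block volume for the OBS repository server (/srv/obs), provisioned by
# the rook-ceph-block StorageClass defined on this page.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: obs-repserver-pv-claim
  labels:
    app: obs-repserver
spec:
  storageClassName: rook-ceph-block
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi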
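---
# Headless Service for the OBS repository server on port 5252.
apiVersion: v1
kind: Service
metadata:
  name: obs-repserver
spec:
  selector:
    app: obs-repserver
  clusterIP: None
  ports:
    - name: obs-repserver
      port: 5252
      targetPort: 5252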
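---
# OBS repository server, single replica bound to its own block volume.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: obs-repserver
  labels:
    app: obs-repserver
spec:
  strategy:
    type: Recreate
  replicas: 1
  selector:
    matchLabels:
      app: obs-repserver
  template:
    metadata:
      labels:
        app: obs-repserver
    spec:
      containers:
        - name: obs-repserver
          image: kube-registry.kube-system.svc.cluster.local:5000/obs-repserver:latest
          ports:
            # 5252 matches the obs-repserver Service targetPort; the previous value
            # 5352 was the srcserver port and did not agree with the Service.
            - containerPort: 5252
          volumeMounts:
            - name: obs-repserver-persistent-storage
              mountPath: /srv/obs
      volumes:
        - name: obs-repserver-persistent-storage
          persistentVolumeClaim:
            claimName: obs-repserver-pv-claim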
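---
# 20Gi block volume for the OBS source server (/srv/obs), provisioned by the
# rook-ceph-block StorageClass defined on this page.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: obs-srcserver-pv-claim
  labels:
    app: obs-srcserver
spec:
  storageClassName: rook-ceph-block
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi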
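---
# Headless Service for the OBS source server on port 5352.
apiVersion: v1
kind: Service
metadata:
  name: obs-srcserver
spec:
  selector:
    app: obs-srcserver
  clusterIP: None
  ports:
    - name: obs-srcserver
      port: 5352
      targetPort: 5352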
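---
# OBS source server, single replica bound to its own block volume.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: obs-srcserver
  labels:
    app: obs-srcserver
spec:
  strategy:
    type: Recreate
  replicas: 1
  selector:
    matchLabels:
      app: obs-srcserver
  template:
    metadata:
      labels:
        app: obs-srcserver
    spec:
      containers:
        - name: obs-srcserver
          image: kube-registry.kube-system.svc.cluster.local:5000/obs-srcserver:latest
          ports:
            - containerPort: 5352  # matches the obs-srcserver Service targetPort
          volumeMounts:
            - name: obs-srcserver-persistent-storage
              mountPath: /srv/obs
      volumes:
        - name: obs-srcserver-persistent-storage
          persistentVolumeClaim:
            claimName: obs-srcserver-pv-claim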
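---
# OBS build workers; each pod runs the containerworker entry point from the image.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: obs-worker-deployment
  labels:
    app: obs-worker
spec:
  replicas: 3
  selector:
    matchLabels:
      app: obs-worker
  template:
    metadata:
      labels:
        app: obs-worker
    spec:
      containers:
        - name: obs-worker
          # :latest floats; pin a digest or immutable tag so all three replicas
          # run the same build.
          image: kube-registry.kube-system.svc.cluster.local:5000/obs-worker:latest
          ports:
            - containerPort: 8888
          command: ["/usr/lib/obs/server/containerworker"]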
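---
# NOTE(review): this policy switches off every PodSecurityPolicy control —
# privileged containers, any capability, any volume type, host PID/IPC/network
# namespaces, any UID. A pod admitted under it has effectively unrestricted access
# to its node. Bind it through RBAC only to the specific service accounts that
# need it, never to system:authenticated or a namespace-wide group.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp-privileged
spec:
  fsGroup:
    rule: RunAsAny
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - '*'
  allowedCapabilities:
    - '*'
  hostPID: true
  hostIPC: true
  hostNetwork: true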
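---
# Ceph RBD pool backing the rook-ceph-block StorageClass: three replicas,
# each placed on a different host.
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
  name: replicapool
  namespace: rook-ceph
spec:
  failureDomain: host
  replicated:
    size: 3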
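---
# StorageClass used by every PersistentVolumeClaim on this page; volumes come
# from the replicapool CephBlockPool and are kept after the claim is deleted.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rook-ceph-block
provisioner: ceph.rook.io/block
parameters:
  blockPool: replicapool
  # The value of "clusterNamespace" MUST be the same as the one in which your rook cluster exist
  clusterNamespace: rook-ceph
  # Specify the filesystem type of the volume. If not specified, it will use `ext4`.
  fstype: xfs
# Optional, default reclaimPolicy is "Delete". Other options are: "Retain", "Recycle" as documented in https://kubernetes.io/docs/concepts/storage/storage-classes/
reclaimPolicy: Retain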
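---
# Throwaway interactive shell pod (see the memo: kubectl exec -it test-leap-pod).
apiVersion: v1
kind: Pod
metadata:
  name: test-leap-pod
spec:
  containers:
    - name: test-leap-cont
      image: registry.opensuse.org/opensuse/leap:15
      tty: true
      # NOTE(review): an interactive shell does not need privileged, which grants
      # full access to host devices. Drop it unless the debugging task requires
      # it, and delete the pod when finished.
      securityContext:
        privileged: true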