kubernetes.io > Documentation > Tasks > Configure Pods and Containers > Configure a Pod to Use a ConfigMap
show
kubectl create configmap config --from-literal=foo=lala --from-literal=foo2=lolo
show
kubectl get cm config -o yaml
# or
kubectl describe cm config
Create the file with
echo -e "foo3=lili\nfoo4=lele" > config.txt
show
kubectl create cm configmap2 --from-file=config.txt
kubectl get cm configmap2 -o yaml
Create the file with the command
echo -e "var1=val1\n# this is a comment\n\nvar2=val2\n#anothercomment" > config.env
show
kubectl create cm configmap3 --from-env-file=config.env
kubectl get cm configmap3 -o yaml
Create the file with
echo -e "var3=val3\nvar4=val4" > config4.txt
show
kubectl create cm configmap4 --from-file=special=config4.txt
kubectl describe cm configmap4
kubectl get cm configmap4 -o yaml
Create a configMap called 'options' with the value var5=val5. Create a new nginx pod that loads the value from variable 'var5' in an env variable called 'option'
show
kubectl create cm options --from-literal=var5=val5
kubectl run nginx --image=nginx --restart=Never --dry-run=client -o yaml > pod.yaml
vi pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx
resources: {}
env:
- name: option # name of the env variable
valueFrom:
configMapKeyRef:
name: options # name of config map
key: var5 # name of the entity in config map
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
kubectl create -f pod.yaml
kubectl exec -it nginx -- env | grep option # will show 'option=val5'
Create a configMap 'anotherone' with values 'var6=val6', 'var7=val7'. Load this configMap as env variables into a new nginx pod
show
kubectl create configmap anotherone --from-literal=var6=val6 --from-literal=var7=val7
kubectl run --restart=Never nginx --image=nginx -o yaml --dry-run=client > pod.yaml
vi pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx
resources: {}
envFrom: # different than previous one, that was 'env'
- configMapRef: # different from the previous one, was 'configMapKeyRef'
name: anotherone # the name of the config map
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
kubectl create -f pod.yaml
kubectl exec -it nginx -- env
Create a configMap 'cmvolume' with values 'var8=val8', 'var9=val9'. Load this as a volume inside an nginx pod on path '/etc/lala'. Create the pod and 'ls' into the '/etc/lala' directory.
show
kubectl create configmap cmvolume --from-literal=var8=val8 --from-literal=var9=val9
kubectl run nginx --image=nginx --restart=Never -o yaml --dry-run=client > pod.yaml
vi pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
volumes: # add a volumes list
- name: myvolume # just a name, you'll reference this in the pods
configMap:
name: cmvolume # name of your configmap
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx
resources: {}
volumeMounts: # your volume mounts are listed here
- name: myvolume # the name that you specified in pod.spec.volumes.name
mountPath: /etc/lala # the path inside your container
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
kubectl create -f pod.yaml
kubectl exec -it nginx -- /bin/sh
cd /etc/lala
ls # will show var8 var9
cat var8 # will show val8
kubernetes.io > Documentation > Tasks > Configure Pods and Containers > Configure a Security Context for a Pod or Container
show
kubectl run nginx --image=nginx --restart=Never --dry-run=client -o yaml > pod.yaml
vi pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
securityContext: # insert this line
runAsUser: 101 # UID for the user
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
Create the YAML for an nginx pod that has the capabilities "NET_ADMIN", "SYS_TIME" added to its single container
show
kubectl run nginx --image=nginx --restart=Never --dry-run=client -o yaml > pod.yaml
vi pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx
securityContext: # insert this line
capabilities: # and this
add: ["NET_ADMIN", "SYS_TIME"] # this as well
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
kubernetes.io > Documentation > Tasks > Configure Pods and Containers > Assign CPU Resources to Containers and Pods
show
kubectl run nginx --image=nginx --restart=Never --requests='cpu=100m,memory=256Mi' --limits='cpu=200m,memory=512Mi'
Note: Use of --requests
and --limits
flags in the imperative run
command is deprecated as of 1.21 K8s version and will be removed in the future. Instead, use kubectl set resources
command in combination with kubectl run --dry-run=client -o yaml ...
as shown below.
Alternative using set resources
in combination with imperative run
command:
kubectl run nginx --image=nginx --restart=Never --dry-run=client -o yaml | kubectl set resources -f - --requests=cpu=100m,memory=256Mi --limits=cpu=200m,memory=512Mi --local -o yaml > nginx-pod.yml
kubectl create -f nginx-pod.yml
kubernetes.io > Documentation > Concepts > Configuration > Secrets
kubernetes.io > Documentation > Tasks > Inject Data Into Applications > Distribute Credentials Securely Using Secrets
show
kubectl create secret generic mysecret --from-literal=password=mypass
Create a file called username with the value admin:
echo -n admin > username
show
kubectl create secret generic mysecret2 --from-file=username
show
kubectl get secret mysecret2 -o yaml
echo -n YWRtaW4= | base64 -d # on MAC it is -D, which decodes the value and shows 'admin'
Alternative using --jsonpath
:
kubectl get secret mysecret2 -o jsonpath='{.data.username}' | base64 -d # on MAC it is -D
Alternative using --template
:
kubectl get secret mysecret2 --template '{{.data.username}}' | base64 -d # on MAC it is -D
show
kubectl run nginx --image=nginx --restart=Never -o yaml --dry-run=client > pod.yaml
vi pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
volumes: # specify the volumes
- name: foo # this name will be used for reference inside the container
secret: # we want a secret
secretName: mysecret2 # name of the secret - this must already exist on pod creation
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx
resources: {}
volumeMounts: # our volume mounts
- name: foo # name on pod.spec.volumes
mountPath: /etc/foo #our mount path
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
kubectl create -f pod.yaml
kubectl exec -it nginx /bin/bash
ls /etc/foo # shows username
cat /etc/foo/username # shows admin
Delete the pod you just created and mount the variable 'username' from secret mysecret2 onto a new nginx pod in env variable called 'USERNAME'
show
kubectl delete po nginx
kubectl run nginx --image=nginx --restart=Never -o yaml --dry-run=client > pod.yaml
vi pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx
resources: {}
env: # our env variables
- name: USERNAME # asked name
valueFrom:
secretKeyRef: # secret reference
name: mysecret2 # our secret's name
key: username # the key of the data in the secret
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
kubectl create -f pod.yaml
kubectl exec -it nginx -- env | grep USERNAME | cut -d '=' -f 2 # will show 'admin'
kubernetes.io > Documentation > Tasks > Configure Pods and Containers > Configure Service Accounts for Pods
show
kubectl get sa --all-namespaces
Alternatively
kubectl get sa -A
show
kubectl create sa myuser
Alternatively:
# let's get a template easily
kubectl get sa default -o yaml > sa.yaml
vim sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: myuser
kubectl create -f sa.yaml
show
kubectl run nginx --image=nginx --restart=Never -o yaml --dry-run=client > pod.yaml
vi pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
serviceAccountName: myuser # we use pod.spec.serviceAccountName
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
or
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
serviceAccount: myuser # we use pod.spec.serviceAccount
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
kubectl create -f pod.yaml
kubectl describe pod nginx # will see that a new secret called myuser-token-***** has been mounted