Table of contents
Here’s an overview of the most important and complete Kubernetes objects, along with examples of their YAML configurations:
1. Namespace
Namespaces are a way to divide cluster resources between multiple users or projects.
apiVersion: v1
kind: Namespace
metadata:
name: my-namespace
2. Pod
A Pod is the smallest deployable unit in Kubernetes, which can contain one or more containers.
apiVersion: v1
kind: Pod
metadata:
name: my-pod
namespace: my-namespace
spec:
containers:
- name: my-container
image: nginx:latest
ports:
- containerPort: 80
3. ReplicaSet
A ReplicaSet ensures that a specified number of replicas of a pod are running at any given time.
apiVersion: apps/v1
kind: ReplicaSet
metadata:
name: my-replicaset
namespace: my-namespace
spec:
replicas: 3
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
containers:
- name: nginx
image: nginx:latest
4. Deployment
A Deployment manages the ReplicaSets and provides declarative updates to Pods.
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-deployment
namespace: my-namespace
spec:
replicas: 3
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80
5. Service
A Service is a stable endpoint that allows communication with Pods.
apiVersion: v1
kind: Service
metadata:
name: my-service
namespace: my-namespace
spec:
selector:
app: my-app
ports:
- protocol: TCP
port: 80
targetPort: 80
type: ClusterIP
6. ConfigMap
A ConfigMap is a way to inject configuration data into a Pod or container.
apiVersion: v1
kind: ConfigMap
metadata:
name: my-configmap
namespace: my-namespace
data:
key1: value1
key2: value2
7. Secret
A Secret is used to store sensitive data, such as passwords or API keys.
apiVersion: v1
kind: Secret
metadata:
name: my-secret
namespace: my-namespace
type: Opaque
data:
password: cGFzc3dvcmQ= # base64 encoded value of 'password'
8. PersistentVolume (PV)
A PersistentVolume is a piece of storage in the cluster that is provisioned either statically or dynamically.
apiVersion: v1
kind: PersistentVolume
metadata:
name: my-pv
namespace: my-namespace
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
hostPath:
path: /mnt/data
9. PersistentVolumeClaim (PVC)
A PersistentVolumeClaim is a request for storage by a user. It consumes the PersistentVolume.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: my-pvc
namespace: my-namespace
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
10. StatefulSet
A StatefulSet is used for managing stateful applications, guaranteeing the ordering and uniqueness of pods.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: my-statefulset
namespace: my-namespace
spec:
serviceName: "my-service"
replicas: 3
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
containers:
- name: nginx
image: nginx:latest
volumeMounts:
- name: data
mountPath: /data
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: [ "ReadWriteOnce" ]
resources:
requests:
storage: 1Gi
11. Ingress
An Ingress allows HTTP and HTTPS routing to services based on the request’s host or path.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
namespace: my-namespace
spec:
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-service
port:
number: 80
12. HorizontalPodAutoscaler (HPA)
An HPA automatically scales the number of pod replicas based on observed CPU utilization or custom metrics.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: my-hpa
namespace: my-namespace
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: my-deployment
minReplicas: 1
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 50
13. CronJob
A CronJob runs jobs on a scheduled basis.
apiVersion: batch/v1
kind: CronJob
metadata:
name: my-cronjob
namespace: my-namespace
spec:
schedule: "0 0 * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: my-container
image: nginx:latest
restartPolicy: OnFailure
14. Role & RoleBinding
Roles and RoleBindings define access permissions within a namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: my-namespace
name: my-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: my-role-binding
namespace: my-namespace
subjects:
- kind: User
name: "jane"
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: my-role
apiGroup: rbac.authorization.k8s.io
15. NetworkPolicy
Network policies control the communication between pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: my-network-policy
namespace: my-namespace
spec:
podSelector:
matchLabels:
app: my-app
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: my-app
ports:
- protocol: TCP
port: 80
egress:
- to:
- podSelector:
matchLabels:
app: other-app
ports:
- protocol: TCP
port: 80
16. DaemonSet
A DaemonSet ensures that a copy of a Pod is running on all (or a selected subset of) nodes in the cluster. This is useful for deploying infrastructure services like monitoring agents, logging agents, or Istio sidecar proxies (if not using automatic sidecar injection).
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: my-daemonset
namespace: my-namespace
spec:
selector:
matchLabels:
app: my-daemon
template:
metadata:
labels:
app: my-daemon
spec:
containers:
- name: my-container
image: nginx:latest
17. Job
A Job is used for running batch or parallel tasks that should run to completion. Kubernetes ensures that the specified number of pods complete successfully.
apiVersion: batch/v1
kind: Job
metadata:
name: my-job
namespace: my-namespace
spec:
template:
spec:
containers:
- name: my-job-container
image: ubuntu
command: ["echo", "Hello, World!"]
restartPolicy: Never
18. EndPointSlice
EndpointSlice is a Kubernetes resource designed to improve scalability by splitting endpoints into smaller slices, especially when dealing with large-scale services.
apiVersion: discovery.k8s.io/v1beta1
kind: EndpointSlice
metadata:
name: my-endpointslice
namespace: my-namespace
addressType: IPv4
endpoints:
- addresses:
- "192.168.1.1"
conditions:
ready: true
ports:
- name: http
port: 80
protocol: TCP
19. PodDisruptionBudget (PDB)
A PodDisruptionBudget ensures that a minimum number of replicas of a Pod are available during voluntary disruptions, such as during maintenance or rolling updates.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: my-pdb
namespace: my-namespace
spec:
minAvailable: 2
selector:
matchLabels:
app: my-app
20. LimitRange
A LimitRange allows you to set resource limits and requests for containers in a namespace. It can help to enforce resource constraints for Pods and avoid overconsumption.
apiVersion: v1
kind: LimitRange
metadata:
name: my-limitrange
namespace: my-namespace
spec:
limits:
- default:
memory: 512Mi
cpu: 1
defaultRequest:
memory: 256Mi
cpu: 0.5
type: Container
21. ResourceQuota
A ResourceQuota sets limits on the amount of resources that can be consumed in a given namespace, like CPU, memory, or storage.
apiVersion: v1
kind: ResourceQuota
metadata:
name: my-quota
namespace: my-namespace
spec:
hard:
requests.cpu: "10"
requests.memory: 10Gi
limits.cpu: "20"
limits.memory: 20Gi
pods: "50"
22. Affinity and Tolerations
Affinity and tolerations are used to control how Pods are scheduled on nodes, particularly for achieving high availability or for scheduling on specific hardware (e.g., GPUs).
• Node Affinity:
apiVersion: v1
kind: Pod
metadata:
name: my-affinity-pod
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: "kubernetes.io/hostname"
operator: In
values:
- node-1
• Tolerations:
apiVersion: v1
kind: Pod
metadata:
name: my-toleration-pod
spec:
tolerations:
- key: "key1"
operator: "Equal"
value: "value1"
effect: "NoSchedule"
23. PodSecurityPolicy (PSP)
A PodSecurityPolicy is used to control the security settings for Pods. It is now deprecated in newer versions of Kubernetes (v1.21 and above) and replaced by PodSecurity admission control.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: my-psp
spec:
privileged: false
volumes:
- "configMap"
- "secret"
allowPrivilegeEscalation: false
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
Istio
Istio is a popular service mesh for Kubernetes, and it plays a crucial role in managing microservices by providing traffic management, security, and observability. While Istio isn’t technically a Kubernetes object (it’s more of an extension), it does integrate deeply with Kubernetes using several custom resources and objects.
To use Istio within a Kubernetes cluster, we typically deploy Istio’s components and leverage custom resources that Istio introduces. Below are key Kubernetes objects and configurations that are used when Istio is installed:
1. Istio Control Plane
The Istio control plane consists of several components (Pilot, Mixer, Citadel, etc.) that need to be deployed in your Kubernetes cluster.
Istio is usually installed via istioctl or Helm, which deploys the Istio control plane components into the istio-system namespace.
istioctl install --set profile=default
2. VirtualService
A VirtualService is an Istio custom resource that configures how traffic should be routed to different services within your mesh.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: my-virtualservice
namespace: my-namespace
spec:
hosts:
- my-app
http:
- match:
- uri:
exact: /v1
route:
- destination:
host: my-app
subset: v1
- match:
- uri:
exact: /v2
route:
- destination:
host: my-app
subset: v2
This routes traffic based on the URL path (/v1, /v2) to different subsets of a service.
3. DestinationRule
A DestinationRule defines policies that apply to traffic intended for a service after routing has occurred. This could include load balancing, connection pool size, retries, and more.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: my-destinationrule
namespace: my-namespace
spec:
host: my-app
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
This defines two subsets of the my-app service, one for v1 and one for v2, based on the labels applied to the pods.
4. Gateway
A Gateway in Istio defines a load balancer for HTTP/TCP traffic, which controls how external traffic enters the mesh.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: my-gateway
namespace: my-namespace
spec:
selector:
istio: ingressgateway # Use the default Istio ingress gateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
This creates an Istio gateway on port 80 that listens for HTTP traffic from external clients.
5. PeerAuthentication
The PeerAuthentication resource defines authentication policies for services when they communicate with each other in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: my-peer-authentication
namespace: my-namespace
spec:
mtls:
mode: STRICT
This enables mutual TLS (mTLS) for all services in the my-namespace namespace, ensuring secure communication between them.
6. AuthorizationPolicy
The AuthorizationPolicy defines fine-grained access control to services. You can enforce who can access a given service and the methods they can use.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: my-authorization-policy
namespace: my-namespace
spec:
selector:
matchLabels:
app: my-app
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/my-service-account"]
to:
- operation:
methods: ["GET"]
This example allows only the my-service-account service account to call the my-app service and only with the HTTP method GET.
7. Sidecar Injection
Istio typically uses sidecar proxies (Envoy proxies) to intercept and manage traffic to and from microservices. By default, Istio can inject sidecars automatically when a new pod is created, but this can be controlled with annotations or labels.
For automatic sidecar injection, enable it in the namespace:
kubectl label namespace my-namespace istio-injection=enabled
Or manually inject the sidecar into a pod using istioctl:
istioctl kube-inject -f my-pod.yaml | kubectl apply -f -
8. ServiceEntry
A ServiceEntry allows you to add entries to Istio’s internal service registry, enabling access to services outside of the mesh.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: my-service-entry
namespace: my-namespace
spec:
hosts:
- "external-service.com"
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
This allows services inside the mesh to access an external service (ex. external-service.com) over HTTP.
9. EnvoyFilter
Envoy filters can be used to apply custom configurations to the Envoy proxies. You can use this to modify how traffic is handled by Istio.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: my-envoy-filter
namespace: my-namespace
spec:
workloadSelector:
labels:
app: my-app
filters:
- filterType: HTTP
filterName: envoy.filters.http.router
filterConfig:
maxStreamDuration: 300s
This configuration changes the maxStreamDuration for HTTP requests handled by the my-app service.
Installation of Istio
To install Istio, you can use the istioctl command:
curl -L https://istio.io/downloadIstio | sh -
cd istio-*
istioctl install --set profile=default
Once Istio is installed, you can use the above objects (VirtualService, Gateway, etc.) to configure your Istio service mesh.
These YAML configurations represent the most commonly used Kubernetes objects and are essential for managing various types of workloads and access control, including Pods, Services, Deployments, StatefulSets, and more. With these, you can handle deployments, storage, scaling, security, and networking effectively.