基本框架

ansible/files/nodejs-demo/04-08-nodejs-demo.yaml

@@ -0,0 +1,109 @@
+# 对应文档：docs/04-08-nodejs-安全上下文.md
+# 累积：04-07 + pod securityContext.fsGroup、容器 securityContext、只读根、/tmp emptyDir
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nodejs-demo-config
+  namespace: default
+data:
+  APP_MSG: "Hello from ConfigMap"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nodejs-demo
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nodejs-demo
+  template:
+    metadata:
+      labels:
+        app: nodejs-demo
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: ylc62
+      securityContext:
+        fsGroup: 1000
+      containers:
+        - name: nodejs-demo
+          image: node:18.20-alpine
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            readOnlyRootFilesystem: true
+          env:
+            - name: APP_MSG
+              valueFrom:
+                configMapKeyRef:
+                  name: nodejs-demo-config
+                  key: APP_MSG
+          command:
+            - node
+            - "-e"
+            - |
+              const http=require('http');
+              const msg=process.env.APP_MSG||'no env';
+              http.createServer((q,s)=>s.end(msg)).listen(8080);
+          ports:
+            - containerPort: 8080
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "64Mi"
+            limits:
+              cpu: "500m"
+              memory: "256Mi"
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 8080
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 8080
+            initialDelaySeconds: 2
+            periodSeconds: 5
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+      volumes:
+        - name: tmp
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nodejs-demo
+  namespace: default
+spec:
+  selector:
+    app: nodejs-demo
+  ports:
+    - port: 80
+      targetPort: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nodejs-demo
+  namespace: default
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: web
+spec:
+  rules:
+    - http:
+        paths:
+          - path: /node
+            pathType: Prefix
+            backend:
+              service:
+                name: nodejs-demo
+                port:
+                  number: 80