Deploy-Laboratory/ansible/files/nodejs-demo/04-08-nodejs-demo.yaml

# 对应文档：docs/04-08-nodejs-安全上下文.md
# 累积：04-07 + pod securityContext.fsGroup、容器 securityContext、只读根、/tmp emptyDir
apiVersion: v1
kind: ConfigMap
metadata:
  name: nodejs-demo-config
  namespace: default
data:
  APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nodejs-demo
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nodejs-demo
  template:
    metadata:
      labels:
        app: nodejs-demo
    spec:
      nodeSelector:
        kubernetes.io/hostname: ylc62
      securityContext:
        fsGroup: 1000
      containers:
        - name: nodejs-demo
          image: node:18.20-alpine
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 1000
            readOnlyRootFilesystem: true
          env:
            - name: APP_MSG
              valueFrom:
                configMapKeyRef:
                  name: nodejs-demo-config
                  key: APP_MSG
          command:
            - node
            - "-e"
            - |
              const http=require('http');
              const msg=process.env.APP_MSG||'no env';
              http.createServer((q,s)=>s.end(msg)).listen(8080);
          ports:
            - containerPort: 8080
          resources:
            requests:
              cpu: "50m"
              memory: "64Mi"
            limits:
              cpu: "500m"
              memory: "256Mi"
          livenessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 3
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 2
            periodSeconds: 5
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: nodejs-demo
  namespace: default
spec:
  selector:
    app: nodejs-demo
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nodejs-demo
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - http:
        paths:
          - path: /node
            pathType: Prefix
            backend:
              service:
                name: nodejs-demo
                port:
                  number: 80