Kubernetes Deployment İçin Volumes

Giriş

Çeşitli volume tipleri var.

1. emptyDir

2. PersistentVolume

gibi

emptyDir

Şu cümleler önemli

emptyDir are volumes that get created empty when a Pod is created.

Deleting a Pod deletes all its emptyDirs.

emptyDir are meant for temporary working disk space.

Örnek

Şöyle yaparız

apiVersion: apps/v1
kind: Deployment
metadata:
  name: dune-quote-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dune-quote-service
  template:
    metadata:
      labels:
        app: dune-quote-service
    spec:
      containers:
        - image: gamussa/reactive-quote-service:0.0.3
          imagePullPolicy: Always
          name: dune-quote-service
          ports:
            - containerPort: 9001
          env:
            ...
            - name: GRPC_SERVER_SECURITY_CERTIFICATECHAIN
              value: "file:/mnt/grpc-cert-chain/server.crt"
            - name: GRPC_SERVER_SECURITY_PRIVATEKEY
              value: "file:/mnt/grpc-pk/server.key"
          volumeMounts:
            - mountPath: /mnt/grpc-cert-chain
              name: grpc-cert-chain
            - mountPath: /mnt/grpc-pk
              name: grpc-pk
      volumes:
        - name: grpc-cert-chain
          secret:
            secretName: grpc-cert-chain
        - name: grpc-pk
          secret:
            secretName: grpc-pk

Örnek - sadece tmp Dizini Hakkı

Açıklaması şöyle

Applications running in a containerized environment seldom write data, as that practically goes against the logic of having an immutable system. However, at times, it may be needed for caching or temporary swapping/processing of files. Hence, to provide this functionality to the developer, we can mount an emptyDir as an ephemeral volume which is lost once the container is killed.

With this in place, we can also add another security context attribute called “readOnlyRootFilesystem” and set it as true, since the application running inside the container no longer needs to write anywhere on the file-system other than the ‘tmp’ directory.

Şöyle yaparız

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: springbootmaven
  name: springbootmaven
  namespace: boot
spec:
  replicas: 1
  selector:
    matchLabels:
      app: springbootmaven
  template:
    metadata:
      labels:
        app: springbootmaven
    spec:
      securityContext:
        fsGroup: 1337
        runAsNonRoot: true
        runAsUser: 1337
      containers:
      - image: salecharohit/springbootmaven
        name: springbootmaven
        ports:
        - containerPort: 8080
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          privileged: false
          runAsUser: 1337
          capabilities:
            drop: ["SETUID", "SETGID"]
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      serviceAccountName: ""
      automountServiceAccountToken: false
      volumes:
      - emptyDir: {}
        name: tmp