update order

dennyzhang · Feb 2, 2020 · 1fb8dd1 · 1fb8dd1
1 parent 9dfdda1
commit 1fb8dd1
Show file tree

Hide file tree

Showing 4 changed files with 100 additions and 5 deletions.
diff --git a/README.org b/README.org
@@ -114,10 +114,6 @@ File me [[https://github.com/dennyzhang/cheatsheet.dennyzhang.com/issues][Issues
 | [[https://github.com/dennyzhang/kubernetes-yaml-templates/blob/master/statefulset/statefulset-replicated-cassandra.yaml][statefulset/statefulset-replicated-cassandra.yaml]] | Statefulset: single cassandra        |
 | [[https://github.com/dennyzhang/kubernetes-yaml-templates/blob/master/statefulset/statefulset-replicated-mysql][statefulset/statefulset-replicated-mysql]]          | Statefulset: cassandra with replicas |
 | Reference                                         | [[https://cheatsheet.dennyzhang.com/cheatsheet-kubernetes-A4][Link: kubectl cheatsheet]]             |
-** General
-| Yaml                    | Summary                  |
-|-------------------------+--------------------------|
-| [[https://github.com/dennyzhang/kubernetes-yaml-templates/blob/master/namespace/ns-dummy.yaml][namespace/ns-dummy.yaml]] | Create a dummy namespace |
 ** Jobs & CronJob
 | Yaml                  | Summary                         |
 |-----------------------+---------------------------------|
@@ -126,6 +122,10 @@ File me [[https://github.com/dennyzhang/cheatsheet.dennyzhang.com/issues][Issues
 | Yaml                  | Summary                         |
 |-----------------------+---------------------------------|
 | [[https://github.com/dennyzhang/kubernetes-yaml-templates/blob/master/hpa/hpa-nginx.yaml][hpa/hpa-nginx.yaml]] | Deploy a horizontal pod autoscaler for nginx deployment |
+** Adhoc
+| Yaml                    | Summary                  |
+|-------------------------+--------------------------|
+| [[https://github.com/dennyzhang/kubernetes-yaml-templates/blob/master/namespace/ns-dummy.yaml][namespace/ns-dummy.yaml]] | Create a dummy namespace |
 ** Related Tools
 | Name                              | Summary                                         |
 |-----------------------------------+-------------------------------------------------|
@@ -153,7 +153,7 @@ License: Code is licensed under [[https://www.dennyzhang.com/wp-content/mit_lice
 #+LATEX_HEADER: \rhead{Updated: \today}
 #+LATEX_HEADER: \rfoot{\thepage\ of \pageref{LastPage}}
 #+LATEX_HEADER: \lfoot{\href{https://github.com/dennyzhang/kubernetes-yaml-templates}{GitHub: https://github.com/dennyzhang/kubernetes-yaml-templates}}
-#+LATEX_HEADER: \lhead{\href{https://cheatsheet.dennyzhang.com/cheatsheet-slack-A4}{Blog URL: https://cheatsheet.dennyzhang.com/kubernetes-yaml-templates}}
+#+LATEX_HEADER: \lhead{\href{https://cheatsheet.dennyzhang.com/kubernetes-yaml-templates}{Blog URL: https://cheatsheet.dennyzhang.com/kubernetes-yaml-templates}}
 #+AUTHOR: Denny Zhang
 #+EMAIL:  denny@dennyzhang.com
 #+TAGS: noexport(n)

diff --git a/deployment/deployment-nginx-serviceaccount.yaml b/deployment/deployment-nginx-serviceaccount.yaml
@@ -0,0 +1,26 @@
+# https://kubernetes.io/docs/tutorials/k8s201/
+# https://cheatsheet.dennyzhang.com/kubernetes-yaml-templates
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      serviceAccount: test-privileged-sa
+      containers:
+      - name: nginx
+        image: nginx:1.8
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "250m"
+        ports:
+        - containerPort: 80
diff --git a/kubernetes-yaml-templates.pdf b/kubernetes-yaml-templates.pdf
diff --git a/podsecurity/podsecurity-privileged-usage.yaml b/podsecurity/podsecurity-privileged-usage.yaml
@@ -0,0 +1,69 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ns-denny
+# Create service account
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test-privileged-sa
+  namespace: ns-denny
+---
+# create privileged-psp
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: privileged-psp
+  namespace: ns-denny
+spec:
+  fsGroup:
+    rule: RunAsAny
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - '*'
+  allowedCapabilities:
+  - '*'
+  hostPID: true
+  hostIPC: true
+  hostNetwork: true
+  hostPorts:
+  - min: 1
+    max: 65536
+---
+# Create role with certain psp
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: psp:role-privileged-sa
+  namespace: ns-denny
+rules:
+  - apiGroups:
+      - extensions
+    resourceNames:
+      - privileged-psp
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+---
+# Bind role to service account
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: psp:bind-privileged-sa
+  namespace: ns-denny
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: psp:role-privileged-sa
+subjects:
+  - kind: ServiceAccount
+    name: test-privileged-sa