From d338a2f7b78d8779545640a702c91dcfe4bd6af2 Mon Sep 17 00:00:00 2001 From: jongwooo Date: Mon, 26 Jun 2023 15:54:14 +0900 Subject: [PATCH] [ko] Update outdated files in dev-1.27-ko.1 (M244-M253) Signed-off-by: jongwooo --- .../konnectivity/konnectivity-agent.yaml | 2 +- .../konnectivity/konnectivity-server.yaml | 3 ++- .../ko/examples/admin/sched/my-scheduler.yaml | 14 ++++++++++ .../ko/examples/application/php-apache.yaml | 1 - .../limit-range/problematic-limit-range.yaml | 1 + .../ko/examples/pods/inject/secret-pod.yaml | 1 + .../pods/pod-with-scheduling-gates.yaml | 4 +-- ...ith-cluster-level-baseline-pod-security.sh | 20 +++++++++++--- ...h-namespace-level-baseline-pod-security.sh | 26 ++++++++++++++----- .../service/networking/custom-dns.yaml | 2 +- 10 files changed, 59 insertions(+), 15 deletions(-) diff --git a/content/ko/examples/admin/konnectivity/konnectivity-agent.yaml b/content/ko/examples/admin/konnectivity/konnectivity-agent.yaml index 19430460f5..316645382e 100644 --- a/content/ko/examples/admin/konnectivity/konnectivity-agent.yaml +++ b/content/ko/examples/admin/konnectivity/konnectivity-agent.yaml @@ -22,7 +22,7 @@ spec: - key: "CriticalAddonsOnly" operator: "Exists" containers: - - image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.16 + - image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.37 name: konnectivity-agent command: ["/proxy-agent"] args: [ diff --git a/content/ko/examples/admin/konnectivity/konnectivity-server.yaml b/content/ko/examples/admin/konnectivity/konnectivity-server.yaml index 0f2fe702a0..b0e4d8be4a 100644 --- a/content/ko/examples/admin/konnectivity/konnectivity-server.yaml +++ b/content/ko/examples/admin/konnectivity/konnectivity-server.yaml 
@@ -8,12 +8,13 @@ spec: hostNetwork: true containers: - name: konnectivity-server-container - image: registry.k8s.io/kas-network-proxy/proxy-server:v0.0.32 + image: registry.k8s.io/kas-network-proxy/proxy-server:v0.0.37 command: ["/proxy-server"] args: [ "--logtostderr=true", # 이것은 egressSelectorConfiguration에 설정된 값과 일치해야 한다. "--uds-name=/etc/kubernetes/konnectivity-server/konnectivity-server.socket", + "--delete-existing-uds-file", # 다음 두 줄은 Konnectivity 서버가 apiserver와 # 동일한 시스템에 배포되고 API 서버의 인증서와 # 키가 지정된 위치에 있다고 가정한다. diff --git a/content/ko/examples/admin/sched/my-scheduler.yaml b/content/ko/examples/admin/sched/my-scheduler.yaml index 5addf9e0e6..fa1c65bf9a 100644 --- a/content/ko/examples/admin/sched/my-scheduler.yaml +++ b/content/ko/examples/admin/sched/my-scheduler.yaml @@ -30,6 +30,20 @@ roleRef: name: system:volume-scheduler apiGroup: rbac.authorization.k8s.io --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: my-scheduler-extension-apiserver-authentication-reader + namespace: kube-system +roleRef: + kind: Role + name: extension-apiserver-authentication-reader + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: my-scheduler + namespace: kube-system +--- apiVersion: v1 kind: ConfigMap metadata: diff --git a/content/ko/examples/application/php-apache.yaml b/content/ko/examples/application/php-apache.yaml index d29d2b9159..a194dce6f9 100644 --- a/content/ko/examples/application/php-apache.yaml +++ b/content/ko/examples/application/php-apache.yaml @@ -6,7 +6,6 @@ spec: selector: matchLabels: run: php-apache - replicas: 1 template: metadata: labels: diff --git a/content/ko/examples/concepts/policy/limit-range/problematic-limit-range.yaml b/content/ko/examples/concepts/policy/limit-range/problematic-limit-range.yaml index 2a19606c1d..496343624a 100644 --- a/content/ko/examples/concepts/policy/limit-range/problematic-limit-range.yaml 
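Review bot: The added `"--delete-existing-uds-file",` argument has no comment, unlike the `--uds-name` line above it, even though it makes the server remove a file at startup. A comment above it such as `# Remove a stale socket file left at the --uds-name path by a previous run before listening.` would tell readers why it is there. Because the pod runs with `hostNetwork: true` and the socket lives under `/etc/kubernetes/konnectivity-server/`, that directory should presumably be writable only by the server. The volume definition is outside this hunk, so confirm it there.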
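Review bot: The added RoleBinding `my-scheduler-extension-apiserver-authentication-reader` grants the `my-scheduler` ServiceAccount a Role in `kube-system` without saying why, so someone copying this manifest cannot judge whether the grant is needed. A leading comment like `# Allows my-scheduler to read the extension-apiserver-authentication ConfigMap in kube-system.` would document the intent. Binding a namespaced Role rather than a ClusterRole keeps the scope narrow, so no change to the binding itself is suggested. The other bindings in this manifest begin above the hunk.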
+++ b/content/ko/examples/concepts/policy/limit-range/problematic-limit-range.yaml @@ -12,3 +12,4 @@ spec: cpu: "1" min: cpu: 100m + type: Container diff --git a/content/ko/examples/pods/inject/secret-pod.yaml b/content/ko/examples/pods/inject/secret-pod.yaml index 8be694cdde..8487da8d1c 100644 --- a/content/ko/examples/pods/inject/secret-pod.yaml +++ b/content/ko/examples/pods/inject/secret-pod.yaml @@ -10,6 +10,7 @@ spec: # name must match the volume name below - name: secret-volume mountPath: /etc/secret-volume + readOnly: true # The secret data is exposed to Containers in the Pod through a Volume. volumes: - name: secret-volume diff --git a/content/ko/examples/pods/pod-with-scheduling-gates.yaml b/content/ko/examples/pods/pod-with-scheduling-gates.yaml index b0b012fb72..de761d9694 100644 --- a/content/ko/examples/pods/pod-with-scheduling-gates.yaml +++ b/content/ko/examples/pods/pod-with-scheduling-gates.yaml @@ -4,8 +4,8 @@ metadata: name: test-pod spec: schedulingGates: - - name: foo - - name: bar + - name: example.com/foo + - name: example.com/bar containers: - name: pause image: registry.k8s.io/pause:3.6 diff --git a/content/ko/examples/security/kind-with-cluster-level-baseline-pod-security.sh b/content/ko/examples/security/kind-with-cluster-level-baseline-pod-security.sh index b8dea7589b..0bdc5380e3 100644 --- a/content/ko/examples/security/kind-with-cluster-level-baseline-pod-security.sh +++ b/content/ko/examples/security/kind-with-cluster-level-baseline-pod-security.sh 
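Review bot: The added `readOnly: true` on the `secret-volume` mount in secret-pod.yaml blocks writes but does not limit who inside the container can read the files. Read permissions come from the volume's `defaultMode`, and the `volumes:` entry continues past this hunk, so it is not visible whether one is set. If none is set, consider `defaultMode: 0400` under the volume's (presumably `secret:`) source. A short comment on the new line, e.g. `# the container only needs to read the secret`, would also match the commented style of the surrounding lines.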
@@ -51,11 +51,12 @@ nodes: # default None propagation: None EOF -kind create cluster --name psa-with-cluster-pss --image kindest/node:v1.23.0 --config /tmp/pss/cluster-config.yaml +kind create cluster --name psa-with-cluster-pss --config /tmp/pss/cluster-config.yaml kubectl cluster-info --context kind-psa-with-cluster-pss + # (임의의) 서비스 어카운트 어드미션 컨트롤러가 사용 가능할 때까지 15초 간 대기 sleep 15 -cat < /tmp/pss/nginx-pod.yaml +cat </dev/null && bash -c 'read -p "Press any key to continue... " -n1 -s' ) || \ + ( printf "Press Enter to continue... " && read ) 1>&2 + +# 정리 +printf "\n\nCleaning up:\n" 1>&2 +set -e +kubectl delete pod --all -n example --now +kubectl delete ns example +kind delete cluster --name psa-with-cluster-pss +rm -f /tmp/pss/cluster-config.yaml diff --git a/content/ko/examples/security/kind-with-namespace-level-baseline-pod-security.sh b/content/ko/examples/security/kind-with-namespace-level-baseline-pod-security.sh index 11ce4acc8c..8a5107fdb9 100644 --- a/content/ko/examples/security/kind-with-namespace-level-baseline-pod-security.sh +++ b/content/ko/examples/security/kind-with-namespace-level-baseline-pod-security.sh @@ -1,11 +1,11 @@ #!/bin/sh -# v1.23 출시 전까지, 노드 이미지 종류는 k/k 마스터 브랜치로부터 빌드 되어야 한다 -# Ref: https://kind.sigs.k8s.io/docs/user/quick-start/#building-images -kind create cluster --name psa-ns-level --image kindest/node:v1.23.0 +kind create cluster --name psa-ns-level kubectl cluster-info --context kind-psa-ns-level # (임의의) 서비스 어카운트 어드미션 컨트롤러가 사용 가능할 때까지 15초 간 대기 sleep 15 -kubectl create ns example + +# 네임스페이스 생성 및 레이블 지정 +kubectl create ns example || exit 1 # 네임스페이스가 존재하면, 다음 단계를 수행하지 않는다 kubectl label --overwrite ns example \ pod-security.kubernetes.io/enforce=baseline \ pod-security.kubernetes.io/enforce-version=latest \ 
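Review bot: The added cleanup commands `kubectl delete pod --all -n example --now` and `kubectl delete ns example` run against whatever kubectl context is current, not necessarily the kind cluster this script created. If `kind create cluster` failed or the context was switched while the script waited at the prompt, they would delete the `example` namespace in another cluster; `set -e` is only enabled just before cleanup, and the visible lines show no earlier guard. Pinning the context closes this, e.g. `kubectl --context kind-psa-with-cluster-pss delete pod --all -n example --now` and `kubectl --context kind-psa-with-cluster-pss delete ns example`. The same applies to the cleanup and to `kubectl create ns example` / `kubectl label` in kind-with-namespace-level-baseline-pod-security.sh, using `kind-psa-ns-level`. Part of this hunk's text appears to have been lost in extraction, so the lines in between could not be checked.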
@@ -13,7 +13,9 @@ kubectl label --overwrite ns example \ pod-security.kubernetes.io/warn-version=latest \ pod-security.kubernetes.io/audit=restricted \ pod-security.kubernetes.io/audit-version=latest -cat < /tmp/pss/nginx-pod.yaml + +# 파드 실행해 보기 +cat </dev/null && bash -c 'read -p "Press any key to continue... " -n1 -s' ) || \ + ( printf "Press Enter to continue... " && read ) 1>&2 + +# 정리 +printf "\n\nCleaning up:\n" 1>&2 +set -e +kubectl delete pod --all -n example --now +kubectl delete ns example +kind delete cluster --name psa-ns-level diff --git a/content/ko/examples/service/networking/custom-dns.yaml b/content/ko/examples/service/networking/custom-dns.yaml index 02f77a9efe..56a4b8589d 100644 --- a/content/ko/examples/service/networking/custom-dns.yaml +++ b/content/ko/examples/service/networking/custom-dns.yaml @@ -10,7 +10,7 @@ spec: dnsPolicy: "None" dnsConfig: nameservers: - - 1.2.3.4 + - 192.0.2.1 # 다음은 예시이다 searches: - ns1.svc.cluster-domain.example - my.dns.search.suffix
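Review bot: The inline comment on the new `- 192.0.2.1` entry in custom-dns.yaml says only that this is an example, not that the address is a reserved documentation value that must be replaced. With `dnsPolicy: "None"` the Pod resolves names only through the servers listed in `dnsConfig`, so applying the manifest unchanged leaves it without working DNS. A comment such as `# example address from 192.0.2.0/24 (reserved for documentation); replace with your DNS server` would make that explicit. The `dnsConfig` block may continue outside the hunk.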