Production-Grade Container Orchestration

Synopsis Create a role binding for a particular role or cluster role. kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] Examples # Create a role binding for user1, user2, and group1 using the admin cluster role kubectl create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1 # Create a role binding for service account monitoring:sa-dev using the admin role kubectl create rolebinding admin-binding --role=admin --serviceaccount=monitoring:sa-dev Options --allow-missing-template-keys     Default: true If true, ignore any errors in templates when a field or map key is missing in the template.

Synopsis Check whether an action is allowed. VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. NONRESOURCEURL is a partial URL that starts with "/". NAME is the name of a particular Kubernetes resource. This command pairs nicely with impersonation. See --as global flag. kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL] Examples # Check to see if I can create pods in any namespace kubectl auth can-i create pods --all-namespaces # Check to see if I can list deployments in my current namespace kubectl auth can-i list deployments.

Synopsis Set the selector on a resource. Note that the new selector will overwrite the old selector if the resource had one prior to the invocation of 'set selector'. A selector must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters. If --resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used. Note: currently selectors can only be set on Service objects.

Synopsis Create a LoadBalancer service with the specified name. kubectl create service loadbalancer NAME [--tcp=port:targetPort] [--dry-run=server|client|none] Examples # Create a new LoadBalancer service named my-lbs kubectl create service loadbalancer my-lbs --tcp=5678:8080 Options --allow-missing-template-keys     Default: true If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --dry-run string[="unchanged"]     Default: "none" Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it.

Production-Grade Container Orchestration

An overview of the key components that make up a Kubernetes cluster.

FEATURE STATE: Kubernetes v1.30 [stable] Pods were considered ready for scheduling once created. Kubernetes scheduler does its due diligence to find nodes to place all pending Pods. However, in a real-world case, some Pods may stay in a "miss-essential-resources" state for a long period. These Pods actually churn the scheduler (and downstream integrators like Cluster AutoScaler) in an unnecessary manner. By specifying/removing a Pod's .spec.schedulingGates, you can control when a Pod is ready to be considered for scheduling.

Overview of Linux kernel security modules and constraints that you can use to harden your Pods and containers.

Networking is a central part of Kubernetes, but it can be challenging to understand exactly how it is expected to work. There are 4 distinct networking problems to address: Highly-coupled container-to-container communications: this is solved by Pods and localhost communications. Pod-to-Pod communications: this is the primary focus of this document. Pod-to-Service communications: this is covered by Services. External-to-Service communications: this is also covered by Services. Kubernetes is all about sharing machines among applications.