Standard resources cheatsheet
ClusterRole
Basic example
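# Cluster-wide, mostly read-only role.
# A ClusterRole is not namespaced: once bound with a ClusterRoleBinding, every
# rule below applies in all namespaces. Trim the resource lists to what the
# workload really reads before reusing this.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "template.name" . }}
  labels:
    {{- include "template.labels" . | nindent 4 }}
rules:
  # Core ("") API group.
  - apiGroups: [""]
    resources:
      - configmaps
      - endpoints
      - namespaces
      - nodes
      - pods
      # The log subresource is singular; "pods/logs" matches nothing.
      - pods/log
      - replicationcontrollers
      - serviceaccounts
      - services
    # Anchor reused through the *readOnly aliases in the rules below.
    verbs: &readOnly
      - get
      - watch
      - list
  # NOTE(review): a list response contains the full data of every Secret, so
  # "list" without "get" still exposes all Secret values cluster-wide.
  # Drop this rule unless the workload needs it, or scope it to one namespace
  # with a Role instead.
  - apiGroups: [""]
    resources:
      - secrets
    verbs: &listOnly
      - list
  - apiGroups: ["apps"]
    resources:
      - controllerrevisions
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
    verbs: *readOnly
  - apiGroups: ["autoscaling"]
    resources:
      # "autoscaling" is the API group, not a resource; the resource in this
      # group is horizontalpodautoscalers.
      - horizontalpodautoscalers
    verbs: *readOnly
  - apiGroups: ["batch"]
    resources:
      - cronjobs
      - jobs
    verbs: *readOnly
  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses
    verbs: *readOnly
  - apiGroups: ["policy"]
    resources:
      # PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters
      # this entry grants nothing.
      - podsecuritypolicies
    verbs: *readOnly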
ClusterRoleBinding
Basic example for ServiceAccount <> ClusterRole
# Binds one ServiceAccount to a ClusterRole for the whole cluster.
# When access to a single namespace is enough, a namespaced RoleBinding that
# references the same ClusterRole grants less.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    {{- include "template.labels" . | nindent 4 }}
  name: {{ include "template.name" . }}
# roleRef is immutable: changing it requires deleting and recreating the
# binding.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Values.clusterRole.name }}
# The ServiceAccount is identified by name AND namespace; both come from
# values.
subjects:
  - kind: ServiceAccount
    namespace: {{ .Values.serviceAccount.namespace }}
    name: {{ .Values.serviceAccount.name }}
ConfigMap
Basic example with hardcoded values
# ConfigMap with literal key/value pairs.
# ConfigMap data is stored and displayed as plain text; credentials belong in
# a Secret, not here.
kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    {{- include "template.labels" . | nindent 4 }}
  name: {{ include "template.name" . }}
data:
  var1: "value1"
  var2: "value2"
For use with a .Values.config.env hashmap
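# ConfigMap rendered from the .Values.config.env map (one data key per entry).
# Everything in that map ends up in plain text in the cluster and in the
# release values, so keep credentials out of it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "template.fullname" . }}-env
  labels:
    {{- include "template.labels" . | nindent 4 }}
  annotations:
    # Created as a hook before install/upgrade; the negative weight orders it
    # ahead of hooks with a higher weight.
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-weight: "-10"
    # "keep" tells Helm not to delete the object; it has to be cleaned up by
    # hand when the release is removed.
    helm.sh/resource-policy: keep
data:
  {{- toYaml .Values.config.env | nindent 2 }}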
CronJob
Basic example
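# CronJob that prints the date and a greeting every minute.
# batch/v1beta1 CronJob was removed in Kubernetes 1.25; batch/v1 has been
# served since 1.21.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: {{ include "template.name" . }}
  labels:
    {{- include "template.labels" . | nindent 4 }}
spec:
  # Standard cron syntax: every minute.
  schedule: "*/1 * * * *"
  # The history limits are CronJob spec fields; they are not part of the Job
  # spec under jobTemplate.
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 5
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: {{ include "template.name" . }}
              # "required" aborts rendering when image.tag is unset, so no
              # implicit "latest" tag gets deployed.
              image: "{{ .Values.image.repository }}:{{ required "The image.tag must be specified to deploy this" .Values.image.tag }}"
              imagePullPolicy: IfNotPresent
              # "args" keeps the image's ENTRYPOINT and passes these as its
              # arguments; use "command" to replace the entrypoint instead.
              args:
                - /bin/sh
                - -c
                - date; echo "Hello!"
          restartPolicy: OnFailure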
DaemonSet
Basic example
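# DaemonSet: one pod per selected node, with an init container and a toy HTTP
# responder that share a hostPath directory.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: {{ include "template.fullname" . }}
  labels:
    {{- include "template.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      {{- include "template.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "template.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "template.serviceAccountName" . }}
      # Pod-level security context, taken verbatim from values.
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      initContainers:
        - name: {{ .Chart.Name }}-info-retrieval
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          # The script body is empty on this page; put the init logic in the
          # block scalar below.
          command:
            - sh
            - -c
            - |
          env:
            # Downward API: name of the node the pod is scheduled on.
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: node-data
              mountPath: /data
      containers:
        - name: {{ .Chart.Name }}
          # Container-level security context, taken verbatim from values.
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          # Demo HTTP responder on port 12345. The empty line inside the
          # script separates the HTTP headers from the body; Content-Length 13
          # counts "hello world", its newline and the newline echo appends.
          command:
            - sh
            - -c
            - |
              while :; do echo "HTTP/1.1 200 OK
              Content-Type: text/html; charset=UTF-8
              Server: nc
              Content-Length: 13

              hello world
              " | nc -l 12345; done;
          env:
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            - name: node-data
              mountPath: /data
      volumes:
        # hostPath exposes a directory of the node's own filesystem to the
        # pod. The baseline Pod Security Standard forbids hostPath volumes,
        # so this needs a namespace that allows it; keep the path narrow.
        - name: node-data
          hostPath:
            path: /node-data
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}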
Deployment
Basic template with Secret, ConfigMap, and PVC resources
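# Single-replica Deployment that takes its environment from a Secret and a
# ConfigMap and mounts two further Secrets as files.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "template.name" . }}
  labels:
    {{- include "template.labels" . | nindent 4 }}
spec:
  replicas: 1
  selector:
    matchLabels:
      {{- include "template.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "template.labels" . | nindent 8 }}
    spec:
      containers:
        - name: {{ include "template.name" . }}
          # "required" aborts rendering when image.tag is unset.
          image: "{{ .Values.image.repository }}:{{ required "The image.tag must be specified to deploy this" .Values.image.tag }}"
          # Never: the kubelet does not pull; the image must already be
          # present on the node (typical for local development clusters).
          imagePullPolicy: Never
          ports:
            - name: http
              containerPort: {{ .Values.service.port }}
              protocol: TCP
          # Both sources are mandatory (optional: false): the container does
          # not start until the Secret and the ConfigMap exist.
          envFrom:
            - secretRef:
                name: {{ include "template.fullname" . }}-env
                optional: false
            - configMapRef:
                name: {{ include "template.fullname" . }}-env
                optional: false
          resources:
            limits:
              memory: 25Mi
              cpu: 75m
            requests:
              memory: 20Mi
              cpu: 50m
          volumeMounts:
            - name: dir-mount
              mountPath: /path/to/dir/
            # subPath mounts a single key of the Secret as one file.
            - name: file-mount
              mountPath: /path/to/file.ext
              subPath: file.ext
      volumes:
        # defaultMode is a file mode. A bare 440 is read as decimal, which is
        # 0670 (rw-rwx---); the leading zero makes it octal 0440 (r--r-----),
        # decimal 288.
        - name: dir-mount
          secret:
            defaultMode: 0440
            secretName: {{ include "template.fullname" . }}-dir
        - name: file-mount
          secret:
            defaultMode: 0440
            secretName: {{ include "template.fullname" . }}-file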
Ingress
Basic example
# Ingress built from .Values.ingress: an optional tls list and a hosts list,
# each host carrying its own paths.
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  labels:
    {{- include "template.labels" . | nindent 4 }}
  name: {{ include "template.name" . }}
spec:
  # Without a tls entry for a host, that host is served over plain HTTP only.
  {{- with .Values.ingress.tls }}
  tls:
    {{- range . }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
          # Prefix: matches the path and everything below it.
          - pathType: Prefix
            path: {{ .path }}
            backend:
              service:
                name: {{ .serviceName }}
                port:
                  number: {{ .servicePort }}
          {{- end }}
    {{- end }}
Secret
Basic example
# Opaque Secret showing the two ways to supply values; pick one of them.
# The values here are samples. Real secret values should not be committed
# with the chart; pass them in at install time or from a secret manager.
kind: Secret
apiVersion: v1
metadata:
  labels:
    {{- include "template.labels" . | nindent 4 }}
  name: {{ include "template.name" . }}
type: Opaque
# Option 1: "data" takes values that are already base64-encoded.
# base64 is an encoding, not encryption: anyone who can read the manifest or
# the Secret can decode it.
data:
  var1: d293IHlvdSBhY3R1YWxseSBkZWNvZGVkIHRoaXM=
  var2: YSBjdXJpb3VzIG9uZSwgeW91IGFyZQ==
# Option 2: "stringData" takes plain strings and the API server encodes them
# on write. When a key is present in both fields, the stringData value wins.
stringData:
  var1: hello world
  # Quoted so that it stays a string rather than an integer.
  var2: "12345"
Service
Basic example
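# Service forwarding TCP traffic on service.port to the same port on the pods.
apiVersion: v1
kind: Service
metadata:
  name: {{ include "template.name" . }}
  labels:
    {{- include "template.labels" . | nindent 4 }}
spec:
  # Select on the selector labels, as the workload listings on this page do
  # for matchLabels. NOTE(review): this assumes "template.selectorLabels" is
  # the stable subset of "template.labels" (confirm in the chart's helpers);
  # selecting on the full label set can stop matching pods whenever a
  # version-dependent label changes during an upgrade.
  selector:
    {{- include "template.selectorLabels" . | nindent 4 }}
  ports:
    - protocol: TCP
      port: {{ .Values.service.port }}
      targetPort: {{ .Values.service.port }}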
ServiceAccount
Basic example
# Identity for the chart's pods; RBAC bindings refer to it by name and
# namespace. If the pods never call the Kubernetes API, consider setting
# automountServiceAccountToken to false so no API token is mounted into them.
kind: ServiceAccount
apiVersion: v1
metadata:
  labels:
    {{- include "template.labels" . | nindent 4 }}
  name: {{ include "template.name" . }}
StatefulSet
Basic example
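# StatefulSet running a toy HTTP responder with one emptyDir volume and one
# per-pod PersistentVolumeClaim.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{ include "template.fullname" . }}
  labels:
    {{- include "template.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.statefulSet.replicaCount }}
  selector:
    matchLabels:
      # Must render the same labels as the pod template below, otherwise the
      # API server rejects the StatefulSet; both now use the same helper.
      {{- include "template.selectorLabels" . | nindent 6 }}
  # Name of the governing Service; it is not defined in this listing and has
  # to be created separately.
  serviceName: {{ include "template.fullname" . }}-statefulset
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "template.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "template.serviceAccountName" . }}
      # Pod-level security context, taken verbatim from values.
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          # Container-level security context, taken verbatim from values.
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          # Demo HTTP responder on port 12345. The empty line inside the
          # script separates the HTTP headers from the body; Content-Length 13
          # counts "hello world", its newline and the newline echo appends.
          command:
            - sh
            - -c
            - |
              while :; do echo "HTTP/1.1 200 OK
              Content-Type: text/html; charset=UTF-8
              Server: nc
              Content-Length: 13

              hello world
              " | nc -l 12345; done;
          ports:
            - containerPort: 12345
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            - name: test-default
              mountPath: /mnt/test-default
            # Backed by the claim from volumeClaimTemplates, not by an entry
            # under "volumes".
            - name: test-statefulset
              mountPath: /mnt/test-statefulset
      volumes:
        # Scratch space that lives only as long as the pod.
        - name: test-default
          emptyDir: {}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
  # One claim per replica, created from this template.
  volumeClaimTemplates:
    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        labels:
          {{- include "template.labels" . | nindent 10 }}
        name: test-statefulset
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
        volumeMode: Filesystem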