gvisor/g3doc/user_guide/tutorials/kubernetes.md

# WordPress with Kubernetes

This page shows you how to deploy a sample [WordPress][wordpress] site using
[GKE Sandbox][gke-sandbox].

### Before you begin

Take the following steps to enable the Kubernetes Engine API:

1.  Visit the [Kubernetes Engine page][project-selector] in the Google Cloud
    Platform Console.
1.  Create or select a project.

### Creating a node pool with gVisor enabled

Create a node pool inside your cluster with option `--sandbox type=gvisor` added
to the command, like below:

```bash
gcloud beta container node-pools create sandbox-pool --cluster=${CLUSTER_NAME} --image-type=cos_containerd --sandbox type=gvisor
```

If you prefer to use the console, select your cluster and select the **ADD NODE
POOL** button:

![+ ADD NODE POOL](./node-pool-button.png)

Then select the **Image type** with **Containerd** and select **Enable sandbox
with gVisor** option. Select other options as you like:

![+ NODE POOL](./add-node-pool.png)

### Check that gVisor is enabled

The gvisor RuntimeClass is instantiated during node creation. You can check for
the existence of the gvisor RuntimeClass using the following command:

```bash
kubectl get runtimeclasses
```

### Wordpress deployment

Now, let's deploy a WordPress site using GKE Sandbox. WordPress site requires
two pods: web server in the frontend, MySQL database in the backend. Both
applications use PersistentVolumes to store the site data data. In addition,
they use secret store to share MySQL password between them.

First, let's download the deployment configuration files to add the runtime
class annotation to them:

```bash
curl -LO https://k8s.io/examples/application/wordpress/wordpress-deployment.yaml
curl -LO https://k8s.io/examples/application/wordpress/mysql-deployment.yaml
```

Add a **spec.template.spec.runtimeClassName** set to **gvisor** to both files,
as shown below:

**wordpress-deployment.yaml:** ```yaml apiVersion: v1 kind: Service metadata:
name: wordpress labels: app: wordpress spec: ports: - port: 80 selector: app:
wordpress tier: frontend

## type: LoadBalancer

apiVersion: v1 kind: PersistentVolumeClaim metadata: name: wp-pv-claim labels:
app: wordpress spec: accessModes: - ReadWriteOnce resources: requests:

## storage: 20Gi

apiVersion: apps/v1 kind: Deployment metadata: name: wordpress labels: app:
wordpress spec: selector: matchLabels: app: wordpress tier: frontend strategy:
type: Recreate template: metadata: labels: app: wordpress tier: frontend spec:
runtimeClassName: gvisor # ADD THIS LINE containers: - image:
wordpress:4.8-apache name: wordpress env: - name: WORDPRESS_DB_HOST value:
wordpress-mysql - name: WORDPRESS_DB_PASSWORD valueFrom: secretKeyRef: name:
mysql-pass key: password ports: - containerPort: 80 name: wordpress
volumeMounts: - name: wordpress-persistent-storage mountPath: /var/www/html
volumes: - name: wordpress-persistent-storage persistentVolumeClaim: claimName:
wp-pv-claim ```

**mysql-deployment.yaml:** ```yaml apiVersion: v1 kind: Service metadata: name:
wordpress-mysql labels: app: wordpress spec: ports: - port: 3306 selector: app:
wordpress tier: mysql

## clusterIP: None

apiVersion: v1 kind: PersistentVolumeClaim metadata: name: mysql-pv-claim
labels: app: wordpress spec: accessModes: - ReadWriteOnce resources: requests:

## storage: 20Gi

apiVersion: apps/v1 kind: Deployment metadata: name: wordpress-mysql labels:
app: wordpress spec: selector: matchLabels: app: wordpress tier: mysql strategy:
type: Recreate template: metadata: labels: app: wordpress tier: mysql spec:
runtimeClassName: gvisor # ADD THIS LINE containers: - image: mysql:5.6 name:
mysql env: - name: MYSQL_ROOT_PASSWORD valueFrom: secretKeyRef: name: mysql-pass
key: password ports: - containerPort: 3306 name: mysql volumeMounts: - name:
mysql-persistent-storage mountPath: /var/lib/mysql volumes: - name:
mysql-persistent-storage persistentVolumeClaim: claimName: mysql-pv-claim ```

Note that apart from `runtimeClassName: gvisor`, nothing else about the
Deployment has is changed.

You are now ready to deploy the entire application. Just create a secret to
store MySQL's password and *apply* both deployments:

```bash
kubectl create secret generic mysql-pass --from-literal=password=${YOUR_SECRET_PASSWORD_HERE?}
kubectl apply -f mysql-deployment.yaml
kubectl apply -f wordpress-deployment.yaml
```

Wait for the deployments to be ready and an external IP to be assigned to the
Wordpress service:

```bash
watch kubectl get service wordpress
```

Now, copy the service `EXTERNAL-IP` from above to your favorite browser to view
and configure your new WordPress site.

Congratulations! You have just deployed a WordPress site using GKE Sandbox.

### What's next

To learn more about GKE Sandbox and how to run your deployment securely, take a
look at the [documentation][gke-sandbox-docs].

[gke-sandbox-docs]: https://cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods
[gke-sandbox]: https://cloud.google.com/kubernetes-engine/sandbox/
[project-selector]: https://console.cloud.google.com/projectselector/kubernetes
[wordpress]: https://wordpress.com/
Adapt website to use g3doc sources and bazel. This adapts the merged website repository to use the image and bazel build framework. It explicitly avoids the container_image rules provided by bazel, opting instead to build with direct docker commands when necessary. The relevant build commands are incorporated into the top-level Makefile. 2020-04-28 05:24:58 +00:00			`# WordPress with Kubernetes`
Add GKE Sandbox to Kubernetes section 2019-09-06 23:41:23 +00:00
			`This page shows you how to deploy a sample [WordPress][wordpress] site using`
			`[GKE Sandbox][gke-sandbox].`

			`### Before you begin`

			`Take the following steps to enable the Kubernetes Engine API:`

Merge pull request #2513 from amscanne:website-integrated PiperOrigin-RevId: 311184385 2020-05-12 19:55:23 +00:00			`1. Visit the [Kubernetes Engine page][project-selector] in the Google Cloud`
			`Platform Console.`
			`1. Create or select a project.`
Add GKE Sandbox to Kubernetes section 2019-09-06 23:41:23 +00:00
			`### Creating a node pool with gVisor enabled`

			Create a node pool inside your cluster with option `--sandbox type=gvisor` added
			`to the command, like below:`

			```bash
			`gcloud beta container node-pools create sandbox-pool --cluster=${CLUSTER_NAME} --image-type=cos_containerd --sandbox type=gvisor`
			```

			`If you prefer to use the console, select your cluster and select the **ADD NODE`
			`POOL** button:`

Adapt website to use g3doc sources and bazel. This adapts the merged website repository to use the image and bazel build framework. It explicitly avoids the container_image rules provided by bazel, opting instead to build with direct docker commands when necessary. The relevant build commands are incorporated into the top-level Makefile. 2020-04-28 05:24:58 +00:00			`![+ ADD NODE POOL](./node-pool-button.png)`
Add GKE Sandbox to Kubernetes section 2019-09-06 23:41:23 +00:00
			`Then select the Image type with Containerd and select **Enable sandbox`
			`with gVisor** option. Select other options as you like:`

Adapt website to use g3doc sources and bazel. This adapts the merged website repository to use the image and bazel build framework. It explicitly avoids the container_image rules provided by bazel, opting instead to build with direct docker commands when necessary. The relevant build commands are incorporated into the top-level Makefile. 2020-04-28 05:24:58 +00:00			`![+ NODE POOL](./add-node-pool.png)`
Add GKE Sandbox to Kubernetes section 2019-09-06 23:41:23 +00:00
			`### Check that gVisor is enabled`

			`The gvisor RuntimeClass is instantiated during node creation. You can check for`
			`the existence of the gvisor RuntimeClass using the following command:`

			```bash
			`kubectl get runtimeclasses`
			```

			`### Wordpress deployment`

			`Now, let's deploy a WordPress site using GKE Sandbox. WordPress site requires`
			`two pods: web server in the frontend, MySQL database in the backend. Both`
Merge pull request #2513 from amscanne:website-integrated PiperOrigin-RevId: 311184385 2020-05-12 19:55:23 +00:00			`applications use PersistentVolumes to store the site data data. In addition,`
			`they use secret store to share MySQL password between them.`
Add GKE Sandbox to Kubernetes section 2019-09-06 23:41:23 +00:00
			`First, let's download the deployment configuration files to add the runtime`
			`class annotation to them:`

			```bash
			`curl -LO https://k8s.io/examples/application/wordpress/wordpress-deployment.yaml`
			`curl -LO https://k8s.io/examples/application/wordpress/mysql-deployment.yaml`
			```

			`Add a spec.template.spec.runtimeClassName set to gvisor to both files,`
			`as shown below:`

Merge pull request #2513 from amscanne:website-integrated PiperOrigin-RevId: 311184385 2020-05-12 19:55:23 +00:00			wordpress-deployment.yaml: ```yaml apiVersion: v1 kind: Service metadata:
			`name: wordpress labels: app: wordpress spec: ports: - port: 80 selector: app:`
			`wordpress tier: frontend`
Add GKE Sandbox to Kubernetes section 2019-09-06 23:41:23 +00:00
Merge pull request #2513 from amscanne:website-integrated PiperOrigin-RevId: 311184385 2020-05-12 19:55:23 +00:00			`## type: LoadBalancer`

			`apiVersion: v1 kind: PersistentVolumeClaim metadata: name: wp-pv-claim labels:`
			`app: wordpress spec: accessModes: - ReadWriteOnce resources: requests:`

			`## storage: 20Gi`

			`apiVersion: apps/v1 kind: Deployment metadata: name: wordpress labels: app:`
			`wordpress spec: selector: matchLabels: app: wordpress tier: frontend strategy:`
			`type: Recreate template: metadata: labels: app: wordpress tier: frontend spec:`
			`runtimeClassName: gvisor # ADD THIS LINE containers: - image:`
			`wordpress:4.8-apache name: wordpress env: - name: WORDPRESS_DB_HOST value:`
			`wordpress-mysql - name: WORDPRESS_DB_PASSWORD valueFrom: secretKeyRef: name:`
			`mysql-pass key: password ports: - containerPort: 80 name: wordpress`
			`volumeMounts: - name: wordpress-persistent-storage mountPath: /var/www/html`
			`volumes: - name: wordpress-persistent-storage persistentVolumeClaim: claimName:`
			wp-pv-claim ```

			mysql-deployment.yaml: ```yaml apiVersion: v1 kind: Service metadata: name:
			`wordpress-mysql labels: app: wordpress spec: ports: - port: 3306 selector: app:`
			`wordpress tier: mysql`

			`## clusterIP: None`

			`apiVersion: v1 kind: PersistentVolumeClaim metadata: name: mysql-pv-claim`
			`labels: app: wordpress spec: accessModes: - ReadWriteOnce resources: requests:`

			`## storage: 20Gi`

			`apiVersion: apps/v1 kind: Deployment metadata: name: wordpress-mysql labels:`
			`app: wordpress spec: selector: matchLabels: app: wordpress tier: mysql strategy:`
			`type: Recreate template: metadata: labels: app: wordpress tier: mysql spec:`
			`runtimeClassName: gvisor # ADD THIS LINE containers: - image: mysql:5.6 name:`
			`mysql env: - name: MYSQL_ROOT_PASSWORD valueFrom: secretKeyRef: name: mysql-pass`
			`key: password ports: - containerPort: 3306 name: mysql volumeMounts: - name:`
			`mysql-persistent-storage mountPath: /var/lib/mysql volumes: - name:`
			mysql-persistent-storage persistentVolumeClaim: claimName: mysql-pv-claim ```
Add GKE Sandbox to Kubernetes section 2019-09-06 23:41:23 +00:00
Merge pull request #2513 from amscanne:website-integrated PiperOrigin-RevId: 311184385 2020-05-12 19:55:23 +00:00			Note that apart from `runtimeClassName: gvisor`, nothing else about the
			`Deployment has is changed.`
Add GKE Sandbox to Kubernetes section 2019-09-06 23:41:23 +00:00
			`You are now ready to deploy the entire application. Just create a secret to`
			`store MySQL's password and apply both deployments:`

			```bash
			`kubectl create secret generic mysql-pass --from-literal=password=${YOUR_SECRET_PASSWORD_HERE?}`
			`kubectl apply -f mysql-deployment.yaml`
			`kubectl apply -f wordpress-deployment.yaml`
			```

			`Wait for the deployments to be ready and an external IP to be assigned to the`
			`Wordpress service:`

			```bash
			`watch kubectl get service wordpress`
			```

			Now, copy the service `EXTERNAL-IP` from above to your favorite browser to view
			`and configure your new WordPress site.`

			`Congratulations! You have just deployed a WordPress site using GKE Sandbox.`

			`### What's next`

Merge pull request #2513 from amscanne:website-integrated PiperOrigin-RevId: 311184385 2020-05-12 19:55:23 +00:00			`To learn more about GKE Sandbox and how to run your deployment securely, take a`
			`look at the [documentation][gke-sandbox-docs].`
Add GKE Sandbox to Kubernetes section 2019-09-06 23:41:23 +00:00
			`[gke-sandbox-docs]: https://cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods`
			`[gke-sandbox]: https://cloud.google.com/kubernetes-engine/sandbox/`
			`[project-selector]: https://console.cloud.google.com/projectselector/kubernetes`
Add a tutorial on CNI 2019-12-21 07:59:04 +00:00			`[wordpress]: https://wordpress.com/`