Pod
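# Minimal single-container Pod that runs nginx and declares port 80.
apiVersion: v1
kind: Pod
metadata:
  name: app
  labels:
    # Services and NetworkPolicies select Pods by label; this is what they match.
    app: app
spec:
  containers:
    - name: app
      image: nginx:1.25
      # No securityContext or resources are set, so the container runs as the
      # image's default user with the runtime's default capabilities. Outside a
      # quick exercise, add a container securityContext (for example
      # allowPrivilegeEscalation: false) and resource requests/limits.
      ports:
        # containerPort is informational; it neither opens nor restricts the port.
        - containerPort: 80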
Deployment
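# Deployment that keeps three replicas of the nginx Pod template running.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 3
  selector:
    matchLabels:
      # Must match template.metadata.labels below, or the object is rejected.
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: app
          # A tag can be re-pushed; pin a digest when the exact image matters.
          image: nginx:1.25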
Service
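# Service (no type given, so ClusterIP) that forwards port 80 to port 8080 on
# Pods labelled app=app.
apiVersion: v1
kind: Service
metadata:
  name: app-svc
spec:
  selector:
    # Every Pod in the namespace with this label becomes an endpoint, so keep
    # the label specific to the workload.
    app: app
  ports:
    - port: 80
      # targetPort must be a port the selected containers actually listen on;
      # the Pod example on this page declares containerPort 80, not 8080.
      targetPort: 8080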
ConfigMap + Secret
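# Container-level fragment (belongs under spec.containers[]): load settings
# from a ConfigMap and one credential from a Secret.
envFrom:
  # Every key in app-config becomes an environment variable; ConfigMaps are
  # not meant for confidential values.
  - configMapRef:
      name: app-config
env:
  - name: PASSWORD
    valueFrom:
      # Reference the Secret rather than writing the value into the manifest.
      # Secret data is only base64-encoded in the API: restrict get/list on
      # secrets with RBAC and enable encryption at rest. Environment variables
      # are readable by every process in the container; mount the Secret as a
      # file when that exposure matters.
      secretKeyRef:
        name: db-secret
        key: password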
Job
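# One-off Job that runs a single busybox container to completion.
apiVersion: batch/v1
kind: Job
metadata:
  name: job
spec:
  template:
    spec:
      # Job Pod templates accept only Never or OnFailure.
      restartPolicy: Never
      containers:
        - name: job
          # Untagged image resolves to :latest; pin a tag or digest so every
          # run uses the same, reviewed image.
          image: busybox
          command: ["sh", "-c", "echo done"]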
CronJob
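# CronJob that starts a busybox Job at 02:00 every day.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: backup
spec:
  # Quoted so the leading digits and asterisks stay a plain string.
  schedule: "0 2 * * *"
  # Finished Jobs (and their Pod logs) are kept up to these counts.
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          containers:
            - name: backup
              # Untagged image resolves to :latest; pin a tag or digest so a
              # scheduled run cannot silently pick up a different image.
              image: busybox
              command: ["sh", "-c", "echo backup"]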
RBAC
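# Role granting read-only access to Pods within a single namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  # No namespace is given, so the Role lands in the namespace kubectl targets.
  name: pod-reader
rules:
  # "" is the core API group, where pods live.
  - apiGroups: [""]
    resources: [pods]
    # Read-only verbs; subresources such as pods/log or pods/exec are not covered.
    verbs: [get, list, watch]
---
# RoleBinding that grants pod-reader to the "reader" ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  # The binding must live in the same namespace as the Role it references.
  name: pod-reader-binding
subjects:
  - kind: ServiceAccount
    name: reader
    namespace: default
roleRef:
  # roleRef is immutable; changing it means deleting and recreating the binding.
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
# Verify: kubectl auth can-i list pods --as=system:serviceaccount:default:reader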
NetworkPolicy
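# Allow only frontend Pods to reach backend Pods on TCP 8080.
# Takes effect only when the cluster's network plugin enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow
spec:
  # Pods this policy applies to. Once selected for Ingress, they drop all
  # inbound traffic that no policy explicitly allows.
  podSelector:
    matchLabels:
      tier: backend
  # Only Ingress is listed, so egress from the backend Pods stays unrestricted.
  policyTypes: [Ingress]
  ingress:
    # "from" and "ports" sit in the same rule, so both must match (AND).
    - from:
        # A bare podSelector matches Pods in this policy's namespace only.
        - podSelector:
            matchLabels:
              tier: frontend
      ports:
        - protocol: TCP
          port: 8080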
Ingress
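# Ingress that routes app.example.com/api to the api-svc Service on port 8080.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
spec:
  ingressClassName: nginx
  # No spec.tls block is present, so this host is served over plain HTTP;
  # add tls with a certificate Secret before exposing anything sensitive.
  rules:
    - host: app.example.com
      http:
        paths:
          # Prefix matches /api and everything beneath it.
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api-svc
                port:
                  # Service port, not the container's targetPort.
                  number: 8080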
Gateway API HTTPRoute
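# HTTPRoute that splits myapp.internal traffic between two backends by path.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app-route
spec:
  parentRefs:
    # The route attaches only if this Gateway's listeners allow routes from
    # the route's namespace (allowedRoutes on the Gateway).
    - name: main-gateway
  hostnames:
    - myapp.internal
  rules:
    # /api/v1 and below go to api-backend.
    - matches:
        - path:
            type: PathPrefix
            value: /api/v1
      backendRefs:
        - name: api-backend
          # Service port of the backend, not the container port.
          port: 8080
    # /static and below go to static-server.
    - matches:
        - path:
            type: PathPrefix
            value: /static
      backendRefs:
        - name: static-server
          port: 80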
PVC
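# Claim for 1Gi of storage, mountable read-write by a single node.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data
spec:
  # No storageClassName is set, so the cluster's default StorageClass applies.
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 1Gi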
StatefulSet
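# Three-replica PostgreSQL StatefulSet with one 1Gi volume per replica.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: db
spec:
  # Must name an existing headless Service (clusterIP: None); it is not
  # defined on this page.
  serviceName: db-headless
  replicas: 3
  selector:
    matchLabels:
      app: db
  template:
    metadata:
      labels:
        app: db
    spec:
      containers:
        - name: db
          # The official postgres image expects a superuser password
          # (POSTGRES_PASSWORD); supply it with env valueFrom.secretKeyRef,
          # never as a literal value in the manifest.
          image: postgres:15
          volumeMounts:
            # Name must match the volumeClaimTemplates entry below.
            - name: data
              mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:
    # One PVC per replica; by default these PVCs (and the data on them)
    # remain after the StatefulSet is deleted.
    - metadata:
        name: data
      spec:
        accessModes: [ReadWriteOnce]
        resources:
          requests:
            storage: 1Gi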
DaemonSet
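# DaemonSet that runs one monitor Pod on every Linux node, control plane included.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-monitor
spec:
  selector:
    matchLabels:
      app: node-monitor
  template:
    metadata:
      labels:
        app: node-monitor
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
        # Lets the Pod schedule onto control-plane nodes. Keep anything that
        # runs there minimal: no extra privileges, no host mounts it does not need.
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      containers:
        - name: monitor
          # Untagged image resolves to :latest; pin a tag or digest, since this
          # image runs on every node.
          image: busybox
          # Prints the Pod's hostname every 30 seconds.
          command: ["sh", "-c", "while true; do echo $(hostname); sleep 30; done"]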
Exam tips
- Deployment selector must match template labels
- Service selector must match Pod labels
- Ingress backend port is the Service port
- HTTPRoute backendRefs[].port is the backend Service port
- Job/CronJob restartPolicy is Never or OnFailure
- StatefulSet needs a matching headless Service