This example manifests declare two Kubernetes resources: A pod and a load balancer service that makes the pod externally accessible.
The hello_server_pod has two containers:
- A "Hello, world" HTTP server
- A
fimsidecar that monitors the integrity of anindex.htmlfile deployed in the application
The pod overrides the default value of shareProcessNamespace and sets it to true so that the application and
sidecar processes share the same process namespace; i.e. you can view the processes in both containers from either container.
The fim container runs with the CAP SYS_PTRACE capability so that the container
can view all files in the hello_server container which is necessary to check the integrity of the files. The container runtime also adds capabilities to override discretionary access control and to kill processes to the fim container.
The fim container has a livenessProbe that checks the integrity of the index.html file.
Using a Pod manifest is not best practice; it is better to deploy a Deployment rather than to deploy a Pod directly. It's more instructive though to use a pod here since:
- The manifest is shorter and,
- It's easier to use
kubectl exec <pod_name>since the pod name is fixed ("hello-server") if we use a Pod manifest while the pod name would be random if we used a Deployment.
The hello_load_balancer_service service is a simple Load Balancer service that routes requests on port 80 to port 8000 of the hello_server container.