ibm-cloud-architecture
diff --git a/‎docs/labs/index.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/labs/index.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/labs/kubernetes/lab10/index.md‎
Lines changed: 41 additions & 37 deletions b/‎docs/labs/kubernetes/lab10/index.md‎
Lines changed: 41 additions & 37 deletions
diff --git a/‎docs/labs/kubernetes/lab10/solution.md‎
Lines changed: 14 additions & 49 deletions b/‎docs/labs/kubernetes/lab10/solution.md‎
Lines changed: 14 additions & 49 deletions
diff --git a/‎docs/labs/kubernetes/lab2/index.md‎
Lines changed: 21 additions & 19 deletions b/‎docs/labs/kubernetes/lab2/index.md‎
Lines changed: 21 additions & 19 deletions
diff --git a/‎docs/labs/kubernetes/lab2/solution.md‎
Lines changed: 14 additions & 54 deletions b/‎docs/labs/kubernetes/lab2/solution.md‎
Lines changed: 14 additions & 54 deletions
@@ -25,7 +25,7 @@
   | ***Solutions***                         |         |         |
   | Lab Solutions | Solutions for the Kubernetes Labs  | [Solutions](kubernetes/lab-solutions.md) |
 
-## Continuous Integration
+## DevOps
 
   | Task                            | Description         | Link        |
   | --------------------------------| ------------------  |:----------- |
@@ -36,7 +36,7 @@
   | IBM Cloud DevOps | Using IBM Cloud ToolChain with Tekton | [Tekton on IBM Cloud](devops/ibm-toolchain/index.md) |
   | Jenkins Lab | Using Jenkins to test new versions of applications. | [Jenkins](devops/jenkins/index.md) |
 
-## Continuous Deployment
+## GitOps
 
   | Task                            | Description         | Link        |
   | --------------------------------| ------------------  |:----------- |
 
@@ -1,42 +1,46 @@
 ---
-title: Kubernetes Lab 10 - Persistent Volumes
+title: Kubernetes Lab 10 - Network Policies
 ---
 
 ## Problem
 
-The death star plans can't be lost no matter what happens so we need to make sure we protect them at all costs.
-
-In order to do that you will need to do the following:
-
-Create a `PersistentVolume`:
-
-- The PersistentVolume should be named `postgresql-pv`.
-
-- The volume needs a capacity of `1Gi`.
-
-- Use a storageClassName of `localdisk`.
-
-- Use the accessMode `ReadWriteOnce`.
-
-- Store the data locally on the node using a `hostPath` volume at the location `/mnt/data`.
-
-Create a `PersistentVolumeClaim`:
-
-- The PersistentVolumeClaim should be named `postgresql-pv-claim`.
-
-- Set a resource request on the claim for `500Mi` of storage.
-
-- Use the same storageClassName and accessModes as the PersistentVolume so that this claim can bind to the PersistentVolume.
-
-Create a `Postgresql` Pod configured to use the `PersistentVolumeClaim`:
-- The Pod should be named `postgresql-pod`.
-
-- Use the image `bitnami/postgresql`.
-
-- Expose the containerPort `5432`.
-
-- Set an `environment variable` called `MYSQL_ROOT_PASSWORD` with the value `password`.
-
-- Add the `PersistentVolumeClaim` as a volume and mount it to the container at the path `/bitnami/postgresql/`.
-
-
+Setup minikube
+
+```
+minikube start --network-plugin=cni
+kubectl apply -f https://docs.projectcalico.org/v3.9/manifests/calico.yaml
+kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true
+kubectl -n kube-system get pods | grep calico-node
+```
+
+Create secured pod
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: network-policy-secure-pod
+  labels:
+    app: secure-app
+spec:
+  containers:
+  - name: nginx
+    image: bitnami/nginx
+    ports:
+    - containerPort: 8080
+```
+
+Create client pod
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: network-policy-client-pod
+spec:
+  containers:
+  - name: busybox
+    image: radial/busyboxplus:curl
+    command: ["/bin/sh", "-c", "while true; do sleep 3600; done"]
+```
+
+Create a policy to allow only client pods with label `allow-access: "true"` to access secure pod
+ 
@@ -1,59 +1,24 @@
 ---
-title: Kubernetes Lab 10 - Persistent Volumes
+title: Kubernetes Lab 9 - Network Policies
 ---
 
 ## Solution
 
-```yaml
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: postgresql-pv
-spec:
-  storageClassName: localdisk
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteOnce
-  hostPath:
-    path: "/mnt/data"
-```
-
-```yaml
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: postgresql-pv-claim
-spec:
-  storageClassName: localdisk
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 500Mi
-```
 
 ```yaml
-apiVersion: v1
-kind: Pod
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
 metadata:
-  name: postgresql-pod
+  name: my-network-policy
 spec:
-  containers:
-  - name: postgresql
-    image: bitnami/postgresql
-    ports:
-    - containerPort: 5432
-    env:
-    - name: MYSQL_ROOT_PASSWORD
-      value: password
-    volumeMounts:
-    - name: sql-storage
-      mountPath: /bitnami/postgresql/
-  volumes:
-  - name: sql-storage
-    persistentVolumeClaim:
-      claimName: postgresql-pv-claim
+  podSelector:
+    matchLabels:
+      app: secure-app
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          allow-access: "true"
 ```
-
-verify via `ls /mnt/data` on node
@@ -1,29 +1,31 @@
 ---
-title: Kubernetes Lab 2 - Pod Configuration
+title: Kubernetes Lab 2 - Probes
 ---
 
-## Problem
+### Container Health Issues
 
-- Create a pod definition named `yoda-service-pod.yml`, and then create a pod in the cluster using this definition to make sure it works.
+The first issue is caused by application instances entering an unhealthy state and responding to user requests with error messages. Unfortunately, this state does not cause the container to stop, so the Kubernetes cluster is not able to detect this state and restart the container. Luckily, the application has an internal endpoint that can be used to detect whether or not it is healthy. This endpoint is `/healthz` on port `8080`.
 
-The specifications are as follows:
+- Your first task will be to *create a probe* to check this endpoint periodically.
+  - If the endpoint returns an **error** or **fails** to respond, the probe will detect this and the cluster will restart the container.
 
- - The current image for the container is `bitnami/nginx`. You do not need a custom command or args.
- - There is some configuration data the container will need:
-    - `yoda.baby.power=100000000`
-    - `yoda.strength=10`
- - It will expect to find this data in a file at `/etc/yoda-service/yoda.cfg`. Store the configuration data in a ConfigMap called `yoda-service-config` and provide it to the container as a mounted volume.
- - The container should expect to use `64Mi` of memory and `250m` CPU (use resource requests).
- - The container should be limited to `128Mi` of memory and `500m` CPU (use resource limits).
- - The container needs access to a database password in order to authenticate with a backend database server. The password is `0penSh1ftRul3s!`. It should be stored as a Kubernetes secret called `yoda-db-password` and passed to the container as an *environment variable* called `DB_PASSWORD`.
- - The container will need to access the Kubernetes API using the ServiceAccount `yoda-svc`. Create the service account if it doesn't already exist, and configure the pod to use it.
+### Container Startup Issues
 
-## Verification
+Another issue is caused by new pods when they are starting up. The application takes a few seconds after startup before it is ready to service requests. As a result, some users are getting error message during this brief time.
 
-To verify your setup is complete, check `/etc/yoda-service` for the `yoda.cfg` file and use the `cat` command to check it's contents.
+ - To fix this, you will need to *create another probe*. To detect whether the application is `ready`, the probe should simply make a request to the root endpoint, *`/ready`, on port `8080`*. If this request succeeds, then the application is ready.
 
+- Also set a `initial delay` of `5 seconds` for the probes.
+
+Here is the Pod yaml file,  **add** the probes, then **create** the pod in the cluster to test it.
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: energy-shield-service
+spec:
+  containers:
+  - name: energy-shield
+    image: ibmcase/energy-shield:1
 ```
-kubectl exec -it yoda-service /bin/bash
-cd /etc/yoda-service
-cat yoda.cfg
-```
 
@@ -1,65 +1,25 @@
 ---
-title: Kubernetes Lab 2 - Pod Configuration
+title: Kubernetes Lab 4 - Probes
 ---
 
-## Solution
-
-```yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: yoda-service-config
-data:
-  yoda.cfg: |-
-    yoda.baby.power=100000000
-    yoda.strength=10
-```
-
-```yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: yoda-svc
-
-```
-
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: yoda-db-password
-stringData:
-  password: 0penSh1ftRul3s!
-```
+## Solution 
 
 ```yaml
 apiVersion: v1
 kind: Pod
 metadata:
-  name: yoda-service
+  name: energy-shield-service
 spec:
-  serviceAccountName: yoda-svc
   containers:
-  - name: yoda-service
-    image: bitnami/nginx
-    volumeMounts:
-      - name: config-volume
-        mountPath: /etc/yoda-service
-    env:
-    - name: DB_PASSWORD
-      valueFrom:
-        secretKeyRef:
-          name: yoda-db-password
-          key: password
-    resources:
-      requests:
-        memory: "64Mi"
-        cpu: "250m"
-      limits:
-        memory: "128Mi"
-        cpu: "500m"
-  volumes:
-  - name: config-volume
-    configMap:
-      name: yoda-service-config
+  - name: energy-shield
+    image: ibmcase/energy-shield:1
+    livenessProbe:
+      httpGet:
+        path: /healthz
+        port: 8080
+    readinessProbe:
+      httpGet:
+        path: /ready
+        port: 8080
+      initialDelaySeconds: 5
 ```