一、ConfigMap
1、简介
ConfigMap允许你将配置文件与镜像文件分离,以使容器化的应用程序具有可移植性。ConfigMap API给我们提供了向容器中注入配置信息的机制,ConfigMap可以被用来保存单个属性,也可以用来保存整个配置文件或者JSON二进制大对象。
data 一栏包括了配置数据,ConfigMap 可以被用来保存单个属性,也可以用来保存一个配置文件。 配置数据可以通过很多种方式在 Pods 里被使用。ConfigMaps 可以被用来:
配置数据可以通过很多种方式在Pods里被使用。ConfigMaps可以被用来:
1. 设置环境变量的值
2. 在容器里设置命令行参数
3. 在数据卷里面创建config文件
用户和系统组件两者都可以在ConfigMap里面存储配置数据。
2、创建
2.1、使用目录或文件创建
可以使用kubectl create configmap name --from-file= 从同一个目录中的多个文件创建ConfigMap
SQL
1、下载相关的配置
wget https://kubernetes.io/examples/configmap/game.properties
wget https://kubernetes.io/examples/configmap/ui.properties
2、创建configmapconfigmap: kubectl create configmap <map-name> <data-source> --from-file可以接单个文件,也可以接目录
####接目录
[root@k8s-master configmap]# kubectl create configmap dame-config --from-file=./
configmap/dame-config created
####接单个文件
[root@k8s-master configmap]# kubectl create cm game-config2 --from-file=game.properties --from-file=ui.properties
configmap/game-config2 created
3、查看相关的配置
[root@k8s-master configmap]# kubectl get cm
NAME DATA AGE
dame-config 2 7m29s
game-config2 2 6m13s
kube-root-ca.crt 1 44d
[root@k8s-master configmap]# kubectl describe cm/dame-config
Name: dame-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
game.properties:
----
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
ui.properties:
----
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice
Events: <none>
[root@k8s-master configmap]# kubectl describe cm/game-config2
Name: game-config2
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
game.properties:
----
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
ui.properties:
----
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice
Events: <none>
2.2、从env文件创建
当使用多个--from-env-file来从多个数据源创建configmap时,仅仅最后一个env文件有效。
环境文件包含环境变量列表。
语法规则:
env:文件中的每一行必须为VAR = VAL格式。
以#开头的行(即注释)将被忽略。
空行将被忽略。
引号没有特殊处理(即它们将成为 ConfigMap 值的一部分)。
Makefile
1、下载对应的测试文件
wget https://kubernetes.io/examples/configmap/game-env-file.properties
[root@k8s-master configmap]# cat game-env-file.properties
enemies=aliens
lives=3
allowed="true"
2、创建config-map-env-file配置文件
[root@k8s-master configmap]# kubectl create configmap game-config-env-file --from-env-file=game-env-file.properties
configmap/game-config-env-file created
[root@k8s-master configmap]# kubectl get cm/game-config-env-file -o yaml
apiVersion: v1
data:
allowed: '"true"'
enemies: aliens
lives: "3"
kind: ConfigMap
metadata:
creationTimestamp: "2022-05-09T02:42:04Z"
name: game-config-env-file
namespace: default
resourceVersion: "11386444"
uid: 8b1ad825-d3b1-481f-b3b7-8ce606aec388
2.3、命令创建
Kubectl create configmap 与--from-literal参数一起使用
YAML
1、创建配置文件
[root@k8s-master configmap]# kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=charm
configmap/special-config created
2、查看和配置
[root@k8s-master configmap]# kubectl get cm
NAME DATA AGE
dame-config 2 30m
game-config-env-file 3 9m43s
game-config2 2 28m
kube-root-ca.crt 1 44d
special-config 2 3s
[root@k8s-master configmap]# kubectl get configmap/special-config -o yaml
apiVersion: v1
data:
special.how: very
special.type: charm
kind: ConfigMap
metadata:
creationTimestamp: "2022-05-09T02:51:44Z"
name: special-config
namespace: default
resourceVersion: "11388285"
uid: 60d2ca2e-b50f-48a8-910b-c97d4ecb5c9e
2.4、生成器创建
使用 kustomization 目录创建 ConfigMap 对象
YAML
[root@k8s-master configmap]# cat kustomization.yaml
configMapGenerator:
- name: game-config-4
files:
- game.properties
[root@k8s-master configmap]# kubectl create -k .
configmap/game-config-4-tbg7c4gc77 created
[root@k8s-master configmap]# kubectl get configmap/game-config-4-tbg7c4gc77 -o yaml
apiVersion: v1
data:
game.properties: |-
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
kind: ConfigMap
metadata:
creationTimestamp: "2022-05-09T02:58:42Z"
name: game-config-4-tbg7c4gc77
namespace: default
resourceVersion: "11389637"
uid: 5e82a50f-f933-4c20-8007-0724a6829d7c
或者也可以使用生成器来实现。
Bash
cat <<EOF >./kustomization.yaml
configMapGenerator:
- name: special-config-2
literals:
- special.how=very
- special.type=charm
EOF
3、使用
3.1、env
使用 configMapKeyRef 传入值:
YAML
[root@k8s-master configmap]# cat configmap-env.yaml
apiVersion: v1
data:
special.how: very
special.type: charm
kind: ConfigMap
metadata:
name: special-config
---
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh", "-c", "env" ]
env:
- name: SPECIAL_LEVEL_KEY
valueFrom:
configMapKeyRef:
name: special-config
key: special.how
restartPolicy: Never
2、创建pod
[root@k8s-master configmap]# kubectl apply -f configmap-env.yaml
configmap/special-config created
pod/dapi-test-pod created
[root@k8s-master configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
centos 1/1 Running 0 21h
dapi-test-pod 0/1 Completed 0 30s
3、查看日志
[root@k8s-master configmap]# kubectl logs dapi-test-pod |grep -i special
SPECIAL_LEVEL_KEY=very
上述yaml表示,新建一个名为SPECIAL_LEVEL_KEY的环境变量,其值来源于configMap里面的special.how
上一个例子是有指定一个具体的KEY,如果没有指定呢?
YAML
1、创建yaml
[root@k8s-master configmap]# cat configmap-env-no-key.yaml
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod2
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh", "-c", "env" ]
envFrom:
- configMapRef:
name: special-config
restartPolicy: Never
2、创建pod
[root@k8s-master configmap]# kubectl apply -f configmap-env-no-key.yaml
pod/dapi-test-pod2 created
3、查看日志
[root@k8s-master configmap]# kubectl logs dapi-test-pod2|grep -i special
special.type=charm
special.how=very
3.2、挂载文件目录法(可以使用 volumeMounts 方法进行挂载。)
YAML
1、创建pod的yml文件
[root@k8s-master configmap]# cat configmap-volumemounts.yaml
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod3
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh", "-c", "ls /etc/config/;cat /etc/config/special.how;cat /etc/config/special.type" ]
volumeMounts:
- name: config-volume
mountPath: /etc/config
volumes:
- name: config-volume
configMap:
name: special-config
restartPolicy: Never
2、创建pod并查看日志
[root@k8s-master configmap]# kubectl apply -f configmap-volumemounts.yaml
pod/dapi-test-pod3 created
[root@k8s-master configmap]# kubectl logs dapi-test-pod3
special.how
special.type
备注:
上述yaml表示将special-config这个cm挂载至/etc/config目录下。可以看到,
其每一个KEY都是会生成一个文件,文件的内容为value的值。
挂载单独的KEY:
YAML
[root@k8s-master configmap]# cat configmap-volumemounts-spec-key.yaml
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod4
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh","-c","cat /etc/config/keys;sleep 600" ]
volumeMounts:
- name: config-volume
mountPath: /etc/config
volumes:
- name: config-volume
configMap:
name: special-config
items:
- key: name.li
path: keys
restartPolicy: Never
[root@k8s-master configmap]# kubectl exec -it dapi-test-pod4 /bin/sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # cat /etc/config/keys
lqb/ #
[root@k8s-master ~]# kubectl exec -it dapi-test-pod4 -- cat /etc/config/keys
very20220509
4、ConfigMap热更新的问题
Pod的 dapi-test-pod4保持运行。使用 kubectl edit cm special-config 去修改special.how的值。可以发现是可以更新的,但时间要超过30S。
CoffeeScript
[root@k8s-master ~]# kubectl exec -it dapi-test-pod4 -- cat /etc/config/keys
very20220509[root@k8s-master ~]# kubectl exec -it dapi-test-pod4 -- cat /etc/config/keys
very20220510[root@k8s-master ~]# kubectl exec -it dapi-test-pod4 -- cat /etc/config/keys
注意:使用volumes挂载的方式是可以更新configMap的,但是使用env方式导给POD是更新不了的。
5、使用ConfigMap挂载redis配置
YAML
1、相关的配置文件
[root@k8s-master configmap-redis]# cat kustomization.yaml
configMapGenerator:
- name: test-redis-config
files:
- redis-config
resources:
- redis-pod.yaml
[root@k8s-master configmap-redis]# cat redis-config
maxmemory 2mb
maxmemory-policy allkeys-lru
[root@k8s-master configmap-redis]# cat redis-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: redis
spec:
containers:
- name: redis
image: redis:5.0.4
command:
- redis-server
- "/redis-master/redis.conf"
env:
- name: MASTER
value: "true"
ports:
- containerPort: 6379
resources:
limits:
cpu: "0.1"
volumeMounts:
- mountPath: /redis-master-data
name: data
- mountPath: /redis-master
name: config
volumes:
- name: data
emptyDir: {}
- name: config
configMap:
name: test-redis-config
items:
- key: redis-config
path: redis.conf
2、批量执行该文件
[root@k8s-master configmap-redis]# kubectl apply -k .
configmap/test-redis-config-hfbhg9b679 created
pod/redis created
[root@k8s-master ~]# kubectl describe cm/test-redis-config-hfbhg9b679
Name: test-redis-config-hfbhg9b679
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
redis-config:
----
maxmemory 2mb
maxmemory-policy allkeys-lru
Events: <none>
3、查看相关的配置
[root@k8s-master ~]# kubectl exec -it redis redis-cli
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
127.0.0.1:6379> CONFIG GET maxmemory
1) "maxmemory"
2) "2097152"
127.0.0.1:6379> CONFIG GET maxmemory-policy
1) "maxmemory-policy"
2) "allkeys-lru"
127.0.0.1:6379> exit
[root@k8s-master ~]# kubectl exec -it redis /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@redis:/data# cat /redis-master/redis.conf
maxmemory 2mb
maxmemory-policy allkeys-lru
二、Secret
2.1、简介
Secret 解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者 Pod Spec 中。Secret 可以以 Volume 或者环境变量的方式使用。
Secret 有三种类型:
• Service Account :用来访问 Kubernetes API,由 Kubernetes 自动创建,并且会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中;
• Opaque :base64 编码格式的 Secret,用来存储密码、密钥等;
• kubernetes.io/dockerconfigjson :用来存储私有 docker registry 的认证信息。
2.2、Secret类型
2.2.1、Opaque类型
Opaque类型的数据是一个map类型,要求value是base64编码格式,如果您使用的密码具有特殊字符,则需要使用 \\ 字符对其进行转义。
文件创建
SQL
[root@k8s-master secret]# echo -n 'admin' > ./username.txt
[root@k8s-master secret]# echo -n '1f2d1e2e67df' > ./password.txt
[root@k8s-master secret]# kubectl create secret generic db-user-pass --from-file=username.txt --from-file=password.txt
secret/db-user-pass created
[root@k8s-master secret]# kubectl create secret generic db-user-pass --from-file=username.txt --from-file=password.txt -o yaml --dry-run
W0509 16:44:01.992251 9057 helpers.go:557] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: v1
data:
password.txt: MWYyZDFlMmU2N2Rm
username.txt: YWRtaW4=
kind: Secret
metadata:
creationTimestamp: null
name: db-user-pass
默认情况下,kubectl get 和 kubectl describe 是不会显示密码的内容。 这是为了防止机密被意外地暴露给旁观者或存储在终端日志中。
手工创建
Makefile
[root@k8s-master secret]# echo -n 'admin'|base64
YWRtaW4=
[root@k8s-master secret]# echo -n '1f2d1e2e3e567f'|base64
MWYyZDFlMmUzZTU2N2Y=
[root@k8s-master secret]# cat sg-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4=
password: MWYyZDFlMmUzZTU2N2Y=
[root@k8s-master secret]# kubectl apply -f sg-secret.yaml
secret/mysecret created
#####加密整个配置文件
[root@k8s-master secret]# cat stringData.yml
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
stringData:
config.yaml: |-
apiUrl: "https://my.api.com/api/v1"
username: admin
password: 1f2d1e2e67df
root@k8s-master secret]# kubectl get secret
NAME TYPE DATA AGE
db-user-pass Opaque 2 59m
default-token-kmq6s kubernetes.io/service-account-token 3 45d
mysecret Opaque 1 58s
[root@k8s-master secret]# kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
config.yaml: YXBpVXJsOiAiaHR0cHM6Ly9teS5hcGkuY29tL2FwaS92MSIKdXNlcm5hbWU6IGFkbWluCnBhc3N3b3JkOiAxZjJkMWUyZTY3ZGY=
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"stringData":{"config.yaml":"apiUrl: \"https://my.api.com/api/v1\"\nusername: admin\npassword: 1f2d1e2e67df"},"type":"Opaque"}
creationTimestamp: "2022-05-09T09:41:51Z"
name: mysecret
namespace: default
resourceVersion: "11466379"
uid: 6f69ec7c-3b0e-40f3-86bd-aea262c3483e
type: Opaque
2.2.2、 kubernetes.io/dockerconfigjson
可以直接用 kubectl 命令来创建用于 docker registry 认证的 secret:
CoffeeScript
[root@k8s-master secret]# kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret/myregistrykey created
[root@k8s-master secret]# kubectl get secret/myregistrykey -owide
NAME TYPE DATA AGE
myregistrykey kubernetes.io/dockerconfigjson 1 28s
[root@k8s-master secret]# kubectl describe secret/myregistrykey
Name: myregistrykey
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 161 bytes
2.2.3、Service Account
用于被serviceaccount引用。serviceaccout创建时Kubernetes会默认创建对应的secret。Pod如果使用了serviceaccount,对应的secret会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount目录中。
Secret 是一种包含少量敏感信息例如密码、token 或 key 的对象。这样的信息可能会被放在 Pod spec 中或者镜像中;将其放在一个 secret 对象中可以更好地控制它的用途,并降低意外暴露的风险。
Service Account 用来访问 Kubernetes API,由 Kubernetes 自动创建,并且会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中。
SQL
[root@k8s-master secret]# kubectl run nginx --image nginx
pod/nginx created
[root@k8s-master secret]# kubectl exec nginx ls /run/secrets/kubernetes.io/serviceaccount
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
ca.crt
namespace
token
2.3、使用方法
Secret 可以作为数据卷被挂载,或作为环境变量暴露出来以供 pod 中的容器使用。它们也可以被系统的其他部分使用,而不直接暴露在 pod 内。例如,它们可以保存凭据,系统的其他部分应该用它来代表您与外部系统进行交互。
volume挂载法
YAML
[root@k8s-master secret]# cat pod-volume-secrets.yaml
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh","-c","cat /etc/config/keys;sleep 600" ]
volumeMounts:
- name: config-volume
mountPath: /etc/config
volumes:
- name: config-volume
secret:
secretName: mysecret
restartPolicy: Never
[root@k8s-master secret]# kubectl apply -f pod-volume-secrets.yaml
pod/dapi-test-pod created
[root@k8s-master secret]# kubectl exec -it dapi-test-pod -- cat /etc/config/config.yaml
apiUrl: "https://my.api.com/api/v1"
username: admin
password: 1f2d1e2e67df
将单独的key指定到目录下
YAML
[root@master Secret]# cat pod-volume-secrets2.yaml
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh","-c","cat /etc/config/keys;sleep 600" ]
volumeMounts:
- name: config-volume
mountPath: /etc/config
volumes:
- name: config-volume
secret:
secretName: db-user-pass
items:
- key: username.txt
path: my-group/my-username
restartPolicy: Never
[root@master Secret]# kubectl apply -f pod-volume-secrets2.yaml
pod/dapi-test-pod created
[root@master Secret]# kubectl exec -it dapi-test-pod -- cat /etc/config/my-group/my-username
admin[root@master Secret]#
环境变量引用
YAML
[root@k8s-master secret]# cat pod-env-secrets.yaml
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod3
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh","-c","env;echo ${SECRET_USERNAME} ${SECRET_PASSWORD}" ]
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: db-user-pass
key: username.txt
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: db-user-pass
key: password.txt
restartPolicy: Never
[root@k8s-master secret]# kubectl apply -f pod-env-secrets.yaml
pod/dapi-test-pod3 created
[root@k8s-master secret]# kubectl logs dapi-test-pod3 |egrep "admin|SECRET"
SECRET_PASSWORD=1f2d1e2e67df
SECRET_USERNAME=admin
admin 1f2d1e2e67df
Secrets其用法是跟ConfigMap基本上是一致,区别不同是ConfigMap是明文,而Secrets是经过base64加密过的。