Secret
https://kubernetes.io/docs/concepts/configuration/secret/
Secret 解决了密码、token、密钥等敏感数据的配置问题,不需要把这些敏感数据暴露到镜像或者 Pod Spec 中。Secret 可以以 Volume 或者环境变量的方式使用。需要注意的是,Secret 的 data 字段只是 base64 编码而不是加密,任何能读取该 Secret 对象的人都可以直接解码出原文,因此仍然要通过 RBAC 限制对 Secret 资源的访问。
使用 kubectl 创建 Secret(注意:下面的示例把明文密码写进了本地文件,并且会留在 shell 历史中,演示完成后应及时清理)
[root@k8s-master1 secret]# echo -n 'admin' > ./username.txt
[root@k8s-master1 secret]# echo -n '1f2d1e2e67df' > ./password.txt
[root@k8s-master1 secret]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret/db-user-pass created
查看secret信息
[root@k8s-master1 secret]# kubectl get secret
NAME TYPE DATA AGE
db-user-pass Opaque 2 15s
default-token-7vs6s kubernetes.io/service-account-token 3 6d23h
registry-pull-secret kubernetes.io/dockerconfigjson 1 5d3h
sslexample-foo-com kubernetes.io/tls 2 66m
[root@k8s-master1 secret]# kubectl describe secret/db-user-pass
Name: db-user-pass
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password.txt: 12 bytes
username.txt: 5 bytes
使用 YAML 文件创建 Secret(文件中的 data 等同于明文,不要把这个文件提交到代码仓库)
[root@k8s-master1 secret]# echo -n 'admin' | base64
YWRtaW4=
[root@k8s-master1 secret]# echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
[root@k8s-master1 secret]# vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
[root@k8s-master1 secret]# kubectl create -f secret.yaml
secret/mysecret created
Pod 可以通过 Volume 的方式使用 Secret
[root@k8s-master1 secret]# vim secret-vol.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret
spec:
  containers:
  - name: pod-secret
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10;touch /tmp/healthy;sleep 30000
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
[root@k8s-master1 secret]# kubectl apply -f secret-vol.yaml
pod/pod-secret created
进入容器查看
[root@k8s-master1 secret]# kubectl exec -it pod-secret sh
/ # ls /etc/foo/
password  username
/ # cat /etc/foo/username
admin/ #
/ # cat /etc/foo/password
1f2d1e2e67df/ #
以 Volume 方式使用的 Secret 支持动态更新:Secret 更新后,容器中的数据也会随之更新(由 kubelet 周期性同步,因此会有一定延迟)。
[root@k8s-master1 secret]# vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWt3OG4zbDQ4Yg==
[root@k8s-master1 secret]# kubectl apply -f secret.yaml
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
secret/mysecret configured
[root@k8s-master1 secret]# kubectl exec -it pod-secret sh
/ # cat /etc/foo/password
1kw8n3l48b/ #
/ #
Pod 可以通过 环境变量 的方式使用 Secret
[root@k8s-master1 secret]# vim secret-env.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-env
spec:
  containers:
  - name: pod-secret-env
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10;touch /tmp/healthy;sleep 30000
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
[root@k8s-master1 secret]# kubectl apply -f secret-env.yaml
pod/pod-secret-env created
[root@k8s-master1 secret]# kubectl exec -it pod-secret-env sh
/ # echo $SECRET_USERNAME
admin
/ # echo $SECRET_PASSWORD
1kw8n3l48b
通过环境变量 SECRET_USERNAME 和 SECRET_PASSWORD 成功读取到了 Secret 的数据。需要注意的是,用环境变量读取 Secret 虽然方便,但不支持 Secret 的动态更新;而且环境变量对容器内的所有进程可见,也很容易被不经意地打印到日志中,因此更推荐以 Volume 方式挂载。Secret 可以为 Pod 提供密码、Token、私钥等敏感数据;对于非敏感数据,比如应用的配置信息,则可以使用 ConfigMap。
ConfigMap
https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/
ConfigMap 的作用是让配置文件与镜像解耦,从而提高镜像的可移植性和可复制性。许多应用程序会从配置文件、命令行参数或环境变量中读取配置信息,这些配置信息需要与 docker image 解耦——你总不能每修改一个配置就重做一个 image 吧?ConfigMap API 提供了向容器中注入配置信息的机制,ConfigMap 既可以用来保存单个属性,也可以用来保存整个配置文件或者 JSON 二进制大对象。
configmap的创建
命令创建configmap
[root@k8s-master1 configmap]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.magedu.com
configmap/nginx-config created
[root@k8s-master1 configmap]# kubectl get cm
NAME DATA AGE
nginx-config 2 8s
[root@k8s-master1 configmap]# kubectl describe cm nginx-config
Name: nginx-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
nginx_port:
----
80
server_name:
----
myapp.magedu.com
Events: <none>
通过 --from-file:每个文件内容对应一个信息条目。
[root@k8s-master1 configmap]# vim www.conf
server {
    server_name myapp.magedu.com;
    listen 80;
    root /data/web/html;
}
[root@k8s-master1 configmap]# kubectl create configmap nginx-www --from-file=./www.conf
configmap/nginx-www created
[root@k8s-master1 configmap]# kubectl get cm
NAME DATA AGE
nginx-config 2 16m
nginx-www 1 8s
[root@k8s-master1 configmap]# kubectl get cm nginx-www -o yaml
apiVersion: v1
data:
  www.conf: |
    server {
        server_name myapp.magedu.com;
        listen 80;
        root /data/web/html;
    }
kind: ConfigMap
metadata:
  creationTimestamp: "2018-12-26T03:49:22Z"
  name: nginx-www
  namespace: default
  resourceVersion: "518908"
  selfLink: /api/v1/namespaces/default/configmaps/nginx-www
  uid: 3add1507-08c1-11e9-ad5d-000c2977dc9c
使用configmap
环境变量方式注入到pod
[root@k8s-master1 configmap]# vim pod-configmap.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: nginx_port
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name
[root@k8s-master1 configmap]# kubectl apply -f pod-configmap.yaml
pod/pod-cm-1 created
[root@k8s-master1 configmap]# kubectl exec -it pod-cm-1 -- /bin/sh
/ # echo $NGINX_SERVER_PORT
80
/ # echo $NGINX_SERVER_NAME
myapp.magedu.com
修改端口后可以发现,以环境变量方式注入 Pod 的端口不会随 ConfigMap 配置的更改而变化
[root@k8s-master1 configmap]# kubectl edit cm nginx-config
configmap/nginx-config edited
[root@k8s-master1 configmap]# kubectl exec -it pod-cm-1 -- /bin/sh
/ # echo $NGINX_SERVER_PORT
80
存储卷方式挂载 ConfigMap:Volume 形式的 ConfigMap 也支持动态更新(同样由 kubelet 周期性同步,存在一定延迟)
[root@k8s-master1 configmap]# vim pod-configmap-vol.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/config.d/
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-config
[root@k8s-master1 configmap]# kubectl apply -f pod-configmap-vol.yaml
pod/pod-cm-2 created
[root@k8s-master1 configmap]# kubectl exec -it pod-cm-2 -- /bin/sh
# cd /etc/nginx/config.d/
# ls
nginx_port server_name
# cat server_name
myapp.magedu.com
以nginx-www配置nginx
[root@k8s-master1 configmap]# vim pod-configmap-ngx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-3
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-www
[root@k8s-master1 configmap]# kubectl apply -f pod-configmap-ngx.yaml
pod/pod-cm-3 created
[root@k8s-master1 configmap]# kubectl exec -it pod-cm-3 -- /bin/sh
/ # cd /etc/nginx/conf.d/
/etc/nginx/conf.d # ls
www.conf
/etc/nginx/conf.d # cat www.conf
server {
    server_name myapp.magedu.com;
    listen 80;
    root /data/web/html;
}