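PVs and PVCs rely on a StorageClass to allocate disks.
How to pass configuration to a Pod:
There are two ways:
A ConfigMap plays the role of a configuration center for Kubernetes.
When a Pod starts, the ConfigMap is packaged as a volume and mounted at the path of the configuration file.
A ConfigMap holds plaintext information.
A Secret is passed as ciphertext; its function is the same as a ConfigMap's.
Ways to configure a containerized application:
1. Custom command-line arguments
   command
   args
2. Add the configuration file directly into the image (not recommended)
3. Environment variables (as in Docker)
   1. Cloud-native applications can usually load their configuration directly from environment variables
   2. Use an entrypoint script to preprocess the variables into settings in the configuration file
4. Volumes
How environment variables are passed to Pod resources
A ConfigMap is the set of configuration for a group of Pods
It is stored as key/value pairs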
StorageClass
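A problem arises when using PVs and PVCs: when a PVC requests storage, there is not necessarily an existing PV that satisfies the request. The NFS PVC above succeeded only because we had prepared PVs for that specific request. So what happens when no PV meets a PVC's requirements? For this, Kubernetes gives administrators a way to describe "classes" of storage (StorageClass). For example, carve out 1 TB in the storage system for Kubernetes to use. When a user needs a 10G PVC, a request is sent immediately over the RESTful interface so that the storage system creates a 10G image, which is then defined in the cluster as a 10G PV and supplied to that PVC for mounting. This requires that the storage system support a RESTful interface, as Ceph distributed storage does; GlusterFS needs a third-party interface to handle such requests.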
[root@master ~]# kubectl explain storageclass
KIND: StorageClass
VERSION: storage.k8s.io/v1
DESCRIPTION:
StorageClass describes the parameters for a class of storage for which
PersistentVolumes can be dynamically provisioned. StorageClasses are
non-namespaced; the name of the storage class according to etcd is in
ObjectMeta.Name.
FIELDS:
allowVolumeExpansion
AllowVolumeExpansion shows whether the storage class allow volume expand
allowedTopologies <[]Object>
Restrict the node topologies where volumes can be dynamically provisioned.
Each volume plugin defines its own supported topology specifications. An
empty TopologySelectorTerm list means there is no topology restriction.
This field is only honored by servers that enable the VolumeScheduling
feature.
apiVersion
APIVersion defines the versioned schema of this representation of an
object. Servers should convert recognized schemas to the latest internal
value, and may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
kind
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
metadata
configmap
[root@master ~]# kubectl create configmap --help
Create a configmap based on a file, directory, or specified literal value.
A single configmap may package one or more key/value pairs.
When creating a configmap based on a file, the key will default to the basename of the file, and the value will default
to the file content. If the basename is an invalid key, you may specify an alternate key.
When creating a configmap based on a directory, each file whose basename is a valid key in the directory will be
packaged into the configmap. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks,
devices, pipes, etc).
Aliases:
configmap, cm
Examples:
# Create a new configmap named my-config based on folder bar
kubectl create configmap my-config --from-file=path/to/bar
# Create a new configmap named my-config with specified keys instead of file basenames on disk
kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt
# Create a new configmap named my-config with key1=config1 and key2=config2
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
# Create a new configmap named my-config from the key=value pairs in the file
kubectl create configmap my-config --from-file=path/to/bar
# Create a new configmap named my-config from an env file
kubectl create configmap my-config --from-env-file=path/to/bar.env
Options:
--allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in
the template. Only applies to golang and jsonpath output formats.
--append-hash=false: Append a hash of the configmap to its name.
--dry-run=false: If true, only print the object that would be sent, without sending it.
--from-env-file='': Specify the path to a file to read lines of key=val pairs to create a configmap (i.e. a Docker
.env file).
--from-file=[]: Key file can be specified using its file path, in which case file basename will be used as
configmap key, or optionally with a key and file path, in which case the given key will be used. Specifying a directory
will iterate each named file in the directory whose basename is a valid configmap key.
--from-literal=[]: Specify a key and literal value to insert in configmap (i.e. mykey=somevalue)
--generator='configmap/v1': The name of the API generator to use.
-o, --output='': Output format. One of:
json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-file.
--save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the
annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
--template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The
template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
--validate=true: If true, use a schema to validate the input before sending it
Usage:
kubectl create configmap NAME [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run] [options]
Use "kubectl options" for a list of global command-line options (applies to all commands).
[root@master ~]#
Creating a ConfigMap from the command line
Create the configuration
[root@master ~]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.node1.com
configmap/nginx-config created
List the ConfigMaps that were created
[root@master ~]# kubectl get cm
NAME DATA AGE
nginx-config 2 13s
Show the details of the ConfigMap
[root@master ~]# kubectl describe cm nginx-config
Name: nginx-config
Namespace: default
Labels:
Annotations:
Data
====
nginx_port:
----
80
server_name:
----
myapp.node1.com
Events:
Note: this ConfigMap can now be referenced by a Pod when it starts.
Create an nginx configuration
[root@master ~]# vim www.conf
[root@master ~]# kubectl create configmap nginx-www --from-file=www=./www.conf
configmap/nginx-www created
[root@master ~]# kubectl get cm
NAME DATA AGE
nginx-config 2 85s
nginx-www 1 4s
[root@master ~]# kubectl get cm nginx-www -o yaml
apiVersion: v1
data:
  www: ""
kind: ConfigMap
metadata:
  creationTimestamp: "2019-02-24T01:03:29Z"
  name: nginx-www
  namespace: default
  resourceVersion: "22038"
  selfLink: /api/v1/namespaces/default/configmaps/nginx-www
  uid: ff54810b-37cf-11e9-b791-000c297bb055
[root@master ~]# vim www.conf
[root@master ~]# cat www.conf
server {
    server_name jesse.com;
    listen 80;
    root /data/web/html/;
}
[root@master ~]# kubectl create configmap nginx-www --from-file=www=./www.conf
configmap/nginx-www created
[root@master ~]# kubectl get cm nginx-www -o yaml
apiVersion: v1
data:
  www: |
    server {
        server_name jesse.com;
        listen 80;
        root /data/web/html/;
    }
kind: ConfigMap
metadata:
  creationTimestamp: "2019-02-24T01:05:01Z"
  name: nginx-www
  namespace: default
  resourceVersion: "22171"
  selfLink: /api/v1/namespaces/default/configmaps/nginx-www
  uid: 36330257-37d0-11e9-b791-000c297bb055
[root@master ~]# kubectl describe cm nginx-www
Name: nginx-www
Namespace: default
Labels:
Annotations:
Data
====
www:
----
server {
    server_name jesse.com;
    listen 80;
    root /data/web/html/;
}
Events:
Create the YAML file
[root@master ~]# mkdir configmap
[root@master ~]# cd configmap
[root@master configmap]# vim pod-configmap.yaml
[root@master configmap]# cat pod-configmap.yaml
#**************************************************************
#Author: linkun
#QQ: 2********0
#Date: 2019-02-24
#FileName: pod-configmap.yaml
#URL: https://blog.csdn.net/zisefeizhu
#Description: The test script
#Copyright (C): 2019 All rights reserved
#************************************************************
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    node01/create-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: nginx_port
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name
[root@master configmap]# kubectl apply -f pod-configmap.yaml
pod/pod-cm-1 created
[root@master configmap]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-cm-1 1/1 Running 0 4s
Enter the container and check whether the environment variables were generated
[root@master configmap]# kubectl exec -it pod-cm-1 -- /bin/sh
/ # printenv
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
MYAPP_SVC_PORT_80_TCP_PORT=80
HOSTNAME=pod-cm-1    # generated
SHLVL=1
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
HOME=/root
NGINX_SERVER_PORT=80    # generated port
NGINX_SERVER_NAME=myapp.node1.com    # the host name we defined
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
TERM=xterm
NGINX_VERSION=1.12.2
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
MYAPP_SVC_SERVICE_HOST=10.98.57.156
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
PWD=/
KUBERNETES_SERVICE_HOST=10.96.0.1
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT=tcp://10.98.57.156:80
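Note: the output above shows that the environment values have been injected.
Now change the configuration and see whether the change takes effect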
[root@master configmap]# kubectl edit cm nginx-config
configmap/nginx-config edited
apiVersion: v1
data:
  nginx_port: "8080"   # port after the change
  server_name: myapp.node1.com
configmap/nginx-config edited
[root@master configmap]# kubectl describe cm nginx-config
Name: nginx-config
Namespace: default
Labels:
Annotations:
Data
====
nginx_port:
----
8080
server_name:
----
myapp.node1.com
Events:
[root@master configmap]# kubectl exec -it pod-cm-1 -- /bin/sh
/ # printenv
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
MYAPP_SVC_PORT_80_TCP_PORT=80
HOSTNAME=pod-cm-1
SHLVL=1
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
HOME=/root
NGINX_SERVER_PORT=80    # unchanged
NGINX_SERVER_NAME=myapp.node1.com
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
TERM=xterm
NGINX_VERSION=1.12.2
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
MYAPP_SVC_SERVICE_HOST=10.98.57.156
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
PWD=/
KUBERNETES_SERVICE_HOST=10.96.0.1
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT=tcp://10.98.57.156:80
Note: in other words, values passed as environment variables take effect only at startup, whereas with a volume they can change at any time.
Using a volume
[root@master configmap]# kubectl delete pods pod-cm-1
pod "pod-cm-1" deleted
[root@master configmap]# cp pod-configmap.yaml pod-configmap-2.yaml
[root@master configmap]# vim pod-configmap-2.yaml
[root@master configmap]# cat pod-configmap-2.yaml
#**************************************************************
#Author: linkun
#QQ: 2********0
#Date: 2019-02-24
#FileName: pod-configmap.yaml
#URL: https://blog.csdn.net/zisefeizhu
#Description: The test script
#Copyright (C): 2019 All rights reserved
#************************************************************
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    node01/create-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:   # changed
    - name: nginxconf
      mountPath: /etc/nginx/config.d/
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-config
[root@master configmap]# kubectl apply -f pod-configmap-2.yaml
pod/pod-cm-2 created
[root@master configmap]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-cm-2 1/1 Running 0 4s
Enter the container and check the state
[root@master configmap]# kubectl exec -it pod-cm-2 -- /bin/sh
/ # cd /etc/nginx/config.d/
/etc/nginx/config.d # ls
nginx_port server_name
/etc/nginx/config.d # cat nginx_port
/etc/nginx/config.d # cat nginx_port
Change the configuration dynamically
[root@master ~]# kubectl edit cm nginx-config
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  nginx_port: "8088"
[root@master ~]# kubectl edit cm nginx-config
configmap/nginx-config edited
/etc/nginx/config.d # cat nginx_port
8080
The value has been updated; the sync takes a few seconds
/etc/nginx/config.d # cat nginx_port
8088/etc/nginx/config.d # ls -l
total 0
lrwxrwxrwx 1 root root 17 Feb 24 01:34 nginx_port -> ..data/nginx_port
lrwxrwxrwx 1 root root 18 Feb 24 01:34 server_name -> ..data/server_name
Note: the change is synced from the apiserver into the Pod
[root@master configmap]# cp pod-configmap-2.yaml pod-configmap-3.yaml
[root@master configmap]# vim pod-configmap-3.yaml
[root@master configmap]# cat pod-configmap-3.yaml
#**************************************************************
#Author: linkun
#QQ: 2********0
#Date: 2019-02-24
#FileName: pod-configmap.yaml
#URL: https://blog.csdn.net/zisefeizhu
#Description: The test script
#Copyright (C): 2019 All rights reserved
#************************************************************
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-3   # changed
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    node01/create-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/conf.d/   # changed
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-www   # changed
[root@master ~]# kubectl delete cm nginx-www
configmap "nginx-www" deleted
[root@master ~]# cat www.conf
server {
    server_name zisefeizhu.com;
    listen 80;
    root /data/web/html/;
}
[root@master ~]# kubectl create configmap nginx-www --from-file=./www.conf
configmap/nginx-www created
[root@master ~]# kubectl get cm
NAME DATA AGE
nginx-config 2 74m
nginx-www 1 2s
[root@master configmap]# kubectl apply -f pod-configmap-3.yaml
pod/pod-cm-3 created
[root@master configmap]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-cm-3 1/1 Running 0 5s
[root@master configmap]# kubectl exec -it pod-cm-3 -- /bin/sh
/ # cd /etc/nginx/conf.d/
/etc/nginx/conf.d # ls
www.conf
/etc/nginx/conf.d # cat www.conf
server {
    server_name zisefeizhu;
    listen 80;
    root /data/web/html/;
}
Check the nginx configuration
nginx -T
mkdir /data/web/html -p
vi /data/web/html/index.html
Test Nginx
[root@master configmap]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
pod-cm-23 1/1 Running 0 7m 10.244.2.62 node02
Test from node01: add an entry for zisefeizhu (10.244.2.62) to the resolver file /etc/hosts
[root@node01 ~]# curl zisefeizhu.com
Test Nginx
[root@master configmap]# kubectl edit cm nginx-www
Change the port to 8080
apiVersion: v1
data:
  www.conf: |
    server {
        server_name zisefeizhu.com;
        listen 8080;
        root /data/web/html/;
    }
kind: ConfigMap
Check inside the container whether the change took effect:
/etc/nginx/conf.d # cat www.conf
server {
    server_name jesse.com;
    listen 8080;
    root /data/web/html/;
}
Check the listening ports inside the container:
/etc/nginx/conf.d # netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
Reload the nginx configuration file
nginx -s reload
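The mounted file changed but nginx kept listening on port 80 until it was reloaded by hand. The sketch below is an added example, not part of the original post: it fingerprints the key files in the mounted directory, notices when the ..data link shown earlier is repointed, and runs a reload command only on change. The state file path and the reload command are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): reload nginx only when the
# content of the mounted ConfigMap directory actually changes.

# Print one digest over every key file in the volume. The visible files are
# symlinks into ..data, so reading them follows whatever ..data points at now.
# The glob skips dot entries such as ..data itself.
config_fingerprint() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\n' "${f##*/}"      # key name
        cat "$f"                      # key value
    done | sha256sum | cut -d' ' -f1
}

# reload_if_changed DIR STATE_FILE CMD [ARGS...]
# Returns 0 after a successful reload, 1 if nothing changed, 2 if CMD failed.
# The digest is stored only after CMD succeeds, so a rejected config is retried.
reload_if_changed() {
    dir=$1; state=$2; shift 2
    new=$(config_fingerprint "$dir")
    old=$(cat "$state" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then return 1; fi
    "$@" || return 2
    printf '%s\n' "$new" > "$state"
}

# Poll loop, started with: sh this-script watch
# /tmp/nginx-conf.sha256 is an assumed state file; nginx -t validates the new
# file before nginx -s reload applies it.
if [ "${1:-}" = "watch" ]; then
    while sleep 5; do
        reload_if_changed /etc/nginx/conf.d /tmp/nginx-conf.sha256 \
            sh -c 'nginx -t && nginx -s reload' || true
    done
fi
```

Because the digest is written only after the command succeeds, a ConfigMap edit that fails nginx -t leaves the running configuration in place and is checked again on the next poll.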
[root@master ~]# kubectl explain pods.spec.volumes.configMap.items
KIND: Pod
VERSION: v1
RESOURCE: items <[]Object>
DESCRIPTION:
If unspecified, each key-value pair in the Data field of the referenced
ConfigMap will be projected into the volume as a file whose name is the key
and content is the value. If specified, the listed keys will be projected
into the specified paths, and unlisted keys will not be present. If a key
is specified which is not present in the ConfigMap, the volume setup will
error unless it is marked optional. Paths must be relative and may not
contain the '..' path or start with '..'.
Maps a string key to a path within a volume.
FIELDS:
key -required-
The key to project.
mode
Optional: mode bits to use on this file, must be a value between 0 and
0777. If not specified, the volume defaultMode will be used. This might be
in conflict with other options that affect the file mode, like fsGroup, and
the result can be other mode bits set.
path -required-
The relative path of the file to map the key to. May not be an absolute
path. May not contain the path element '..'. May not start with the string
'..'.
secret
[root@master ~]# kubectl create secret generic mysql-root-password --from-literal=password=zisefeizhu@com
secret/mysql-root-password created
[root@master ~]# kubectl get secret
NAME TYPE DATA AGE
default-token-h8l2m kubernetes.io/service-account-token 3 5d23h
mysql-root-password Opaque 1 23s
[root@master ~]# kubectl describe secret mysql-root-password
Name: mysql-root-password
Namespace: default
Labels:
Annotations:
Type: Opaque
Data
====
password: 14 bytes
[root@master ~]# kubectl get secret mysql-root-password
NAME TYPE DATA AGE
mysql-root-password Opaque 1 46s
[root@master ~]# kubectl get secret mysql-root-password -o yaml
apiVersion: v1
data:
  password: emlzZWZlaXpodUBjb20=
kind: Secret
metadata:
  creationTimestamp: "2019-02-24T02:25:15Z"
  name: mysql-root-password
  namespace: default
  resourceVersion: "29115"
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-password
  uid: 6b64abc8-37db-11e9-b791-000c297bb055
type: Opaque
Decode
[root@master ~]# echo emlzZWZlaXpodUBjb20= |base64 -d
zisefeizhu@com
Reading the Secret through an environment variable
[root@master ~]# cd configmap/
[root@master configmap]# vim pod-secret-1.yaml
[root@master configmap]# cat pod-secret-1.yaml
#**************************************************************
#Author: linkun
#QQ: 2********0
#Date: 2019-02-24
#FileName: pod-secret-1.yaml
#URL: https://blog.csdn.net/zisefeizhu
#Description: The test script
#Copyright (C): 2019 All rights reserved
#************************************************************
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    zpx.com/create-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: mYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-root-password
          key: password
[root@master configmap]# kubectl apply -f pod-secret-1.yaml
pod/pod-secret-1 created
[root@master configmap]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-secret-1 1/1 Running 0 5s
[root@master configmap]# kubectl exec pod-secret-1 -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=pod-secret-1
mYSQL_ROOT_PASSWORD=zisefeizhu@com
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
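The printenv output above shows the password in clear text, and the base64 -d step shows that the data field of a Secret is encoded rather than encrypted. The following added example (not from the original post) scans a manifest for env entries filled by secretKeyRef and contrasts pod-secret-1 with a constructed variant that mounts the same Secret as a read-only file; pod-secret-2, mysql-pass and /etc/mysql-secret are assumed names.

```shell
# Added example (not from the original post). Lists env vars in a Pod manifest
# that are filled from a Secret. Line-based scan of block-style YAML, not a parser.
secret_env_refs() {
    awk '
        /^[ \t]*-[ \t]*name:/ { envname = $3; inref = 0 }
        /secretKeyRef:/ { inref = 1; sname = ""; skey = ""; next }
        inref && $1 == "name:" { sname = $2 }
        inref && $1 == "key:"  { skey = $2 }
        inref && sname != "" && skey != "" { print envname " <- " sname "/" skey; inref = 0 }
    ' "$1"
}

# Container section of pod-secret-1.yaml from this page, re-indented.
write_env_pod() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-1
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    env:
    - name: mYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-root-password
          key: password
EOF
}

# Constructed variant (names and mountPath assumed): Secret as a 0400 file.
write_volume_pod() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-2
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    volumeMounts:
    - name: mysql-pass
      mountPath: /etc/mysql-secret
      readOnly: true
  volumes:
  - name: mysql-pass
    secret:
      secretName: mysql-root-password
      defaultMode: 0400
EOF
}
```

With the volume variant the password is read from /etc/mysql-secret/password and no longer appears in the output of kubectl exec ... -- printenv.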