在生产环境中经常会遇到需要修改配置文件的情况,传统的修改方式不仅会影响到服务的正常运行,而且操作步骤也很繁琐。为了解决这个问题,kubernetes项目从1.2版本引入了ConfigMap功能,用于将应用的配置信息与程序的分离。这种方式不仅可以实现应用程序被的复用,而且还可以通过不同的配置实现更灵活的功能。在创建容器时,用户可以将应用程序打包为容器镜像后,通过环境变量或者外接挂载文件的方式进行配置注入。ConfigMap && Secret 是K8S中的针对应用的配置中心,它有效的解决了应用挂载的问题,并且支持加密以及热更新等功能,可以说是一个k8s提供的一件非常好用的功能
ConfigMap顾名思义,是用于保存配置数据的键值对,可以用来保存单个属性,也可以保存配置文件。Secret可以为Pod提供密码、Token、私钥等敏感数据;对于一些非敏感数据,比如应用的配置信息,则可以使用ConfigMap
ps : ConfigMap的创建和使用方式与Secret非常类似,主要的不同是以明文的形式存放
可以使用
kubectl create configmap
从文件、目录或者 key-value 字符串创建等创建 ConfigMap。也可以通过kubectl create -f
从描述文件创建
kubectl create configmap my-config-file --from-file=/etc/resolv.conf
key :键的名称是文件名称
value:的值是这个文件的内容
#指定配置文件创建
[root@m01 ~]# kubectl create configmap my-conf-file --from-file=/etc/resolv.conf
configmap/my-conf-file created
#查看cm的详细内容
[root@m01 ~]# kubectl describe configmaps my-conf-file
Name: my-conf-file
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
resolv.conf:
----
# Generated by NetworkManager
nameserver 114.114.114.114
Events: <none>
#查看当前的cm
[root@m01 ~]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 27h
my-conf-file 1 76s
kubectl create configmap my-config-3 --from-file=test
key:目录中的文件名为value :文件内容
#创建目录
[root@m01 ~]# mkdir configmap
#添加测试文件
[root@m01 ~/configmap]# cp /etc/passwd /configmap/
[root@m01 ~/configmap]# cp /etc/shells /configmap/
#创建configmap
[root@m01 ~]# kubectl create configmap my-file --from-file=/configmap
configmap/my-file created
[root@m01 ~]# kubectl get configmaps my-file
NAME DATA AGE
my-file 2 23s
#查看详cm细信息
[root@m01 ~]# kubectl describe cm my-file
Name: my-file
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
passwd:
----
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
www:x:1000:1000::/home/www:/bin/bash
shells:
----
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
Events: <none>
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
#创建配置文件(直接指定配置名称及文件内容)
[root@m01 ~]# kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
configmap/my-config created
[root@m01 ~]# kubectl get cm my-config
NAME DATA AGE
my-config 2 93s
#查看configmap详情
[root@m01 ~]# kubectl describe cm my-config
Name: my-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
key1: #key值
----
config1 #value
key2:
----
config2
Events: <none>
#编写配置清单
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx
data:
default.conf: |-
server {
listen 90;
server_name www.baidu.com;
location / {
root /daima;
autoindex on;
autoindex_localtime on;
autoindex_exact_size on;
}
}
#创建configmap
[root@m01 ~]# kubectl apply -f hzl.yaml
configmap/nginx created
#查看configmap
[root@m01 ~]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 29h
my-config 2 69m
nginx 1 40s
#查看详cm细内容
[root@m01 ~]# kubectl describe cm nginx
Name: nginx
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
default.conf:
----
server {
listen 90;
server_name www.baidu.com;
location / {
root /daima;
autoindex on;
autoindex_localtime on;
autoindex_exact_size on;
}
}
Events: <none>
kind: ConfigMap
apiVersion: v1
metadata:
name: test-mysql
data:
MYSQL_ROOT_PASSWORD: "123456"
MYSQL_DATABASE: discuz
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: test-mysql
spec:
selector:
matchLabels:
app: test-mysql
template:
metadata:
labels:
app: test-mysql
spec:
containers:
- name: mysql
image: mysql:5.7
envFrom: #引用数据中心定义的环境变量
- configMapRef:
name: test-mysql
1)ConfigMap必须在Pod之前创建。
2)ConfigMap受Namespace限制, 只有处于相同Namespace中的Pod才可以引用它。
3)ConfigMap中的配额管理还未能实现。
4)kubelet只支持可以被API Server管理的Pod使用ConfigMap。kubelet在本Node上通过–manifest- url或- config自动创建的静态Pod将无法引用ConfigMap。
5)在Pod对ConfigMap进行挂载(volumeMount) 操作时,在容器内部只能挂载为“目录”,无法挂载为“文件”。在挂载到容器内部后,在目录下将包含ConfigMap定义的每个item,如果在该目录下原来还有其他文件,则容器内的该目录将被挂载的ConfigMap覆盖。
通过挂载方式使用configmap
#编写资源清单
[root@m01 ~]# vim configmap.yaml
kind: ConfigMap
apiVersion: v1
metadata:
name: configmap-yaml
labels:
app: configmap
data:
key: value
nginx_config: |- #设定配置文件名称及添加文件内容
upstream tomcatserver1 {
server 192.168.15.55:8081;
}
server {
listen 80;
server_name 8081.max.com;
location / {
proxy_pass http://tomcatserver1;
index index.html index.htm;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
---
kind: Pod
apiVersion: v1
metadata:
name: configmap-pod
labels:
app: configmap-pod
spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
volumeMounts:
- mountPath: /usr/share/nginx/demo
name: conf-name
volumes:
- name: conf-name
configMap:
name: configmap-yaml
items:
- key: nginx_config
path: nginx_config
- key: key
path: key
#创建configmap文件
[root@m01 ~]# kubectl apply -f test.yaml
configmap/configmap-yaml unchanged
pod/configmap-pod created
#查看configmap
[root@m01 ~]# kubectl get pod -l app=configmap-pod
NAME READY STATUS RESTARTS AGE
configmap-pod 1/1 Running 0 25s
#进入创建的容器
[root@m01 ~]# kubectl exec -it configmap-pod -- bash
root@configmap-pod:/# cd /usr/share/nginx/
root@configmap-pod:/usr/share/nginx# ls -l
total 8
drwxrwxrwx 3 root root 4096 Oct 7 12:57 demo
drwxr-xr-x 2 root root 4096 Sep 10 12:33 html
root@configmap-pod:/usr/share/nginx# cd demo/
root@configmap-pod:/usr/share/nginx/demo# ls
key nginx_config
#查看已经挂载
root@configmap-pod:/usr/share/nginx/demo# cat nginx_config
upstream tomcatserver1 {
server 192.168.15.55:8081;
}
upstream tomcatserver2 {
server 192.168.15.56:8082;
}
server {
listen 80;
server_name 8081.max.com;
location / {
proxy_pass http://tomcatserver1;
index index.html index.htm;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
root@configmap-pod:/usr/share/nginx/demo# cat key
valueroot@configmap-pod:/usr/share/nginx/demo#
mountPath结合subPath(也可解决多个configmap挂载同一目录,导致覆盖)作用
之所以会产生这种挂载,是为了解决多配置文件挂载,互相覆盖的问题,这种模式只会覆盖单一的配置文件
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-conf
data:
nginx.conf: |-
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
}
default.conf: |-
server {
listen 90;
server_name www.hzl.com;
location / {
root /daima;
autoindex on;
autoindex_localtime on;
autoindex_exact_size on;
}
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
spec:
selector:
matchLabels:
app: nginx
template:
metadata:
name: nginx
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- mountPath: /etc/nginx/conf.d
name: nginx-default
- mountPath: /etc/nginx/nginx.conf # 精确到文件
name: nginx-conf
subPath: nginx.conf # 精确到文件
volumes:
- name: nginx-default
configMap:
name: nginx-conf
items:
- key: default.conf
path: default.conf
- name: nginx-conf
configMap:
name: nginx-conf
items:
- key: nginx.conf
path: nginx.conf
# 进入容器查看
[root@m01 k8s]# kubectl exec -it nginx-b46f4f758-68ggn -- bash
root@nginx-b46f4f758-68ggn:/etc/nginx# ls
conf.d fastcgi_params mime.types modules nginx.conf scgi_params uwsgi_params
#文件都存在,只单独覆盖了nginx.conf
root@nginx-b46f4f758-68ggn:/etc/nginx# cd conf.d/
root@nginx-b46f4f758-68ggn:/etc/nginx/conf.d# ls
default.conf
#查看文件内容(配置文件已经替换)
root@nginx-b46f4f758-mzwwx:/etc/nginx# cat conf.d/default.conf
server {
listen 90;
server_name www.hzl.com;
location / {
root /daima;
autoindex on;
autoindex_localtime on;
autoindex_exact_size on;
}
}
root@nginx-b46f4f758-mzwwx:/etc/nginx#
在不停服的前提下,可以更新配置文件
实现修改配置文件可以做到动态更新
#configmap的热更新
1>使用该 ConfigMap 挂载的 Env 不会同步更新
2>使用该 ConfigMap 挂载的 Volume 中的数据需要一段时间(实测大概10秒)才能同步更新
ps: 当ConfigMap以数据卷的形式挂载进Pod时,更新ConfigMap(或删掉重建ConfigMap),Pod内挂载的配置信息会热更新,但使用环境变量方式加载到pod,则不会自动更新(ENV 是在容器启动的时候注入的,启动之后 kubernetes 就不会再改变环境变量的值)。且同一个 namespace 中的 pod 的环境变量是不断累加的
DEBUG[root@kubernetes-master-01 configmap]# cat test.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-nginx
spec:
replicas: 1
selector:
matchLabels:
run: my-nginx
template:
metadata:
labels:
run: my-nginx
spec:
containers:
- name: my-nginx
image: nginx
ports:
- containerPort: 80
envFrom:
- configMapRef:
name: env-config
volumeMounts:
- mountPath: /usr/share/nginx/demo/
name: config
volumes:
- name: config
configMap:
name: env-config
items:
- key: log_level
path: log_level
---
apiVersion: v1
kind: ConfigMap
metadata:
name: env-config
namespace: default
data:
log_level: INFO
#创建pod
[root@m01 ~]# kubectl apply -f hzl.yaml
deployment.apps/my-nginx created
configmap/env-config created
#查看容器(统计信息)
[root@kubernetes-master-01 configmap]# kubectl exec my-nginx-6947589dc-tbvs5 -- cat /usr/share/nginx/demo/log_level
INFO
#更改文件(再现更改)
[root@kubernetes-master-01 configmap]# kubectl edit configmaps env-config
configmap/env-config edited
[root@kubernetes-master-01 configmap]# kubectl exec my-nginx-6947589dc-tbvs5 -- cat /usr/share/nginx/demo/log_level
DEBU
Secret解决了密码、token、密钥等敏感数据的配置问题,可以以Volume或者环境变量的方式去使用
1》Service Account :用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount目录中;
2》Opaque :base64编码格式的Secret,用来存储密码、密钥等;
3》kubernetes.io/dockerconfigjson :用来存储私有docker registry的认证信息
Opaque类型的数据是一个map类型,要求value是base64编码格式
#opaque的数据类型是一个map类型,要求value是base64的编码格式
1》加密
[root@m01 ~]# echo 1234abc1234 |base64
MTIzNGFiYzEyMzQK
2》解密
[root@m01 ~]# echo MTIzNGFiYzEyMzQK |base64 -d
1234abc1234
#资源清单编写
apiVersion: v1
kind: Secret
metadata:
name: mysql-password
data:
password: MTIzNGFiYzEyMzQK #使用加密
#创建secret数据
[root@m01 ~]# kubectl apply -f hzl.yaml
secret/mysql-password created
#查看secret
[root@m01 ~]# kubectl get secrets mysql-password
NAME TYPE DATA AGE
mysql-password Opaque 1 118s
#编写资源清单
[root@m01 ~]# cat hzl.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
name: mysecret
spec:
selector:
matchLabels:
app: mysecret
template:
metadata:
labels:
app: mysecret
spec:
containers:
- name: nginx
imagePullPolicy: IfNotPresent
image: nginx
volumeMounts:
- name: mysecret
mountPath: "/opt/secrets"
readOnly: true
volumes:
- name: mysecret
secret:
secretName: mysecret
#创建secret
[root@m01 ~]# kubectl apply -f hzl.yaml
secret/mysql-password created
deployment.apps/test-secret created
#创建测试
[root@m01 ~]# kubectl apply -f hzl.yaml
secret/mysecret created
deployment.apps/my-secret created
[root@kubernetes-master-01 secret]# kubectl exec -it mysecret-5bcb897fff-77bn5 -- bash
root@mysecret-5bcb897fff-77bn5:/# cd /opt/secrets/
root@mysecret-5bcb897fff-77bn5:/opt/secrets# ls
password username
root@mysecret-5bcb897fff-77bn5:/opt/secrets# cat username
oldboyroot@mysecret-5bcb897fff-77bn5:/opt/secrets# cat password
oldboy123
用来存储私有docker registry的认证信息
#定义变量
export DOCKER_REGISTRY_SERVER=10.0.0.100
export DOCKER_USER=root
export DOCKER_PASSWORD=root@123 #用户密码
export DOCKER_EMAIL=[email protected] #用户邮箱
#创建secret命令
kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
#定义变量
[root@m01 ~]# export DOCKER_REGISTRY_SERVER=10.0.0.100
[root@m01 ~]# export DOCKER_USER=root
[root@m01 ~]# export DOCKER_PASSWORD=root@123
[root@m01 ~]# export [email protected]
#测试使用
[root@kubernetes-master-01 secret]# kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret/myregistrykey created
#查看状态
[root@m01 ~]# kubectl describe secret myregistrykey
Name: myregistrykey
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 161 bytes
spec:
imagePullSecrets:
- name: ailiyun
containers:
- name: mysql
image: registry.cn-shanghai.aliyuncs.com/hzl_images/mysql:5.7
envFrom:
- secretRef:
name: mysql-password
Service Account用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount目录中
[root@m01 ~]# kubectl exec nginx-6cf7488b57-bd887 -- ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
Token