- 配置容器化应用的方式:
1.自定义命令行参数
arg: []
2.把配置文件直接打包进镜像
3.环境变量
env
1.cloud native 的应用程序一般可直接通过环境变量加载配置
2.通过entrypoint脚本对配置信息进行预处理,再转换为环境变量
4.存储卷
5.configmap、secret传递或者引用配置信息
一般常用的是第五种:它支持动态修改配置信息,在多个容器之间共享配置也更加方便,减少了重复的工作量
kubernetes之ConfigMap
ConfigMap用于保存配置数据的键值对,可以用来保存单个属性,也可以用来保存配置文件。ConfigMap跟secret很类似,但它可以更方便地处理不包含敏感信息的字符串。
应用实例:(可用kubectl create configmap --help 查看帮助信息)
1.命令行临时创建:
[root@master-01 base]# kubectl create configmap myhost --from-file=/etc/hosts //默认key为文件名,value为文件内容
configmap/myhost created
[root@master-01 base]# kubectl get cm
NAME DATA AGE
myhost 1 4s
[root@master-01 base]# kubectl describe cm
Name: myhost
Namespace: default
Labels:
Annotations:
Data
====
hosts:
----
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.1.1.10 master-01
10.1.1.3 master-02 node-01
10.1.1.4 node-02
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.1.1.10 master-01
10.1.1.3 master-02 node-01
10.1.1.4 node-02
10.1.1.5 harbor-ali.abc.com
Events:
2.直接定义key和值
[root@master-01 base]# kubectl create configmap myhost --from-literal=hostfile=/etc/hosts #自定义key为hostfile,value为字面值/etc/hosts本身(并非文件内容,见下方describe输出)
configmap/myhost created
[root@master-01 base]# kubectl get cm
NAME DATA AGE
myhost 2 7s
[root@master-01 base]# kubectl describe cm myhost
Name: myhost
Namespace: default
Labels:
Annotations:
Data
====
hostfile:
----
/etc/hosts
key1:
----
config1
Events:
3.通过文件创建configmap
新建一个www.conf作为nginx pod的配置文件,添加以下内容
[root@master-01 configmap]# cat www.conf
server {
server_name myapp.abc.com
listen 80;
root /data/web/html;
}
创建configmap
[root@master-01 configmap]# kubectl create configmap nginx-www --from-file=./www.conf #key名称不给默认为文件名
configmap/nginx-www created
[root@master-01 configmap]# kubectl get cm
NAME DATA AGE
myhost 2 5m10s
nginx-www 1 6s
[root@master-01 configmap]# kubectl describe cm nginx-www
Name: nginx-www
Namespace: default
Labels:
Annotations:
Data
====
www.conf:
----
server {
server_name myapp.abc.com
listen 80;
root /data/web/html;
}
Events:
4.pod引用configmap(两种方式,1.容器使用env引用,2.通过volumes引用)
1.容器env方式引用(配置不支持动态修改变量值)
创建一个configmap实例
[root@master-01 configmap]# kubectl create configmap nginx-config --from-literal=nginx_port=8080 --from-literal=server_name=www.abc.com
configmap/nginx-config created
[root@master-01 configmap]# kubectl get configmap
NAME DATA AGE
myhost 2 17m
nginx-config 2 8s
nginx-www 1 12m
[root@master-01 configmap]# kubectl describe cm configmap nginx-config
Name: nginx-config
Namespace: default
Labels:
Annotations:
Data
====
nginx_port:
----
8080
server_name:
----
www.abc.com
Events:
创建一个pod并引用configmap
[root@master-01 configmap]# cat myapp-cm.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-cm-test
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: myapp
release: canary
template:
metadata:
labels:
app: myapp
release: canary
spec:
imagePullSecrets:
- name: regsecret
hostAliases:
- ip: "10.1.1.5"
hostnames:
- "harbor-ali.abc.com"
containers:
- name: myapp
image: "harbor-ali.abc.com/k8s_img/myapp:v1"
imagePullPolicy: Always
ports:
- name: http
containerPort: 80
env:
- name: NGINX_SERVER_PROT
valueFrom:
configMapKeyRef:
name: nginx-config #configmap的名称
key: nginx_port #configmap的key名
- name: NGINX_SERVER_NAME
valueFrom:
configMapKeyRef:
name: nginx-config #configmap的名称
key: server_name #configmap的key名
-----------------------------------------
创建pod
[root@master-01 configmap]# kubectl apply -f myapp-cm.yaml
[root@master-01 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-cm-test-868d9f6775-g5h5w 1/1 Running 0 37s
myapp-deploy-6c94846d6f-85b45 1/1 Running 0 3h37m
myapp-deploy-6c94846d6f-v8htl 1/1 Running 0 3h37m
myapp-hostpath-596f7f779b-9ctkv 1/1 Running 0 3d8h
myapp-pv-pvc-5b7976486d-wgqvc 1/1 Running 0 3d8h
myapp-volume-749f9b4896-wrm8c 1/1 Running 0 3d8h
secret-nginx 1/1 Running 1 3h55m
[root@master-01 configmap]# kubectl exec myapp-cm-test-868d9f6775-g5h5w -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=myapp-cm-test-868d9f6775-g5h5w
NGINX_SERVER_PROT=8080 #环境变量已经传进来了
NGINX_SERVER_NAME=www.abc.com #环境变量已经传进来了
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
2.通过volumes引用(支持可动态修改变量值)
[root@master-01 configmap]# cat myapp-cm-volume.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-cm-volume
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: myapp
release: canary
template:
metadata:
labels:
app: myapp
release: canary
spec:
imagePullSecrets:
- name: regsecret
hostAliases:
- ip: "10.1.1.5"
hostnames:
- "harbor-ali.abc.com"
containers:
- name: myapp
image: "harbor-ali.abc.com/k8s_img/myapp:v1"
imagePullPolicy: Always
ports:
- name: http
containerPort: 80
volumeMounts:
- name: nginxconf
mountPath: /etc/nginx/config.d/ #挂载到容器的路径
volumes:
- name: nginxconf
configMap:
name: nginx-www #configmap的名称
创建pod
[root@master-01 configmap]# kubectl apply -f myapp-cm-volume.yaml
deployment.apps/myapp-cm-volume created
[root@master-01 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-cm-test-868d9f6775-g5h5w 1/1 Running 0 59m
myapp-cm-volume-78b9b4fd49-9lfp5 1/1 Running 0 6s
myapp-deploy-6c94846d6f-85b45 1/1 Running 0 4h36m
myapp-deploy-6c94846d6f-v8htl 1/1 Running 0 4h36m
myapp-hostpath-596f7f779b-9ctkv 1/1 Running 0 3d9h
myapp-pv-pvc-5b7976486d-wgqvc 1/1 Running 0 3d9h
myapp-volume-749f9b4896-wrm8c 1/1 Running 0 3d9h
secret-nginx 1/1 Running 1 4h54m
验证是否在/etc/nginx/config.d/创建了www.conf
[root@master-01 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-cm-test-868d9f6775-g5h5w 1/1 Running 0 82m
myapp-cm-volume-78b9b4fd49-9lfp5 1/1 Running 0 22m
myapp-deploy-6c94846d6f-85b45 1/1 Running 0 4h59m
myapp-deploy-6c94846d6f-v8htl 1/1 Running 0 4h59m
myapp-hostpath-596f7f779b-9ctkv 1/1 Running 0 3d9h
myapp-pv-pvc-5b7976486d-wgqvc 1/1 Running 0 3d9h
myapp-volume-749f9b4896-wrm8c 1/1 Running 0 3d9h
secret-nginx 1/1 Running 1 5h17m
[root@master-01 configmap]# kubectl exec -it myapp-cm-volume-78b9b4fd49-9lfp5 -- ls /etc/nginx/config.d/
www.conf
[root@master-01 configmap]# kubectl exec -it myapp-cm-volume-78b9b4fd49-9lfp5 -- cat /etc/nginx/config.d/www.conf
server {
server_name myapp.abc.com
listen 80;
root /data/web/html;
}
验证是否支持动态修改configmap:把nginx-www中www.conf的server_name由myapp.abc.com改为www.abc.com
[root@master-01 configmap]# kubectl edit cm nginx-www
configmap/nginx-www edited
[root@master-01 configmap]# kubectl exec -it myapp-cm-volume-78b9b4fd49-9lfp5 -- cat /etc/nginx/config.d/www.conf
server {
server_name myapp.abc.com
listen 80;
root /data/web/html;
}
[root@master-01 configmap]# kubectl exec -it myapp-cm-volume-78b9b4fd49-9lfp5 -- cat /etc/nginx/config.d/www.conf
server {
server_name www.abc.com
listen 80;
root /data/web/html;
}
可以看到等待几秒后修改的server_name 已经生效了
kubernetes之secret
Secret解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者Pod Spec中。secret跟configmap类似,也可以在pod中用env或者volumes的方式去引用,只不过secret一般用于存放安全性要求较高的数据,如密码、密钥等需要保护的敏感数据
- Secret有三种类型:
1.Service Account:用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount目录中。
2.Opaque:base64编码格式的Secret,用来存储密码、密钥等
3.kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息。
创建一个secret用来保存密码相关信息(Opaque类型)。注意:--from-literal 会把明文密码留在shell历史记录和进程参数中,生产环境建议改用 --from-file 从权限受限的文件读取
[root@master-01 configmap]# kubectl create secret generic mysql-root-password --from-literal=password=mysql123
secret/mysql-root-password created
[root@master-01 configmap]# kubectl get secret
NAME TYPE DATA AGE
default-token-vwpgh kubernetes.io/service-account-token 3 11d
mysecret Opaque 2 19h
mysql-root-password Opaque 1 7s
[root@master-01 configmap]# kubectl describe secret mysql-root-password
Name: mysql-root-password
Namespace: default
Labels:
Annotations:
Type: Opaque
Data
====
password: 8 bytes #describe不显示内容;数据以base64编码存放,编码不是加密,任何有权限读取该secret的用户都可以解码出明文
要是想查看内容可以用以下命令
[root@master-01 configmap]# kubectl get secret mysql-root-password -o yaml
apiVersion: v1
data:
password: bXlzcWwxMjM=
kind: Secret
metadata:
creationTimestamp: "2019-11-26T02:14:33Z"
name: mysql-root-password
namespace: default
resourceVersion: "1624147"
selfLink: /api/v1/namespaces/default/secrets/mysql-root-password
uid: 01c27264-6307-4dfb-ba76-f79372fee076
type: Opaque
[root@master-01 configmap]# echo bXlzcWwxMjM= | base64 -d
mysql123
创建一个pod在env引用secret
[root@master-01 secret]# cat myapp-secret-env.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-secret-test
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: myapp
release: canary
template:
metadata:
labels:
app: myapp
release: canary
spec:
imagePullSecrets:
- name: regsecret
hostAliases:
- ip: "10.1.1.5"
hostnames:
- "harbor-ali.abc.com"
containers:
- name: myapp-secret-test
image: "harbor-ali.abc.com/k8s_img/myapp:v1"
imagePullPolicy: Always
ports:
- name: http
containerPort: 80
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-root-password #secret的名称
key: password #secret的key名
创建pod
[root@master-01 secret]# kubectl apply -f myapp-secret.yaml
deployment.apps/myapp-secret-test created
[root@master-01 secret]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-cm-test-868d9f6775-g5h5w 1/1 Running 0 15h
myapp-cm-volume-78b9b4fd49-9lfp5 1/1 Running 0 14h
myapp-deploy-6c94846d6f-85b45 1/1 Running 0 19h
myapp-deploy-6c94846d6f-v8htl 1/1 Running 0 19h
myapp-hostpath-596f7f779b-9ctkv 1/1 Running 0 4d
myapp-pv-pvc-5b7976486d-wgqvc 1/1 Running 0 4d
myapp-secret-test-69cb7cff67-v9t9b 1/1 Running 0 117s
myapp-volume-749f9b4896-wrm8c 1/1 Running 0 4d
secret-nginx 1/1 Running 1 19h
验证是否生效(注意:以环境变量方式注入的secret会被printenv等命令以明文打印,也可能被应用写入日志,需要限制对pod的exec权限)
[root@master-01 secret]# kubectl exec myapp-secret-test-69cb7cff67-v9t9b printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=myapp-secret-test-69cb7cff67-v9t9b
MYSQL_ROOT_PASSWORD=mysql123
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
创建secret用来存储私有docker registry的认证信息 (kubernetes.io/dockerconfigjson类型)。注意:--docker-password 以明文出现在命令行参数中,会留在shell历史记录里
[root@master-01 secret]# kubectl create secret docker-registry regsecret --docker-server=harbor-ali.abc.com --docker-username=admin --docker-password=harbor123 --docker-email=<邮箱地址>
[root@master-01 secret]# kubectl get secrets regsecret
NAME TYPE DATA AGE
regsecret kubernetes.io/dockerconfigjson 1 30s
在pod中引用secret
[root@master-01 secret]# cat myapp-secret.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-secret
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: myapp
release: canary
template:
metadata:
labels:
app: myapp
release: canary
spec:
imagePullSecrets:
- name: regsecret
containers:
- name: myapp-secret
image: "harbor-ali.abc.com/k8s_img/myapp:v1"
imagePullPolicy: Always
ports:
- name: http
containerPort: 80
创建pod验证是否成功
[root@master-01 secret]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-secret-6b44f446d-jx7xf 1/1 Running 0 56s
secret以volumes方式引用
[root@master-01 secret]# cat myapp-secret-volume.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-secret-volume
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: myapp
release: canary
template:
metadata:
labels:
app: myapp
release: canary
spec:
imagePullSecrets:
- name: regsecret
containers:
- name: myapp-secret-volume
image: "harbor-ali.abc.com/k8s_img/myapp:v1"
imagePullPolicy: Always
ports:
- name: http
containerPort: 80
volumeMounts:
- name: mysql-password
mountPath: /etc/secret #挂载到容器的路径
volumes:
- name: mysql-password
secret:
secretName: mysql-root-password #secret的名称
创建pod并验证
[root@master-01 secret]# kubectl apply -f myapp-secret-volume.yaml
deployment.apps/myapp-secret-volume created
[root@master-01 secret]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-secret-6b44f446d-jx7xf 1/1 Running 0 16m
myapp-secret-volume-59dd87d98b-q58wf 1/1 Running 0 11
[root@master-01 secret]# kubectl exec myapp-secret-volume-59dd87d98b-q58wf cat /etc/secret/password
mysql123