目录
一.ConfigMap(cm)
1.适用场景
2.创建并验证configmap
(1)以yaml配置文件创建configmap,验证变化是否同步
(2)--from-file以目录或文件
3.如何使用configmap
(1)使用env或envFrom将configmap注入为环境变量
(2)configmap与volume搭配使用
4.配置configmap触发deployment滚动更新
二.Secret
1.常用场景
2.创建secret
3.使用secret
(1)env变量
(2)volume挂载
在Kubernetes中,ConfigMap是一种用于存储配置数据的对象,它提供了一种将配置数据与容器分离的方式,使得容器的配置可以独立于容器镜像进行管理和修改。ConfigMap可以在部署应用程序时,将配置信息注入到容器中,从而使得容器可以动态地适应不同的环境和需求。
(1)容器化应用程序的配置管理:将应用程序的配置数据存储到ConfigMap中,从而使得容器可以在运行时根据需要获取这些配置数据,进而动态地适应不同的环境和需求。
(2)多个容器共享配置数据:将多个容器所需的公共配置数据存储到ConfigMap中,从而避免了重复存储和管理配置数据的问题,同时也方便了对配置的修改和更新。
(3)管理Kubernetes资源的配置数据:将Kubernetes资源的配置数据存储到ConfigMap中,从而可以通过修改ConfigMap来对资源进行配置和管理。
接下来介绍configmap的存储使用方式。注意:下面示例中把passwd这样的口令写进ConfigMap只是为了演示,ConfigMap以明文存储且通常可被更多主体读取,生产环境中此类敏感数据应使用后文介绍的Secret来存放。
[root@k8s-master volume]# cat mycm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: my-configmap
namespace: myns
data: #用data代替spec
username: sulibao
passwd: slb317418
---
apiVersion: v1
kind: Pod
metadata:
name: my-nginx-configmap
namespace: myns
spec:
containers:
- name: nginx
image: nginx
ports:
- name: nginx-port
containerPort: 80
volumeMounts:
- name: myvolume
mountPath: /root/mymsg
volumes:
- name: myvolume
configMap: #指定volume类型为configmap
name: my-configmap
[root@k8s-master volume]# kubectl apply -f mycm.yaml
configmap/my-configmap created
pod/my-nginx-configmap created
[root@k8s-master volume]# kubectl get pods,cm -n myns #pod创建成功
NAME READY STATUS RESTARTS AGE
pod/my-nginx-configmap 1/1 Running 0 67s
NAME DATA AGE
kube-root-ca.crt 1 40m
configmap/my-configmap 2 67s
[root@k8s-master volume]# kubectl exec -it my-nginx-configmap -n myns -- /bin/sh -c "cat /root/mymsg/username"
#内容一致,创建成功
sulibao
[root@k8s-master volume]# kubectl exec -it my-nginx-configmap -n myns -- /bin/sh -c "cat /root/mymsg/passwd"
slb317418
#接下来edit这个configmap中的内容,使passwd产生变化,再验证pod中是否变化,结果成功
[root@k8s-master volume]# kubectl edit cm my-configmap -n myns
[root@k8s-master volume]# kubectl get cm my-configmap -n myns -o yaml | grep passwd
passwd: num123456
{"apiVersion":"v1","data":{"passwd":"slb317418","username":"sulibao"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"my-configmap","namespace":"myns"}}
[root@k8s-master volume]# kubectl exec -it my-nginx-configmap -n myns -- /bin/sh -c "cat /root/mymsg/passwd"
num123456
#根据一个目录来创建configmap
[root@k8s-master volume]# kubectl create cm my-cm --from-file=/root/volume/a/ -n myns
configmap/my-cm created
[root@k8s-master volume]# kubeckubec get cm -n myns
-bash: kubeckubec: command not found
[root@k8s-master volume]# kubectl get cm -n myns
NAME DATA AGE
kube-root-ca.crt 1 33m
my-cm 2 16s
[root@k8s-master volume]# kubectl describe cm my-cm -n myns
Name: my-cm
Namespace: myns
Labels:
Annotations:
Data
====
passwd:
----
slb317418
username:
----
sulibao
BinaryData
====
Events:
#根据两个文件来创建configmap,和上面以目录创建效果一致
[root@k8s-master a]# ll
total 8
-rw-r--r-- 1 root root 10 Dec 16 16:54 passwd
-rw-r--r-- 1 root root 8 Dec 16 16:54 username
[root@k8s-master a]# kubectl create cm my-cm --from-file=/root/volume/a/username --from-file=/root/volume/a/passwd -n myns
configmap/my-cm created
[root@k8s-master a]# kubectl get cm -n myns
NAME DATA AGE
kube-root-ca.crt 1 36m
my-cm 2 8s
[root@k8s-master a]# kubectl describe cm my-cm -n myns
Name: my-cm
Namespace: myns
Labels:
Annotations:
Data
====
passwd:
----
slb317418
username:
----
sulibao
BinaryData
====
Events:
(3)以命令行传递信息创建configmap
[root@k8s-master volume]# kubectl create cm my-cm --from-literal=username=sulibao --from-literal=passwd=slb317418 -n myns
configmap/my-cm created
[root@k8s-master volume]# kubectl get cm -n myns
NAME DATA AGE
kube-root-ca.crt 1 40m
my-cm 2 10s
[root@k8s-master volume]# kubectl describe cm my-cm -n myns
Name: my-cm
Namespace: myns
Labels:
Annotations:
Data
====
passwd:
----
slb317418
username:
----
sulibao
BinaryData
====
Events:
apiVersion: v1
kind: ConfigMap
metadata:
name: my-configmap1
namespace: myns
data:
username: sulibao
passwd: slb317418
---
apiVersion: v1
kind: ConfigMap
metadata:
name: my-configmap2
namespace: myns
data:
email: 123.qq.com
---
apiVersion: v1
kind: Pod
metadata:
name: my-nginx-configmap
namespace: myns
spec:
containers:
- name: busybox
image: busybox
command: ["/bin/sh","-c","env;sleep 3000"]
env:
- name: name #要被替代的名称,最终的变量名字是这个
valueFrom:
configMapKeyRef:
name: my-configmap1 #指定configmap的名称
key: username #指定configmap中的某个键,该键的值会用来代替上面指定的name原本的值
- name: passwd
valueFrom:
configMapKeyRef:
name: my-configmap1
key: passwd
envFrom:
- configMapRef:
name: my-configmap2 #指定configmap的名称
[root@k8s-master volume]# kubectl get pods,cm -n myns
NAME READY STATUS RESTARTS AGE
pod/my-nginx-configmap 1/1 Running 0 4m52s
NAME DATA AGE
configmap/kube-root-ca.crt 1 123m
configmap/my-configmap1 2 4m52s
configmap/my-configmap2 1 4m52s
[root@k8s-master volume]# kubectl logs my-nginx-configmap -n myns | grep -E '(email|passwd|name)'
email=123.qq.com
name=sulibao
passwd=slb317418
[root@k8s-master volume]# kubectl exec -it my-nginx-configmap -n myns -- /bin/sh #进入pod进行验证
/ #
/ # env
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
HOSTNAME=my-nginx-configmap
SHLVL=1
HOME=/root
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
email=123.qq.com
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
name=sulibao
passwd=slb317418
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
/ # echo $name
sulibao
/ # echo $email
123.qq.com
apiVersion: v1
kind: ConfigMap
metadata:
name: my-configmap
namespace: myns
data:
username: sulibao
passwd: slb317418
---
apiVersion: v1
kind: Pod
metadata:
name: my-nginx-configmap
namespace: myns
spec:
containers:
- name: busybox
image: busybox
command: ["/bin/sh","-c","cd /root/mymsg;sleep 3000"]
volumeMounts:
- name: myvolume
mountPath: /root/mymsg
volumes:
- name: myvolume
configMap:
name: my-configmap
[root@k8s-master volume]# kubectl get pods,cm -n myns
NAME READY STATUS RESTARTS AGE
pod/my-nginx-configmap 1/1 Running 0 10s
NAME DATA AGE
configmap/kube-root-ca.crt 1 145m
configmap/my-configmap 2 10s
[root@k8s-master volume]# kubectl exec -it my-nginx-configmap -n myns -- /bin/sh -c "cat /root/mymsg/passwd"
slb317418
[root@k8s-master volume]# kubectl exec -it my-nginx-configmap -n myns -- /bin/sh -c "cat /root/mymsg/username"
sulibao
apiVersion: v1
kind: ConfigMap
metadata:
name: my-configmap
namespace: myns
data:
username: sulibao
passwd: slb317418
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: my-deploy
name: my-deploy
namespace: myns
spec:
replicas: 3
selector:
matchLabels:
app: my-deploy
template:
metadata:
labels:
app: my-deploy
spec:
containers:
- image: busybox
command: ["/bin/sh","-c","touch /root/a.txt;cat /root/mymsg/username > /root/a.txt;sleep 3000"]
name: busybox
volumeMounts:
- name: myvolume
mountPath: /root/mymsg
volumes:
- name: myvolume
configMap:
name: my-configmap
[root@k8s-master volume]# kubectl get pods,cm -n myns
NAME READY STATUS RESTARTS AGE
pod/my-deploy-574476c4d9-85m78 1/1 Running 0 8s
pod/my-deploy-574476c4d9-fghm2 1/1 Running 0 8s
pod/my-deploy-574476c4d9-w4rrj 1/1 Running 0 8s
NAME DATA AGE
configmap/kube-root-ca.crt 1 11m
configmap/my-configmap 2 8s
[root@k8s-master volume]# kubectl exec -it my-deploy-574476c4d9-85m78 -n myns -- /bin/sh -c "cat /root/a.txt"
sulibao
[root@k8s-master volume]# kubectl patch deployment my-deploy -n myns --patch '{"spec": {"template": {"metadata": {"annotations": {"update": "2" }}}}}'
deployment.apps/my-deploy patched
#此命令通过修改pod模板的annotation来更新deployment,从而触发滚动更新(仅修改configmap本身不会触发deployment滚动更新)
[root@k8s-master volume]# kubectl edit cm my-configmap -n myns #更改了配置内容
[root@k8s-master volume]# kubectl get pods -n myns -w #对比上面的pod,此时已经全部更新完成
NAME READY STATUS RESTARTS AGE
my-deploy-664d69c7cf-5zkwz 1/1 Running 0 2m9s
my-deploy-664d69c7cf-dsxkp 1/1 Running 0 2m13s
my-deploy-664d69c7cf-vslz4 1/1 Running 0 2m5s
[root@k8s-master volume]# kubectl exec -it my-deploy-664d69c7cf-5zkwz -n myns -- /bin/sh -c "cat /root/a.txt"
SLB
在Kubernetes中,Secret是一种用于存储和管理敏感数据的对象,它提供了一种安全地存储密码、令牌、证书等敏感信息的机制。Secret的内容是以Base64编码方式存储的,但需要注意的是,Base64编码并不等同于加密:任何能读取该Secret对象(例如通过kubectl get secret -o yaml)或直接访问etcd的人都可以解码出明文。因此使用Secret时要通过RBAC限制对Secret的读取权限、为etcd启用静态加密等方式,对敏感数据进行适当的加密和保护。
(1)存储认证信息:Secret可以用于存储应用程序所需的用户名、密码、令牌等认证信息。这些认证信息可以被容器在运行时访问,并用于与外部服务进行安全通信。
(2)存储TLS/SSL证书:Secret可以用于存储TLS/SSL证书和私钥,以便在Kubernetes集群中启用加密的通信。这些证书可以被挂载到Pod中,并用于与其他服务进行安全的HTTPS通信。
(3)共享敏感数据:Secret可以用于共享敏感数据,例如API密钥、数据库连接字符串等。通过将Secret挂载到多个Pod中,可以方便且安全地共享这些敏感数据,而无需在每个Pod中手动配置。
(4)配置容器化应用程序:Secret可以用于存储应用程序的配置信息,例如数据库密码、第三方服务的API密钥等。将配置信息存储在Secret中,可以将容器镜像与配置数据分离,并在部署时注入到容器中,从而使容器的配置更加灵活和安全。
接下来介绍secret的存储使用方式
可以通过yaml、--from-file、--from-literal进行创建,如下
[root@k8s-master volume]# kubectl create secret generic username --from-file=username -n myns
secret/username created
[root@k8s-master volume]# kubectl create secret generic passwd --from-file=passwd -n myns
secret/passwd created
[root@k8s-master volume]# kubectl get secrets -n myns
NAME TYPE DATA AGE
passwd Opaque 1 6s
username Opaque 1 10s
[root@k8s-master volume]# kubectl create secret generic user --from-literal=user=SLB -n myns
secret/user created
[root@k8s-master volume]# kubectl create secret generic pass --from-literal=pass=123456 -n myns
secret/pass created
[root@k8s-master volume]# kubectl get secrets -n myns
NAME TYPE DATA AGE
pass Opaque 1 8s
passwd Opaque 1 93s
user Opaque 1 29s
username Opaque 1 97s
apiVersion: v1
kind: Secret
metadata:
name: secret1
namespace: myns
type: Opaque
data:
user1: YWRtaW4=
pass1: MWYyZDFlMmU2N2Rm
[root@k8s-master volume]# kubectl get secrets -n myns
NAME TYPE DATA AGE
pass Opaque 1 2m31s
passwd Opaque 1 3m56s
secret1 Opaque 2 5s
user Opaque 1 2m52s
username Opaque 1 4m
#这里演示如何进行base64的编码和解码
[root@k8s-master volume]# echo -n "freg" | base64
ZnJlZw==
[root@k8s-master volume]# echo -n "ZnJlZw==" | base64 --decode
freg
[root@k8s-master volume]# kubectl get pods -n myns
NAME READY STATUS RESTARTS AGE
my-nginx-secret 1/1 Running 0 10s
[root@k8s-master volume]# kubectl exec -it my-nginx-secret -n myns
error: you must specify at least one command for the container
[root@k8s-master volume]# kubectl exec -it my-nginx-secret -n myns -- /bin/sh
/ #
/ # env
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=my-nginx-secret
SHLVL=1
HOME=/root
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
name=sulibao
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
/ # echo $name
sulibao
[root@k8s-master volume]# kubectl edit secrets username -n myns #edit过后通过env注入的值没有同步,环境变量只在容器启动时读取一次
secret/username edited
[root@k8s-master volume]# kubectl get pods -n myns
NAME READY STATUS RESTARTS AGE
my-nginx-secret 1/1 Running 0 4m44s
[root@k8s-master volume]# kubectl exec -it my-nginx-secret -n myns -- /bin/sh
/ #
/ # echo $name
sulibao
apiVersion: v1
kind: Pod
metadata:
name: my-nginx
namespace: myns
spec:
containers:
- name: nginx
image: nginx
ports:
- name: nginx-port
containerPort: 80
volumeMounts:
- name: myvolume
mountPath: /root
volumes:
- name: myvolume
projected:
sources:
- secret:
name: username
- secret:
name: passwd
[root@k8s-master volume]# kubectl get pods -n myns
NAME READY STATUS RESTARTS AGE
my-nginx 1/1 Running 0 5s
[root@k8s-master volume]# kubectl exec -it my-nginx -n myns -- /bin/sh -c "cat /root/username"
sulibao
[root@k8s-master volume]# kubectl exec -it my-nginx -n myns -- /bin/sh -c "cat /root/passwd"
slb317418
#edit过后通过volume挂载的secret同步了
[root@k8s-master volume]# kubectl exec -it my-nginx -n myns -- /bin/sh -c "cat /root/username"
cenov