Kubernetes ConfigMap and Secret: creating and using them, and how configuration is stored

Contents

I. ConfigMap (cm)

1. Use cases

2. Creating a ConfigMap and verifying it

(1) Create from a YAML manifest and check whether edits propagate

(2) --from-file with a directory or individual files

(3) --from-literal on the command line

3. Using a ConfigMap

(1) Injecting values as environment variables with env or envFrom

(2) Mounting a ConfigMap as a volume

4. Making a ConfigMap change trigger a Deployment rollout

II. Secret

1. Use cases

2. Creating a Secret

3. Using a Secret

(1) Environment variables

(2) Volume mount


I. ConfigMap (cm)

In Kubernetes a ConfigMap is an API object for storing non-confidential configuration as key/value pairs. It decouples configuration from the container image, so one image can be deployed into different environments with different settings and the settings can be changed without rebuilding the image. The data is injected into containers at deployment time as environment variables, command-line arguments or files in a volume.

Two things to keep in mind before using one. A ConfigMap is stored in plain text, and anyone with get permission on configmaps in the namespace can read every value, so credentials belong in a Secret rather than a ConfigMap (the demos below put a passwd key in a ConfigMap purely to show the mechanics). And a ConfigMap is capped at 1 MiB of data: it is for configuration, not for bulk files.

1. Use cases

(1) Configuration for containerised applications: keep the application's settings in a ConfigMap so the container reads them at run time and the same image adapts to different environments.

(2) Sharing configuration between containers: put the settings that several containers need into one ConfigMap instead of duplicating them, so there is a single place to edit.

(3) Configuration for Kubernetes components themselves: many cluster add-ons read their settings from a ConfigMap, so changing the ConfigMap reconfigures the component.

The following sections show how a ConfigMap is created and consumed.

2. Creating a ConfigMap and verifying it

(1) Create from a YAML manifest and check whether edits propagate

The manifest below defines a ConfigMap with two keys and a Pod that mounts it as a volume under /root/mymsg. A ConfigMap has no spec section; the key/value pairs go under data.

[root@k8s-master volume]# cat mycm.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap
  namespace: myns
data:   # a ConfigMap uses data, not spec
  username: sulibao
  passwd: slb317418

---

apiVersion: v1
kind: Pod
metadata:
  name: my-nginx-configmap
  namespace: myns
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - name: nginx-port
      containerPort: 80
    volumeMounts:
    - name: myvolume
      mountPath: /root/mymsg
  volumes:
  - name: myvolume
    configMap:   # the volume type is configMap
      name: my-configmap


[root@k8s-master volume]# kubectl apply -f mycm.yaml 
configmap/my-configmap created
pod/my-nginx-configmap created

[root@k8s-master volume]# kubectl get pods,cm -n myns   # the Pod is running
NAME                     READY   STATUS    RESTARTS   AGE
pod/my-nginx-configmap   1/1     Running   0          67s

NAME                         DATA   AGE
configmap/kube-root-ca.crt   1      40m
configmap/my-configmap       2      67s

Each key becomes a file named after the key, with the value as its content:

[root@k8s-master volume]# kubectl exec -it my-nginx-configmap -n myns -- /bin/sh -c "cat /root/mymsg/username"   
sulibao
[root@k8s-master volume]# kubectl exec -it my-nginx-configmap -n myns -- /bin/sh -c "cat /root/mymsg/passwd"
slb317418


Now edit the ConfigMap, change passwd, and check whether the file inside the running Pod follows. It does: the kubelet refreshes volume-mounted ConfigMaps without restarting the Pod. The refresh is not instantaneous, though; it happens on the kubelet's periodic sync (one minute by default) plus the cache propagation delay, so allow a minute or so before concluding an edit was lost. Note that the grep also matches the kubectl.kubernetes.io/last-applied-configuration annotation, which still records the old value from the original apply; once a password is put in a ConfigMap it tends to be copied into places like this.

[root@k8s-master volume]# kubectl edit cm my-configmap -n myns
[root@k8s-master volume]# kubectl get cm my-configmap -n myns -o yaml | grep passwd
  passwd: num123456
      {"apiVersion":"v1","data":{"passwd":"slb317418","username":"sulibao"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"my-configmap","namespace":"myns"}}
[root@k8s-master volume]# kubectl exec -it my-nginx-configmap -n myns -- /bin/sh -c "cat /root/mymsg/passwd"
num123456
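
A check worth running before any manifest like mycm.yaml is applied: does a ConfigMap carry keys that look like credentials? The following is an added example, not code from the original post, and it is a line-oriented awk heuristic for manifests written like the ones on this page (two-space indentation, top-level kind: and data: keys), not a YAML parser. The function names and the key-name pattern are this example's own; the sample manifest is constructed to mirror mycm.yaml.

```shell
# Added example, not code from the original post: an awk-based lint that
# flags keys inside a ConfigMap's data: block whose names look like
# credentials, which is exactly what mycm.yaml above does with passwd.
# Heuristic for manifests in the style of this page; not a YAML parser.

configmap_secret_like_keys() {
  # usage: configmap_secret_like_keys manifest.yaml
  # prints one "<configmap-name>/<key>" line per suspicious key (nothing if clean)
  awk '
    /^---/       { kind = ""; name = ""; indata = 0; next }   # next YAML document
    /^kind:/     { kind = $2; indata = 0; next }
    /^  name:/   { if (name == "") name = $2 }                  # metadata.name of this document
    /^data:/     { indata = (kind == "ConfigMap"); next }       # only ConfigMap data blocks are inspected
    /^[^ ]/      { indata = 0 }                                 # any other top-level key ends the data block
    indata && /^  [A-Za-z0-9_.-]+:/ {
      key = $1; sub(/:$/, "", key)
      if (tolower(key) ~ /pass|pwd|secret|token|api[_-]?key|private/) print name "/" key
    }
  ' "$1"
}

example_manifest() {
  # Constructed input mirroring mycm.yaml from the page: a ConfigMap carrying a
  # password, followed by the Pod that mounts it.
  cat <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap
  namespace: myns
data:
  username: sulibao
  passwd: slb317418
---
apiVersion: v1
kind: Pod
metadata:
  name: my-nginx-configmap
  namespace: myns
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: myvolume
      mountPath: /root/mymsg
  volumes:
  - name: myvolume
    configMap:
      name: my-configmap
EOF
}

lint_example() {
  # runs the lint over the constructed manifest; prints: my-configmap/passwd
  tmp=$(mktemp)
  example_manifest > "$tmp"
  configmap_secret_like_keys "$tmp"
  rm -f "$tmp"
}
```

Run it over manifest files in CI (before kubectl apply) rather than over kubectl get -o yaml output, whose list format is indented differently. Secret documents are deliberately skipped: a passwd key is where it belongs there.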

(2) --from-file with a directory or individual files

With --from-file each file becomes one key: the file name is the key and the entire file content, trailing newline included, is the value. Look at the sizes in the ll listing further down: username is 8 bytes for the 7-character value sulibao and passwd is 10 bytes for slb317418, so both values carry a newline at the end. That is harmless for a file a program reads, but it matters once the value becomes an environment variable or a password compared byte for byte; create such files with printf rather than echo, or strip the newline, when it should not be there.

# create a ConfigMap from a directory
[root@k8s-master volume]# kubectl create cm my-cm --from-file=/root/volume/a/ -n myns
configmap/my-cm created
[root@k8s-master volume]# kubectl get cm -n myns
NAME               DATA   AGE
kube-root-ca.crt   1      33m
my-cm              2      16s
[root@k8s-master volume]# kubectl describe cm my-cm -n myns
Name:         my-cm
Namespace:    myns
Labels:       <none>
Annotations:  <none>

Data
====
passwd:
----
slb317418

username:
----
sulibao


BinaryData
====

Events:  <none>



# create the same ConfigMap from the two files individually; the result is identical to the directory form
# (my-cm was deleted before each re-creation below: kubectl create refuses to overwrite an existing object)
[root@k8s-master a]# ll
total 8
-rw-r--r-- 1 root root 10 Dec 16 16:54 passwd
-rw-r--r-- 1 root root  8 Dec 16 16:54 username
[root@k8s-master a]# kubectl create cm my-cm --from-file=/root/volume/a/username --from-file=/root/volume/a/passwd -n myns
configmap/my-cm created
[root@k8s-master a]# kubectl get cm -n myns
NAME               DATA   AGE
kube-root-ca.crt   1      36m
my-cm              2      8s
[root@k8s-master a]# kubectl describe cm my-cm -n myns
Name:         my-cm
Namespace:    myns
Labels:       <none>
Annotations:  <none>

Data
====
passwd:
----
slb317418

username:
----
sulibao


BinaryData
====

Events:  <none>

(3) --from-literal on the command line

Each --from-literal=key=value pair becomes one key; unlike --from-file there is no trailing newline. The values appear in the shell history and in the process list while kubectl runs, which is acceptable for non-sensitive configuration like this but is one more reason not to pass credentials this way.

[root@k8s-master volume]# kubectl create cm my-cm --from-literal=username=sulibao --from-literal=passwd=slb317418 -n myns
configmap/my-cm created
[root@k8s-master volume]# kubectl get cm -n myns
NAME               DATA   AGE
kube-root-ca.crt   1      40m
my-cm              2      10s
[root@k8s-master volume]# kubectl describe cm my-cm -n myns
Name:         my-cm
Namespace:    myns
Labels:       <none>
Annotations:  <none>

Data
====
passwd:
----
slb317418
username:
----
sulibao

BinaryData
====

Events:  <none>

3. Using a ConfigMap

(1) Injecting values as environment variables with env or envFrom

env with configMapKeyRef picks a single key and exposes it under a variable name of your choice; envFrom with configMapRef imports every key of a ConfigMap as a variable named after the key. The manifest below uses both.

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap1
  namespace: myns
data:
  username: sulibao
  passwd: slb317418

---

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap2
  namespace: myns
data:
  email: 123.qq.com

---

apiVersion: v1
kind: Pod
metadata:
  name: my-nginx-configmap
  namespace: myns
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["/bin/sh","-c","env;sleep 3000"]
    env:
    - name: name   # the environment variable to set; its name is chosen here
      valueFrom:
        configMapKeyRef:
          name: my-configmap1    # the ConfigMap to read from
          key: username    # the key whose value becomes the variable's value
    - name: passwd
      valueFrom:
        configMapKeyRef:
          name: my-configmap1
          key: passwd
    envFrom:
    - configMapRef:
        name: my-configmap2    # every key of this ConfigMap becomes a variable

[root@k8s-master volume]# kubectl get pods,cm -n myns
NAME                     READY   STATUS    RESTARTS   AGE
pod/my-nginx-configmap   1/1     Running   0          4m52s

NAME                         DATA   AGE
configmap/kube-root-ca.crt   1      123m
configmap/my-configmap1      2      4m52s
configmap/my-configmap2      1      4m52s

[root@k8s-master volume]# kubectl logs my-nginx-configmap -n myns | grep -E '(email|passwd|name)'
email=123.qq.com
name=sulibao
passwd=slb317418

[root@k8s-master volume]# kubectl exec -it my-nginx-configmap -n myns -- /bin/sh    # verify from inside the Pod
/ # 
/ # env
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
HOSTNAME=my-nginx-configmap
SHLVL=1
HOME=/root
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
email=123.qq.com
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
name=sulibao
passwd=slb317418
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
/ # echo $name
sulibao
/ # echo $email
123.qq.com

Environment variables are read once, when the container process starts. Editing the ConfigMap afterwards does not change them; the Pod has to be recreated. Also notice that this container's command runs env, so every injected value, passwd included, is written to the container log and readable by anyone with logs permission on the Pod, and with kubectl exec the whole environment is one env away. This is one of the reasons credentials are better mounted as files than exposed as environment variables.

(2) Mounting a ConfigMap as a volume

Mounting the ConfigMap as a volume creates one file per key under mountPath. The mount replaces whatever the image had at that path, so use a dedicated directory. To expose only some keys, or under different file names, list them under items on the configMap volume. A subPath mount of a single key never receives updates; a whole-volume mount does, with the kubelet sync delay described in section 2.

apiVersion: v1
kind: ConfigMap
metadata: 
  name: my-configmap
  namespace: myns
data:
  username: sulibao
  passwd: slb317418

---

apiVersion: v1
kind: Pod
metadata:
  name: my-nginx-configmap
  namespace: myns
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["/bin/sh","-c","cd /root/mymsg;sleep 3000"]
    volumeMounts:
    - name: myvolume
      mountPath: /root/mymsg
  volumes:
  - name: myvolume
    configMap:
      name: my-configmap

[root@k8s-master volume]# kubectl get pods,cm -n myns
NAME                     READY   STATUS    RESTARTS   AGE
pod/my-nginx-configmap   1/1     Running   0          10s

NAME                         DATA   AGE
configmap/kube-root-ca.crt   1      145m
configmap/my-configmap       2      10s

[root@k8s-master volume]# kubectl exec -it my-nginx-configmap -n myns -- /bin/sh -c "cat /root/mymsg/passwd"
slb317418
[root@k8s-master volume]# kubectl exec -it my-nginx-configmap -n myns -- /bin/sh -c "cat /root/mymsg/username"
sulibao

4. Making a ConfigMap change trigger a Deployment rollout

Editing a ConfigMap refreshes the files in existing Pods (section 3(2)) but never restarts them. A process that reads its configuration only at start-up, like the container below, which copies username into /root/a.txt once and then sleeps, therefore keeps the old value for as long as it runs. The Deployment has to be rolled out for new Pods to pick the change up. The walkthrough does this by hand: edit the ConfigMap, then change an annotation in the Deployment's pod template; any change to the template triggers a rolling update (kubectl rollout restart deployment/my-deploy achieves the same). Order matters: the new Pods copy username when they start, so the ConfigMap must be edited before the rollout is triggered, otherwise the replacement Pods still copy the old value.

apiVersion: v1
kind: ConfigMap
metadata: 
  name: my-configmap
  namespace: myns
data:
  username: sulibao
  passwd: slb317418

---

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: my-deploy
  name: my-deploy
  namespace: myns
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-deploy
  template:
    metadata:
      labels:
        app: my-deploy
    spec:
      containers:
      - image: busybox
        command: ["/bin/sh","-c","touch /root/a.txt;cat /root/mymsg/username > /root/a.txt;sleep 3000"]
        name: busybox
        volumeMounts:
        - name: myvolume
          mountPath: /root/mymsg
      volumes:
      - name: myvolume
        configMap:
          name: my-configmap

[root@k8s-master volume]# kubectl get pods,cm -n myns
NAME                             READY   STATUS    RESTARTS   AGE
pod/my-deploy-574476c4d9-85m78   1/1     Running   0          8s
pod/my-deploy-574476c4d9-fghm2   1/1     Running   0          8s
pod/my-deploy-574476c4d9-w4rrj   1/1     Running   0          8s

NAME                         DATA   AGE
configmap/kube-root-ca.crt   1      11m
configmap/my-configmap       2      8s
[root@k8s-master volume]# kubectl exec -it my-deploy-574476c4d9-85m78 -n myns -- /bin/sh -c "cat /root/a.txt"
sulibao

[root@k8s-master volume]# kubectl edit cm my-configmap -n myns   # change username to SLB
[root@k8s-master volume]#  kubectl patch deployment my-deploy -n myns --patch '{"spec": {"template": {"metadata": {"annotations": {"update": "2" }}}}}'
deployment.apps/my-deploy patched
# the patch changes the pod template, which triggers the rolling update

[root@k8s-master volume]# kubectl get pods -n myns -w  # compared with the listing above, all three Pods have been replaced (new ReplicaSet hash 664d69c7cf)
NAME                         READY   STATUS    RESTARTS   AGE
my-deploy-664d69c7cf-5zkwz   1/1     Running   0          2m9s
my-deploy-664d69c7cf-dsxkp   1/1     Running   0          2m13s
my-deploy-664d69c7cf-vslz4   1/1     Running   0          2m5s
[root@k8s-master volume]# kubectl exec -it my-deploy-664d69c7cf-5zkwz -n myns -- /bin/sh -c "cat /root/a.txt"
SLB
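
Patching a hand-chosen annotation value ("update": "2") every time is easy to forget. The usual automation is to derive the pod template annotation from a hash of the ConfigMap manifest, so that any change to the ConfigMap changes the template and the Deployment rolls out by itself, and an unchanged ConfigMap triggers nothing. The following is an added example, not code from the original post; the annotation key checksum/config, the KUBECTL override and the function names are this example's own, and the Deployment and namespace default to the page's my-deploy and myns.

```shell
# Added example, not code from the original post: hash-based rollout trigger.
# Applying the ConfigMap and then patching the Deployment with a checksum of
# that same file makes the pod template change exactly when the config does.

sha256_of_file() {
  # usage: sha256_of_file FILE -> 64 hex chars; GNU coreutils first, then shasum/openssl
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{ print $1 }'
  else
    openssl dgst -sha256 "$1" | awk '{ print $NF }'
  fi
}

config_checksum_patch() {
  # usage: config_checksum_patch configmap.yaml -> strategic merge patch for the pod template
  printf '{"spec":{"template":{"metadata":{"annotations":{"checksum/config":"%s"}}}}}' \
    "$(sha256_of_file "$1")"
}

roll_on_config_change() {
  # usage: roll_on_config_change configmap.yaml [deployment] [namespace]
  # Apply the ConfigMap first, then patch the Deployment: the new Pods read the
  # ConfigMap when they start, so the order matters.  Set KUBECTL=echo to print
  # the commands instead of running them (no cluster needed).
  cm="$1"; deploy="${2:-my-deploy}"; ns="${3:-myns}"
  kubectl_cmd="${KUBECTL:-kubectl}"
  "$kubectl_cmd" apply -f "$cm" &&
  "$kubectl_cmd" patch deployment "$deploy" -n "$ns" --patch "$(config_checksum_patch "$cm")"
}
```

If the ConfigMap file has not changed, the patch carries the same checksum as before, kubectl reports that nothing changed, and no Pods are restarted; a real edit produces a new checksum and a new ReplicaSet, as the hand-run patch above did. Helm charts do the same with a checksum/config annotation rendered from the templated ConfigMap.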

II. Secret

In Kubernetes a Secret is the object for holding sensitive data such as passwords, tokens and certificates. It is a separate kind from ConfigMap so that it can be treated differently: it can be given its own, stricter RBAC rules, it can be encrypted at rest in etcd (through an EncryptionConfiguration on the API server, which is off by default), and the kubelet only sends a Secret to the nodes that run a Pod using it. The values in the data field are base64-encoded, and base64 is an encoding, not encryption: anyone who can run kubectl get secret -o yaml can decode every value in one command. The real security boundary is who is allowed to read Secrets in the namespace, so restrict that with RBAC, enable encryption at rest, and keep Secret manifests out of version control unless a tool encrypts them first.

1. Use cases

(1) Credentials: user names, passwords and tokens that the application needs to authenticate to other services, made available to the container at run time.

(2) TLS certificates and private keys, mounted into Pods that terminate or originate HTTPS connections (the kubernetes.io/tls Secret type exists for exactly this).

(3) Sharing sensitive data such as API keys or database connection strings between several Pods by mounting the same Secret into each, instead of configuring every Pod by hand.

(4) Sensitive application configuration (database passwords, third-party API keys): the image stays free of credentials and they are injected at deployment time.

The following shows how a Secret is created and consumed.

2. Creating a Secret

A Secret can be created from a manifest, with --from-file, or with --from-literal. The generic subcommand produces the Opaque type used for arbitrary key/value data. As with ConfigMaps, --from-file stores the whole file including its trailing newline.

[root@k8s-master volume]# kubectl create secret generic username --from-file=username -n myns
secret/username created
[root@k8s-master volume]# kubectl create secret generic passwd --from-file=passwd -n myns
secret/passwd created
[root@k8s-master volume]# kubectl get secrets -n myns
NAME       TYPE     DATA   AGE
passwd     Opaque   1      6s
username   Opaque   1      10s

--from-literal is the most convenient form and the least careful one: the value sits on the command line, so it is recorded in the shell history and is visible in the process list while kubectl runs. Use --from-file, or a manifest that comes from a protected source, for real credentials.

[root@k8s-master volume]# kubectl create secret generic user --from-literal=user=SLB -n myns
secret/user created
[root@k8s-master volume]# kubectl create secret generic pass --from-literal=pass=123456 -n myns
secret/pass created
[root@k8s-master volume]# kubectl get secrets  -n myns
NAME       TYPE     DATA   AGE
pass       Opaque   1      8s
passwd     Opaque   1      93s
user       Opaque   1      29s
username   Opaque   1      97s

In a manifest the values under data must already be base64-encoded (the two below decode to admin and 1f2d1e2e67df). A stringData field accepts plain text instead and is encoded by the API server, which avoids the hand-encoding mistakes shown after the listing. After applying this manifest, secret1 appears alongside the others:

apiVersion: v1
kind: Secret
metadata:
  name: secret1
  namespace: myns
type: Opaque
data:
  user1: YWRtaW4=
  pass1: MWYyZDFlMmU2N2Rm
[root@k8s-master volume]# kubectl get secrets  -n myns
NAME       TYPE     DATA   AGE
pass       Opaque   1      2m31s
passwd     Opaque   1      3m56s
secret1    Opaque   2      5s
user       Opaque   1      2m52s
username   Opaque   1      4m

# encoding and decoding by hand; the -n matters, without it echo appends a newline that gets encoded too
[root@k8s-master volume]# echo -n "freg" | base64
ZnJlZw==
[root@k8s-master volume]# echo -n "ZnJlZw==" | base64 --decode
freg
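
The two things that go wrong when Secret manifests are assembled by hand are a newline encoded into the value (echo without -n, or a file saved by an editor, as with the 8-byte username file above) and line-wrapped base64 output for longer values. The following is an added example, not code from the original post, with helpers that encode exactly, build an Opaque Secret manifest, read a value back out of one, and show the newline trap; function names are this example's own and the values are the ones used on this page.

```shell
# Added example, not code from the original post: exact base64 handling for
# Secret manifests and a demonstration of the trailing-newline trap.

b64_encode() {
  # encode the argument exactly: printf adds no newline (echo would, and it
  # would be encoded too); tr removes the line wrapping some base64 builds add
  printf '%s' "$1" | base64 | tr -d '\n'
}

b64_decode() {
  printf '%s' "$1" | base64 --decode
}

secret_manifest() {
  # usage: secret_manifest NAME NAMESPACE KEY VALUE -> Opaque Secret manifest on stdout
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$1" "$2" "$3" "$(b64_encode "$4")"
}

secret_value_from_manifest() {
  # usage: secret_value_from_manifest KEY manifest.yaml -> decoded plaintext
  # (what kubectl get secret NAME -o jsonpath='{.data.KEY}' | base64 --decode does
  # against the API; here the first line whose first field is "KEY:" is taken)
  enc=$(awk -v k="$1:" '$1 == k { print $2; exit }' "$2")
  b64_decode "$enc"
}

newline_trap() {
  # byte length of the decoded value when the plaintext came from echo vs. printf:
  # "freg" via echo decodes to 5 bytes (freg plus \n), via printf to 4
  via_echo=$(echo "freg" | base64 | tr -d '\n')
  printf '%s %s\n' "$(b64_decode "$via_echo" | wc -c | tr -d ' ')" \
                   "$(b64_decode "$(b64_encode freg)" | wc -c | tr -d ' ')"
}
```

The extra byte from the newline trap is invisible in kubectl describe and in cat, and surfaces only as a mysteriously rejected password; secret_value_from_manifest piped through od -c, or a quick wc -c as above, is the fastest way to spot it.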

3. Using a Secret

(1) Environment variables

A Secret is consumed from env the same way as a ConfigMap, with secretKeyRef in place of configMapKeyRef (or envFrom with secretRef). The Pod manifest for this step is not reproduced here; it exposes the username Secret created above as a variable called name. Note the blank line after name=sulibao in the env output: that is the trailing newline of the username file, stored as part of the value by --from-file.

[root@k8s-master volume]# kubectl get pods -n myns
NAME              READY   STATUS    RESTARTS   AGE
my-nginx-secret   1/1     Running   0          10s
[root@k8s-master volume]# kubectl exec -it my-nginx-secret -n myns -- /bin/sh
/ # 
/ # env
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=my-nginx-secret
SHLVL=1
HOME=/root
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
name=sulibao

KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
/ # echo $name
sulibao



Editing the Secret does not change the variable inside the running container. As with ConfigMaps, environment variables are captured when the process starts, and the same exposure applies: the value is readable through env, through the process environment, and through anything the process logs.

[root@k8s-master volume]# kubectl edit secrets username -n myns    # the env var is not updated after the edit
secret/username edited
[root@k8s-master volume]# kubectl get pods -n myns
NAME              READY   STATUS    RESTARTS   AGE
my-nginx-secret   1/1     Running   0          4m44s
[root@k8s-master volume]# kubectl exec -it my-nginx-secret -n myns -- /bin/sh
/ # 
/ # echo $name
sulibao

(2) Volume mount

Here two Secrets are combined into one directory with a projected volume, which can merge several Secrets, ConfigMaps and other sources under a single mountPath. Mounting at /root hides the image's own /root; a dedicated directory such as /etc/secrets is the usual choice. For a Secret volume it is also worth setting readOnly: true on the mount and a restrictive defaultMode (0400, or 0440 with a matching runAsGroup) so that only the intended process can read the files; the default mode is 0644.

apiVersion: v1
kind: Pod
metadata:
  name: my-nginx
  namespace: myns
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - name: nginx-port
      containerPort: 80
    volumeMounts:
    - name: myvolume
      mountPath: /root
  volumes:
  - name: myvolume
    projected:
      sources:
      - secret:
          name: username
      - secret:
          name: passwd

[root@k8s-master volume]# kubectl get pods -n myns
NAME       READY   STATUS    RESTARTS   AGE
my-nginx   1/1     Running   0          5s
[root@k8s-master volume]# kubectl exec -it my-nginx -n myns -- /bin/sh -c "cat /root/username"
sulibao
[root@k8s-master volume]# kubectl exec -it my-nginx -n myns -- /bin/sh -c "cat /root/passwd"
slb317418

After editing the Secret again (username changed to cenov), the file served by the volume follows the new value once the kubelet's sync has run, unlike the environment variable in (1):
[root@k8s-master volume]# kubectl exec -it my-nginx -n myns -- /bin/sh -c "cat /root/username"
cenov
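
Why the mounted file followed the edit while the environment variable in (1) did not, and why a subPath mount is the exception, comes down to how the kubelet publishes these volumes: each version is written into a timestamped directory, a ..data symlink points at the current one, and every key is exposed as <key> -> ..data/<key>, so an update is a single symlink swap. A subPath mount bind-mounts the file that ..data/<key> resolved to at Pod start, and a process's environment was likewise captured at exec time. The following is an added example, not code from the original post or the kubelet: a file-system model of that layout using plain directories, ln -sfn as a simplified stand-in for the kubelet's atomic rename, and a hard link standing in for the bind mount. Function and version names are this example's own.

```shell
# Added example, not code from the original post: a file-system model of the
# kubelet's ConfigMap/Secret volume layout and of what a subPath mount pins.

publish_version() {
  # usage: publish_version MOUNT VERSION key=value ...  (new version dir, then swap ..data)
  mnt="$1"; ver="$2"; shift 2
  mkdir -p "$mnt/..$ver"
  for kv in "$@"; do
    key="${kv%%=*}"
    printf '%s' "${kv#*=}" > "$mnt/..$ver/$key"
    [ -e "$mnt/$key" ] || ln -s "..data/$key" "$mnt/$key"   # key symlink, created once
  done
  ln -sfn "..$ver" "$mnt/..data"                             # the swap: every key now resolves to VERSION
}

read_key() {
  # usage: read_key MOUNT KEY -> current value (reads through <key> -> ..data/<key>)
  cat "$1/$2"
}

pin_subpath() {
  # usage: pin_subpath MOUNT KEY TARGET  (models subPath: KEY, the file as resolved right now)
  ln "$1/..data/$2" "$3"
}

demo() {
  # v1 is what the Pod started with; v2 is the kubectl edit.  Prints three values:
  # the file before the edit, the file after it, and the pinned subPath copy after it.
  mnt=$(mktemp -d)
  publish_version "$mnt" v1 username=sulibao passwd=slb317418
  pin_subpath "$mnt" username "$mnt.subpath"
  before=$(read_key "$mnt" username)
  publish_version "$mnt" v2 username=cenov passwd=slb317418
  printf '%s %s %s\n' "$before" "$(read_key "$mnt" username)" "$(cat "$mnt.subpath")"
  rm -rf "$mnt" "$mnt.subpath"
}
```

demo prints sulibao cenov sulibao: the whole-volume reader sees the edit, the subPath reader keeps the old inode. An application that wants to react to edits should reread the file (or watch the directory for the ..data swap) rather than read it once at start-up.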
