配置管理:
加密配置:保存密码、token等敏感信息的k8s资源(Secret)。注意:Secret默认只是base64编码后存放在etcd中,并不是真正加密;若要保护它,需要在APIserver开启静态加密(EncryptionConfiguration),并用RBAC限制谁能读取Secret。
应用配置:对应用做定制化配置,并把定制好的配置文件同步到pod里的容器中(ConfigMap)。
secret:
[root@master01 ~]# kubectl get secrets ##查看加密配置
[root@master01 ~]# kubectl get secrets -n kube-system ##查看加密配置
1、service-account-token:k8s集群自建,用来访问APIserver的secret,pod默认使用这个secret与APIserver进行通信。
自动挂载到pod内的/run/secrets/kubernetes.io/serviceaccount目录。
2、Opaque:用户自定义的密码、密钥等,默认类型就是Opaque;用 kubectl create secret generic 创建。
3、kubernetes.io/dockerconfigjson:配置docker私有仓库的认证信息。
4、TLS:用来存储TLS或者SSL证书和私钥。
[root@master01 ~]# cd /opt/
[root@master01 opt]# mkdir secret
[root@master01 opt]# cd secret/
[root@master01 secret]# echo "xy102" > username.txt
[root@master01 secret]# echo "123456" > passwd.txt
[root@master01 secret]# echo "123456" > password.txt
##创建加密文件secret1,基于Opaque类型创建,文件来自于本目录路径
[root@master01 secret]# kubectl create secret generic secret1 --from-file=username.txt --from-file=password.txt
##查看secret配置文件
[root@master01 secret]# kubectl get secrets
secret1 Opaque 2 11s
##查看secret1的详细信息,类型
[root@master01 secret]# kubectl describe secrets secret1
Name: secret1
Namespace: default
Labels:
Annotations:
Type: Opaque
Data
====
password.txt: 7 bytes
username.txt: 6 bytes
##对指定内容进行base64编码(注意:base64只是编码,不是加密,任何能读取该Secret的人都能直接解码还原)
[root@master01 configmap]# echo -n xy102 | base64
eHkxMDI=
[root@master01 configmap]# echo -n 123456 | base64
MTIzNDU2
[root@master01 secret]# vim secret1.yaml
apiVersion: v1
kind: Secret
metadata:
name: secret2
type: Opaque
#声明类型
data: ##data中的值必须是base64编码后的字符串(也可以用stringData字段直接写明文,由k8s自动编码)
username: eHkxMDI=
password: MTIzNDU2
[root@master01 secret]# kubectl apply -f secret1.yaml
secret/secret2 created
[root@master01 secret]# vim secret1.yaml
apiVersion: v1
kind: Secret
metadata:
name: secret2
type: Opaque
#声明类型
data:
username: eHkxMDI=
password: MTIzNDU2
----------------------------------------------
##以上已经创建好secret2加密文件
[root@master01 secret]# kubectl apply -f secret1.yaml
secret/secret2 created
[root@master01 secret]# vim test1.yaml
#如何把secret以文件形式挂载到pod当中
apiVersion: v1
kind: Pod
metadata:
name: pod1
labels:
app: test
spec:
containers:
- name: nginx
image: nginx:1.22
volumeMounts:
- name: sec-test
mountPath: "/etc/secrets" ##容器里面的目录
readOnly: true ##只读模式,默认就是只读
volumes:
- name: sec-test ##名称自定义
secret: ##引用加密文件格式声明
secretName: secret2 ##通过secret加密文件名称,把secret2文件挂载到容器
##查看加密文件详情
[root@master01 secret]# kubectl get secrets
secret2 Opaque 2 13m
##创建pod,把secret2中的数据以文件形式挂载到pod容器内
[root@master01 secret]# kubectl apply -f test1.yaml
pod/pod1 created
[root@master01 secret]# kubectl get pod
pod1 1/1 Running 0 14s
[root@master01 secret]# kubectl exec -it pod1 bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@pod1:/# cd /etc/
root@pod1:/etc# cd secrets/
root@pod1:/etc/secrets# ls
password username
[root@master01 secret]# vim test1.yaml
#如何把secret挂载到pod当中
#把secret作为环境变量传到pod当中
apiVersion: v1
kind: Pod
metadata:
name: pod1
labels:
app: test
spec:
containers:
- name: nginx
image: nginx:1.22
env:
#给pod容器定义环境变量(注意:环境变量会被容器内所有子进程继承,也容易被写进日志或崩溃信息里,敏感信息更推荐用文件挂载方式)
- name: USER
#环境变量的变量名
valueFrom:
#user变量的值从哪里来?
secretKeyRef:
##引用secret的某一个加密文件,采用key形式,进行捕捉,此处捕捉username
name: secret2
key: username
- name: PASSWORD
valueFrom:
secretKeyRef:
name: secret2
key: password
##引用secret的某一个加密文件,采用key形式,进行捕捉,此处捕捉password
[root@master01 secret]# kubectl apply -f test1.yaml --force
pod/pod1 configured
[root@master01 secret]# kubectl exec -it pod1 bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@pod1:/# echo $USER
xy102
root@pod1:/# echo $PASSWORD
123456
##-- 查看容器里面的文件
[root@master01 secret]# kubectl exec -it pod1 -- cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
[root@master01 opt]# kubectl create secret docker-registry harbor1 --docker-server=192.168.168.84 --docker-username=admin --docker-password=123456
secret/harbor1 created
[root@master01 secret]# vim test1.yaml
#使用imagePullSecrets,从需要认证的私有仓库拉取镜像
apiVersion: v1
kind: Pod
metadata:
name: pod1
labels:
app: test
spec:
containers:
- name: nginx
image: hub.test.com/test1/nginx:v1
imagePullSecrets:
#指定访问docker私有仓库所用的secret,该字段与containers同级
- name: harbor1
##拉取镜像时使用harbor1这个secret向私有仓库认证,实现免密拉取(注意:上面创建harbor1时把--docker-password直接写在命令行,密码会留在shell历史记录中)
[root@master01 secret]# kubectl apply -f test1.yaml --force
pod/pod1 configured
[root@master01 secret]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nfs1-76f66b958-68wpl 1/1 Running 0 3d
pod1 1/1 Running 0 52s
[root@k8s4 ~]# vim /etc/docker/daemon.json
[root@k8s4 ~]# systemctl daemon-reload
{
"registry-mirrors": [
"https://hub-mirror.c.163.com",
"https://docker.m.daocloud.io",
"https://ghcr.io",
"https://mirror.baidubce.com",
"https://docker.nju.edu.cn"
],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
}
}
[root@k8s4 ~]# systemctl restart docker
[root@k8s4 ~]# docker pull tomcat
[root@k8s4 ~]# docker tag tomcat:latest hub.test.com/test1/tomcat:v1
[root@k8s4 ~]# docker login -u admin -p 123456 https://hub.test.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@k8s4 ~]# docker push hub.test.com/test1/tomcat:v1
[root@master01 secret]# vim test1.yaml
#使用imagePullSecrets,从私有仓库拉取刚push上去的tomcat镜像
apiVersion: v1
kind: Pod
metadata:
name: pod1
labels:
app: test
spec:
containers:
- name: nginx
image: hub.test.com/test1/tomcat:v1
imagePullSecrets:
#指定docker私有仓库的加密的secret配置,和containers对齐
- name: harbor1
[root@master01 secret]# kubectl apply -f test1.yaml
[root@node02 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 5ef79149e0ec 3 weeks ago 188MB
hub.test.com/test1/tomcat v1 c2a444ea6cd7 4 weeks ago 508MB
configMap的语法和secret一致,但configMap保存的不是敏感信息,而是应用的普通配置信息。
[root@master01 opt]# mkdir configmap
[root@master01 opt]# cd configmap/
[root@master01 configmap]# echo 123 > test1
[root@master01 configmap]# echo 456 > test2
[root@master01 configmap]# kubectl create configmap con1 --from-file=/opt/configmap/
configmap/con1 created
[root@master01 configmap]# kubectl describe configmaps con1
Name: con1
Namespace: default
Labels:
Annotations:
Data
====
test1:
----
123
test2:
----
456
Events:
[root@master01 configmap]# vim configmap1.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: con2
data:
test1: "123"
test2: "456"
[root@master01 configmap]# kubectl apply -f configmap1.yaml
configmap/con2 created
#configMap的data值必须是字符串,纯数字要加引号,否则会被yaml解析成数字类型
[root@master01 configmap]# kubectl get cm
con2 2 2m7s
[root@master01 configmap]# vim con2.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod1
labels:
app: test
spec:
containers:
- name: nginx
image: nginx:1.22
env:
- name: ABC
valueFrom:
configMapKeyRef:
name: con1
key: test1
- name: DEF
valueFrom:
configMapKeyRef:
name: con1
key: test2
[root@master01 configmap]# kubectl apply -f con2.yaml --force
pod/pod1 configured
[root@master01 configmap]# kubectl apply -f con2.yaml --force
pod/pod1 configured
[root@master01 configmap]# kubectl exec -it pod1 bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@pod1:/# echo $ABC
123
root@pod1:/# echo $DEF
456
[root@master01 configmap]# vim con2.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod1
labels:
app: test
spec:
containers:
- name: nginx
image: nginx:1.22
[root@master01 configmap]# vim nginx.conf
worker_processes 2;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 8081;
server_name localhost;
charset utf-8;
location / {
root html;
index index.html index.php;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
##创建configMap,基于本地文件nginx.conf
[root@master01 configmap]# kubectl create configmap nginx-con --from-file=/opt/configmap/nginx.conf
configmap/nginx-con created
[root@master01 configmap]# kubectl get cm
NAME DATA AGE
con1 2 16m
con2 2 12m
kube-root-ca.crt 1 13d
nginx-con 1 71s
redis-config 2 20h
redis-config-master 3 26h
##创建configMap,基于本地文件nginx.conf
[root@master01 configmap]# kubectl create configmap nginx-con --from-file=/opt/configmap/nginx.conf
configmap/nginx-con created
[root@master01 configmap]# kubectl get cm
NAME DATA AGE
con1 2 16m
con2 2 12m
kube-root-ca.crt 1 13d
nginx-con 1 71s
redis-config 2 20h
redis-config-master 3 26h
[root@master01 configmap]# kubectl get cm nginx-con -o yaml
apiVersion: v1
data:
nginx.conf: |
worker_processes 2;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
charset utf-8;
location / {
root /usr/share/nginx/html;
index index.html index.php;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
kind: ConfigMap
metadata:
creationTimestamp: "2024-09-09T03:28:45Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data: {}
manager: kubectl-create
operation: Update
time: "2024-09-09T03:28:45Z"
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
f:nginx.conf: {}
manager: kubectl-edit
operation: Update
time: "2024-09-09T04:37:54Z"
name: nginx-con
namespace: default
resourceVersion: "732623"
selfLink: /api/v1/namespaces/default/configmaps/nginx-con
uid: 11452970-5f50-474e-8954-94812f9089c4
apiVersion: v1
kind: ConfigMap
metadata:
name: redis-config
data:
redis.conf: |
bind 0.0.0.0
protected-mode no
port 6379
dir /data
appendonly yes
sentinel.conf: |
sentinel monitor mymaster redis-master 6379 2
sentinel down-after-milliseconds mymaster 5000
sentinel failover-timeout mymaster 10000
sentinel parallel-syncs mymaster 1
[root@master01 configmap]# vim con1-test.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx1
labels:
app: test
spec:
replicas: 1
selector:
matchLabels:
app: test
template:
metadata:
labels:
app: test
spec:
containers:
- name: nginx
image: nginx:1.22
ports:
- containerPort: 8081
volumeMounts:
- name: nginx-con1
mountPath: /etc/nginx
- name: html-1
mountPath: /usr/share/nginx/html
volumes:
- name: nginx-con1
configMap:
name: nginx-con
--------------------------------------------------
kubectl create configmap nginx-con --from-file=/opt/configmap/nginx.conf
configmap/nginx-con created ##由此可见nginx-con这个configMap来自本地的nginx.conf,挂载后会出现在容器的/etc/nginx目录中
[root@master01 configmap]# ll
总用量 24
-rw-r--r--. 1 root root 665 9月 9 12:29 con1-test.yaml
-rw-r--r--. 1 root root 130 9月 9 11:26 con2.yaml
-rw-r--r--. 1 root root 158 9月 9 11:19 configmap1.yaml
-rw-r--r--. 1 root root 475 9月 9 11:27 nginx.conf
-rw-r--r--. 1 root root 4 9月 9 11:12 test1
-rw-r--r--. 1 root root 4 9月 9 11:12 test2
[root@master01 configmap]# cat nginx.conf
worker_processes 2;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 8081;
server_name localhost;
charset utf-8;
location / {
root html;
index index.html index.php;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
##可以发现本地源文件nginx.conf并没有被修改
##查看集群中cm的内容
[root@master01 configmap]# kubectl get cm
NAME DATA AGE
con1 2 120m
con2 2 116m
kube-root-ca.crt 1 13d
nginx-con 1 105m
redis-config 2 22h
redis-config-master 3 28h
[root@master01 configmap]# kubectl describe cm nginx-con
Name: nginx-con
Namespace: default
Labels:
Annotations:
Data
====
nginx.conf:
----
worker_processes 2;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
charset utf-8;
location / {
root /usr/share/nginx/html;
index index.html index.php;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
Events:
##kubectl edit cm nginx-con
##edit cm nginx-con 相当于直接修改集群中名为nginx-con的configMap对象,不会改动本地的nginx.conf源文件
--------------------------------------------------
- name: html-1
hostPath:
path: /opt/html11
type: DirectoryOrCreate
[root@master01 configmap]# vim con1-test.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx1
labels:
app: test
spec:
replicas: 1
selector:
matchLabels:
app: test
template:
metadata:
labels:
app: test
spec:
containers:
- name: nginx
image: nginx:1.22
ports:
- containerPort: 8081
volumeMounts:
- name: nginx-con1
mountPath: /etc/nginx
- name: html-1
mountPath: /usr/share/nginx/html
volumes:
- name: nginx-con1
configMap:
name: nginx-con
- name: html-1
hostPath:
path: /opt/html11
type: DirectoryOrCreate
[root@master01 configmap]# kubectl apply -f con1-test.yaml
deployment.apps/nginx1 configured
[root@master01 configmap]# kubectl get pod
[root@master01 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nfs1-76f66b958-68wpl 1/1 Running 0 3d2h
nginx1-fbc555f4b-srvxb 1/1 Running 0 29s
pod1 1/1 Running 0 65m
[root@master01 configmap]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nfs1-76f66b958-68wpl 1/1 Running 0 3d2h 10.244.2.173 node02
nginx1-fbc555f4b-srvxb 1/1 Running 0 2m43s 10.244.2.233 node02
pod1 1/1 Running 0 67m 10.244.2.232 node02
[root@master01 configmap]# curl 10.244.2.233
curl: (7) Failed connect to 10.244.2.233:80; 拒绝连接
[root@master01 configmap]# curl 10.244.2.233:8081
404 Not Found
404 Not Found
nginx/1.22.1
[root@master01 configmap]# kubectl logs -f nginx1-fbc555f4b-srvxb
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2024/09/09 04:32:50 [error] 20#20: *1 "/etc/nginx/html/index.html" is not found (2: No such file or directory), client: 10.244.0.0, server: localhost, request: "GET / HTTP/1.1", host: "10.244.2.233:8081"
10.244.0.0 - - [09/Sep/2024:04:32:50 +0000] "GET / HTTP/1.1" 404 153 "-" "curl/7.29.0"
[root@master01 configmap]# kubectl exec -it nginx1-fbc555f4b-srvxb bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@nginx1-fbc555f4b-srvxb:/# cd /etc/nginx/
root@nginx1-fbc555f4b-srvxb:/etc/nginx# ls
nginx.conf
root@nginx1-fbc555f4b-srvxb:/etc/nginx# cat nginx.conf
worker_processes 2;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 8081;
server_name localhost;
charset utf-8;
location / {
root html;
index index.html index.php;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
##configMap的热更新
[root@master01 configmap]# kubectl edit cm nginx-con ##直接修改集群中的cm内容,以卷方式挂载该cm的容器内文件会随之更新(有一定延迟)
server {
listen 80;
server_name localhost;
charset utf-8;
location / {
root /usr/local/nginx/html;
configmap/nginx-con edited
##外部使用命令查看pod容器的文件内容
[root@master01 configmap]# kubectl exec -it nginx1-fbc555f4b-srvxb -- cat /etc/nginx/nginx.conf
worker_processes 2;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
charset utf-8;
location / {
root /usr/local/nginx/html;
index index.html index.php;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
##滚动更新:修改pod模板的注解来触发deployment重建pod,让新pod重新读取配置
[root@master01 configmap]# kubectl patch deployments.apps nginx1 --patch '{"spec": {"template": {"metadata": {"annotations": {"version/config": "20240909" }}}}}'
deployment.apps/nginx1 patched
##查看pod更新后的信息
[root@master01 configmap]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nfs1-76f66b958-68wpl 1/1 Running 0 3d2h 10.244.2.173 node02
nginx1-bf65f8864-qdxbp 1/1 Running 0 30s 10.244.1.237 node01
pod1 1/1 Running 0 79m 10.244.2.232 node02
[root@master01 configmap]# curl 10.244.1.237
404 Not Found
404 Not Found
nginx/1.22.1
##进入节点,进行挂载目录添加访问页面
[root@node01 opt]# cd html11/
[root@node01 html11]# ll
总用量 0
[root@node01 html11]# echo 123 > index.html
[root@node01 html11]# ll
总用量 4
-rw-r--r--. 1 root root 4 9月 9 12:45 index.html
[root@master01 configmap]# curl 10.244.1.237
404 Not Found
404 Not Found
nginx/1.22.1
#访问仍然是404,说明页面没找到;查看容器内的nginx配置,发现root写成了/usr/local/nginx/html,而挂载目录是/usr/share/nginx/html,两者不一致;
[root@master01 configmap]# kubectl exec -it nginx1-bf65f8864-qdxbp -- cat /etc/nginx/nginx.conf
worker_processes 2;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
charset utf-8;
location / {
root /usr/local/nginx/html;
index index.html index.php;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
#重新更改并查看pod容器内部的文件
[root@master01 configmap]# kubectl edit cm nginx-con
configmap/nginx-con edited
[root@master01 configmap]# kubectl exec -it nginx1-bf65f8864-qdxbp -- cat /etc/nginx/nginx.conf
worker_processes 2;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
charset utf-8;
location / {
root /usr/share/nginx/html;
index index.html index.php;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
##cm改完后容器内文件会更新,但nginx进程不会自动重载,需要重启pod才能读取新配置
[root@master01 configmap]# kubectl patch deployments.apps nginx1 --patch '{"spec": {"template": {"metadata": {"annotations": {"version/config": "20240909" }}}}}'
deployment.apps/nginx1 patched (no change)
##注解值与上次相同,deployment没有变化,因此不会触发滚动更新
##使用大招:直接删除pod,由deployment重建新pod,相当于重启
[root@master01 configmap]# kubectl delete pod nginx1-bf65f8864-qdxbp
pod "nginx1-bf65f8864-qdxbp" deleted
##查看pod详细信息,发现新pod被调度到了node02,需要进入node02在挂载目录中添加页面
[root@master01 configmap]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nfs1-76f66b958-68wpl 1/1 Running 0 3d2h 10.244.2.173 node02
nginx1-bf65f8864-l5htm 1/1 Running 0 16s 10.244.2.234 node02
pod1 1/1 Running 0 85m 10.244.2.232 node02
[root@master01 configmap]# curl 10.244.2.234
403 Forbidden
403 Forbidden
nginx/1.22.1
##添加访问页面设置
[root@node02 opt]# cd /opt/html11/
[root@node02 html11]# ll
总用量 0
[root@node02 html11]# echo 123 > index.html
[root@master01 configmap]# curl 10.244.2.234
123
[root@master01 configmap]# kubectl exec -it nginx1-bf65f8864-l5htm bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@nginx1-bf65f8864-l5htm:/# cd /etc/nginx/
root@nginx1-bf65f8864-l5htm:/etc/nginx# ls
nginx.conf
root@nginx1-bf65f8864-l5htm:/etc/nginx# cat nginx.conf
worker_processes 2;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
charset utf-8;
location / {
root /usr/share/nginx/html;
index index.html index.php;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
##volumeMounts与volumes通过name一一对应,把节点目录挂载到容器内对应路径
root@nginx1-bf65f8864-l5htm:/etc/nginx# cd /usr/share/nginx/html/
root@nginx1-bf65f8864-l5htm:/usr/share/nginx/html# ls
index.html
configMap挂载到容器后,挂载点目录是只读的,容器内无法直接修改其中的文件
课后思考?
怎么传configMap文件
怎么更改更新配置文件