• kubernetes系列12—二个特色的存储卷configmap和secret


    本文收录在容器技术学习系列文章总目录

    1、configmap

    1.1 认识configmap

      ConfigMap用于保存配置数据的键值对,可以用来保存单个属性,也可以用来保存配置文件。ConfigMap跟secret很类似,但它可以更方便地处理不包含敏感信息的字符串。

    1.2 创建configmap

    1.2.1 通过命令行

    创建一个名为nginx-config的configmap,指定端口和server name

    [root@master ~]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.along.com
    configmap/nginx-config created
    [root@master ~]# kubectl get cm
    NAME           DATA      AGE
    nginx-config   2         11s
    [root@master ~]# kubectl describe cm nginx-config
    Name:         nginx-config
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    
    Data
    ====
    nginx_port:
    ----
    80
    server_name:
    ----
    myapp.along.com
    Events:  <none>
    

      

    1.2.2 通过文件

    1)准备文件

    [root@master ~]# mkdir configmap
    [root@master ~]# cd configmap
    [root@master configmap]# vim www.conf
    server {
            server_name myapp.along.com;
            listen 80;
            root /data/web/html/;
    }
    

      

    2)创建并查询验证

    [root@master configmap]# kubectl create configmap nginx-www --from-file=./www.conf
    configmap/nginx-www created
    [root@master configmap]# kubectl get cm
    NAME           DATA      AGE
    nginx-config   2         3m
    nginx-www      1         5s
    [root@master configmap]# kubectl describe cm nginx-www
    Name:         nginx-www
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    
    Data
    ====
    www.conf:
    ----
    server {
      server_name myapp.along.com;
      listen 80;
      root /data/web/html/;
    }
    
    Events:  <none>
    

      

    1.3 创建pod使用configmap

    1.3.1 pod通过环境变量使用configmap

    通过使用环境变量传入pod的configmap,不能实时更新

    1)编写使用configmap的pod的yaml文件

    [root@master configmap]# vim pod-configmap.yaml
    # Pod that consumes the nginx-config ConfigMap through environment variables.
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-cm-1
      namespace: default
      labels:
        app: myapp
        tier: frontend
      annotations:
        along.com/created-by: "cluster admin"
    spec:
      containers:
      - name: myapp
        # NOTE(review): the image is referenced by tag only; pinning it by digest
        # would make the deployed content verifiable — confirm with the image owner.
        image: ikubernetes/myapp:v1
        ports:
        - name: http
          containerPort: 80
        # Each variable is copied from one key of the nginx-config ConfigMap.
        # The walkthrough shows that editing the ConfigMap afterwards does not
        # change these values inside the already-running pod.
        env:
        - name: NGINX_SERVER_PORT
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: nginx_port
        - name: NGINX_SERVER_NAME
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: server_name
    

      

    2)创建pod,查询验证

    [root@master configmap]# kubectl apply -f pod-configmap.yaml
    pod/pod-cm-1 created
    [root@master configmap]# kubectl get pods
    NAME                            READY     STATUS    RESTARTS   AGE
    pod-cm-1                        1/1       Running   0          41s
    ---查询pod内部变量
    [root@master configmap]# kubectl exec -it pod-cm-1 -- printenv |grep NGINX_SERVER
    NGINX_SERVER_PORT=80
    NGINX_SERVER_NAME=myapp.along.com
    

      

    3)通过环境变量导入configmap,修改configmap后,pod中内容不会更改

    使用edit修改configmap,把nginx_port 80改为8080

    [root@master configmap]# kubectl edit cm nginx-config
    ... ...
      nginx_port: "8080"     #把80改为8080
    ... ...
    configmap/nginx-config edited
    

    查询,configmap被修改,但是pod中变量并未修改

    因为configmap只是在容器启动时加载生效;现在pod已经创建,再修改,不会生效

    ------cm已经修改------
    [root@master configmap]# kubectl describe cm nginx-config   
    Data
    ====
    nginx_port:
    ----
    8080
    server_name:
    ----
    myapp.along.com
    Events:  <none>
    ------但是pod实际没有改变------
    [root@master configmap]# kubectl exec -it pod-cm-1 -- printenv |grep NGINX_SERVER   
    NGINX_SERVER_PORT=80
    NGINX_SERVER_NAME=myapp.along.com
    

      

    1.3.2 pod通过存储卷使用configmap

    通过使用存储卷传入pod的configmap,可以自动更新(由kubelet周期性同步,可能有短暂延迟)

    1)编写使用configmap的pod的yaml文件,并创建pod

    创建一个volume,使用上边创建好的名为nginx-config的configmap

    [root@master configmap]# vim pod-configmap-2.yaml
    # Pod that mounts the nginx-config ConfigMap as a volume.
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-cm-2
      namespace: default
      labels:
        app: myapp
        tier: frontend
      annotations:
        along.com/created-by: "cluster admin"
    spec:
      # Volume backed by the ConfigMap; the walkthrough shows each key
      # (nginx_port, server_name) appearing as a file in the mount.
      volumes:
      - name: nginxconf
        configMap:
          name: nginx-config
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: http
          containerPort: 80
        volumeMounts:
        - name: nginxconf
          # NOTE(review): this path is config.d, not conf.d; the walkthrough only
          # reads the files with cat — presumably nginx does not load them from here.
          mountPath: /etc/nginx/config.d/
          # The container gets a read-only view of the ConfigMap files.
          readOnly: true
    [root@master configmap]# kubectl apply -f pod-configmap-2.yaml
    pod/pod-cm-2 created
    

      

    2)登入pod中,查询验证

    [root@master configmap]# kubectl get pods
    NAME       READY     STATUS    RESTARTS   AGE
    pod-cm-2   1/1       Running   0          7s
    [root@master ~]# kubectl exec -it pod-cm-2 -- /bin/sh
    / # cd /etc/nginx/config.d/
    /etc/nginx/config.d # ls
    nginx_port   server_name
    /etc/nginx/config.d # cat nginx_port
    80
    /etc/nginx/config.d # cat server_name 
    myapp.along.com
    

      

    3)通过存储卷导入configmap,修改configmap后,pod中内容会更改

    使用edit修改configmap,把nginx_port 80改为8080

    [root@master ~]# kubectl edit cm nginx-config
    apiVersion: v1
    data:
      nginx_port: "8080" 
      server_name: myapp.along.com
    ... ...
    configmap/nginx-config edited
    

    再登入pod查看,发现已经改变

    [root@master ~]# kubectl exec -it pod-cm-2 -- /bin/sh
    / # cat /etc/nginx/config.d/nginx_port 
    8080/
    

      

    1.4 一个完整的configmap的应用实例

    1.4.1 编写创建pod的yaml文件,使用nginx-www这个configmap

    [root@master configmap]# vim pod-configmap-3.yaml 
    # Pod that mounts the nginx-www ConfigMap so that its www.conf key
    # shows up as a file under the nginx conf.d directory.
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-cm-3
      namespace: default
      labels:
        app: myapp
        tier: frontend
      annotations:
        along.com/created-by: "cluster admin"
    spec:
      volumes:
      - name: nginxconf
        configMap:
          name: nginx-www
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: http
          containerPort: 80
        volumeMounts:
        - name: nginxconf
          # NOTE(review): a volume mounted here shadows whatever the image shipped
          # in conf.d — confirm nothing else from that directory is needed.
          mountPath: /etc/nginx/conf.d/
          # The container gets a read-only view of the ConfigMap files.
          readOnly: true
    

      

    1.4.2 创建pod

    [root@master configmap]# kubectl apply -f pod-configmap-3.yaml
    pod/pod-cm-3 created
    [root@master configmap]# kubectl get pods
    NAME       READY     STATUS    RESTARTS   AGE
    pod-cm-3   1/1       Running   0          24s
    

      

    1.4.3 登入pod,查询配置是否成功

    [root@master configmap]# kubectl exec -it pod-cm-3 -- /bin/sh
    / # cat /etc/nginx/conf.d/www.conf 
    server {
        	server_name myapp.along.com;
        	listen 80;
        	root /data/web/html/;
    }
    / # nginx -T |tail -7      #-T查询nginx的配置信息
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    # configuration file /etc/nginx/conf.d/www.conf:
    server {
    	server_name myapp.along.com;
    	listen 80;
    	root /data/web/html/;
    }
    ---生成nginx的主页内容
    / # mkdir -p /data/web/html
    / # vi /data/web/html/index.html
    <h1>Nginx Server configured by CM</h1>
    

      

    1.4.4 在其他节点访问,验证是否成功

    1)在master上新开一个窗口,查询pod对应的IP

    [root@master ~]# kubectl get pods -o wide
    NAME                            READY     STATUS    RESTARTS   AGE       IP            NODE
    pod-cm-3                        1/1       Running   0          7m        10.244.1.124  node2
    

      

    2)在任意节点上配置host,使其能连通此pod

    [root@node1 ~]# vim /etc/hosts
    10.244.1.124 myapp.along.com
    

      

    3)访问pod,成功

    [root@node1 ~]# curl myapp.along.com    
    <h1>Nginx Server configured by CM</h1>	
    

      

    1.4.5 通过修改configmap,修改pod中nginx服务的端口

    1)修改configmap的配置,将nginx的端口由80改为8888

    [root@master ~]# kubectl edit cm nginx-www
    apiVersion: v1
    data:
      www.conf: "server {
    	server_name myapp.along.com;
    	listen 8888;
    	root /data/web/html/;
    }
    "
    ... ...
    configmap/nginx-www edited
    

      

    2)在pod内还需要重载nginx配置(现在是手工操作,后面会使用k8s工具完成)

    / # cat /etc/nginx/conf.d/www.conf     查询configmap的修改是否生效
    server {
    	server_name myapp.along.com;
    	listen 8888;
    	root /data/web/html/;
    }
    / # nginx -s reload  重载一下nginx配置
    2019/02/25 02:32:00 [notice] 16#16: signal process started
    

      

    3)在node节点上访问验证,成功

    [root@node1 ~]# curl myapp.along.com:8888
    <h1>Nginx Server configured by CM</h1>	

     

    2、secret

    2.1 认识secret

    •  Secret 对象类型用来保存敏感信息,例如密码、OAuth 令牌和 ssh key。将这些信息放在 secret 中比放在 pod 的定义或者 docker 镜像中来说更加安全和灵活。
    •  Secret 是一种包含少量敏感信息(例如密码、token 或 key)的对象。这样的信息可能会被放在 Pod spec 中或者镜像中;将其放在一个 secret 对象中可以更好地控制它的用途,并降低意外暴露的风险。
    •  用户可以创建 secret,同时系统也创建了一些 secret。
    •  要使用 secret,pod 需要引用 secret。Pod 可以用两种方式使用 secret:作为 volume 中的文件被挂载到 pod 中的一个或者多个容器里,或者当 kubelet 为 pod 拉取镜像时使用。
    •  Secret有三种类型:
      •  Service Account:用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount目录中;
      •  Opaque:base64编码格式的Secret,用来存储密码、密钥等(base64只是编码而非加密,任何能读取该Secret的人都可以还原明文);
      •  kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息。

    2.2 创建一个secret

    ---创建secret(仅作演示:--from-literal会让明文密码出现在命令行和shell历史中,实际使用时可改用--from-file从文件读取)
    [root@master ~]# kubectl create secret generic mysql-root-passwd --from-literal=password=MyP@ss123
    secret/mysql-root-passwd created
    ---查询secret信息
    [root@master ~]# kubectl get secret
    NAME                  TYPE                                  DATA      AGE
    default-token-wjbzf   kubernetes.io/service-account-token   3         35d
    mysql-root-passwd     Opaque                                1         11s
    ---查询详细信息
    [root@master ~]# kubectl describe secret mysql-root-passwd
    Name:         mysql-root-passwd
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    
    Type:  Opaque
    
    Data
    ====
    password:  9 bytes    #describe只显示长度,不显示内容;值以base64编码保存,并非加密
    ---以yaml文件显示信息
    [root@master ~]# kubectl get secret mysql-root-passwd -o yaml
    apiVersion: v1
    data:
      password: TXlQQHNzMTIz
    kind: Secret
    metadata:
      creationTimestamp: 2018-10-10T03:14:04Z
      name: mysql-root-passwd
      namespace: default
      resourceVersion: "436965"
      selfLink: /api/v1/namespaces/default/secrets/mysql-root-passwd
      uid: 8adbf6ae-cc3a-11e8-bb48-005056277243
    type: Opaque
    ---解码(base64可直接还原明文)
    [root@master ~]# echo TXlQQHNzMTIz |base64 -d
    MyP@ss123
    

      

    2.3 通过secret向pod注入环境变量

    1)编写yaml文件,创建pod

    [root@master configmap]# vim pod-secret-1.yaml
    # Pod that receives the mysql-root-passwd Secret as an environment variable.
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-secret-1
      namespace: default
      labels:
        app: myapp
        tier: frontend
      annotations:
        along.com/created-by: "cluster admin"
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: http
          containerPort: 80
        # The Secret's "password" key is placed in the container environment;
        # the walkthrough reads it back in plain text with printenv.
        # NOTE(review): environment variables are inherited by child processes and
        # are easy to dump in diagnostics; mounting the Secret as a read-only volume
        # is the usual lower-exposure alternative — confirm what the application needs.
        env:
        - name: MYSQL_ROOT_PASSWD
          valueFrom:
            secretKeyRef:
              name: mysql-root-passwd
              key: password
    [root@master configmap]# kubectl apply -f pod-secret-1.yaml
    pod/pod-secret-1 created
    

      

    2)查询并验证

    [root@master configmap]# kubectl get pods
    NAME                            READY     STATUS    RESTARTS   AGE
    pod-secret-1                    1/1       Running   0          14s
    ---验证,查询pod中的环境变量,筛选出MYSQL_ROOT_PASSWD(可见secret以明文出现在环境变量中,容器内进程及其子进程都能读取)
    [root@master configmap]# kubectl exec pod-secret-1 -- printenv |grep MYSQL
    MYSQL_ROOT_PASSWD=MyP@ss123
    

      

  • 原文地址:https://www.cnblogs.com/along21/p/10435468.html