1.Secret
2.Configmap
Secret
将敏感数据以 base64 编码的形式存放在 Etcd 中（注意：base64 只是编码，默认并不加密；如需静态加密需在 API Server 开启 EncryptionConfiguration），让 Pod 的容器以环境变量或挂载 Volume 的方式访问。
应用场景：凭据（如用户名/密码、token、镜像仓库认证）。官方参考地址：https://kubernetes.io/docs/concepts/configuration/secret/
1、创建一个密码配置文件 secret
方式一
[root@master01 yaml_doc]# echo -n 'admin' > ./username.txt [root@master01 yaml_doc]# echo -n '1f2d1e2e67df' > ./password.txt [root@master01 yaml_doc]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt secret/db-user-pass created [root@master01 yaml_doc]# kubectl get secret NAME TYPE DATA AGE db-user-pass Opaque 2 11s #结果 default-token-sj2lw kubernetes.io/service-account-token 3 11d registry-pull-secret kubernetes.io/dockerconfigjson 1 2d3h [root@master01 yaml_doc]# kubectl describe secret db-user-pass #查看详细信息 Name: db-user-pass Namespace: default Labels: <none> Annotations: <none> Type: Opaque Data ==== password.txt: 12 bytes username.txt: 5 bytes [root@master01 yaml_doc]#
方式二 推荐
[root@master01 yaml_doc]# echo -n 'admin' | base64 #使用base64编码 YWRtaW4= [root@master01 yaml_doc]# echo -n '1f2d1e2e67df' | base64 MWYyZDFlMmU2N2Rm [root@master01 yaml_doc]# vim secret.yaml apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm [root@master01 yaml_doc]# kubectl create -f secret.yaml secret/mysecret created [root@master01 yaml_doc]# kubectl get secret NAME TYPE DATA AGE db-user-pass Opaque 2 6m19s default-token-4zq5b kubernetes.io/service-account-token 3 12d mysecret Opaque 2 6s #结果 [root@master01 yaml_doc]#
[root@master01 yaml_doc]# kubectl get secret mysecret -o yaml #以yaml的格式输出 apiVersion: v1 data: password: MWYyZDFlMmU2N2Rm username: YWRtaW4= kind: Secret metadata: creationTimestamp: "2019-09-16T11:42:37Z" name: mysecret namespace: default resourceVersion: "72440" selfLink: /api/v1/namespaces/default/secrets/mysecret uid: 14e7dce4-d877-11e9-b343-000c29586be2 type: Opaque [root@master01 yaml_doc]#
2、pod中使用也有两种方式
方式一 环境变量
[root@master01 yaml_doc]# cat secret-var.yaml apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: nginx image: 10.192.27.111/library/nginx:1.14 imagePullPolicy: IfNotPresent env: #设置环境变量 - name: SECRET_USERNAME #环境变量的值 valueFrom: secretKeyRef: name: mysecret key: username - name: SECRET_PASSWORD valueFrom: secretKeyRef: name: mysecret key: password # echo $SECRET_USERNAME # # # echo $SECRET_PASSWORD [root@master01 yaml_doc]# [root@master01 yaml_doc]# kubectl create -f secret-var.yaml pod/mypod created [root@master01 yaml_doc]# kubectl get pods NAME READY STATUS RESTARTS AGE mypod 1/1 Running 0 66s [root@master01 yaml_doc]# kubectl exec -it mypod bash root@mypod:/# echo $SECRET_USERNAME admin root@mypod:/# echo $SECRET_PASSWORD 1f2d1e2e67df root@mypod:/#
方式二 挂载方式 推荐（环境变量容易随进程信息、日志或子进程泄露；以只读文件挂载更可控）
[root@master01 yaml_doc]# cat secret-vol.yaml apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: nginx image: 10.192.27.111/library/nginx:1.14 imagePullPolicy: IfNotPresent command: [ "/bin/bash", "-ce", "tail -f /dev/null" ] volumeMounts: - name: foo mountPath: "/etc/foo" #挂载点 readOnly: true #只读 volumes: #数据卷 - name: foo secret: secretName: mysecret # cat /etc/foo/username # # # cat /etc/foo/password [root@master01 yaml_doc]# [root@master01 yaml_doc]# kubectl apply -f secret-vol.yaml pod/mypod created [root@master01 yaml_doc]# kubectl get pods NAME READY STATUS RESTARTS AGE mypod 1/1 Running 0 9s [root@master01 yaml_doc]# kubectl exec -it mypod bash root@mypod:/# ls /etc/f fonts/ foo/ fstab root@mypod:/# ls /etc/f fonts/ foo/ fstab root@mypod:/# ls /etc/foo/ password username root@mypod:/#
ConfigMap
参考文档:https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/
与 Secret 类似，区别在于 ConfigMap 保存的是不需要保密的配置信息；像下文示例中 redis.password 这类凭据应放入 Secret 而不是 ConfigMap。
应用场景：应用配置（非敏感的配置项、配置文件）
使用方式一:
[root@master01 yaml_doc]# vim redis.properties redis.host=127.0.0.1 redis.port=6379 redis.password=123456 [root@master01 yaml_doc]# kubectl create configmap redis-config --from-file=redis.properties configmap/redis-config created [root@master01 yaml_doc]# kubectl get configmap # kubectl get cm NAME DATA AGE redis-config 1 15s [root@master01 yaml_doc]# kubectl describe cm redis-config Name: redis-config Namespace: default Labels: <none> Annotations: <none> Data ==== redis.properties: ---- redis.host=127.0.0.1 redis.port=6379 redis.password=123456 Events: <none> [root@master01 yaml_doc]# [root@master01 yaml_doc]# vim cm.yaml apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: busybox image: busybox command: [ "/bin/sh","-c","cat /etc/config/redis.properties" ] volumeMounts: #挂载点 - name: config-volume mountPath: /etc/config volumes: #数据卷 - name: config-volume configMap: name: redis-config restartPolicy: Never [root@master01 yaml_doc]# kubectl apply -f cm.yaml pod/mypod created [root@master01 yaml_doc]# kubectl get pod NAME READY STATUS RESTARTS AGE mypod 0/1 Completed 0 15s [root@master01 yaml_doc]# kubectl logs mypod redis.host=127.0.0.1 redis.port=6379 redis.password=123456 [root@master01 yaml_doc]#
使用方式二:
[root@master01 yaml_doc]# vim myconfig.yaml apiVersion: v1 kind: ConfigMap metadata: name: myconfig namespace: default data: special.level: info special.type: hello [root@master01 yaml_doc]# kubectl apply -f myconfig.yaml configmap/myconfig created [root@master01 yaml_doc]# kubectl get cm NAME DATA AGE myconfig 2 11s redis-config 1 9m10s [root@master01 yaml_doc]# vim congfig-var.yaml apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: busybox image: busybox command: [ "/bin/sh", "-c", "echo $(LEVEL) $(TYPE)" ] env: #环境变量 - name: LEVEL valueFrom: configMapKeyRef: name: myconfig key: special.level - name: TYPE valueFrom: configMapKeyRef: name: myconfig key: special.type restartPolicy: Never [root@master01 yaml_doc]# kubectl apply -f congfig-var.yaml pod/mypod created [root@master01 yaml_doc]# kubectl get pod NAME READY STATUS RESTARTS AGE mypod 0/1 Completed 0 9s [root@master01 yaml_doc]# kubectl logs mypod info hello [root@master01 yaml_doc]#