K8S存储之特殊存储（ConfigMap、Secret和downwardAPI）

1 ConfigMap

ConfigMap用于保持配置数据的键值对，可以用来保持单个熟悉，也可以用来保存配置文件。ConfigMap跟secret很类似，但它可以更方便地处理不包含敏感信息的字符串。

1.1 ConfigMap创建

可以使用kubectl create configmap从文件、目录或者key-value字符串创建等创建Configmap。

范例1：从key-value字符串创建ConfigMap

#创建ConfigMap
root@ubuntu-200 ~]# kubectl create configmap name --from-literal=name=yang
configmap/name created

#查看创建的Configmap
[root@ubuntu-200 ~]# kubectl describe configmaps name 
Name:         name
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
name:
----
yang
Events:  <none>

#也可以多个值一起跟在后面，创建的Configmap会有多个键值对
[root@ubuntu-200 ~]# kubectl create configmap test-configmap --from-literal=name=yang --from-literal=name2=wang
configmap/test-configmap created
#查看创建的Configmap
[root@ubuntu-200 ~]# kubectl describe configmaps test-configmap 
Name:         test-configmap
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
name:
----
yang
name2:
----
wang
Events:  <none>

范例2：基于文件创建

这种方式创建的ConfigMap对象，其数据存储的键为文件路径的基名，值为文件内容。

[root@ubuntu-200 ~]# cat config.env 
a=b
c=d

#创建configmap
[root@ubuntu-200 ~]# kubectl create configmap test2 --from-env-file=config.env 
configmap/test2 created

#查看Configmap
[root@ubuntu-200 ~]# kubectl get configmaps -o wide
NAME             DATA   AGE
demoapp-config   2      28h
name             1      31m
test-configmap   2      26m
test2            2      8m31s
[root@ubuntu-200 ~]# kubectl describe configmaps test2
Name:         test2
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
c:
----
d
a:
----
b
Events:  <none>

[root@ubuntu-200 /data]# cat myserver.conf 
server {
    listen 8080;
    server_name  localhost;
    include /etc/nginx/conf.d/myserver-*.conf
    
    location / {
    root /usr/share/nginx/html;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}

[root@ubuntu-200 /data]# kubectl create configmap nginx-config --from-file=/data/myserver.conf

[root@ubuntu-200 /data]# kubectl describe configmaps nginx-config 
Name:         nginx-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
myserver.conf:
----
server {
    listen 8080;
    server_name  localhost;
    include /etc/nginx/conf.d/myserver-*.conf
  
    location / {
  root /usr/share/nginx/html;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}

范例3：直接从文件目录创建,如果从文件创建，那么文件名会成为key，而文件内容会成为value

[root@ubuntu-200 ~]# mkdir /data/config
[root@ubuntu-200 ~]# cd /data/
[root@ubuntu-200 /data]# echo a > config/a
[root@ubuntu-200 /data]# echo b > config/b
[root@ubuntu-200 /data]# cat config/a
a
[root@ubuntu-200 /data]# cat config/b
b

#创建Configmap
[root@ubuntu-200 /data]# kubectl create configmap test3 --from-file=/data/config/ 
configmap/test3 created

#查看创建的Configmap
[root@ubuntu-200 /data]# kubectl get configmaps -o wide
NAME             DATA   AGE
demoapp-config   2      28h
name             1      37m
test-configmap   2      32m
test2            2      14m
test3            2      18s
[root@ubuntu-200 /data]# kubectl describe configmaps test3
Name:         test3
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
a:
----
a

b:
----
b

Events:  <none>

范例4:使用资源清单创建

基于配置文件创建ConfigMap资源时,它所使用的字段包括通常的apiVersion、kind和metadata字段，以及用于存储数据的关键字段“data”。

[root@ubuntu-200 /data]# cat ConfigMap.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: configmap-demo
  namespace: default
data:
  log_level: INFO    #前面为键,后面为值
  log_file: /data/configmap.log
[root@ubuntu-200 /data]# kubectl apply -f ConfigMap.yaml
[root@ubuntu-200 /data]# kubectl describe configmaps configmap-demo 
Name:         configmap-demo
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
log_file:
----
/data/configmap.log
log_level:
----
INFO
Events:  <none>

1.2 ConfigMap的使用

ConfigMap可以通过多种方式在Pod中使用，比如设置环境变量、设置容器命令行参数、在Volume中创建配置文件等。

注意：

• ConfigMap必须在pod引用它之前创建

• 使用envFrom时，将会自动忽略无效点键

• Pod只能使用同一个命令空间内的ConfigMap

范例1：基于键值进行引用

#编写资源清单
[root@ubuntu-200 ~]# cat configmap-env.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: configmap-app
  namespace: default
data:
  demoapp.port: "8080"
  demoapp.host: 0.0.0.0
---
apiVersion: v1
kind: Pod
metadata:
  name: configmap-env-demo
  namespace: default
spec:
  containers:
  - image: ikubernetes/demoapp:v1.0
    name: demoapp
    env:
    - name: PORT
      valueFrom:
        configMapKeyRef:
          name: configmap-app
          key: demoapp.port
          optional: false
    - name: HOST
      valueFrom:
        configMapKeyRef:
          name: configmap-app
          key: demoapp.host
          optional: true 

#创建Pod和ConfigMap
[root@ubuntu-200 ~]# kubectl apply -f configmap-env.yaml 
configmap/configmap-app created
pod/configmap-env-demo created

#查看Pod
[root@ubuntu-200 ~]# kubectl get pods -o wide
NAME                 READY   STATUS    RESTARTS   AGE     IP             NODE         NOMINATED NODREADINESS GATES
configmap-env-demo   1/1     Running   0          6s      10.244.5.118   c8-48        <none>       <none>
nginx                1/1     Running   0          72m     10.244.2.84    ubuntu-210   <none>       <none>
pod-redis            1/1     Running   0          11h     10.244.1.67    ubuntu-220   <none>       <none>
tomcat-sc            0/1     Pending   0          4h57m   <none>         <none>       <none>       <none>
volume-nfs-redis     1/1     Running   1          24h     10.244.2.72    ubuntu-210   <none>       <none>

#验证ConfigMap是否生效,可看到更改的端口已生效
[root@ubuntu-200 ~]# kubectl exec configmap-env-demo -- netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN  

范例2:基于存储卷引用

格式1:挂载ConfigMap中所有值

  volumes:
  - name: nginxconfs
    configMap:
      name: nginx-config    #ConfigMap的名称
      optional: false

格式2:挂载ConfigMap中的部分值

  volumes:
  - name: nginxconfs
    configMap:
      name: nginx-confs #ConfigMap的名称
      items:
      - key: envoy.yaml
        path: envoy.yaml
        mode: 0644
      - key: lds.conf
        path: lds.conf
        mode: 0644
      optional: false #是否为必要选项,false表示必要,true表示非必要.

#查看名为nginx-config的ConfigMap
[root@ubuntu-200 ~]# kubectl describe cm nginx-config 
Name:         nginx-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
myserver.conf:
----
server {
    listen 8080;
    server_name  localhost;
  
    location / {
  root /usr/share/nginx/html;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}

Events:  <none>

#编写Pod资源清单,在清单中引用ConfigMap
[root@ubuntu-200 ~]# cat configmap-volume.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: configmap-volume
  namespace: default
spec:
  containers:
  - name: nginx-server
    image: nginx:alpine
    volumeMounts:
    - name: nginxconfs
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: nginxconfs
    configMap:
      name: nginx-config
      optional: false

#创建pod
[root@ubuntu-200 ~]# kubectl apply -f configmap-volume.yaml

#查看pod并访问
[root@ubuntu-200 ~]# kubectl get pods -o wide
NAME                 READY   STATUS    RESTARTS   AGE     IP             NODE         NOMINATED NODE   READINESS GATES
configmap-env-demo   1/1     Running   0          30m     10.244.5.118   c8-48        <none>           <none>
configmap-volume     1/1     Running   0          10m     10.244.5.122   c8-48        <none>           <none>
[root@ubuntu-200 ~]# curl 10.244.5.122:8080
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
         35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

#进入Pod查看配置文件
[root@ubuntu-200 ~]# kubectl exec -it configmap-volume -- /bin/sh
/ # cat /etc/nginx/conf.d/myserver.conf
server {
    listen 8080;
    server_name  localhost;
    
    location / {
    root /usr/share/nginx/html;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}

2 Secret

Secret解决了密码、token、秘钥等敏感数据的配置问题，而不需要把这些敏感数据暴露到镜像或者Pod Spec中。Secret可以以Volume或者环境变量的方式使用。

Secret根据用途存在类型的概念，如下：

#调用方法
Secret资源，使用环境变量 

containers:
- name: …
  image: …
  env:
  - name: <string>       # 变量名，其值来自于某Secret对象上的指定键的值；
    valueFrom:            # 键值引用； 
      secretKeyRef:       
        name: <string>    # 引用的Secret对象的名称，需要与该Pod位于同一名称空间；
        key: <string>     # 引用的Secret对象上的键，其值将传递给环境变量；
        optional: <boolean> # 是否为可选引用；
  envFrom:                 # 整体引用指定的Secret对象的全部键名和键值；
  - prefix: <string>     # 将所有键名引用为环境变量时统一添加的前缀；
secretRef:        
  name: <string>     # 引用的Secret对象名称；
  optional: <boolean> # 是否为可选引用；

1、docker-registry：专用于让kubelet启动Pod时从私有镜像仓库pull镜像时，首先认证到Registry时使用；

Docker Registry类型，也是独特类型：

#语法
# kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

也能从dokcer的认证文件中加载信息，这时使用--from-file选项；

$HOME/.dockercfg, ~/.docker/config.json

何时引用，以及如何引用

pod.spec.imagePullSecrets

2、tls：专门用于保存tls/ssl用到证书和配对的私钥；

TLS类型是一种独特点类型，在创建secret的命令行中，除了类型标识的不同之外，它还需要使用专用的选项--cert和--key。

无论证书和私钥文件名是什么，它们会被统一为tls.key和tls.crt

#创建私钥
[root@ubuntu-200 /data/crt]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
................................................+++++
e is 65537 (0x010001)

#创建自签名证书
[root@ubuntu-200 /data/crt]# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Beijing/L=Beijing/O=Devops/CN=www.magedu.com
[root@ubuntu-200 /data/crt]# ls
nginx.crt  nginx.key

#创建Secret
[root@ubuntu-200 /data/crt]# kubectl create secret tls nginx-ssl-secret --key=/data/crt/nginx.key  --cert=/data/crt/nginx.crt 
secret/nginx-ssl-secret created

#查看Secret
[root@ubuntu-200 /data/crt]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-tdksz   kubernetes.io/service-account-token   3      9d
mysql-root-auth       Opaque                                2      47m
nginx-ssl-secret      kubernetes.io/tls                     2      78s
web-basic-authn       kubernetes.io/basic-auth              2      31m

3、generic：余下通用配置；可以存在的子类型

--type="kubernetes.io/basic-auth"

--type="kubernetes.io/rbd"

--type="kubernetes.io/ssh-auth"

另外，保存有专用于ServiceAccount的相关的token信息的Secret资源会使用资源注解来保存其使用场景。

资源的元数据：除了name，namespace之外，常用的还有labels，annotations（资源注解）；

（1）annotation的名称遵循类似于labels的名称命名格式，但其数据长度不受限制；

（2）它不能用于被标签选择器作为筛选条件；但常用于为那些仍处于Beta阶段点应用程序提供临时的配置接口；

（3）管理命令：

添加注解：kubectl annotate TYPE/NAME KEY=VALUE

删除注解：kubectl annotate TYPE/NAME KEY-

还有一种由kubeadm的bootstrap所使用的token专用的类型，它通常保存于kube-system名称空间，以bootstrap-token-为前缀。

 

范例1：命令创建Secret

#创建Secret
[root@ubuntu-200 ~]# kubectl create secret generic mysql-root-auth --from-literal=username=root --from-literal=password=123456

#查看创建的Secret
[root@ubuntu-200 ~]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-tdksz   kubernetes.io/service-account-token   3      9d
mysql-root-auth       Opaque                                2      71s
[root@ubuntu-200 ~]# kubectl describe secrets mysql-root-auth 
Name:         mysql-root-auth
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  6 bytes
username:  4 bytes

[root@ubuntu-200 ~]# kubectl get secrets mysql-root-auth -o yaml      
apiVersion: v1
data:
  password: MTIzNDU2    #看似加密，实际是base64编码
  username: cm9vdA==
kind: Secret
metadata:
  creationTimestamp: "2020-12-11T13:40:16Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
        f:username: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2020-12-11T13:40:16Z"
  name: mysql-root-auth
  namespace: default
  resourceVersion: "1114872"
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-auth
  uid: 1acde185-0ad9-4fce-be1a-2547dad974ab
type: Opaque
#用base64 -d进行解码
[root@ubuntu-200 ~]# echo "MTIzNDU2" | base64 -d
123456

#创建特定标签的generic
[root@ubuntu-200 ~]# kubectl create secret generic web-basic-authn --from-literal=username=devopser --from-literal=password=123456 --type="kubernetes.io/basic-auth"
secret/web-basic-authn created
[root@ubuntu-200 ~]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-tdksz   kubernetes.io/service-account-token   3      9d
mysql-root-auth       Opaque                                2      15m
web-basic-authn       kubernetes.io/basic-auth              2      9s

2.2 secret的调用

范例1: 环境变量引用

使用环境变量传递值的,只有在第一次调用时生效,启用过后修改不起作用.

#编辑资源清单
[root@ubuntu-200 ~]# cat secret-env.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: secret-env
  namespace: default
spec:
  containers:
  - name: mysql
    image: mysql
    imagePullPolicy: IfNotPresent
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-root-auth        #调用的secret
          key: password                #调用secret中的卷

#创建pod
[root@ubuntu-200 ~]# kubectl apply -f secret-env.yaml

#查看pod是否正常运行
[root@ubuntu-200 ~]# kubectl get pods
NAME         READY   STATUS    RESTARTS   AGE
secret-env   1/1     Running   0          9m18s

#进入容器测试,使用secret中的密码进行登录
[root@ubuntu-200 ~]# kubectl exec -it secret-env -- bash
root@secret-env:/# mysql -uroot -p123456    
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 8
Server version: 8.0.22 MySQL Community Server - GPL

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql> exit
Bye

范例2: 存储卷挂载

#编写资源清单
[root@ubuntu-200 ~]# cat secret-volume.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume
  namespace: default
spec:
  containers:
  - name: ngx-server
    image: nginx:alpine
    volumeMounts:
    - name: nginxcerts
      mountPath: /etc/nginx/certs/
      readOnly: true
    - name: nginxconfs
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: nginxcerts    
    secret:
      secretName: nginx-ssl-secret    #确保引用的secret存在
  - name: nginxconfs
    configMap:
      name: nginx-sslvhosts-confs    #确保引用的configMap存在
      optional: false

#创建ConfigMap
[root@ubuntu-200 /data/sslconf]# cat myserver.conf 
server {
    listen 443 ssl;
    server_name www.1234.com;

    ssl_certificate /etc/nginx/certs/tls.crt; 
    ssl_certificate_key /etc/nginx/certs/tls.key;

    ssl_session_timeout 5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 

    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; 
    ssl_prefer_server_ciphers on;

    include /etc/nginx/conf.d/myserver-*.cfg;

    location / {
        root /usr/share/nginx/html;
    }
}

server {
    listen 80;
    server_name www.ilinux.io; 
    return 301 https://$host$request_uri; 
}
[root@ubuntu-200 /data/sslconf]# cat myserver-gzip.cfg
gzip on;
gzip_comp_level 5;
gzip_proxied     expired no-cache no-store private auth;
gzip_types text/plain text/css application/xml text/javascript;
[root@ubuntu-200 /data/sslconf]# cat myserver-status.cfg
location /nginx-status {
    stub_status on;
    access_log off;
}
#创建ConfigMap
[root@ubuntu-200 /data/sslconf]# kubectl create configmap nginx-sslvhosts-confs --from-file=/data/sslconf/

#查看引用的ConfigMap是否存在,如不存在则创建
[root@ubuntu-200 ~]# kubectl get configmaps 
NAME                    DATA   AGE
configmap-app           2      36h
configmap-demo          2      36h
demoapp-config          2      2d18h
name                    1      38h
nginx-config            1      35h
nginx-sslvhosts-confs   3      15m
test-configmap          2      38h
test2                   2      38h
test3                   2      38h

[root@ubuntu-200 ~]# kubectl describe configmaps nginx-sslvhosts-confs
Name:         nginx-sslvhosts-confs
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
myserver.conf:
----
server {
    listen 443 ssl;
    server_name www.1234.com;

    ssl_certificate /etc/nginx/certs/tls.crt; 
    ssl_certificate_key /etc/nginx/certs/tls.key;

    ssl_session_timeout 5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 

    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; 
    ssl_prefer_server_ciphers on;

    include /etc/nginx/conf.d/myserver-*.cfg;

    location / {
        root /usr/share/nginx/html;
    }
}

server {
    listen 80;
    server_name www.ilinux.io; 
    return 301 https://$host$request_uri; 
}

myserver-gzip.cfg:
----
gzip on;
gzip_comp_level 5;
gzip_proxied     expired no-cache no-store private auth;
gzip_types text/plain text/css application/xml text/javascript;

myserver-status.cfg:
----
location /nginx-status {
    stub_status on;
    access_log off;
}

Events:  <none>

#创建pod
[root@ubuntu-200 ~]# kubectl apply -f secret-volume.yaml 
[root@ubuntu-200 ~]# kubectl get pods
NAME            READY   STATUS    RESTARTS   AGE
secret-env      1/1     Running   0          50m
secret-volume   1/1     Running   0          18m

#进入pod测试
[root@ubuntu-200 ~]# kubectl exec secret-volume -it -- sh
#可看到已监听443端口
/ # netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      
/ # ifconfig 
eth0      Link encap:Ethernet  HWaddr B2:1C:CA:F1:44:9E  
          inet addr:10.244.2.108  Bcast:10.244.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:488 (488.0 B)  TX bytes:42 (42.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
#访问测试
/ # curl -H "Host:www.1234.com" https://10.244.2.108:443
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
/ # curl -k -H "Host:www.1234.com" https://10.244.2.108:443
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
         35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

3 downwardAPI存储卷类型

从严格意义上来说好,downwardAPI不是存储卷,它自身就存在,原因在于,它引用的是Pod自身的运行环境信息,这些信息在Pod启动时就存在

类似于ConfigMap和Secret资源,容器能够在环境变量中在valueFrom字段中嵌套fieldRef或resourceFieldRef字段来引用其所属Pod对象的元数据信息.不过,通常只有常量类型的属性才能通过环境变量注入到容器中,毕竟,在进程启动完成后无法再向其告知变量值的变动,于是环境变量也就不支持中途的更新操作.容器规范中可以在环境变量配置中的valueFrom通过内嵌字段filedRef引用的信息包括如下这些：

3.1 第一类：

　　1.metadata.name：Pod对象的名称；

　　2.metadata.namespace：Pod对象隶属的名称空间；

　　3.metadata.uid：Pod对象的UID；

　　4.metadata.labels['<KEY>']：Pod对象标签中的指定键的值，例如：metadata.labels['mylabel']，仅Kubernetes 1.9及之后的版本才支持；

　　5.metadata.annotations['<KEY>']：Pod对象注解信息中的指定键的值，仅Kubernetes 1.9及之后的版本才支持。

3.2 第二类：容器上的计算资源需求和资源限制相关的信息，以及临时存储资源需求和资源限制相关的信息可通过容器规范中的resourceFieldRef字段引用，相关字段包括requests.cpu、limits.cpu、requests.memory和limits.memory等。另外，可通过环境变量引用的信息有如下几个：

1. status.podIP：Pod对象的IP地址

2. spec.serviceAccountName：Pod对象使用的ServiceAccount资源名称

3. spec.nodeName：节点名称

4. status.hostIP：节点IP地址

3.3 第三类：还可以通过resourceFieldRef字段引用当前容器的资源请求及资源限额的定义，因此它们包括以下6项：

　　1. requests.cpu

　　2. requests.memory

　　3. requests.ephemeral-storage

　　4. limits.cpu

　　5. limits.memory

　　6. limits.ephemeral-storage

范例1：直接引用

#编辑资源清单
[root@ubuntu-200 ~]# cat downwardAPI-01.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: downwardapi-01
  labels:
    app: demoapp
spec:
  containers:
  - name: demoapp
    image: ikubernetes/demoapp:v1.0
#    command: [ "/bin/sh", "-c", "env" ]
    resources:
      requests:
        memory: "32Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "500m"
    env:
    - name: THIS_POD_NAME
      valueFrom:
        fieldRef:
            fieldPath: metadata.name
    - name: THIS_POD_MAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: THIS_APP_LABEL
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['app']
    - name: THIS_CPU_LIMIT
      valueFrom:
        resourceFieldRef:
          resource: limits.cpu
    - name: THIS_MEM_REQUEST
      valueFrom:
        resourceFieldRef:
          resource: requests.memory
          divisor: 1Mi
#  restartPolicy: Never

#创建pod
[root@ubuntu-200 ~]# kubectl apply -f downwardAPI-01.yaml 
pod/downwardapi-01 created

#查看pod
[root@ubuntu-200 ~]# kubectl get pods 
NAME             READY   STATUS    RESTARTS   AGE
downwardapi-01   1/1     Running   0          5s
secret-env       1/1     Running   0          102m
secret-volume    1/1     Running   0          69m

#进入容器内部查看
[root@ubuntu-200 ~]# kubectl exec downwardapi-01 -it -- sh
[root@downwardapi-01 /]# env 
NGINX_SERVICE_PORT_81_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=downwardapi-01
THIS_CPU_LIMIT=1    #自定义的
THIS_APP_LABEL=demoapp    #自定义的
SHLVL=1
HOME=/root
NGINX_SERVICE_PORT_81_TCP=tcp://10.96.57.111:81
THIS_MEM_REQUEST=32    #自定义的
PS1=[u@h w]$ 
NGINX_SERVICE_SERVICE_PORT_HTTP=81
MYSQL_SERVICE_SERVICE_PORT_HTTP=8080
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NGINX_SERVICE_SERVICE_HOST=10.96.57.111
THIS_POD_NAME=downwardapi-01    #自定义的
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
MYSQL_SERVICE_PORT_8080_TCP_ADDR=10.96.27.252
MYSQL_SERVICE_SERVICE_HOST=10.96.27.252
MYSQL_SERVICE_PORT_8080_TCP_PORT=8080
MYSQL_SERVICE_PORT_8080_TCP_PROTO=tcp
DEPLOYENV=Production
NGINX_SERVICE_PORT=tcp://10.96.57.111:81
NGINX_SERVICE_SERVICE_PORT=81
MYSQL_SERVICE_SERVICE_PORT=8080
MYSQL_SERVICE_PORT=tcp://10.96.27.252:8080
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
RELEASE=Stable
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
THIS_POD_MAMESPACE=default    #自定义的
NGINX_SERVICE_PORT_81_TCP_ADDR=10.96.57.111
MYSQL_SERVICE_PORT_8080_TCP=tcp://10.96.27.252:8080
NGINX_SERVICE_PORT_81_TCP_PORT=81

范例2：存储卷挂载

#编写资源清单
[root@ubuntu-200 ~]# cat downwardAPI-01.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: downwardapi-01
  labels:
    app: demoapp
spec:
  containers:
  - name: demoapp
    image: ikubernetes/demoapp:v1.0
#    command: [ "/bin/sh", "-c", "env" ]
    resources:
      requests:
        memory: "32Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "500m"
    env:
    - name: THIS_POD_NAME
      valueFrom:
        fieldRef:
            fieldPath: metadata.name
    - name: THIS_POD_MAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: THIS_APP_LABEL
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['app']
    - name: THIS_CPU_LIMIT
      valueFrom:
        resourceFieldRef:
          resource: limits.cpu
    - name: THIS_MEM_REQUEST
      valueFrom:
        resourceFieldRef:
          resource: requests.memory
          divisor: 1Mi
#  restartPolicy: Never

#创建pod
[root@ubuntu-200 ~]# kubectl apply -f downwardAPI-volume.yaml 
pod/dapi-vol-pod created
#查看pod
[root@ubuntu-200 ~]# kubectl get pods
NAME             READY   STATUS    RESTARTS   AGE
dapi-vol-pod     1/1     Running   0          5s
downwardapi-01   1/1     Running   0          25m
secret-env       1/1     Running   0          127m
secret-volume    1/1     Running   0          95m

#进入pod查看
[root@ubuntu-200 ~]# kubectl exec -it dapi-vol-pod -- sh
[root@dapi-vol-pod /]# cd /etc/podinfo/
[root@dapi-vol-pod /etc/podinfo]# ls
cpu_limit        mem_request      pod_annotations  pod_labels       pod_namespace
[root@dapi-vol-pod /etc/podinfo]# cat cpu_limit 
[root@dapi-vol-pod /etc/podinfo]# cat mem_request 
[root@dapi-vol-pod /etc/podinfo]# cat pod_annotations 
ilinux.io/app="demoapp"
kubectl.kubernetes.io/last-applied-configuration="{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"ilinux.io/app":"demoapp"},"labels":{"app":"dapi-vol-pod","rack":"rack-101","zone":"east-china"},"name":"dapi-vol-pod","namespace":"default"},"spec":{"containers":[{"image":"ikubernetes/demoapp:v1.0","name":"volume-test-container","resources":{"limits":{"cpu":"500m","memory":"64Mi"},"requests":{"cpu":"200m","memory":"32Mi"}},"volumeMounts":[{"mountPath":"/etc/podinfo","name":"podinfo","readOnly":false}]}],"volumes":[{"downwardAPI":{"defaultMode":420,"items":[{"fieldRef":{"fieldPath":"metadata.namespace"},"path":"pod_namespace"},{"fieldRef":{"fieldPath":"metadata.labels"},"path":"pod_labels"},{"fieldRef":{"fieldPath":"metadata.annotations"},"path":"pod_annotations"},{"path":"cpu_limit","resourceFieldRef":{"containerName":"volume-test-container","resource":"limits.cpu"}},{"path":"mem_request","resourceFieldRef":{"containerName":"volume-test-container","divisor":"1Mi","resource":"requests.memory"}}]},"name":"podinfo"}]}}
"
kubernetes.io/config.seen="2020-12-12T03:43:53.245628998Z"
kubernetes.io/config.source="api"[root@dapi-vol-pod /etc/podinfo]# 
#如果引用的选项有多个，会以键值对的形式生成在pod内
[root@dapi-vol-pod /etc/podinfo]# cat pod_labels 
app="dapi-vol-pod"
rack="rack-101"
zone="east-china"