  • kubernetes-配置管理(十一)

    Secret

    https://kubernetes.io/docs/concepts/configuration/secret/

    Secret解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者Pod Spec中。Secret可以以Volume或者环境变量的方式使用。

    使用kubectl创建secret

    [root@k8s-master1 secret]# echo -n 'admin' > ./username.txt
    [root@k8s-master1 secret]# echo -n '1f2d1e2e67df' > ./password.txt
    [root@k8s-master1 secret]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
    secret/db-user-pass created

    查看secret信息

    [root@k8s-master1 secret]# kubectl get secret
    NAME                   TYPE                                  DATA   AGE
    db-user-pass           Opaque                                2      15s
    default-token-7vs6s    kubernetes.io/service-account-token   3      6d23h
    registry-pull-secret   kubernetes.io/dockerconfigjson        1      5d3h
    sslexample-foo-com     kubernetes.io/tls                     2      66m
    [root@k8s-master1 secret]# kubectl describe secret/db-user-pass
    Name:         db-user-pass
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    
    Type:  Opaque
    
    Data
    ====
    password.txt:  12 bytes
    username.txt:  5 bytes

    使用yaml文件创建secret(data 字段中的值需先做 base64 编码;注意 base64 只是编码而非加密,并不提供保密性)

    [root@k8s-master1 secret]# echo -n 'admin' | base64
    YWRtaW4=
    [root@k8s-master1 secret]# echo -n '1f2d1e2e67df' | base64
    MWYyZDFlMmU2N2Rm
    [root@k8s-master1 secret]# vim secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:
      username: YWRtaW4=
      password: MWYyZDFlMmU2N2Rm
    
    [root@k8s-master1 secret]# kubectl create -f secret.yaml 
    secret/mysecret created
    Pod 可以通过 Volume 的方式使用 Secret
    [root@k8s-master1 secret]# vim secret-vol.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-secret
    spec:
      containers:
      - name: pod-secret
        image: busybox
        args:
          - /bin/sh
          - -c
          - sleep 10;touch /tmp/healthy;sleep 30000
        volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
          readOnly: true
      volumes:
      - name: foo
        secret:
          secretName: mysecret
    
    [root@k8s-master1 secret]# kubectl apply -f secret-vol.yaml
    pod/pod-secret created

    进入容器查看

    [root@k8s-master1 secret]# kubectl exec -it pod-secret sh
    / # ls /etc/foo/
    password  username
    / # cat /etc/foo/username 
    admin/ # 
    / # cat /etc/foo/password 
    1f2d1e2e67df/ # 

     以 Volume 方式使用的 Secret 支持动态更新:Secret 更新后,容器中的数据也会随之更新(由 kubelet 周期性同步,因此会有短暂延迟,并非即时生效)。

    [root@k8s-master1 secret]# vim secret.yaml 
    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:
      username: YWRtaW4=
      password: MWt3OG4zbDQ4Yg==
    
    [root@k8s-master1 secret]# kubectl apply -f secret.yaml
    Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
    secret/mysecret configured
    [root@k8s-master1 secret]# kubectl exec -it pod-secret sh
    / # cat /etc/foo/password 
    1kw8n3l48b/ # 
    / #
    Pod 可以通过 环境变量 的方式使用 Secret
    [root@k8s-master1 secret]# vim secret-env.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-secret-env
    spec:
      containers:
      - name: pod-secret-env
        image: busybox
        args:
          - /bin/sh
          - -c
          - sleep 10;touch /tmp/healthy;sleep 30000
        env:
          - name: SECRET_USERNAME
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: username
          - name: SECRET_PASSWORD
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: password
    
    [root@k8s-master1 secret]# kubectl apply -f secret-env.yaml
    pod/pod-secret-env created
    [root@k8s-master1 secret]# kubectl exec -it pod-secret-env sh
    / # echo $SECRET_USERNAME
    admin
    / # echo $SECRET_PASSWORD
    1kw8n3l48b

    通过环境变量 SECRET_USERNAME 和 SECRET_PASSWORD 成功读取到 Secret 的数据。
    需要注意的是,以环境变量方式读取 Secret 很方便,但不支持 Secret 的动态更新。
    Secret 可以为 Pod 提供密码、Token、私钥等敏感数据;对于一些非敏感数据,比如应用的配置信息,则可以使用 ConfigMap。

    ConfigMap

    https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/

    ConfigMap 的作用是让配置文件从镜像中解耦,从而提高镜像的可移植性和可复制性。许多应用程序会从配置文件、命令行参数或环境变量中读取配置信息。这些配置信息需要与 docker image 解耦,你总不能每修改一个配置就重做一个 image 吧?ConfigMap API 为我们提供了向容器中注入配置信息的机制,ConfigMap 可以用来保存单个属性,也可以用来保存整个配置文件或者 JSON 二进制大对象。

    configmap的创建

    命令创建configmap

    [root@k8s-master1 configmap]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.magedu.com
    configmap/nginx-config created
    [root@k8s-master1 configmap]# kubectl get cm
    NAME           DATA   AGE
    nginx-config   2      8s
    [root@k8s-master1 configmap]# kubectl describe cm nginx-config
    Name:         nginx-config
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    
    Data
    ====
    nginx_port:
    ----
    80
    server_name:
    ----
    myapp.magedu.com
    Events:  <none>

    通过 --from-file:每个文件内容对应一个信息条目。

    [root@k8s-master1 configmap]# vim www.conf
    server {
        server_name myapp.magedu.com;
        listen 80;
        root /data/web/html;
    }
    [root@k8s-master1 configmap]# kubectl create configmap nginx-www --from-file=./www.conf 
    configmap/nginx-www created
    [root@k8s-master1 configmap]# kubectl get cm
    NAME           DATA   AGE
    nginx-config   2      16m
    nginx-www      1      8s
    [root@k8s-master1 configmap]# kubectl get cm nginx-www -o yaml
    apiVersion: v1
    data:
      www.conf: |
        server {
            server_name myapp.magedu.com;
            listen 80;
            root /data/web/html;
        }
    kind: ConfigMap
    metadata:
      creationTimestamp: "2018-12-26T03:49:22Z"
      name: nginx-www
      namespace: default
      resourceVersion: "518908"
      selfLink: /api/v1/namespaces/default/configmaps/nginx-www
      uid: 3add1507-08c1-11e9-ad5d-000c2977dc9c
    使用configmap

    环境变量方式注入到pod

    [root@k8s-master1 configmap]# vim pod-configmap.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-cm-1
      namespace: default
      labels:
        app: myapp
        tier: frontend
      annotations:
        magedu.com/created-by: "cluster admin"
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: http
          containerPort: 80
        env:
        - name: NGINX_SERVER_PORT
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: nginx_port
        - name: NGINX_SERVER_NAME
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: server_name
    
    [root@k8s-master1 configmap]# kubectl apply -f pod-configmap.yaml
    pod/pod-cm-1 created
    [root@k8s-master1 configmap]# kubectl exec -it pod-cm-1 -- /bin/sh
    / # echo $NGINX_SERVER_PORT
    80
    / # echo $NGINX_SERVER_NAME
    myapp.magedu.com

    修改端口后可以发现,以环境变量方式注入到 pod 中的端口不会随配置的更改而变化

    [root@k8s-master1 configmap]# kubectl edit cm nginx-config
    configmap/nginx-config edited
    [root@k8s-master1 configmap]# kubectl exec -it pod-cm-1 -- /bin/sh
    / # echo $NGINX_SERVER_PORT
    80

    存储卷方式挂载configmap:
    Volume 形式的 ConfigMap 也支持动态更新

    [root@k8s-master1 configmap]# vim pod-configmap-vol.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-cm-2
      namespace: default
      labels: 
        app: myapp
        tier: frontend
      annotations:
        magedu.com/created-by: "cluster admin"
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: http
          containerPort: 80 
        volumeMounts:
        - name: nginxconf
          mountPath: /etc/nginx/config.d/
          readOnly: true
      volumes:
      - name: nginxconf
        configMap:
          name: nginx-config
    
    [root@k8s-master1 configmap]# kubectl apply -f pod-configmap-vol.yaml
    pod/pod-cm-2 created
    [root@k8s-master1 configmap]# kubectl exec -it pod-cm-2 -- /bin/sh
    # cd /etc/nginx/config.d/
    # ls
    nginx_port   server_name
    # cat server_name
    myapp.magedu.com

    以nginx-www配置nginx

    [root@k8s-master1 configmap]# vim pod-configmap-ngx.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-cm-3
      namespace: default
      labels: 
        app: myapp
        tier: frontend
      annotations:
        magedu.com/created-by: "cluster admin"
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: http
          containerPort: 80 
        volumeMounts:
        - name: nginxconf
          mountPath: /etc/nginx/conf.d/
          readOnly: true
      volumes:
      - name: nginxconf
        configMap:
          name: nginx-www
    
    [root@k8s-master1 configmap]# kubectl apply -f pod-configmap-ngx.yaml
    pod/pod-cm-3 created
    [root@k8s-master1 configmap]# kubectl exec -it pod-cm-3 -- /bin/sh
    / # cd /etc/nginx/conf.d/
    /etc/nginx/conf.d # ls
    www.conf
    /etc/nginx/conf.d # cat www.conf 
    server {
        server_name myapp.magedu.com;
        listen 80;
        root /data/web/html;
    }
  • 原文地址:https://www.cnblogs.com/yuezhimi/p/10175473.html