ConfigMap and Secret are two special volume types in Kubernetes. A ConfigMap object supplies configuration data to the application inside a container to customize its behaviour, while sensitive configuration such as keys and certificates is normally carried by a Secret object. Both keep the configuration in the object itself; a Pod then mounts the object as a volume and reads the configuration from it, decoupling configuration from the image.
ConfigMap
It plays the role of a configuration center: the data can be injected into a pod at startup or mounted by the pod, which allows configuration to be changed dynamically. A ConfigMap, however, is stored in plaintext.
Secret
Functionally the same as ConfigMap; the only difference is that the values are stored base64-encoded. A Secret also comes in three types:
- docker-registry: the credentials kubelet presents when pulling images from a docker registry must be stored in this type of Secret; at pod creation the secret is referenced through pod.spec.imagePullSecrets
- generic: general purpose
- tls: stores certificates
The valueFrom template
[root@master-0 volume]# kubectl explain pod.spec.containers.env.valueFrom
KIND: Pod
VERSION: v1
RESOURCE: valueFrom <Object>
DESCRIPTION:
Source for the environment variable's value. Cannot be used if value is not
empty.
EnvVarSource represents a source for the value of an EnvVar.
FIELDS:
configMapKeyRef <Object> # a ConfigMap key/value pair; no limit on the value length
Selects a key of a ConfigMap.
fieldRef <Object> # a field of the pod, e.g. a reference to the current pod's metadata.name ...
Selects a field of the pod: supports metadata.name, metadata.namespace,
metadata.labels, metadata.annotations, spec.nodeName,
spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
resourceFieldRef <Object> # resource requests and resource limits
Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu,
requests.memory and requests.ephemeral-storage) are currently supported.
secretKeyRef <Object> # a Secret key/value pair; no limit on the value length
Selects a key of a secret in the pod's namespace
Creating a configMapKeyRef
- Resource manifest for creating a cm
[root@master-0 volume]# kubectl explain cm
KIND: ConfigMap
VERSION: v1
DESCRIPTION:
ConfigMap holds configuration data for pods to consume.
FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
binaryData <map[string]string> # data in binary form
BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet.
data <map[string]string> # a map: a hash made up of multiple key/value pairs
Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.
immutable <boolean>
Immutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil. This is an alpha field enabled by ImmutableEphemeralVolumes feature gate.
kind <string>
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata <Object>
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
[root@master-0 config]# cat config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: test-config
  namespace: default
data:
  cache_host: memcached-gcxt
  cache_port: "112211"
  cache_prefix: gcxt
  my.cnf: |
    [mysqld]
    log-bin = mysql-bin
[root@master-0 config]# kubectl apply -f config.yaml
configmap/test-config created
- Templates for creating a cm from the command line
[root@master-0 ~]# kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt # key values taken directly from files
[root@master-0 ~]# kubectl create configmap my-config --from-file=path/to/bar # if no key name is given, the file name becomes the key; my-config is the name of the configuration file under the path mounted in the container
[root@master-0 ~]# kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2 # created from literals on the command line
- Creating a cm from the command line
[root@master-0 ~]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=test.com
configmap/nginx-config created
[root@master-0 ~]# kubectl get cm
NAME           DATA   AGE
nginx-config   2      14s
[root@master-0 config]# cat config
server{
server_name test.com;
listen 80;
root /data/web/html;
}
[root@master-0 config]# kubectl create configmap www.conf --from-file=./www.conf
configmap/www.conf created # the name may not contain underscores
[root@master-0 config]# kubectl get cm www.conf -oyaml
apiVersion: v1
data:
  config: |
    server{
    server_name test.com;
    listen 80;
    root /data/web/html;
    }
kind: ConfigMap
metadata:
  creationTimestamp: "2020-09-11T18:01:53Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:config: {}
    manager: kubectl
    operation: Update
    time: "2020-09-11T18:01:53Z"
  name: www.conf
  namespace: default
  resourceVersion: "2516849"
  selfLink: /api/v1/namespaces/default/configmaps/www.conf
  uid: c6ac4a0c-c63b-4ffd-846b-081c6b96aa50
- Injecting the configuration through env environment variables
[root@master-0 config]# cat pod-cm.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
spec:
  containers:
  - name: myapp
    image: nginx
    ports:
    - name: http
      containerPort: 80
    env:
    - name: NGINX_SERVER_PORT # underscores are required; injected into the pod's environment variables
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: nginx_port
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name
[root@master-0 config]# kubectl apply -f pod-cm.yaml
pod/pod-cm-1 created
[root@master-0 config]# kubectl exec -it pod-cm-1 -- printenv|grep NGINX
NGINX_SERVER_NAME=test.com
NGINX_SERVER_PORT=80
NGINX_VERSION=1.19.2
- Mounting it as a volume
[root@master-0 config]# cat pod-cm-volume.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-2
  namespace: default
  labels:
    app: myapp
    tier: frontend
spec:
  containers:
  - name: myapp
    image: nginx
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginx-conf
      mountPath: /etc/nginx/config.d
      readOnly: true
  volumes:
  - name: nginx-conf
    configMap:
      name: www.conf
[root@master-0 config]# kubectl apply -f pod-cm-volume.yaml
pod/pod-cm-2 created
[root@master-0 config]# kubectl get pod
NAME                           READY   STATUS    RESTARTS   AGE
myapp-deploy-5d645d645-2dsjq   1/1     Running   4          12d
myapp-deploy-5d645d645-65ftw   1/1     Running   2          12d
myapp-deploy-5d645d645-hfxqf   1/1     Running   4          12d
pod-cm-2                       1/1     Running   0          9m35s
pod-vol-hostpath               1/1     Running   0          10h
[root@master-0 config]# kubectl exec -it pod-cm-2 -- /bin/bash
root@pod-cm-2:/# cd /etc/nginx/conf.d/
root@pod-cm-2:/etc/nginx/conf.d# ls
nginx_port server_name
- Creating vhosts from a cm made in file mode
[root@master-0 config]# cat pod-cm-vhosts.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-3
  namespace: default
  labels:
    app: myapp
    tier: frontend
spec:
  containers:
  - name: myapp
    image: nginx
    imagePullPolicy: Never
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginx-conf
      mountPath: /etc/nginx/conf.d
      readOnly: true
  volumes:
  - name: nginx-conf
    configMap:
      name: www.conf
[root@master-0 config]# kubectl apply -f pod-cm-vhosts.yaml
pod/pod-cm-3 created
[root@master-0 config]# kubectl exec -it pod-cm-3 -- /bin/bash
root@pod-cm-3:/# cd /etc/nginx/conf.d/
root@pod-cm-3:/etc/nginx/conf.d# ls
www.conf
Mounting a single configmap key
- A configmap does not have to be mounted in full; the keys that are needed can be named individually
[root@master-0 config]# kubectl explain pod.spec.volumes.configMap
KIND: Pod
VERSION: v1
RESOURCE: configMap <Object>
DESCRIPTION:
ConfigMap represents a configMap that should populate this volume
Adapts a ConfigMap into a volume. The contents of the target ConfigMap's
Data field will be presented in a volume as files using the keys in the
Data field as the file names, unless the items element is populated with
specific mappings of keys to paths. ConfigMap volumes support ownership
management and SELinux relabeling.
FIELDS:
defaultMode <integer>
Optional: mode bits to use on created files by default. Must be a value
between 0 and 0777. Defaults to 0644. Directories within the path are not
affected by this setting. This might be in conflict with other options that
affect the file mode, like fsGroup, and the result can be other mode bits
set.
items <[]Object> # list only the keys that should be mounted
If unspecified, each key-value pair in the Data field of the referenced
ConfigMap will be projected into the volume as a file whose name is the key
and content is the value. If specified, the listed keys will be projected
into the specified paths, and unlisted keys will not be present. If a key
is specified which is not present in the ConfigMap, the volume setup will
error unless it is marked optional. Paths must be relative and may not
contain the '..' path or start with '..'.
name <string>
Name of the referent. More info:
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
optional <boolean> # whether the pod requires this configmap at startup; the default false means the cm must be created beforehand, true means it need not exist
Specify whether the ConfigMap or its keys must be defined
[root@master-0 config]# kubectl explain pod.spec.volumes.configMap.items
KIND: Pod
VERSION: v1
RESOURCE: items <[]Object>
DESCRIPTION:
If unspecified, each key-value pair in the Data field of the referenced
ConfigMap will be projected into the volume as a file whose name is the key
and content is the value. If specified, the listed keys will be projected
into the specified paths, and unlisted keys will not be present. If a key
is specified which is not present in the ConfigMap, the volume setup will
error unless it is marked optional. Paths must be relative and may not
contain the '..' path or start with '..'.
Maps a string key to a path within a volume.
FIELDS:
key <string> -required-
The key to project.
mode <integer> # permissions can also be set on the mounted file
Optional: mode bits to use on this file, must be a value between 0 and
0777. If not specified, the volume defaultMode will be used. This might be
in conflict with other options that affect the file mode, like fsGroup, and
the result can be other mode bits set.
path <string> -required- # a path must be given and may not start with ..
The relative path of the file to map the key to. May not be an absolute
path. May not contain the path element '..'. May not start with the string
'..'.
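The projection rules quoted above (every key becomes a file, or only the listed items at their paths; a missing key errors unless optional; paths must be relative and free of '..'), written out as a small Python model. This is an added example, not kubelet code; the function names and the sample data mirroring the page's nginx-config ConfigMap are my own.

```python
# Added example: models how a configMap volume maps Data keys to files, following
# the rules in `kubectl explain pod.spec.volumes.configMap` (this is not kubelet code).


def is_valid_item_path(path: str) -> bool:
    """items[].path must be relative and may not contain or start with '..'."""
    if not path or path.startswith("/") or path.startswith(".."):
        return False
    return ".." not in path.split("/")


def project_configmap(data: dict, items=None, optional: bool = False) -> dict:
    """Return {relative file path: content} for a configMap volume.

    - no items: every key becomes a file named after the key
    - items given: only the listed keys are projected, to their given paths
    - a listed key missing from the ConfigMap is an error unless optional=True
    """
    if items is None:
        return dict(data)
    files = {}
    for item in items:
        key, path = item["key"], item["path"]
        if not is_valid_item_path(path):
            raise ValueError(f"invalid path {path!r}: must be relative and may not contain '..'")
        if key not in data:
            if optional:
                continue  # optional: keys that do not exist are silently skipped
            raise KeyError(f"key {key!r} is not present in the ConfigMap")
        files[path] = data[key]
    return files


# Constructed sample mirroring the page's nginx-config ConfigMap
NGINX_CONFIG = {"nginx_port": "80", "server_name": "test.com"}

if __name__ == "__main__":
    # whole ConfigMap: files nginx_port and server_name, as `ls /etc/nginx/conf.d/` showed
    print(project_configmap(NGINX_CONFIG))
    # a single key, mapped to a sub-path inside the volume
    print(project_configmap(NGINX_CONFIG, items=[{"key": "server_name", "path": "vhost/name.conf"}]))
```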
Creating a secret
[root@master-0 ~]# kubectl explain secret
KIND: Secret
VERSION: v1
DESCRIPTION:
Secret holds secret data of a certain type. The total bytes of the values
in the Data field must be less than MaxSecretSize bytes.
FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an
object. Servers should convert recognized schemas to the latest internal
value, and may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
data <map[string]string> # encoded: the value must be supplied base64-encoded
Data contains the secret data. Each key must consist of alphanumeric
characters, '-', '_' or '.'. The serialized form of the secret data is a
base64 encoded string, representing the arbitrary (possibly non-string)
data value here. Described in https://tools.ietf.org/html/rfc4648#section-4
immutable <boolean>
Immutable, if set to true, ensures that data stored in the Secret cannot be
updated (only object metadata can be modified). If not set to true, the
field can be modified at any time. Defaulted to nil. This is an alpha field
enabled by ImmutableEphemeralVolumes feature gate.
kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata <Object>
Standard object's metadata. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
stringData <map[string]string> # plaintext values
stringData allows specifying non-binary secret data in string form. It is
provided as a write-only convenience method. All keys and values are merged
into the data field on write, overwriting any existing values. It is never
output when reading from the API.
type <string> # type identifier, not required
Used to facilitate programmatic handling of secret data.
- Creation from a resource manifest
[root@master-0 config]# cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
  namespace: default
stringData:
  cache_host: memcached-gcxt
  cache_port: "112211"
  cache_prefix: gcxt
[root@master-0 config]# kubectl apply -f secret.yaml
secret/test-secret created
- Creation from the command line
[root@master-0 config]# kubectl create secret generic -h
Usage:
  kubectl create secret generic NAME [--type=string] [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none] [options]
[root@master-0 config]# kubectl create secret generic mysql-root-password --from-literal=passwrd=myp@SS123
secret/mysql-root-password created
- As with a ConfigMap, a Secret can be consumed by injecting env environment variables or by mounting it as a volume
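The write path described in the explain output above (stringData is base64-encoded and merged into data, overwriting existing keys, and never returned on read), together with the reverse decode that shows base64 is an encoding and not encryption, as an added Python example. It is not kubectl or API-server code; the function names and the sample manifest, modelled on the page's secret.yaml, are my own.

```python
import base64
import re

# Key charset from `kubectl explain secret`: alphanumeric characters, '-', '_' or '.'
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")


def is_valid_key(key: str) -> bool:
    return bool(KEY_RE.match(key))


def normalize_secret(manifest: dict) -> dict:
    """Return the Secret as it is stored on write: each stringData entry is
    base64-encoded and merged into data, overwriting any existing key, and the
    write-only stringData field is dropped. (Added model, not API-server code.)"""
    data = dict(manifest.get("data", {}))
    for key, value in manifest.get("stringData", {}).items():
        data[key] = base64.b64encode(value.encode("utf-8")).decode("ascii")
    for key in data:
        if not is_valid_key(key):
            raise ValueError(f"invalid secret key: {key!r}")
    stored = {k: v for k, v in manifest.items() if k != "stringData"}
    stored["data"] = data
    return stored


def decode_secret(stored: dict) -> dict:
    """Recover the plaintext values: base64 is reversible by anyone permitted to
    read the object, so the data field gives no confidentiality on its own."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in stored.get("data", {}).items()}


# Constructed sample based on the page's secret.yaml, plus a pre-encoded data entry
# for cache_port so the overwrite rule is visible
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "test-secret", "namespace": "default"},
    "data": {"cache_port": base64.b64encode(b"11211").decode("ascii")},  # older value
    "stringData": {
        "cache_host": "memcached-gcxt",
        "cache_port": "112211",  # overrides the data entry with the same key
        "cache_prefix": "gcxt",
    },
}

if __name__ == "__main__":
    stored = normalize_secret(SAMPLE_SECRET)
    print(stored["data"])          # what `kubectl get secret -o yaml` would show
    print(decode_secret(stored))   # the same values in plaintext
```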