K8S之配置管理


一、Secret

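加密数据并存放在Etcd中,让Pod的容器以挂载Volume方式访问。需要注意:Secret中的数据默认只是base64编码,并不是加密;只有在API Server上启用了静态加密(EncryptionConfiguration)之后,数据在Etcd中才是加密存储的。同时应通过RBAC限制哪些用户和ServiceAccount可以读取Secret。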

应用场景:凭据
https://kubernetes.io/docs/concepts/configuration/secret/

方式一:从文件创建(注意:echo命令中的明文密码会留在shell历史记录里,创建完Secret后应删除username.txt和password.txt)

[root@localhost demo]# echo -n 'admin' > ./username.txt
[root@localhost demo]# echo -n '1f2d1e2e67df' > ./password.txt
[root@localhost demo]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret/db-user-pass created
[root@localhost demo]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      61s
[root@localhost demo]# kubectl describe secret db-user-pass
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password.txt:  12 bytes
username.txt:  5 bytes

方式二:

[root@localhost demo]# echo -n 'admin' | base64
YWRtaW4=
[root@localhost demo]# echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm

[root@localhost demo]# vim secret.yaml

# Secret manifest: stores the keys "username" and "password" under the name "mysecret".
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
# Values under `data` must be base64-encoded. base64 is an encoding, not
# encryption: anyone who can read this file or the Secret object can decode
# the values, so keep this manifest out of version control.
data:
  # base64 of 'admin'
  username: YWRtaW4=
  # base64 of the sample password
  password: MWYyZDFlMmU2N2Rm


[root@localhost demo]# kubectl create -f secret.yaml 
secret/mysecret created
[root@localhost demo]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
mysecret              Opaque                                2      50s

第一种:使用secret中的变量导入到pod中

复制configmap.yaml和secret-simple.yaml

[root@localhost demo]# kubectl get secret mysecret -o yaml
apiVersion: v1
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: 2020-02-19T03:54:50Z
  name: mysecret
  namespace: default
  resourceVersion: "973651"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: 93d69e01-52cb-11ea-895a-000c297a15fb
type: Opaque

//key: username赋值给SECRET_USERNAME
//key: password 赋值给SECRET_PASSWORD
[root@localhost demo]# vim secret-var.yaml
# Pod that exposes two keys of the Secret "mysecret" to the nginx container
# as environment variables.
# NOTE(review): environment variables are readable by every process in the
# container and by anyone allowed to exec into it (the transcript after this
# manifest echoes both values). Mounting the Secret as a read-only volume is
# usually the narrower exposure.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    env:
      # SECRET_USERNAME <- key "username" of Secret "mysecret"
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      # SECRET_PASSWORD <- key "password" of Secret "mysecret"
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password

[root@localhost demo]# kubectl apply -f secret-var.yaml 
pod/mypod created
[root@localhost demo]# kubectl get pods
NAME                     READY   STATUS      RESTARTS   AGE
mypod                    1/1     Running     0          38s
[root@localhost demo]# kubectl exec -it mypod bash
root@mypod:/# echo $SECRET_USERNAME
admin
root@mypod:/# echo $SECRET_PASSWORD
1f2d1e2e67df

第二种:以volume的形式挂载到pod的某个目录下

[root@localhost demo]# vim secret-vol.yaml
# Pod that mounts the Secret "db-user-pass" as files under /etc/foo in the
# nginx container; each key of the Secret becomes one file.
# NOTE(review): db-user-pass was created from username.txt and password.txt,
# so its keys (and the mounted file names) would be username.txt and
# password.txt. The `ls /etc/foo` output shown after this manifest lists
# username / password, which matches the keys of "mysecret" instead; confirm
# which Secret was intended.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      # The mount is read-only inside the container.
      readOnly: true
  volumes:
  - name: foo
    # NOTE(review): no defaultMode is set on this secret volume; consider
    # `defaultMode: 0400` if only the container's main user needs the files.
    secret:
      secretName: db-user-pass

[root@localhost demo]# kubectl delete -f secret-var.yaml 
pod "mypod" deleted
[root@localhost demo]# kubectl create -f secret-vol.yaml
pod/mypod created
[root@localhost demo]# kubectl get pods
NAME                     READY   STATUS      RESTARTS   AGE
mypod                    1/1     Running     0          94s
//容器看见里面的文件被挂载
[root@localhost demo]# kubectl exec -it mypod bash
root@mypod:/# ls /etc/foo
password  username
root@mypod:/# cd /etc/foo
root@mypod:/etc/foo# cat password 
1f2d1e2e67df
root@mypod:/etc/foo# cat username 
admin

二、ConfigMap

与Secret类似,区别在于ConfigMap保存的是不需要加密的配置信息。下面示例中的redis.password仅用于演示挂载方式;ConfigMap的内容以明文保存和显示,真实的密码等凭据应放在Secret中,而不是ConfigMap中。
应用场景:应用配置

创建方式一:kubectl

[root@localhost demo]# vim redis.properties
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
//创建configmap资源
[root@localhost demo]# kubectl create configmap redis-config --from-file=redis.properties
configmap/redis-config created
//查看资源
[root@localhost demo]# kubectl get configmap
NAME           DATA   AGE
redis-config   1      32s
//也可以用缩写查看
[root@localhost demo]# kubectl get cm
NAME           DATA   AGE
redis-config   1      78s
[root@localhost demo]# kubectl describe cm redis-config
Name:         redis-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
redis.properties:
----
redis.host=127.0.0.1
redis.port=6379
redis.password=123456

Events:  <none>












//创建mypod资源查看文件导入
[root@localhost demo]# vim cm.yaml
# Pod that mounts the ConfigMap "redis-config" at /etc/config and prints the
# mounted redis.properties file once.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: busybox
      image: busybox
      # The file is written to stdout, so its full contents, including the
      # redis.password line, are kept in the Pod's logs and can be read by
      # anyone allowed to run `kubectl logs` on it.
      command: [ "/bin/sh","-c","cat /etc/config/redis.properties" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: redis-config
  # The container exits after cat finishes; Never keeps it from being restarted.
  restartPolicy: Never
//删除掉之前创建重名的mypod
[root@localhost demo]# kubectl delete pod mypod
pod "mypod" deleted
[root@localhost demo]# kubectl apply -f cm.yaml 
pod/mypod created
[root@localhost demo]# kubectl get pods
NAME                     READY   STATUS      RESTARTS   AGE
mypod                    0/1     Completed   0          7m59s
//查看里面的配置信息
[root@localhost demo]# kubectl logs mypod
redis.host=127.0.0.1
redis.port=6379
redis.password=123456

第二种变量参数形式

//创建configmap资源
[root@localhost demo]# vim myconfig.yaml
# ConfigMap "myconfig" in the default namespace holding two plain-text keys.
# ConfigMap values are stored and displayed unencoded, so only non-sensitive
# settings belong here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
  namespace: default
data:
  special.level: info
  special.type: hello

[root@localhost demo]# kubectl apply -f myconfig.yaml 
configmap/myconfig created
//创建mypod使用configmap资源输出变量参数
[root@localhost demo]# vim config-var.yaml
# Pod that reads two keys of the ConfigMap "myconfig" into environment
# variables and prints them once.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: busybox
      image: busybox
      # $(LEVEL) and $(TYPE) use the Kubernetes $(VAR_NAME) syntax: they are
      # substituted from the env entries below before the command is run.
      command: [ "/bin/sh", "-c", "echo $(LEVEL) $(TYPE)" ]
      env:
        # LEVEL <- key "special.level" of ConfigMap "myconfig"
        - name: LEVEL
          valueFrom:
            configMapKeyRef:
              name: myconfig
              key: special.level
        # TYPE <- key "special.type" of ConfigMap "myconfig"
        - name: TYPE
          valueFrom:
            configMapKeyRef:
              name: myconfig
              key: special.type
  # The container exits after echo finishes; Never keeps it from being restarted.
  restartPolicy: Never

//清除已有的mypod资源
[root@localhost demo]# kubectl delete pod mypod
pod "mypod" deleted
//创建mypod资源
[root@localhost demo]# kubectl apply -f config-var.yaml 
pod/mypod created
//查看变量的输出
[root@localhost demo]# kubectl logs mypod
info hello