Secret configuration management
Secrets
A Secret addresses the configuration problem for passwords, tokens, keys and other sensitive data: the data is kept in etcd as an API object instead of being baked into an image or written into a Pod spec. Note that etcd stores it base64-encoded, not encrypted; it is only encrypted if the API server has encryption at rest configured, and anyone with RBAC permission to get Secrets can read the values. A Secret can be consumed as a volume or as environment variables.
A Secret is the Kubernetes resource for holding small pieces of sensitive data such as passwords, tokens or keys. Such data could also be put in a Pod spec or an image, but putting it in a Secret gives finer control over how it is used and reduces the risk of exposure: access to Secrets can be restricted by RBAC separately from access to Pods, and the values do not show up in image layers or in `kubectl describe pod`.
Users can create their own Secrets, and the system creates Secrets of its own (for example the service-account token shown in the listings below).
A Pod must reference a Secret before it can use it. A Pod can consume a Secret in three ways:
1. as files in a volume mounted into one or more containers;
2. as environment variables of a container;
3. by the kubelet when pulling images (imagePullSecrets).
Creating a Secret
Method 1: create a Secret from files
Create the username and password files (echo -n, so that no trailing newline ends up in the stored value)
[root@localhost ~]# echo -n "JUEJUE" > username.txt
[root@localhost ~]# echo -n "JUEJUE123" > password.txt
[root@localhost ~]# kubectl create secret generic db-user-pass --from-file=/root/username.txt --from-file=/root/password.txt
secret/db-user-pass created
[root@localhost ~]# kubectl get secret
NAME TYPE DATA AGE
db-user-pass Opaque 2 40s
default-token-jddm2 kubernetes.io/service-account-token 3 15d
[root@localhost ~]# kubectl describe secret db-user-pass
Name: db-user-pass
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password.txt: 9 bytes
username.txt: 6 bytes
Help text
[root@localhost ~]# kubectl create secret --help ##help for this command
Create a secret using specified subcommand.
Available Commands:
docker-registry Create a secret for use with a Docker registry
generic Create a secret from a local file, directory or literal value
tls Create a TLS secret
Usage:
kubectl create secret [flags] [options]
Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all
commands).
Method 2: create a Secret from a YAML manifest
Base64-encode the values (the data field holds base64-encoded strings; the plaintext is not written into the manifest)
[root@localhost ~]# echo -n 'JUEJUE' |base64
SlVFSlVF
[root@localhost ~]# echo -n 'JUEJUE123' |base64
SlVFSlVFMTIz
Create the YAML file
[root@localhost ~]# vim secret.yaml
apiVersion: v1
kind: Secret        ## resource kind
metadata:
  name: mysecret
type: Opaque
data:
  username: SlVFSlVF        ## the base64-encoded value, not the plaintext
  password: SlVFSlVFMTIz
Create the Secret and inspect it
[root@localhost ~]# kubectl create -f secret.yaml
secret/mysecret created
[root@localhost ~]# kubectl get secret
NAME TYPE DATA AGE
db-user-pass Opaque 2 9m36s
default-token-jddm2 kubernetes.io/service-account-token 3 15d
mysecret Opaque
[root@localhost ~]# kubectl describe secret mysecret
Name: mysecret
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password: 9 bytes
username: 6 bytes
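Both creation methods above produce the same object: a .data map of base64-encoded strings. The following Python script is an added example, not code from the original post, that builds such a manifest the way `kubectl create secret generic --from-literal` does, decodes it back to show that whoever can read the object can read the values, and catches the two mistakes that most often break hand-written Secrets: a value that is not valid base64 and a trailing newline from using `echo` without `-n`. It uses only the standard library and emits JSON, which `kubectl apply -f` accepts as well as YAML; the function names are my own.

```python
import base64
import binascii
import json
import re

# Kubernetes validates Secret/ConfigMap key names against this pattern.
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")
# The API server rejects a Secret whose encoded payload exceeds 1 MiB.
MAX_SECRET_BYTES = 1024 * 1024


def build_secret(name, literals, namespace="default", use_string_data=False):
    """Return an Opaque Secret manifest equivalent to
    `kubectl create secret generic NAME --from-literal=KEY=VALUE ...`.

    use_string_data=False base64-encodes client-side into .data (what the
    page's secret.yaml does by hand). use_string_data=True puts the plaintext
    into .stringData and lets the API server encode it on write. The stored
    object is identical either way, so neither form is "more secure".
    """
    for key in literals:
        if not KEY_RE.match(key):
            raise ValueError(f"invalid Secret key name: {key!r}")
    manifest = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
    }
    if use_string_data:
        manifest["stringData"] = dict(literals)
    else:
        manifest["data"] = {
            key: base64.b64encode(value.encode("utf-8")).decode("ascii")
            for key, value in literals.items()
        }
    total = sum(len(v) for v in manifest.get("data", {}).values())
    if total > MAX_SECRET_BYTES:
        raise ValueError(f"Secret payload of {total} bytes exceeds the 1 MiB limit")
    return manifest


def decode_secret(manifest):
    """Recover the plaintext of every key in .data (and .stringData).

    This is exactly what `kubectl get secret NAME -o yaml` plus a base64
    decoder gives anyone with `get` on Secrets: base64 is an encoding, not
    encryption. Values that are not valid standard base64 raise instead of
    silently turning into garbage; that is the usual cause of the API server's
    "illegal base64 data" error on hand-edited manifests.
    """
    plain = {}
    for key, encoded in manifest.get("data", {}).items():
        try:
            plain[key] = base64.b64decode(encoded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"key {key!r}: not valid base64/UTF-8 ({exc})") from exc
    plain.update(manifest.get("stringData", {}))
    return plain


def keys_with_trailing_newline(manifest):
    """Keys whose decoded value ends in a newline. This happens when a value was
    produced with `echo VALUE | base64` instead of `echo -n VALUE | base64`;
    the application then gets a password with a newline appended and
    authentication fails in a way that is hard to spot."""
    return [k for k, v in decode_secret(manifest).items() if v.endswith("\n")]


if __name__ == "__main__":
    # Constructed sample: the same username/password as the page's mysecret.
    secret = build_secret("mysecret", {"username": "JUEJUE", "password": "JUEJUE123"})
    print(json.dumps(secret, indent=2))  # kubectl apply -f accepts JSON as well as YAML
    print(decode_secret(secret))         # {'username': 'JUEJUE', 'password': 'JUEJUE123'}
    print(keys_with_trailing_newline({"data": {"username": "SlVFSlVFCg=="}}))  # ['username']
```

Pipe the JSON to `kubectl apply -f -` to create the object; the `data` values it prints are the same SlVFSlVF and SlVFSlVFMTIz strings the page obtained with `echo -n ... | base64`.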
Using a Secret from a Pod
Method 1: inject Secret values into the Pod as environment variables
Reference the keys of the Secret; note that an environment variable is visible to every process in the container and is inherited by child processes, so this form is less contained than a mounted file:
key username is assigned to SECRET_USERNAME
key password is assigned to SECRET_PASSWORD
[root@localhost ~]# kubectl get secret mysecret -o yaml
apiVersion: v1
data:
password: SlVFSlVFMTIz
username: SlVFSlVF
kind: Secret
metadata:
creationTimestamp: 2020-10-15T10:23:35Z
name: mysecret
namespace: default
resourceVersion: "187729"
selfLink: /api/v1/namespaces/default/secrets/mysecret
uid: 7b8f56a4-0ed0-11eb-ad59-000c29aff78f
type: Opaque
Write the YAML and create the Pod
[root@localhost ~]# vim secret-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret        ## name of the Secret (not a Pod)
          key: username         ## key inside the Secret
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret        ## name of the Secret
          key: password         ## key inside the Secret
[root@localhost ~]# kubectl apply -f secret-pod.yaml
pod/mypod created
[root@localhost ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
dns-test 1/1 Running 0 22h
mypod 1/1 Running 0 14s
Exec into the Pod and verify the username and password
[root@localhost ~]# kubectl exec -it mypod -- bash
root@mypod:/# echo $SECRET_USERNAME
JUEJUE
root@mypod:/# echo $SECRET_PASSWORD
JUEJUE123
Method 2: mount the Secret as a volume
Mount the Secret as a volume under a directory of the Pod: each key becomes a file in that directory. Unlike environment variables, the mounted files are refreshed by the kubelet when the Secret is updated (after its sync delay), without restarting the Pod.
Write the YAML
[root@localhost ~]# vim secret-volume.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod01
spec:
  containers:
  - name: nginx01
    image: nginx
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"        ## mount path inside the container; one file per key
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
[root@localhost ~]# kubectl create -f secret-volume.yaml
pod/mypod01 created
[root@localhost ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
dns-test 0/1 Completed 0 22h
mypod 1/1 Running 0 10m
mypod01 1/1 Running 0 3s
Exec into the Pod and verify the username and password (the files have no trailing newline because they were created with echo -n, so the shell prompt follows immediately after the value)
[root@localhost ~]# kubectl exec -it mypod01 -- bash
root@mypod01:/# cd /etc/foo
root@mypod01:/etc/foo# ls
password username
root@mypod01:/etc/foo# cat username
JUEJUEroot@mypod01:/etc/foo# cat password
JUEJUE123root@mypod01:/etc/foo#
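Whichever of the two consumption methods is used, the Pod only starts if every referenced Secret and key exists in its namespace; a typo in a key name leaves the Pod in CreateContainerConfigError (env reference) or stuck on a FailedMount event (volume reference) with no container running. The following Python script is an added example, not code from the original post, that walks a Pod manifest for every kind of Secret reference (env secretKeyRef, envFrom secretRef, secret volumes with or without explicit items, imagePullSecrets), checks them against the Secrets it is given, and lists which Secrets end up in a process environment. The manifests embedded at the bottom are reconstructions of this page's mysecret, mypod and mypod01; the function names are my own.

```python
def iter_secret_refs(pod):
    """Yield (location, secret_name, key, optional) for every Secret reference
    in a Pod spec. key is None when the whole Secret is referenced."""
    spec = pod["spec"]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                yield (f"container {c['name']} env {env['name']}",
                       ref["name"], ref["key"], ref.get("optional", False))
        for src in c.get("envFrom", []):
            ref = src.get("secretRef")
            if ref:
                yield (f"container {c['name']} envFrom",
                       ref["name"], None, ref.get("optional", False))
    for vol in spec.get("volumes", []):
        src = vol.get("secret")
        if not src:
            continue
        # With no explicit items every key becomes a file, so only the Secret
        # itself needs to exist; with items each listed key must exist too.
        for item in src.get("items") or [None]:
            yield (f"volume {vol['name']}", src["secretName"],
                   item["key"] if item else None, src.get("optional", False))
    for ips in spec.get("imagePullSecrets", []):
        yield ("imagePullSecrets", ips["name"], None, False)


def check_secret_refs(pod, secrets):
    """Return a list of problems for `pod`, given `secrets` as a
    {name: manifest} map of the Secrets in the Pod's namespace.
    A missing non-optional Secret or key means the kubelet will not start the
    container: CreateContainerConfigError for env references, FailedMount for
    volume references."""
    problems = []
    for location, name, key, optional in iter_secret_refs(pod):
        secret = secrets.get(name)
        if secret is None:
            if not optional:
                problems.append(f"{location}: Secret {name!r} does not exist")
            continue
        available = set(secret.get("data", {})) | set(secret.get("stringData", {}))
        if key is not None and key not in available and not optional:
            problems.append(f"{location}: key {key!r} not in Secret {name!r}"
                            f" (it has {sorted(available)})")
    return problems


def env_exposed_secrets(pod):
    """Names of Secrets whose values land in a container's process environment.
    Environment variables are inherited by every child process and routinely
    show up in crash dumps and debug output, whereas a mounted file is only
    read where the application opens it; prefer the volume form."""
    return sorted({name for loc, name, _, _ in iter_secret_refs(pod) if " env" in loc})


# Constructed samples: this page's mysecret, mypod and mypod01 as Python dicts.
MYSECRET = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": "mysecret", "namespace": "default"},
            "data": {"username": "SlVFSlVF", "password": "SlVFSlVFMTIz"}}

MYPOD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "mypod"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx", "env": [
             {"name": "SECRET_USERNAME",
              "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
             {"name": "SECRET_PASSWORD",
              "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}}]}]}}

MYPOD01 = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "mypod01"},
           "spec": {"containers": [{"name": "nginx01", "image": "nginx",
                                    "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo",
                                                      "readOnly": True}]}],
                    "volumes": [{"name": "foo", "secret": {"secretName": "mysecret"}}]}}

if __name__ == "__main__":
    secrets = {"mysecret": MYSECRET}
    for pod in (MYPOD, MYPOD01):
        print(pod["metadata"]["name"], check_secret_refs(pod, secrets) or "ok",
              "env-exposed:", env_exposed_secrets(pod))
```

To run it against a live cluster, replace the embedded dicts with the output of `kubectl get pod NAME -o json` and `kubectl get secret -o json` parsed with the json module; the check logic is the same.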
ConfigMap configuration management
A ConfigMap is similar to a Secret; the difference is that a ConfigMap holds configuration that does not need protecting. Its values are stored and served as plain text, and reading ConfigMaps is usually granted more widely than reading Secrets, so credentials do not belong in it.
Use case: application configuration
There are two ways to create one: 1. with kubectl from a file; 2. from a YAML manifest with key/value data
Method 1: create with kubectl from a file
Write the configuration the redis service needs and create the ConfigMap from it (redis.password is a credential and in practice belongs in a Secret; it is kept in the ConfigMap here only to demonstrate the mechanism)
[root@localhost ~]# vim redis.properties
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
[root@localhost ~]# kubectl create configmap redis-config --from-file=redis.properties
configmap/redis-config created
View the ConfigMap
[root@localhost ~]# kubectl get configmap
NAME DATA AGE
redis-config 1 42s
[root@localhost ~]# kubectl get cm
NAME DATA AGE
redis-config 1 55s
[root@localhost ~]# kubectl describe configmap redis-config
Name: redis-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
redis.properties:
----
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
Events: <none>
Write the YAML and create the Pod
[root@localhost ~]# vim cn.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod-2
spec:
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh","-c","cat /etc/config/redis.properties" ]
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: redis-config
  restartPolicy: Never
[root@localhost ~]# kubectl create -f cn.yaml
pod/mypod-2 created
[root@localhost ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mypod-2 0/1 Completed 0 25s
Verify the result
[root@localhost ~]# kubectl logs mypod-2
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
Method 2: create the ConfigMap from a YAML manifest with key/value data
Create the ConfigMap
[root@localhost ~]# vim myconfig.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
  namespace: default
data:
  special.level: info
  special.type: hello
[root@localhost ~]# kubectl create -f myconfig.yaml
configmap/myconfig created
[root@localhost ~]# kubectl get cm
NAME DATA AGE
myconfig 2 6s
redis-config 1 15m
Create a test Pod ($(LEVEL) and $(TYPE) in command are expanded by Kubernetes from the env entries before the shell runs)
[root@localhost ~]# vim configmap-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: configmap-test
spec:
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh", "-c", "echo $(LEVEL) $(TYPE)" ]
    env:
    - name: LEVEL
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.level
    - name: TYPE
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.type
  restartPolicy: Never
[root@localhost ~]# kubectl apply -f configmap-test.yaml
pod/configmap-test created
[root@localhost ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
configmap-test 0/1 Completed 0 54s
Check the variable output
[root@localhost ~]# kubectl logs configmap-test
info hello
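Both ConfigMap creation methods above (a whole file under one key, or individual key/value pairs) map onto the same .data field, and the redis.properties example shows how easily a credential slips into a ConfigMap. The following Python script is an added example, not code from the original post, that builds a ConfigMap manifest the way `kubectl create configmap --from-file/--from-literal` does, scans it for credential-looking entries including those inside a properties file, and splits such a file into a ConfigMap for the public settings plus a Secret (via stringData, so no manual base64 is needed) for the sensitive ones. It uses only the standard library; the sensitive-name pattern and function names are my own.

```python
import json
import re

# Key names that usually denote credentials; such entries belong in a Secret.
SENSITIVE_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)


def parse_properties(text):
    """Parse Java-style `key=value` lines; blank lines and # or ! comments are
    skipped. Insertion order is kept so a regenerated file keeps its order."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" not in line:
            raise ValueError(f"malformed properties line: {raw!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def build_configmap(name, files=None, literals=None, namespace="default"):
    """ConfigMap manifest equivalent to
    `kubectl create configmap NAME --from-file=PATH ... --from-literal=K=V ...`.
    files: {filename: contents}, each file becomes one key holding the whole
    file (as redis.properties does on this page). literals: {key: value}."""
    data = {}
    data.update(files or {})
    data.update(literals or {})
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": namespace},
        "data": data,
    }


def find_sensitive_entries(configmap):
    """Return 'key' or 'file:key' for every entry whose name looks like a
    credential, looking inside .properties file values as well."""
    hits = []
    for key, value in configmap.get("data", {}).items():
        if SENSITIVE_RE.search(key):
            hits.append(key)
            continue
        if key.endswith(".properties"):
            for inner in parse_properties(value):
                if SENSITIVE_RE.search(inner):
                    hits.append(f"{key}:{inner}")
    return hits


def split_properties(name, filename, text, namespace="default"):
    """Split one properties file into a ConfigMap holding the non-sensitive keys
    (still as one file, so the application's config loader is unchanged) and a
    Secret holding the sensitive ones under stringData. The Pod then mounts
    the ConfigMap and takes the password from the Secret, e.g. via a
    secretKeyRef environment variable or a second volume."""
    props = parse_properties(text)
    public = {k: v for k, v in props.items() if not SENSITIVE_RE.search(k)}
    private = {k: v for k, v in props.items() if SENSITIVE_RE.search(k)}
    public_text = "".join(f"{k}={v}\n" for k, v in public.items())
    configmap = build_configmap(name, files={filename: public_text}, namespace=namespace)
    secret = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": f"{name}-secret", "namespace": namespace},
        "type": "Opaque",
        "stringData": private,
    }
    return configmap, secret


# Constructed sample: the redis.properties file from this page.
REDIS_PROPERTIES = "redis.host=127.0.0.1\nredis.port=6379\nredis.password=123456\n"

if __name__ == "__main__":
    cm = build_configmap("redis-config", files={"redis.properties": REDIS_PROPERTIES})
    print("sensitive entries:", find_sensitive_entries(cm))  # ['redis.properties:redis.password']
    cm_public, secret = split_properties("redis-config", "redis.properties", REDIS_PROPERTIES)
    print(json.dumps([cm_public, secret], indent=2))  # feed to kubectl apply -f -
```

Running this over every ConfigMap in a namespace (`kubectl get cm -o json` parsed with the json module and each item passed to find_sensitive_entries) is a cheap first pass for credentials that were committed as "configuration".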