configmap
#自定义键值创建
[root@master ~]# kubectl create configmap myconfigmap --from-literal=girl=natasha --from-literal=boy=hulk -n myspace
configmap/myconfigmap created
[root@master ~]# kubectl describe configmap -n myspace
Name: myconfigmap
Namespace: myspace
Labels: <none>
Annotations: <none>
Data
====
boy:
----
hulk
girl:
----
natasha
Events: <none>
#基于文件创建---文件名字为key,文件内容为value
[root@master ~]# echo "this is test of base-file by configmap " > ./base-file
[root@master ~]# cat base-file
this is test of base-file by configmap
[root@master ~]# kubectl create configmap base-file --from-file=./base-file -n myspace
configmap/base-file created
[root@master ~]# kubectl describe configmap base-file -n myspace
Name: base-file
Namespace: myspace
Labels: <none>
Annotations: <none>
Data
====
base-file:
----
this is test of base-file by configmap
Events: <none>
#基于目录创建--from-file=目录路径,key为文件名,value为文件内容
[root@master ~]# ll ingress-nginx/
total 8
-rw-r--r-- 1 root root 163 Jun 8 18:54 single-service.yaml
-rw-r--r-- 1 root root 416 Jun 8 19:20 url-ingress.yaml
[root@master ~]# kubectl create configmap base-dir --from-file=./ingress-nginx/ -n myspace
configmap/base-dir created
[root@master ~]# kubectl get configmap base-dir -o yaml -n myspace
apiVersion: v1
data:
single-service.yaml: |
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: myapp-ingress
namespace: myspace
spec:
backend:
serviceName: myapp-svc
servicePort: 80
url-ingress.yaml: |
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: myapp2-svc
namespace: myspace
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: www.lff.com
http:
paths:
- path: /myapp
backend:
serviceName: myapp-svc
servicePort: 80
- path: /myapp2
backend:
serviceName: myapp2-svc
servicePort: 80
#基于配置清单--此处省略,不如通过命令来得方便,主要关键字如下
apiVersion: v1
kind: ConfigMap
metadata:
name: configmap-test
namespace: myspace
data:
str1: hello
name: xiaoming
#pod中应用configmap对象键值数据
[root@master ~]# kubectl get configmap -n myspace
NAME DATA AGE
base-dir 2 109m
base-file 1 115m
myconfigmap 2 122m
#pod中引用configmap资源---环境变量的形式
[root@master ~]# cat configmap-apply-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-configmap
namespace: myspace
spec:
containers:
- name: pod-configmap
image: ikubernetes/myapp:v1
env:
- name: configmap-pod
valueFrom:
configMapKeyRef:
name: base-file
key: base-file
- name: configmap-pod2
valueFrom:
configMapKeyRef:
name: base-dir
key: single-service.yaml
[root@master ~]# kubectl apply -f configmap-apply-pod.yaml
pod/pod-configmap created
[root@master ~]# kubectl get pods -n myspace
NAME READY STATUS RESTARTS AGE
pod-configmap 1/1 Running 0 42m
[root@master ~]# kubectl exec -it pod-configmap -n myspace env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=pod-configmap
TERM=xterm
configmap-pod=this is test of base-file by configmap
configmap-pod2=apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: myapp-ingress
namespace: myspace
spec:
backend:
serviceName: myapp-svc
servicePort: 80
KUBERNETES_PORT=tcp://10.96.0.1:443
... ....
... ....
HOME=/root
#value和valueFrom不可以同时出现在同一个环境变量条目中,即:
env:
- name: a
value: 1
- name: b
valueFrom:
# envFrom字段将configmap资源中的所有键一次性导入,envFrom是个对象列表,prefix: var_name 给变量加个前缀用于区分不同的configmap资源
[root@master ~]# cat configmap-envfrom-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: envfrom
namespace: myspace
spec:
containers:
- name: envfrom
image: ikubernetes/myapp:v2
envFrom:
- prefix: k2s
configMapRef:
name: base-file
- prefix: k3s
configMapRef:
name: base-dir
- prefix: k8s
configMapRef:
name: myconfigmap
[root@master ~]# kubectl apply -f configmap-envfrom-pod.yaml
pod/envfrom created
[root@master ~]# kubectl get configmap -n myspace
NAME DATA AGE
base-dir 2 138m
base-file 1 144m
myconfigmap 2 150m
[root@master ~]# kubectl exec envfrom -n myspace env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=envfrom
k8sgirl=natasha
k2sbase-file=this is test of base-file by configmap
k3ssingle-service.yaml=apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: myapp-ingress
namespace: myspace
spec:
backend:
serviceName: myapp-svc
servicePort: 80
k3surl-ingress.yaml=apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: myapp2-svc
namespace: myspace
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: www.lff.com
http:
paths:
- path: /myapp
backend:
serviceName: myapp-svc
servicePort: 80
- path: /myapp2
backend:
serviceName: myapp2-svc
servicePort: 80
k8sboy=hulk
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
NGINX_VERSION=1.12.2
HOME=/root
#configmap存储卷 --当环境变量的键值来源于较长的文件内容----卷挂载的形式
[root@master configmap-secret]# cat configmap-volume.yaml
apiVersion: v1
kind: Pod
metadata:
name: configmap-volume
namespace: myspace
spec:
containers:
- name: configmap-volume
image: ikubernetes/myapp:v3
volumeMounts:
- name: nginxconf
mountPath: /etc/nginx/conf.d/
volumes:
- name: nginxconf
configMap:
name: nginx-conf
[root@master configmap-secret]# kubectl create configmap nginx-conf --from-file=./nginxconf -n myspace
configmap/nginx-conf created
[root@master configmap-secret]# ll nginxconf/
total 0
-rw-r--r-- 1 root root 0 Jun 10 13:56 a.conf
-rw-r--r-- 1 root root 0 Jun 10 13:56 b.conf
-rw-r--r-- 1 root root 0 Jun 10 13:56 c.conf
[root@master configmap-secret]# kubectl exec -it configmap-volume -n myspace /bin/sh
/ # cd /etc/nginx/conf.d/
/etc/nginx/conf.d # ls
a.conf b.conf c.conf
[root@master configmap-secret]# kubectl get pods -n myspace
NAME READY STATUS RESTARTS AGE
configmap-volume 1/1 Running 0 3m7s
envfrom 1/1 Running 0 107m
pod-configmap 1/1 Running 0 3h8m
##总结:
#1.pod中,command和args参数会覆盖dockerfile中的ENTRYPOINT和cmd
#2.环境变量的值要么源于value,要么源于valueFrom,二者不可同时提供数据
#3.downwardAPI可以让Pod里的容器直接获取到这个Pod对象本身的一些信息,可以通过环境变量和卷挂载的形式
#4.kubectl create configmap configmap_name --from-literal=key1=value1 --from-literal=key2=value2
#5.kubectl create configmap configmap_name --from-file=dir_path/file_path
#6.env.valueFrom.configMapKeyRef.{name,key}
#7.envFrom[].prefix 与 envFrom[].configMapRef.name(一次性导入configmap_name下的所有key)
#8.volumes和volumeMounts和items和subPath(挂载存储)
#9.configmap的特性都可适用于secret,前者用于不敏感的明文数据,后者主要用于存储敏感信息,如密码,私钥,证书等
secret
#一般类型的secret(generic-opaque)--注意data中的值只是base64编码而非加密,如下可直接解码;通过--from-literal传入的密码会留在shell历史和ps输出中,更稳妥的做法是用--from-file从文件读取
[root@master configmap-secret]# kubectl create secret generic first-secret --from-literal=username=root --from-literal=password=PASSWORD
secret/first-secret created
[root@master configmap-secret]# kubectl get secret first-secret -o yaml
apiVersion: v1
data:
password: UEFTU1dPUkQ=
username: cm9vdA==
kind: Secret
metadata:
creationTimestamp: "2020-06-10T09:43:42Z"
name: first-secret
namespace: default
resourceVersion: "162362"
selfLink: /api/v1/namespaces/default/secrets/first-secret
uid: dea9ba26-aafe-11ea-b076-000c29cddc18
type: Opaque
[root@master configmap-secret]# echo UEFTU1dPUkQ=|base64 -d
PASSWORD
[root@master configmap-secret]# echo cm9vdA== |base64 -d
root
#用于ssh认证的secret对象(此处示例放入的是公钥id_rsa.pub)
[root@master ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
[root@master ~]# ll ~/.ssh/
total 12
-rw------- 1 root root 1675 Jun 10 17:50 id_rsa
-rw-r--r-- 1 root root 393 Jun 10 17:50 id_rsa.pub
-rw-r--r-- 1 root root 518 Dec 6 2019 known_hosts
[root@master ~]# kubectl create secret generic ssh-key-secret --from-file=$HOME/.ssh/id_rsa.pub -n myspace
secret/ssh-key-secret created
[root@master ~]# kubectl describe secret ssh-key-secret -n myspace
Name: ssh-key-secret
Namespace: myspace
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
id_rsa.pub: 393 bytes
#基于私钥和证书创建SSL/TLS通信的secret对象--nginx-ssl通信
[root@master ~]# (umask 077; openssl genrsa -out nginx.key 2048)
[root@master ~]# ls
configmap-secret ingress-nginx nginx.key storage
[root@master ~]# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=SH/L=SH/O=DevOps/CN=www.lff.com
[root@master ~]# ls
configmap-secret ingress-nginx nginx.crt nginx.key storage
[root@master ~]# kubectl create secret tls nginx-ssl --key=./nginx.key --cert=./nginx.crt -n myspace
secret/nginx-ssl created
[root@master ~]# kubectl describe secret nginx-ssl -n myspace
Name: nginx-ssl
Namespace: myspace
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1253 bytes
tls.key: 1675 bytes
#secret存储卷--卷挂载
[root@master ~]# cat pod-ssl.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-ssl
namespace: myspace
spec:
containers:
- name: pod-ssl
image: ikubernetes/myapp:v1
volumeMounts:
- name: nginx-ssl-conf-pod
mountPath: /etc/nginx/ssl/
readOnly: True
volumes:
- name: nginx-ssl-conf-pod
secret:
secretName: nginx-ssl
[root@master ~]# kubectl apply -f pod-ssl.yaml
pod/pod-ssl created
[root@master ~]# kubectl get pods -n myspace
NAME READY STATUS RESTARTS AGE
pod-ssl 1/1 Running 0 20s
[root@master ~]# kubectl exec -it pod-ssl -n myspace /bin/sh
/ # cd /etc/nginx/
/etc/nginx # ls
conf.d koi-win scgi_params
fastcgi.conf mime.types scgi_params.default
fastcgi.conf.default mime.types.default ssl
fastcgi_params modules uwsgi_params
fastcgi_params.default nginx.conf uwsgi_params.default
koi-utf nginx.conf.default win-utf
/etc/nginx # cd ssl;ls
tls.crt tls.key
#imagePullSecret资源对象--kubernetes.io/dockerconfigjson
1.创建docker-registry类型的secret对象,pod.spec.imagePullSecrets
2.创建docker-registry类型的secret对象,将其添加到特定的ServiceAccount,那些使用该sa资源创建的pod,以及默认使用该sa的pod对象都将直接使用imagePullSecrets中的认证信息 serviceaccount.imagePullSecrets
[root@master ~]# cat docker-registry.yaml
apiVersion: v1
kind: Pod
metadata:
name: docker-registry
namespace: myspace
spec:
imagePullSecrets:
- name: local-registry
containers:
- name: docker-registry
image: ikubernetes/myapp:v1
#kubernetes.io/service-account-token
- Secret常见类型有kubernetes.io/service-account-token、kubernetes.io/dockerconfigjson、Opaque,以及上文创建nginx-ssl时用到的kubernetes.io/tls,而Configmap不区分类型
- ServiceAccount 是命名空间级别的,每一个命名空间创建的时候就会自动创建一个名为 default的ServiceAccount对象,这个 ServiceAccount会自动关联到一个 Secret对象上,这个Secret对象是ServiceAccount 控制器自动创建的
- kubernetes.io/service-account-token,用于被ServiceAccount引用.ServiceAccount创建时Kubernetes会默认创建对应的 Secret,Pod如果使用了ServiceAccount,对应的Secret会自动挂载到Pod的/var/run/secrets/kubernetes.io/serviceaccount/
- ca.crt:用于校验服务端的证书信息
- namespace:表示当前管理的命名空间
- token:用于Pod身份认证的Token