Notes on secrets management
Setting a container's password (or other sensitive data) directly in the yaml file is very convenient, but because the password then sits in the yaml file in plaintext, it is very insecure. Protecting users' passwords and other sensitive information therefore requires the secrets management features of K8s.
K8s secrets management comes in two forms:
- secret
- configmap (cm)
Environment preparation and a test of the conventional way of defining passwords
- First you need a cluster
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master Ready master 43d v1.21.0
node1 Ready <none> 43d v1.21.0
node2 Ready <none> 43d v1.21.0
[root@master ~]#
- Then create a directory to hold the test files, and create a namespace; all of the following tests are done in this namespace
[root@master ~]# mkdir sec
[root@master ~]# cd sec/
[root@master sec]# kubectl create ns sec
namespace/sec created
[root@master sec]# kubens sec
Context "context" modified.
Active namespace is "sec".
[root@master sec]#
[root@master sec]# yum install mariadb -y
# on the node, pull a mysql image
[root@node1 ~]# docker images | grep my
hub.c.163.com/library/mysql latest 9e64176cd8a2 4 years ago 407MB
[root@node1 ~]#
- Finally, the conventional way of defining and using a password (mysql as the example)
Below we create a mysql pod and connect to its database. The drawback of this approach is that the password exists in plaintext: anyone can see it, which is insecure. So what we need to do next is make the defined password invisible to others.
[root@master sec]# cat pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  terminationGracePeriodSeconds: 0
  containers:
  - image: hub.c.163.com/library/mysql
    imagePullPolicy: IfNotPresent
    name: pod1
    resources: {}
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: ccxhero
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@master sec]#
[root@master sec]# kubectl apply -f pod1.yaml
pod/pod1 created
[root@master sec]#
[root@master sec]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod1 1/1 Running 0 7s 10.244.166.154 node1 <none> <none>
[root@master sec]#
# Below we connect to the database directly from the master. You can also do it from inside the container: as shown above, the pod runs on node1, so go to node1 and run the following two commands
#docker exec -it pod_name bash
#mysql -uroot -pccxhero
[root@master sec]# mysql -uroot -pccxhero -h 10.244.166.154
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
MySQL [(none)]> quit
Bye
[root@master sec]#
[root@master sec]# kubectl describe pod pod1 | grep -C3 ccx
Ready: True
Restart Count: 0
Environment:
MYSQL_ROOT_PASSWORD: ccxhero
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-pjz8m (ro)
Conditions:
[root@master sec]#
[root@master sec]# kubectl delete pod pod1
pod "pod1" deleted
[root@master sec]#
secret
Description
- Ways to use it:
  - as an environment variable (recommended; used to pass passwords)
  - as a volume
- Secret types:
  - Opaque: a Secret whose values are base64-encoded, used to store passwords, keys and so on. The data can be recovered with base64 --decode, so the protection it offers is very weak. (The focus of this section.)
  - kubernetes.io/dockerconfigjson: stores the credentials for a private docker registry; referenced in a yaml file via imagePullSecrets.
  - kubernetes.io/service-account-token: referenced by a serviceaccount. When a serviceaccount is created, Kubernetes creates the corresponding secret by default. If a Pod uses the serviceaccount, the corresponding secret is automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount.
secret: common commands
View secrets
Command: kubectl get secrets
[root@master ~]# kubectl get secrets
NAME TYPE DATA AGE
default-token-cj6f5 kubernetes.io/service-account-token 3 5d19h
[root@master ~]#
View the parameters defined in a secret
kubectl describe secrets secrets_name
[root@master sec]# kubectl describe secrets mysecret1
Name: mysecret1
Namespace: sec
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password1: 7 bytes
password2: 7 bytes
[root@master sec]#
Decode the password defined in a secret
- First output the created object as yaml
Syntax: kubectl get secrets secret_name -o yaml
[root@master sec]# kubectl get secrets mysecret1 -o yaml
apiVersion: v1
data:
  # below are the defined password values: we set redhat1 and redhat2, and in the file they appear as encoded values
  password1: cmVkaGF0MQ==
  password2: cmVkaGF0Mg==
kind: Secret
metadata:
  creationTimestamp: "2021-08-30T03:13:56Z"
  name: mysecret1
  namespace: sec
  resourceVersion: "7298993"
  selfLink: /api/v1/namespaces/sec/secrets/mysecret1
  uid: cd04d95a-b10d-4c7a-97ec-ff89f4df0598
type: Opaque
[root@master sec]#
- The stored values (under data) are base64-encoded; decode them to check that the saved password really is redhat1:
Syntax: echo data_value | base64 -d
[root@master sec]# echo cmVkaGF0MQ== | base64 -d
redhat1[root@master sec]#
[root@master sec]#
[root@master sec]# echo cmVkaGF0Mq== | base64 -d
redhat2[root@master sec]#
[root@master sec]#
- Verify the password via jsonpath (more cumbersome; the method above is much quicker)
[root@master sec]# kubectl get secrets mysecret1 -o jsonpath={.data.password1} | base64 -d
redhat1[root@master sec]#
[root@master sec]# kubectl get secrets mysecret1 -o jsonpath={.data.password2} | base64 -d
redhat2[root@master sec]#
Delete a secret
Syntax: kubectl delete secrets secret_name
[root@master sec]# kubectl get secrets
NAME TYPE DATA AGE
default-token-cj6f5 kubernetes.io/service-account-token 3 5d20h
mysecret1 Opaque 2 45m
mysecret2 Opaque 1 30m
mysecret3 Opaque 1 23m
mysecret4 Opaque 3 23m
mysecret5 Opaque 1 16m
mysecret6 Opaque 3 15m
[root@master sec]#
[root@master sec]# kubectl delete secrets mysecret5
secret "mysecret5" deleted
[root@master sec]# kubectl delete secrets mysecret4
secret "mysecret4" deleted
[root@master sec]# kubectl delete secrets mysecret3
secret "mysecret3" deleted
[root@master sec]#
[root@master sec]# kubectl get secrets
NAME TYPE DATA AGE
default-token-cj6f5 kubernetes.io/service-account-token 3 5d20h
mysecret1 Opaque 2 45m
mysecret2 Opaque 1 30m
mysecret6 Opaque 3 15m
[root@master sec]#
Create an Opaque secret
- A secret stores key/value pairs.
- Syntax:
# Method 1 (recommended)
kubectl create secret generic mysecret1 --from-literal=user=tom --from-literal=key1=value1 --from-literal=key2=value2
# Method 2 (for reference only)
# With --from-file, the secret's key is the file name with its path stripped (hosts), and the value is the file's content.
# system file
kubectl create secret generic mysecret1 --from-file=/etc/hosts --from-file=/etc/issue
# custom file of key=value lines
kubectl create secret generic mysecret1 --from-env-file=file_name
Method 1: on the command line (recommended)
Create the secret and inspect it
[root@master sec]# kubectl create secret generic mysecret1 --from-literal=password1=redhat1 --from-literal=password2=redhat2
secret/mysecret1 created
[root@master sec]#
[root@master sec]# kubectl get secrets
NAME TYPE DATA AGE
default-token-cj6f5 kubernetes.io/service-account-token 3 5d19h
mysecret1 Opaque 2 44s
[root@master sec]#
[root@master sec]# kubectl describe secrets mysecret1
Name: mysecret1
Namespace: sec
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password1: 7 bytes
password2: 7 bytes
[root@master sec]#
Output the created object as yaml (with field explanations)
- Syntax:
kubectl get secrets secret_name -o yaml
[root@master sec]# kubectl get secrets mysecret1 -o yaml
apiVersion: v1
data:
  # below are the defined password values: we set redhat1 and redhat2, and in the file they appear as encoded values
  password1: cmVkaGF0MQ==
  password2: cmVkaGF0Mg==
kind: Secret
metadata:
  creationTimestamp: "2021-08-30T03:13:56Z"
  name: mysecret1
  namespace: sec
  resourceVersion: "7298993"
  selfLink: /api/v1/namespaces/sec/secrets/mysecret1
  uid: cd04d95a-b10d-4c7a-97ec-ff89f4df0598
type: Opaque
[root@master sec]#
- The stored values (under data) are base64-encoded; decode them to check that the saved password really is redhat1:
Syntax: echo data_value | base64 -d
[root@master sec]# echo cmVkaGF0MQ== | base64 -d
redhat1[root@master sec]#
[root@master sec]#
[root@master sec]# echo cmVkaGF0Mq== | base64 -d
redhat2[root@master sec]#
[root@master sec]#
- Verify the password via jsonpath (more cumbersome; the method above is much quicker)
[root@master sec]# kubectl get secrets mysecret1 -o jsonpath={.data.password1} | base64 -d
redhat1[root@master sec]#
[root@master sec]# kubectl get secrets mysecret1 -o jsonpath={.data.password2} | base64 -d
redhat2[root@master sec]#
Method 2: from files
Create a secret from a system file and inspect it
- We create it from the hosts file, as follows (no line-by-line explanation here; see the previous step if anything is unclear)
[root@master sec]# kubectl create secret generic mysecret2 --from-file=/etc/hosts
secret/mysecret2 created
[root@master sec]#
[root@master sec]# kubectl get secrets mysecret2 -o yaml
apiVersion: v1
data:
  hosts: MTI3LjAuMC4xICAgbG9jYWxob3N0IGxvY2FsaG9zdC5sb2NhbGRvbWFpbiBsb2NhbGhvc3Q0IGxvY2FsaG9zdDQubG9jYWxkb21haW40Cjo6MSAgICAgICAgIGxvY2FsaG9zdCBsb2NhbGhvc3QubG9jYWxkb21haW4gbG9jYWxob3N0NiBsb2NhbGhvc3Q2LmxvY2FsZG9tYWluNgoKMTkyLjE2OC41OS4xNDIgbWFzdGVyCjE5Mi4xNjguNTkuMTQzIG5vZGUxCjE5Mi4xNjguNTkuMTQ0IG5vZGUyCgo=
kind: Secret
metadata:
  creationTimestamp: "2021-08-30T03:28:48Z"
  name: mysecret2
  namespace: sec
  resourceVersion: "7300718"
  selfLink: /api/v1/namespaces/sec/secrets/mysecret2
  uid: 8896a43e-67be-47e2-96d8-e677ddecf3ae
type: Opaque
[root@master sec]#
[root@master sec]# kubectl get secrets mysecret2 -o jsonpath={.data.hosts} | base64 -d
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.59.142 master
192.168.59.143 node1
192.168.59.144 node2
[root@master sec]#
Create a secret from a custom file and inspect it
- Now a custom file (this is much like method 1):
[root@master sec]# cat env.txt
user=ccx
password1=redhat1
password2=redhat2
[root@master sec]# kubectl create secret generic mysecret4 --from-env-file=env.txt
secret/mysecret4 created
[root@master sec]# kubectl get secrets mysecret4
NAME TYPE DATA AGE
mysecret4 Opaque 3 17s
[root@master sec]# kubectl get secrets mysecret4 -o yaml
apiVersion: v1
data:
  password1: cmVkaGF0MQ==
  password2: cmVkaGF0Mg==
  user: Y2N4
kind: Secret
metadata:
  creationTimestamp: "2021-08-30T03:35:40Z"
  name: mysecret4
  namespace: sec
  resourceVersion: "7301514"
  selfLink: /api/v1/namespaces/sec/secrets/mysecret4
  uid: e60b0653-65e9-4c64-a652-2789aa7cb812
type: Opaque
[root@master sec]#
[root@master sec]# kubectl get secrets mysecret4 -o jsonpath={.data.password1} | base64 -d
redhat1[root@master sec]#
[root@master sec]# kubectl get secrets mysecret4 -o jsonpath={.data.password2} | base64 -d
redhat2[root@master sec]#
[root@master sec]# kubectl get secrets mysecret4 -o jsonpath={.data.user} | base64 -d
ccx[root@master sec]#
[root@master sec]#
- You must use --from-env-file. With plain --from-file the file is treated like a system file (the whole file content becomes a single value), so the parameters defined inside it are not recognised, as shown below
[root@master sec]# kubectl create secret generic mysecret5 --from-file=/root/sec/env.txt
secret/mysecret5 created
[root@master sec]# kubectl get secrets mysecret5 -o jsonpath={.data.password1} | base64 -d
[root@master sec]#
[root@master sec]# kubectl get secrets mysecret5 -o yaml
apiVersion: v1
data:
  env.txt: dXNlcj1jY3gKcGFzc3dvcmQxPXJlZGhhdDEKcGFzc3dvcmQyPXJlZGhhdDIK
kind: Secret
metadata:
  creationTimestamp: "2021-08-30T03:42:39Z"
  name: mysecret5
  namespace: sec
  resourceVersion: "7302323"
  selfLink: /api/v1/namespaces/sec/secrets/mysecret5
  uid: e1d16180-c195-4ed0-abe7-b4abb0050581
type: Opaque
[root@master sec]#
# The jsonpath form below returns nothing because the key name contains a dot, which jsonpath reads as a path separator; escape it as -o jsonpath="{.data['env\.txt']}", or simply decode the value from the yaml output as done afterwards
[root@master sec]# kubectl get secrets mysecret5 -o jsonpath={.data.env.txt} | base64 -d
[root@master sec]#
[root@master sec]# echo dXNlcj1jY3gKcGFzc3dvcmQxPXJlZGhhdDEKcGFzc3dvcmQyPXJlZGhhdDIK | base64 -d
user=ccx
password1=redhat1
password2=redhat2
[root@master sec]#
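The --from-env-file creation and the base64 decoding shown above are pure encoding with no key involved. The following shell functions are an added example, not code from the original post: they build the same Opaque manifest from the post's env.txt lines and decode a `kubectl get secret -o yaml` dump back to plaintext (including a key with a dot such as env.txt, which needs no escaping here). The function names and the embedded sample are my own.

```shell
# Constructed sample input: the env.txt lines from the post, embedded so this runs offline.
SAMPLE_ENV='user=ccx
password1=redhat1
password2=redhat2'

# Emit the Opaque Secret manifest that
#   kubectl create secret generic NAME --from-env-file=FILE --dry-run=client -o yaml
# produces from key=value lines read on stdin. Every value under data: is merely
# base64-encoded; no key material is involved anywhere.
env_to_secret_yaml() {
  name=$1
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\ndata:\n' "$name"
  while IFS='=' read -r key value; do
    case $key in ''|\#*) continue ;; esac          # skip blank and comment lines
    printf '  %s: %s\n' "$key" "$(printf '%s' "$value" | base64 | tr -d '\n')"
  done
}

# Reverse it without any secret: read a `kubectl get secret ... -o yaml` dump on
# stdin and print key=value for each entry under data:. Anyone allowed to
# `get secrets` in the namespace can do exactly this, which is why Opaque offers
# only weak protection. Comment lines inside data: are skipped.
decode_secret_yaml() {
  awk '/^data:/ { in_data = 1; next }
       /^[^ ]/  { in_data = 0 }
       in_data && /^  [^ #]/ { sub(/^  /, ""); print }' |
  while IFS=': ' read -r key b64; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
  done
}

# Round trip: encoding and then decoding must give the original lines back.
roundtrip_ok() {
  decoded=$(printf '%s\n' "$SAMPLE_ENV" | env_to_secret_yaml mysecret4 | decode_secret_yaml)
  [ "$decoded" = "$SAMPLE_ENV" ]
}
```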
Reference an Opaque secret as an environment variable
- The secret must be defined first; below I use the password1 entry of the mysecret1 defined above.
Edit the pod configuration file
- Edit the pod's yaml file:
[root@master sec]# cat pod2.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod2
  name: pod2
spec:
  terminationGracePeriodSeconds: 0
  containers:
  - image: hub.c.163.com/library/mysql
    imagePullPolicy: IfNotPresent
    name: pod2
    resources: {}
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:            # a reference instead of a literal value
        secretKeyRef:       # fixed format
          name: mysecret1   # the secret to read from
          key: password1    # the key within that secret
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@master sec]#
Create the pod and verify
- The yaml file references the previously created mysecret1 and its password1. Apply the yaml file to create the mysql pod:
I'm sure the commands below are self-explanatory, so I won't comment on them.
[root@master sec]# kubectl apply -f pod2.yaml
pod/pod2 created
[root@master sec]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod2 1/1 Running 0 7s 10.244.166.165 node1 <none> <none>
[root@master sec]#
[root@master sec]# kubectl get secrets mysecret1 -o jsonpath={.data.password1} | base64 -d
redhat1[root@master sec]#
[root@master sec]# mysql -uroot -predhat1 -h 10.244.166.165
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
MySQL [(none)]> quit
Bye
[root@master sec]#
[root@master sec]#
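The difference between pod1 (a literal password that `kubectl describe pod` shows to anyone) and pod2 (a secretKeyRef) can be checked mechanically before a manifest is applied. The script below is an added example, not code from the original post: it scans a pod manifest for credential-looking env entries that carry a literal value and reports their location without echoing the value. The two manifests are constructed copies of the post's pod1 and pod2, trimmed to the relevant fields; the function names are my own.

```shell
# Constructed manifests: the post's pod1 (literal password) and pod2 (secretKeyRef).
POD1_PLAINTEXT='apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - image: hub.c.163.com/library/mysql
    name: pod1
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: ccxhero'

POD2_SECRETREF='apiVersion: v1
kind: Pod
metadata:
  name: pod2
spec:
  containers:
  - image: hub.c.163.com/library/mysql
    name: pod2
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret1
          key: password1'

# Read a pod manifest on stdin. For every list entry "- name: X" whose name looks
# credential-like, a following "value:" line means the secret is written into the
# manifest itself (and will appear in `kubectl describe pod`); "valueFrom:" is
# the safe form. Prints only the variable name and line number, never the value.
# Exit status 1 when a plaintext credential was found, 0 otherwise.
find_plaintext_creds() {
  awk '
    /^ *- *name:/   { name = $3; next }
    /^ *valueFrom:/ { name = ""; next }
    /^ *value:/ && toupper(name) ~ /PASS|SECRET|TOKEN|KEY/ {
      printf "line %d: env %s is set as a literal value\n", NR, name
      found = 1
    }
    END { exit found ? 1 : 0 }'
}

# Wrapper taking the manifest as a string so the result is easy to check from a script.
check_manifest() { printf '%s\n' "$1" | find_plaintext_creds; }
```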
Reference an Opaque secret as a volume
- The secret must be defined first; below I use the /etc/hosts entry of the mysecret2 defined above.
- Note that this is the volume form; you should know what a volume is. If you've forgotten, revisit the volume posts on my blog.
Edit the pod configuration file
- Modify the pod's yaml file and apply it:
[root@master sec]# cat pod3.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod3
  name: pod3
spec:
  terminationGracePeriodSeconds: 0
  volumes:
  - name: v1
    secret:
      secretName: mysecret2
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: pod3
    resources: {}
    volumeMounts:
    - name: v1
      mountPath: /xx
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@master sec]#
Create the pod and verify
- Enter the pod and check whether the secret was mounted: the /xx directory should contain the hosts data recorded in mysecret2.
[root@master sec]# kubectl apply -f pod3.yaml
pod/pod3 created
[root@master sec]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod2 1/1 Running 0 12m
pod3 1/1 Running 0 6s
[root@master sec]# kubectl exec -it pod3 -- bash
root@pod3:/# ls /xx
hosts
root@pod3:/# cat /xx/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.59.142 master
192.168.59.143 node1
192.168.59.144 node2
root@pod3:/# exit
exit
[root@master sec]#
Special usage
- If you only want to pass one specific entry of mysecret1, such as password1, into the container, edit the yaml file and add a subPath line under mountPath that names password1:
...
    - name: v1              # the volume name defined under spec.volumes
      mountPath: /xx/password1
      subPath: password1
...
- This mounts only password1 from mysecret1 into /xx/ in the container, under the name password1 (which can be changed).
- A common application of referencing an Opaque secret as a volume: store Nginx's configuration file as a secret, then mount it at /etc/nginx/nginx.conf when defining the Nginx pod, so the configuration file is passed in. This method isn't recommended, though: when you edit the secret its content is base64-encoded, which makes it inconvenient to modify.
- The example above may not seem very useful, but using it to replace configuration files is much more practical: a configuration file from a directory on the local machine can be mounted into the container in one step this way, for example the httpd configuration.
[root@master sec]# kubectl create secret generic mysecret7 --from-file=/etc/httpd/conf/httpd.conf
secret/mysecret7 created
[root@master sec]#
[root@master sec]# cat pod4.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod4
  name: pod4
spec:
  terminationGracePeriodSeconds: 0
  volumes:
  - name: v1
    secret:
      secretName: mysecret7
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: pod4
    resources: {}
    volumeMounts:
    - name: v1
      mountPath: /etc/httpd/conf/httpd.conf
      subPath: httpd.conf
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@master sec]#
Verify
[root@master sec]# kubectl apply -f pod4.yaml
pod/pod4 created
[root@master sec]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod2 1/1 Running 0 33m
pod3 1/1 Running 0 21m
pod4 1/1 Running 0 5s
[root@master sec]# kubectl exec -it pod4 -- bash
root@pod4:/# cat /etc/httpd/conf/httpd.conf | head -n 10
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
root@pod4:/#
configmap (cm)
Description
- Ways to use it:
  - as an environment variable
  - as a volume (recommended; used to pass configuration files)
- Usage is basically the same as for secrets, but the data is stored in plaintext, so it is insecure and used less; it is also much simpler than secrets. Treat this as background; I only give a brief description.
cm: common commands
View cms
Command: kubectl get cm
[root@master sec]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 5d21h
[root@master sec]#
View the parameters defined in a cm
kubectl describe cm cm_name
[root@master sec]# kubectl describe cm mycm1
Name: mycm1
Namespace: sec
Labels: <none>
Annotations: <none>
Data
====
password1:
----
redhat
Events: <none>
[root@master sec]#
Delete a cm
Syntax: kubectl delete cm cm_name
[root@master sec]# kubectl get cm | grep test
cmtest 0 10s
[root@master sec]# kubectl delete cm cmtest
configmap "cmtest" deleted
[root@master sec]#
[root@master sec]# kubectl get cm | grep test
[root@master sec]#
Create a cm
Create and inspect a cm
It is created the same way as a secret. Only the literal method is shown here; creating from a file works the same way (see the secret section above). Since the values are stored in what is effectively plaintext, this is rarely used for passwords; for reference only.
[root@master sec]#
[root@master sec]# kubectl create cm mycm1 --from-literal=password1=redhat
configmap/mycm1 created
[root@master sec]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 5d21h
mycm1 1 2s
[root@master sec]# kubectl describe cm mycm1
Name: mycm1
Namespace: sec
Labels: <none>
Annotations: <none>
Data
====
password1:
----
redhat
Events: <none>
[root@master sec]#
Output the created object as yaml
When the cm is output as yaml, you can see that the data is not base64-encoded:
[root@master sec]# kubectl get cm mycm1 -o yaml
apiVersion: v1
data:
  password1: redhat
kind: ConfigMap
metadata:
  creationTimestamp: "2021-08-30T04:45:54Z"
  name: mycm1
  namespace: sec
  resourceVersion: "7309717"
  selfLink: /api/v1/namespaces/sec/configmaps/mycm1
  uid: 92f71818-5431-44d9-96d8-da6dc03c03be
[root@master sec]#
Reference a cm as an environment variable
Edit the pod configuration file
The yaml file is as follows:
[root@master sec]# cat pod5.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod5
  name: pod5
spec:
  terminationGracePeriodSeconds: 0
  containers:
  - image: hub.c.163.com/library/mysql
    imagePullPolicy: IfNotPresent
    name: pod5
    resources: {}
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        configMapKeyRef:
          name: mycm1
          key: password1
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@master sec]#
Create the pod and verify
[root@master sec]# kubectl apply -f pod5.yaml
pod/pod5 created
[root@master sec]# kubectl get pods -o wide | tail -n1
pod5 1/1 Running 0 41s 10.244.219.101 master <none> <none>
[root@master sec]#
[root@master sec]# mysql -uroot -predhat -h10.244.219.101
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> quit
Bye
[root@master sec]#
Reference a cm as a volume
- Create mycm2:
[root@master sec]# kubectl create cm mycm2 --from-file=/etc/httpd/conf/httpd.conf
configmap/mycm2 created
[root@master sec]#
Edit the pod configuration file
- Edit the pod's yaml file to mount mycm2 at the specified path:
This is really just the special usage from the secret section.
[root@master sec]# cat pod6.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod6
  name: pod6
spec:
  terminationGracePeriodSeconds: 0
  volumes:
  - name: v1
    configMap:        # this is the format for a configmap volume
      name: mycm2
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: pod6
    resources: {}
    volumeMounts:
    - name: v1
      mountPath: /etc/httpd/conf/httpd.conf
      subPath: httpd.conf
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
Create the pod and test
[root@master sec]# kubectl apply -f pod6.yaml
pod/pod6 created
[root@master sec]# kubectl get pods -o wide | tail -n 1
pod6 1/1 Running 0 4s 10.244.166.170 node1 <none> <none>
[root@master sec]# kubectl exec -it pod6 -- bash
root@pod6:/# cat /etc/httpd/conf/httpd.conf |head -n10
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
root@pod6:/#
Modifying a cm
- If you want to change this httpd configuration file, just edit the corresponding cm on the master:
kubectl edit cm mycm2   (the name of the cm to modify)
Because the stored data is plaintext, it is easy to edit. Then delete the current pod and recreate it.
- Honestly, editing in place is of little value: you can simply create a new cm and change the cm name in the pod's configuration file.