1.Secret的实现.
1.1 secret的详解
Secret是用来保存少量敏感数据的k8s资源,例如密码、token或者密钥。这类数据当然也可以直接写在Pod定义或者镜像中,但是放在Secret中可以更方便地控制如何使用这些数据,并减少暴露的风险。
用户可以创建自己的secret,系统也会有自己的secret。
Pod需要先引用才能使用某个secret
2. Secret的使用(1.环境变量的使用.)
2.1 环境变量的使用.
第一步:首先编写一个yaml文件.
[root@master kubernetes]# vim secret.yaml
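# Secret holding the MySQL root password and the database name.
# Security note: `data:` values are only base64-encoded, not encrypted —
# MTIzNDU2 is "123456" and bXlEYXRhYmFzZQ== is "myDatabase" (see the
# `cat /opt/mysql/...` output further down this page). Anyone who can
# `kubectl get secret` in this namespace can decode them, so restrict that
# with RBAC and keep this manifest out of shared repositories.
apiVersion: v1
kind: Secret
metadata:
  name: mysqlpassword
type: Opaque   # Opaque = arbitrary user-defined key/value data, no built-in schema
data:
  password: MTIzNDU2           # base64("123456")
  database: bXlEYXRhYmFzZQ==   # base64("myDatabase")
# MySQL Pod that reads the Secret through environment variables.
# Env-var injection is simple, but the values are visible to `env` and to
# process inspection inside the container; section 2.2 shows the volume
# alternative.
---
apiVersion: v1
kind: Pod
metadata:
  name: mysql
spec:
  containers:
  - name: mysql
    image: mysql:5.7
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 3306
    env:
    - name: MYSQL_ROOT_PASSWORD    # read by the mysql image on first initialisation
      valueFrom:
        secretKeyRef:
          name: mysqlpassword      # the Secret defined above
          key: password
    - name: MYSQL_DATABASE         # database the image creates on first initialisation
      valueFrom:
        secretKeyRef:
          name: mysqlpassword
          key: database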
第二步: 运行yaml文件,并查看是否创建成功.
[root@master kubernetes]# kubectl apply -f secret.yaml
secret/mysqlpassword created
pod/mysql created
[root@master kubernetes]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mysql 1/1 Running 0 6s
[root@master kubernetes]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql 1/1 Running 0 23s 10.244.104.13 node2 <none> <none>
第三步:进入容器,使用Secret中存储的密码登录mysql,查看myDatabase库是否已经创建.
也可以通过环境变量查看.
由图可知,实验完成.
2.2 将信息挂载到某个目录
1.编写yaml文件
[root@master kubernetes]# vim secret.yaml
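# Secret holding the MySQL root password and the database name.
# Security note: `data:` values are only base64-encoded, not encrypted —
# MTIzNDU2 is "123456" and bXlEYXRhYmFzZQ== is "myDatabase", exactly what
# `cat /opt/mysql/password` and `cat /opt/mysql/database` print below.
# Restrict read access to the Secret with RBAC; base64 is not a control.
apiVersion: v1
kind: Secret
metadata:
  name: mysqlpassword
type: Opaque   # Opaque = arbitrary user-defined key/value data, no built-in schema
data:
  password: MTIzNDU2           # base64("123456")
  database: bXlEYXRhYmFzZQ==   # base64("myDatabase")
# MySQL Pod that consumes the Secret both as env vars and as files.
---
apiVersion: v1
kind: Pod
metadata:
  name: mysql
spec:
  containers:
  - name: mysql
    image: mysql:5.7
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 3306
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysqlpassword
          key: password
    - name: MYSQL_DATABASE
      valueFrom:
        secretKeyRef:
          name: mysqlpassword
          key: database
    volumeMounts:
    - name: mysql-pass          # volume name, must match spec.volumes[].name below
      mountPath: /opt/mysql     # directory inside the container that receives the files
  volumes:
  - name: mysql-pass
    secret:
      secretName: mysqlpassword
      # defaultMode is not set, so the projected files get the default (0644);
      # consider `defaultMode: 0400` so only the container's user can read them.
      items:                    # only the listed keys are projected
      - key: password
        path: password          # -> /opt/mysql/password
      - key: database
        path: database          # -> /opt/mysql/database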
2.运行并且查看:
[root@master kubernetes]# kubectl apply -f secret.yaml
secret/mysqlpassword unchanged
pod/mysql created
[root@master kubernetes]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mysql 1/1 Running 0 6s
3. 登录容器到指定目录去查看
[root@master kubernetes]# kubectl exec -it mysql /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
#查看密码
root@mysql:/# cat /opt/mysql/password
123456root@mysql:/#
#查看数据库名称
root@mysql:/# cat /opt/mysql/database
myDatabaseroot@mysql:/#
由图可知,实验完成.
3.ConfigMap的实验(主要是存储一些配置文件.)
3.1 使用命令行方式创建ConfigMap
#第一种方法:指定键值对
[root@master kubernetes]# kubectl create configmap centos --from-literal=user=root
#第二种方法:指定文件进行存储
[root@master kubernetes]# kubectl create configmap centos-yaml --from-file=/etc/nginx/nginx.conf
configmap/centos-yaml created
#第三种方法:存储当前目录下所有文件(注意:会把当前目录下的每一个文件都存进去,包括前面编写的secret.yaml):
[root@master kubernetes]# kubectl create configmap centos-yaml --from-file=./
查看configmap的内容
kubectl get configmap <configmap-name> -o json
3.2 编写yaml文件创建configmap(以nginx配置文件为例)
[root@master kubernetes]# vim configmap.yaml
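# ConfigMap carrying an nginx.conf plus two plain key/value entries.
# Keep only non-sensitive configuration here: ConfigMap contents are readable
# by anyone who can `kubectl get configmap` in the namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf
data:
  # NOTE(review): the `env` listing later on this page shows these two keys
  # as nginx.level / nginx.info (dots), while they are written here with
  # hyphens — confirm which spelling was actually applied.
  nginx-level: 1.16.1
  nginx-info: 这是一个nginx配置文件
  # Literal block scalar: everything indented below becomes the file content.
  nginx.conf: |
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log notice;
    pid /var/run/nginx.pid;
    events {
        worker_connections 1024;
    }
    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        #tcp_nopush on;
        keepalive_timeout 65;
        #gzip on;
        include /etc/nginx/conf.d/*.conf;
    }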
1.运行yaml文件并且查看
3.3 编写yaml文件去调用上面创建好的configmap
[root@master kubernetes]# vim nginx-confgmap.yaml
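# nginx Pod that imports every key of the nginx-conf ConfigMap as an env var.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 90   # informational only; nginx listens on whatever its config says — TODO confirm a server block binds 90
    envFrom:              # every key becomes an env var, including the multi-line nginx.conf (see `env` output below)
    - configMapRef:
        name: nginx-conf  # ConfigMap created in 3.2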
运行并且进入容器查看:
[root@master kubernetes]# kubectl apply -f nginx-confgmap.yaml
pod/nginx created
[root@master kubernetes]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mysql 1/1 Running 0 57m
nginx 1/1 Running 0 5s
[root@master kubernetes]# kubeclt exec -it nginx /bin/bash
-bash: kubeclt: command not found
[root@master kubernetes]# kubectl exec -it nginx /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@nginx:/#
输入env进行查看
root@nginx:/# env
nginx.info=这是一个nginx配置文件
nginx.level=1.16.1
nginx.conf=user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
由图可知,实验完成.
3.4 第二种方式用卷去挂载
1.编写yaml文件
[root@master kubernetes]# vim nginx-confgmap.yaml
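# nginx Pod that replaces the image's /etc/nginx/nginx.conf with the
# nginx.conf key of the ConfigMap, via a subPath mount.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: nginx-config
      mountPath: /etc/nginx/nginx.conf   # overlays the single file, not the whole /etc/nginx directory
      subPath: nginx.conf                # mount just this key of the ConfigMap
      # NOTE: a file mounted with subPath is not refreshed when the ConfigMap
      # changes; recreate the Pod to pick up a new config.
  volumes:
  - name: nginx-config
    configMap:
      name: nginx-conf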
2. 运行并且查看
[root@master kubernetes]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mysql 1/1 Running 0 76m
nginx 1/1 Running 0 7s
3.进入容器去访问我们设置好的90端口
由图可知,实验完成.
扩展:配置文件也可以挂载到其他目录,写法如下:
yaml文件:
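# nginx Pod that projects a single ConfigMap key into a separate directory.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 90   # informational only; does not change what nginx listens on
    volumeMounts:
    - name: nginx-config
      mountPath: /opt/nginx/   # directory; the image's /etc/nginx is left untouched
  volumes:
  - name: nginx-config
    configMap:
      name: nginx-conf
      items:                   # only the listed keys appear in the mount (the `ls` below shows just nginx.conf)
      - key: nginx.conf
        path: nginx.conf       # -> /opt/nginx/nginx.conf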
2.运行并且查看
[root@master kubernetes]# kubectl delete -f nginx-confgmap.yaml
pod "nginx" deleted
[root@master kubernetes]# kubectl apply -f nginx-confgmap.yaml
pod/nginx created
[root@master kubernetes]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mysql 1/1 Running 0 83m
nginx 1/1 Running 0 3s
[root@master kubernetes]# kubectl exec -it nginx /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@nginx:/# ls /opt/nginx/
nginx.conf
root@nginx:/#
4. Downward API的实现.
Downward API
用于在容器中获取 POD 的基本信息,kubernetes原生支持
Downward API提供了两种方式用于将 POD 的信息注入到容器内部:
1.环境变量:用于单个变量,可以将 POD 信息直接注入容器内部。
2.Volume挂载:将 POD 信息生成为文件,直接挂载到容器内部。
#目前支持的字段
1. 使用 fieldRef 可以声明使用:
spec.nodeName - 宿主机名字
status.hostIP - 宿主机 IP
metadata.name - Pod 的名字
metadata.namespace - Pod 的 Namespace
status.podIP - Pod 的 IP
spec.serviceAccountName - Pod 的 Service Account 的名字
metadata.uid - Pod 的 UID
metadata.labels['<KEY>'] - 指定 <KEY> 的 Label 值
metadata.annotations['<KEY>'] - 指定 <KEY> 的 Annotation 值
metadata.labels - Pod 的所有 Label
metadata.annotations - Pod 的所有 Annotation
所有基本信息可以使用下面的方式去查看(describe方式看不出来):
[root@kub-k8s-master configmap]# kubectl get pod test-webapp -o yaml
实战案例
[root@kub-k8s-master prome]# vim test-env-pod.yml
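---
# Pod that exposes its own name, namespace and IP as env vars via the Downward API.
apiVersion: v1
kind: Pod
metadata:
  name: test-env-pod
  namespace: kube-system   # NOTE(review): kube-system hosts control-plane components; a dedicated test namespace keeps experiments and their RBAC separate
spec:
  containers:
  - name: test-env-pod
    image: daocloud.io/library/nginx   # third-party mirror; pin a digest if the image must be trustworthy
    env:
    - name: POD_NAME                   # first env var
      valueFrom:                       # value comes from the Pod object itself
        fieldRef:                      # Downward API field reference
          fieldPath: metadata.name     # visible in `kubectl get pod <name> -o yaml`
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: POD_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP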
[root@kub-k8s-master prome]# kubectl apply -f test-env-pod.yml
pod/test-env-pod created
#查看
[root@kub-k8s-master prome]# kubectl exec -it test-env-pod /bin/bash -n kube-system
root@test-env-pod:/# env | grep POD
POD_NAME=test-env-pod
POD_NAMESPACE=kube-system
POD_IP=10.244.1.35
root@test-env-pod:/#
Volume挂载
通过Downward API将 POD 的 Label 等信息通过 Volume 以文件的形式挂载到容器的某个文件中去,然后在容器中打印出该文件的值来验证。
[root@kub-k8s-master prome]# vim test-volume-pod.yaml
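---
# Pod that writes its own labels to a file via a downwardAPI volume.
apiVersion: v1
kind: Pod
metadata:
  name: test-volume-pod
  namespace: kube-system   # NOTE(review): prefer a dedicated test namespace over kube-system
  labels:                  # these two labels are what ends up in the mounted file
    k8s-app: test-volume
    node-env: test
spec:
  containers:
  - name: test-volume-pod-container
    image: daocloud.io/library/nginx
    volumeMounts:
    - name: podinfo
      mountPath: /etc/podinfo   # labels land in /etc/podinfo/labels
  volumes:
  - name: podinfo
    downwardAPI:
      items:
      - path: "labels"          # file name inside the mount
        fieldRef:
          fieldPath: metadata.labels   # all Pod labels; presumably one key="value" per line — verify in the container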
创建并且运行
[root@kub-k8s-master prome]# kubectl apply -f test-volume-pod.yaml
pod/test-volume-pod created
[root@kub-k8s-master prome]# kubectl get pod -n kube-system
[root@k8s-master prome]# kubectl exec -it test-volume-pod /bin/bash -n kube-system
实验完成.