一、Secret
Secret 是用来保存密码、token、密钥等敏感数据的 k8s 资源,这类数据虽然也可以存放在 Pod 或者镜像中,但是放在 Secret 中是为了更方便的控制如何使用数据,并减少暴露的风险。
1.1 Secret 四种类型
● kubernetes.io/service-account-token:由 Kubernetes 自动创建,用来访问 APIServer 的 Secret,Pod 会默认使用这个 Secret 与 APIServer 通信, 并且会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中;
● Opaque :base64 编码格式的 Secret,用来存储用户自定义的密码、密钥等,默认的 Secret 类型;
● kubernetes.io/dockerconfigjson :用来存储私有 docker registry 的认证信息。
● kubernetes.io/tls :用来存储 TLS 证书和私钥信息。
1.2 Secret 使用条件
Pod 需要先引用才能使用某个 secret,Pod 有 3 种方式来使用 secret:
● 作为挂载到一个或多个容器上的卷 中的文件。
● 作为容器的环境变量。
● 由 kubelet 在为 Pod 拉取镜像时使用。
应用场景:凭据
https://kubernetes.io/docs/concepts/configuration/secret/
二、Secret 使用方式
2.1 基于Opaque创建 Secret
kubectl create secret generic -h
#用kubectl create secret命令创建Secret
echo -n 'zhangsan' > username.txt
echo -n 'abc1234' > password.txt
kubectl create secret generic mysecret --from-file=username.txt --from-file=password.txt
kubectl get secrets
kubectl describe secret mysecret
#get或describe指令都不会展示secret的实际内容,这是出于对数据的保护的考虑
2.2 内容用 base64 编码,创建Secret
echo -n zhangsan | base64
emhhbmdzYW4=
echo -n abc1234 | base64
YWJjMTIzNA==
vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret1
type: Opaque
data:
username: emhhbmdzYW4=
password: YWJjMTIzNA==
kubectl create -f secret.yaml
kubectl get secrets
kubectl get secret mysecret1 -o yaml
2.3 将 Secret 挂载到 Volume 中,以 Volume 的形式挂载到 Pod 的某个目录下
//master01节点
//创建一个自主式Pod
cd /opt/secret
kubectl run myapp --image=soscscs/myapp:v1 --port=80 --dry-run=client -oyaml > myapp.yaml
cp myapp.yaml myapp-demo1.yaml
vim myapp-demo1.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: myapp-demo1
name: myapp-demo1
spec:
volumes:
- name: vol-harbor
secret:
secretName: mysecret1
containers:
- image: soscscs/myapp:v1
name: myapp-demo1
ports:
- containerPort: 80
volumeMounts:
- name: vol-harbor
mountPath: /opt/secret
readOnly: true
kubectl apply -f myapp-demo1.yaml
kubectl get pods -owide
kubectl exec -it myapp-demo1 sh
2.4 将 Secret 导出到环境变量中
//再用 base64 编码,创建一个Secret mysecret2.yaml
vim mysecret-demo2.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: myapp-demo2
name: myapp-demo2
spec:
containers:
- image: soscscs/myapp:v1
name: myapp-demo2
ports:
- containerPort: 80
env:
- name: mysecret1_USER
valueFrom:
secretKeyRef:
name: mysecret1
key: username
- name: mysecret2_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret2
key: password
envFrom:
- secretRef:
name: mysecret1
2.5 使用secret配置免密交互拉取habor私有仓库镜像
使用secret配置免密交互拉取habor私有仓库镜像 , 在搭建好docker的私有仓库后,在使用私有仓库时需要通过docker login指令来登录到私有仓库中。但同时在使用的过程中也会把habor仓库的用户名和密码暴露在命令行中,存在一定的安全隐患。k8s中的secret配置的运用能够实现并且规避这一问题的存在
//另外准备两台安装docker引擎和docker-compose的服务器
//部署 docker引擎
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum install -y docker-ce docker-ce-cli containerd.io
cd /etc/docker/
cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors": ["https://6iuzoxz4.mirror.aliyuncs.com",
"https://dockerhub.icu",
"https://docker.chenby.cn",
"https://docker.1panel.live",
"https://docker.awsl9527.cn",
"https://docker.anyhub.us.kg",
"https://dhub.kubesre.xyz"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "500m","max-file": "3"
}
}
EOF
systemctl start docker.service
systemctl enable docker.service
上传docker-compose
mv docker-compose /usr/local/bin/
chmod +x !$/docker-compose
docker-compose -version
//在其中一台装docker引擎和docker-compose的服务器安装harbor
//上传harbor-offline-installer-v1.10.18.tgz
//下载运行registry镜像
docker pull registry
vim /etc/docker/daemon.json
......
"insecure-registries": ["http://192.168.154.13"],
......
cd /opt
tar xf harbor-offline-installer-v1.10.18.tgz
cd harbor/
vim harbor.yml
//master01节点
kubectl create secret docker-registry myharbor --docker-server=192.168.154.13 --docker-username=admin --docker-password=Harbor12345 --docker-email=admin@harbor.com
docker-registry —— secret资源类型
myharbor —— secret资源名称
--docker-server=192.168.154.13 —— 私有仓库IP地址
--docker-username=admin —— 私有仓库登录账号
--docker-password=Harbor12345 —— 私有仓库登录密码
--docker-email=admin@harbor.com —— 私有仓库登录邮箱
kubectl get secrets
//harbor服务器加载镜像和启动 Harbor
./prepare
./install.sh
docker-compose ps
docker pull nginx:1.20
打开浏览器输入账户密码即可登录
新建一个项目
//上传nginx镜像到私有仓库
docker login -u admin -p Harbor12345 http://192.168.154.13
docker images
nginx镜像就推送上去了
从私有仓库拉取镜像
先删除集群所有节点的nginx镜像
docker rmi -f nginx:latest
//master01
cd /opt/secret
vim myapp-demo3.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: nginx
name: nginx
spec:
containers:
- image: 192.168.154.13/k8s/nginx:1.20
name: nginx
ports:
- containerPort: 80
这时执行pod是报错的
//先在所有node节点上把私有仓库ip加上
vim /etc/docker/daemon.json
"insecure-registries": ["http://192.168.154.13"],
//再保存重启docker服务
systemctl restart docker.service
//master01
cd /opt/secret
vim myapp-demo3.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: nginx
name: nginx
spec:
containers:
- image: 192.168.154.13/k8s/nginx:1.20
name: nginx
ports:
- containerPort: 80
imagePullSecrets:
- name: myharbor
通过私有仓库拉取镜像成功
日志上也看到拉取镜像了
三、ConfigMap
与Secret类似,区别在于ConfigMap保存的是不需要加密配置的信息。
ConfigMap 功能在 Kubernetes1.2 版本中引入,许多应用程序会从配置文件、命令行参数或环境变量中读取配置信息。ConfigMap API 给我们提供了向容器中注入配置信息的机制,ConfigMap 可以被用来保存单个属性,也可以用来保存整个配置文件或者JSON二进制大对象。
应用场景:应用配置
3.1 使用目录创建
//创建 ConfigMap
mkdir /opt/configmap/
vim /opt/configmap/game.config
enemy.types=aliens,monsters
player.maximum-lives=5
vim /opt/configmap/ui.config
color.good=purple
color.bad=yellow
allow.textmode=true
ls /opt/configmap/
game.config
ui.config
kubectl create configmap game-config --from-file=/opt/configmap/
//--from-file 指定在目录下的所有文件都会被用在 ConfigMap 里面创建一个键值对,键的名字就是文件名,值就是文件的内容
kubectl get cm
mkdir /opt/configmap/cm
cd /opt/configmap/cm
cp -r /etc/passwd /etc/shadow /etc/yum.repos.d/ /etc/yum.conf /etc/fstab /etc/hosts ./
kubectl create cm cm-demo1 --from-file=/opt/configmap/cm
kubectl describe cm cm-demo1
ConfigMap 只加载第一层目录的第一层文件,子目录和其下文件都不会加载出来
而且 ConfigMap 的键值是以明文的方式展示出来,这也是和 secret 的区别之一
3.2 通过键值对创建
使用文字值创建,利用 --from-literal 参数传递配置信息,该参数可以使用多次,格式如下
kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=good
kubectl create cm mycm-demo1 --from-literal=class=demo1 --from-literal=name=test
kubectl get cm
kubectl describe cm mycm-demo1
3.3 通过挂载的方式使用
cd /opt/secret/
vim myapp-demo4.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: myapp-demo4
name: myapp-demo4
spec:
volumes:
- name: vol-cm
configMap:
name: cm-demo1
containers:
- image: soscscs/myapp:v1
name: myapp-demo4
ports:
- containerPort: 80
volumeMounts:
- name: vol-cm
mountPath: /opt/ConfigMap
readOnly: true
3.4 通过环境变量的方式使用
cd /opt/secret
cp myapp-demo2.yaml myapp-demo5.yaml
vim myapp-demo5.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: myapp-demo5
name: myapp-demo5
spec:
containers:
- image: soscscs/myapp:v1
name: myapp-demo5
ports:
- containerPort: 80
env:
- name: ConfigMap_USER
valueFrom:
configMapKeyRef:
name: mycm-demo1
key: name
- name: MYCLASS
valueFrom:
configMapKeyRef:
name: mycm-demo1
key: class
envFrom:
- configMapRef:
name: mycm-demo1
3.5 在容器启动时直接引用变量值
vim myapp-demo5.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: myapp-demo6
name: myapp-demo6
spec:
containers:
- image: busybox:1.28
name: myapp-demo6
command:
- /bin/sh
- -c
- echo "${ConfigMap_USER} is in ${MYCLASS}" > /var/env.txt ;sleep 3600
ports:
- containerPort: 80
env:
- name: ConfigMap_USER
valueFrom:
configMapKeyRef:
name: mycm-demo1
key: name
- name: MYCLASS
valueFrom:
configMapKeyRef:
name: mycm-demo1
key: class
envFrom:
- configMapRef:
name: mycm-demo1
3.6 将现有nginx配置文件替换掉容器里默认nginx配置文件
cd /opt/secret
vim myapp-demo6.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: cm-demo6
name: cm-demo6
spec:
containers:
- image: soscscs/myapp:v1
name: cm-demo6
ports:
- containerPort: 80
dnsPolicy: ClusterFirst
restartPolicy: Always
//准备开始替换
//上传nginx.conf
cd /opt/secret
kubectl create configmap mycm-nginx --from-file=./nginx.conf
vim nginx.conf
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
charset utf-8;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.php;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
root html;
fastcgi_pass 172.18.0.30:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
include fastcgi_params;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
错误示例:
vim cm-nginx.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: cm-demo6
name: cm-demo6
spec:
volumes:
- name: nginx-conf
configMap:
name: mycm-nginx
containers:
- image: soscscs/myapp:v1
name: cm-demo6
ports:
- containerPort: 80
volumeMounts:
- name: nginx-conf
mountPath: /etc/nginx/nginx.conf
readOnly: true
vim cm-nginx.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: cm-demo6
name: cm-demo6
spec:
volumes:
- name: nginx-conf
configMap:
name: mycm-nginx
containers:
- image: soscscs/myapp:v1
name: cm-demo6
ports:
- containerPort: 80
volumeMounts:
- name: nginx-conf
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
readOnly: true
3.7 ConfigMap 热更新
想修改 nginx.conf 里的某个参数值,不要在容器里的 nginx.conf 里修改,不然需要重启服务,容器也会宕掉。
- 只支持以目录的方式挂载的cm卷进行热更新
- 不支持以文件的方式挂载的cm卷进行热更新
//以目录的方式更新
cd /opt/secret
cp nginx.conf nginx2.conf
vim nginx2.conf
server {
location / {
root /var/www/html;
index index.html;
}
location ~ \.php$ {
root html;
fastcgi_pass 172.18.0.30:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
include fastcgi_params;
}
}
kubectl create cm mycm-nginx2 --from-file=./nginx2.conf
vim cm-demo.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: cm-demo
name: cm-demo
spec:
volumes:
- name: nginx-conf
configMap:
name: mycm-nginx2
containers:
- image: soscscs/myapp:v1
name: cm-demo
ports:
- containerPort: 80
volumeMounts:
- name: nginx-conf
mountPath: /etc/nginx/conf.d
readOnly: true
kubectl apply -f cm-demo.yaml
kubectl exec -it cm-demo sh
3.8 ConfigMap 动态更新
kubectl edit cm mycm-nginx2
3.9 滚动更新
陈述式管理资源配置的方式 修改或添加 资源对象的配置
kubectl patch 资源类型 资源名 --patch '{"第一层字段": {"第一层字段": ...}}'
kubectl create deployment myapp-deploy --image=soscscs/myapp:v1 --port=80 --replicas=2
//修改副本集并使用打补丁的方式修改
kubectl edit deployments.apps myapp-deploy
kubectl patch deployments.apps myapp-deploy --patch '{"spec":{"replicas":4}}'
//打补丁的方式添加字段
kubectl patch deployments.apps myapp-deploy --patch '{"spec":{"template":{"metadata":{"annotations":{"version/config":"2024v1"}}}}}'
//打补丁的方式修改镜像
kubectl patch deployments.apps myapp-deploy --patch '{"spec":{"template":{"spec":{"containers":[{"name":"myapp","image":"soscscs/myapp:v3"}]}}}}'
扫一扫
974
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
