Digging into k8s: configuration management with Secret and ConfigMap
Part 1: Secret configuration management
1.1: Secrets
- Official docs: https://kubernetes.io/zh/docs/concepts/configuration/secret/
- A Secret solves the problem of configuring sensitive data such as passwords, tokens and keys: the data is kept in etcd instead of being exposed in the image or the Pod spec. A Secret can be consumed as a Volume or as environment variables.
- A Secret is a k8s resource for holding small pieces of sensitive data, such as passwords, tokens or keys. Such data could of course also be placed in the Pod or the image, but keeping it in a Secret makes it easier to control how the data is used and reduces the risk of exposure.
- Users can create their own secrets, and the system also has secrets of its own.
- A Pod must reference a secret before it can use it. A Pod can use a secret in two ways:
- 1. mounted as a volume by one or more containers;
- 2. referenced by the kubelet when pulling an image.
1.2: Creating a secret
1.2.1: Method one: create a secret from files
- 1. Create the username and password files
[root@master ~]# cd test/
[root@master test]# ls
coredns.yaml nginx-service.yaml pod2.yaml pod8.yaml
cronjob.yaml nginx-test01.yaml pod3.yaml registry-pull-secret.yaml
ds.yaml nginx-test02.yaml pod4.yaml sts.yaml
headless.yaml nginx-test.yaml pod5.yaml tomcat-deployment.yaml
job.yaml nodeselector.yaml pod6.yaml
nginx-deployment.yaml pod1.yaml pod7.yaml
[root@master test]# echo -n 'admin' > ./username.txt
[root@master test]# echo -n 'abc123' > ./password.txt
[root@master test]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret/db-user-pass created
# run kubectl create secret --help to see the command help
[root@master test]# kubectl get secret    # list the secret resources
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      12s
default-token-dljps   kubernetes.io/service-account-token   3      6d8h
[root@master test]# kubectl describe secret db-user-pass
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>
Type:  Opaque
Data
====
username.txt: 5 bytes
password.txt: 6 bytes
1.2.2: Method two: create a secret from parameters
- 1. Prepare the parameter values (base64-encode them; the data field of the manifest takes base64 strings)
[root@master ~]# echo -n 'admin1' | base64
YWRtaW4x
[root@master ~]# echo -n 'abc123' | base64
YWJjMTIz
- 2. Create the yaml file
[root@master test]# vim secret.yaml
apiVersion: v1
kind: Secret              # the resource type
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4x      # the base64-encoded values from above
  password: YWJjMTIz
[root@master test]# kubectl create -f secret.yaml    # create the secret resource
secret/mysecret created
[root@master test]# kubectl get secret
NAME       TYPE     DATA   AGE
mysecret   Opaque   2      11s
[root@master ~]# kubectl describe secret mysecret    # show the details
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  <none>
Type:  Opaque
Data
====
password: 11 bytes
username: 8 bytes
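The encode step of 1.2.2 above, as an added example that is not part of the original post: a POSIX sh script that produces the data: section of the Secret manifest for the same username/password values, decodes them back, and shows the trailing-newline pitfall. It assumes only the coreutils base64 command; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): produce the data: section
# of a Secret manifest the way section 1.2.2 does, and show that base64
# is only an encoding, so the values are trivially recoverable.
# Assumes a POSIX sh and the coreutils `base64` command.

# Encode one value like `echo -n 'value' | base64` in the post. printf
# avoids the trailing newline a bare echo adds; tr strips the line
# wrapping GNU base64 inserts for inputs longer than 57 bytes.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a data: value back to plaintext: anyone who can read the
# Secret object (kubectl get secret -o yaml) can do exactly this.
b64_decode() {
    printf '%s' "$1" | base64 -d
}

# Emit a minimal Opaque Secret manifest for NAME from KEY=VALUE pairs.
# Usage: secret_manifest mysecret username=admin1 password=abc123
secret_manifest() {
    name=$1
    shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
    printf 'type: Opaque\ndata:\n'
    for pair in "$@"; do
        key=${pair%%=*}
        value=${pair#*=}
        printf '  %s: %s\n' "$key" "$(b64 "$value")"
    done
}

# The common mistake: encoding with a plain echo bakes a newline into
# the Secret, so the container sees "admin1\n" and the login fails.
b64_with_newline() {
    printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Demo with the post's values when run directly.
secret_manifest mysecret username=admin1 password=abc123
printf 'decoded username: %s\n' "$(b64_decode YWRtaW4x)"
```

base64 is an encoding, not encryption: anyone allowed to run kubectl get secret -o yaml gets the plaintext back with one command, so RBAC on Secret objects and etcd encryption at rest are what actually protect the values.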
1.3: Using a secret in a pod
1.3.1: Method one: import the secret's values into the pod as variables
- 1. Reference the values in the secret resource: key username is assigned to SECRET_USERNAME, key password is assigned to SECRET_PASSWORD
[root@master test]# kubectl get secret mysecret -o yaml
apiVersion: v1
data:
  password: YWJjMTIz
  username: YWRtaW4x
kind: Secret
metadata:
  creationTimestamp: 2020-10-15T10:35:02Z
  name: mysecret
  namespace: default
  resourceVersion: "194917"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: 15104830-0ed2-11eb-ba66-000c29115408
type: Opaque
- 2. Write the yaml file and create the resource
[root@master test]# vim secret-var.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    env:
    - name: SECRET_USERNAME        # the first variable name
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username            # key username is assigned to SECRET_USERNAME
    - name: SECRET_PASSWORD        # the second variable name
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password            # key password is assigned to SECRET_PASSWORD
[root@master test]# kubectl apply -f secret-var.yaml
pod/mypod created
[root@master test]# kubectl get pods
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          117s
[root@master test]# kubectl exec -it mypod bash    # enter the pod and verify the username and password
# echo $SECRET_USERNAME
admin1
# echo $SECRET_PASSWORD
abc123
1.3.2: Method two: mount the secret
- Mount it as a volume under a directory in the pod
- 1. Create the yaml file
[root@master test]# vim secret-vol.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"      # mount path inside the container
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret       # to expose mysecret, just mount the foo volume
[root@master test]# kubectl create -f secret-vol.yaml
pod/mypod created
[root@master test]# kubectl get pods
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          7m4s
[root@master test]# kubectl exec -it mypod bash    # enter the pod and verify the username and password
root@mypod:/# ls /etc/foo/
password  username
root@mypod:/# ls /etc/foo/username
/etc/foo/username
root@mypod:/# ls /etc/foo/password
/etc/foo/password
Part 2: ConfigMap configuration management
- A ConfigMap is similar to a Secret; the difference is that a ConfigMap holds configuration that does not need to be kept confidential.
- Typical use: application configuration
- There are two ways to create one: 1. with kubectl (yaml file); 2. from variable parameters
2.1: Method one: create with kubectl
- 1. Write the configuration the redis service needs and create the configmap resource
[root@master test]# vim redis.properties
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
[root@master test]# kubectl create configmap redis-config --from-file=redis.properties
configmap/redis-config created
[root@master test]# kubectl get configmap    # list the configmap resources
NAME           DATA   AGE
redis-config   1      12s
[root@master test]# kubectl get cm    # configmap can be abbreviated to cm
NAME           DATA   AGE
redis-config   1      23s
[root@master test]# kubectl describe cm redis-config
Name:         redis-config
Namespace:    default
Labels:       <none>
Annotations:  <none>
Data
====
redis.properties:
----
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
Events:  <none>
- 2. Write the yaml file and create the pod resource
[root@master test]# vim cm.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh", "-c", "cat /etc/config/redis.properties" ]
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: redis-config
  restartPolicy: Never
[root@master test]# kubectl apply -f cm.yaml
pod/mypod created
[root@master test]# kubectl get pods -w
NAME    READY   STATUS              RESTARTS   AGE
mypod   0/1     ContainerCreating   0          13s
mypod   0/1     Completed           0          39s
[root@master test]# kubectl get pods
NAME    READY   STATUS      RESTARTS   AGE
mypod   0/1     Completed   0          89s
[root@master test]# kubectl logs mypod    # check the log to verify the result
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
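A defender's check for the redis.properties file above, added here as an example that is not part of the original post: the script flags credential-looking keys (here redis.password) before the file becomes a ConfigMap and splits them out into a Secret, leaving only non-sensitive settings in the ConfigMap. The key-name pattern, the function names and the redis-config/redis-config-secret manifest names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-apply check for the
# redis.properties used in section 2.1, where a password ends up in a
# ConfigMap although ConfigMaps are meant for non-sensitive data.
# Credential-looking keys are flagged and split out into a Secret so
# the ConfigMap keeps only plain settings. Assumes POSIX sh with
# grep -E, sed, base64 and mktemp.

# Key names that usually hold credentials (extended regex, case-insensitive).
SENSITIVE='(pass(word|wd)?|secret|token|api[_.-]?key|private[_.-]?key)'

# Print each key=value line whose key looks sensitive, with the value
# redacted so the report itself leaks nothing.
flag_sensitive_keys() {
    grep -iE "^[^#=]*${SENSITIVE}[^=]*=" "$1" | sed 's/=.*/=<redacted>/'
}

# Succeed only when the file holds no sensitive keys.
configmap_safe() {
    [ -z "$(flag_sensitive_keys "$1")" ]
}

# Emit a Secret for the sensitive keys (base64 data, as in 1.2.2) and
# a ConfigMap for the rest. Usage: split_properties FILE NAME
split_properties() {
    file=$1
    name=$2
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s-secret\n' "$name"
    printf 'type: Opaque\ndata:\n'
    grep -iE "^[^#=]*${SENSITIVE}[^=]*=" "$file" |
        while IFS='=' read -r key value; do
            printf '  %s: %s\n' "$key" "$(printf '%s' "$value" | base64 | tr -d '\n')"
        done
    printf '%s\n' '---'
    printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\ndata:\n' "$name"
    grep -ivE "^[^#=]*${SENSITIVE}[^=]*=" "$file" | grep '=' |
        while IFS='=' read -r key value; do
            printf '  %s: "%s"\n' "$key" "$value"
        done
}

# Constructed input, copied from the post's redis.properties.
TMP=$(mktemp -d)
cat > "$TMP/redis.properties" <<'EOF'
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
EOF
flag_sensitive_keys "$TMP/redis.properties"
```

ConfigMap data is stored as plaintext and is readable by anyone with get on configmaps in the namespace, which is why the password belongs in a Secret even though the two objects are used the same way.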
2.2: Create a configmap resource from variable parameters
- 1. Create the configmap resource
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
  namespace: default
data:
  special.level: info
  special.type: hello
- 2. Create a test pod
[root@master test]# vim config-var.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh", "-c", "echo $(LEVEL) $(TYPE)" ]
    env:
    - name: LEVEL
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.level
    - name: TYPE
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.type
  restartPolicy: Never
[root@master test]# kubectl delete pod mypod
pod "mypod" deleted
[root@master test]# kubectl apply -f config-var.yaml
pod/mypod created
[root@master test]# kubectl get pods -w
NAME    READY   STATUS              RESTARTS   AGE
mypod   0/1     ContainerCreating   0          17s
mypod   0/1     Completed           0          27s
[root@master ~]# kubectl logs mypod    # check the variable output (logs takes the pod name, not the manifest file)
info hello