I. Introduction to Secret
Purpose of a Secret: store encrypted data in etcd and let Pods access it by mounting it as a Volume.
Secret use cases: data credentials, data encryption.
Example:
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=     # base64-encoded with: echo -n "admin" | base64
  password: MTIzNDU2YWJj # base64-encoded with: echo -n "123456abc" | base64
1. Apply the YAML to create the Secret:
[root@master-146 ~]# kubectl apply -f secret.yaml
secret/mysecret created
[root@master-146 ~]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-ks8wd   kubernetes.io/service-account-token   3      2d8h
mysecret              Opaque                                2      18s
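The `data` values above are produced by `echo -n ... | base64`. The following is an added example, not code from the tutorial: it builds the same Secret manifest from plaintext, then decodes it again to make the point that base64 is an encoding, not encryption. Anyone who can read the manifest or the Secret object (for instance via `kubectl get secret -o yaml`) recovers the plaintext, so RBAC on the Secret resource and encryption at rest for etcd are what actually protect the values. It also checks for the classic mistake of encoding with `echo "admin" | base64` (no `-n`), which silently appends a newline to the credential. The function names and the `find_trailing_newlines` check are ours.

```python
# Added example (not from the original tutorial): build a Secret manifest from
# plaintext the way "echo -n ... | base64" does, then show the encoding is
# reversible. base64 is encoding, not encryption.
import base64
import json


def make_secret(name, items, namespace="default"):
    """Return a Secret manifest (dict) whose `data` values are base64-encoded."""
    encoded = {}
    for key, value in items.items():
        # Like `echo -n`: no trailing newline becomes part of the value
        encoded[key] = base64.b64encode(value.encode()).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": encoded,
    }


def decode_secret(manifest):
    """Reverse the encoding: this is all a reader of the manifest needs to do."""
    return {k: base64.b64decode(v).decode() for k, v in manifest["data"].items()}


def find_trailing_newlines(manifest):
    """Keys whose decoded value ends in '\\n', the symptom of encoding with
    `echo "admin" | base64` instead of `echo -n`. The newline then travels
    with the credential and the application sends 'admin\\n' to the backend."""
    return sorted(k for k, v in decode_secret(manifest).items() if v.endswith("\n"))


if __name__ == "__main__":
    secret = make_secret("mysecret", {"username": "admin", "password": "123456abc"})
    # JSON is valid YAML, so this output can be fed straight to `kubectl apply -f -`
    print(json.dumps(secret, indent=2))
    print(decode_secret(secret))            # plaintext comes straight back
    # Constructed bad manifest: "admin" encoded together with a trailing newline
    bad = dict(secret, data={"username": "YWRtaW4K"})
    print(find_trailing_newlines(bad))      # ['username']
```

Run it and compare the `data` block it prints with the manifest above; the values are identical, and `decode_secret` shows why storing a manifest like this in a Git repository is equivalent to committing the plaintext password.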
2. Create a Pod
2.1 Mount method one: as environment variables
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    env:
    - name: SECRET_USERNAME   # receives data.username from the Secret
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username       # the data.username key in the Secret
    - name: SECRET_PASSWORD   # receives data.password from the Secret
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password       # the data.password key in the Secret
Apply the Pod YAML:
[root@master-146 ~]# kubectl apply -f secret-env.yaml
pod/mypod created
[root@master-146 ~]# kubectl get pod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          25s
Enter the Pod and check the result:
[root@master-146 ~]# kubectl exec -it mypod -- bash
root@mypod:/# echo $SECRET_USERNAME
admin
root@mypod:/# echo $SECRET_PASSWORD
123456abc
2.2 Mount method two: as a data Volume
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
Apply the YAML:
[root@master-146 ~]# kubectl delete -f secret-env.yaml
pod "mypod" deleted
[root@master-146 ~]# kubectl apply -f secret-vol.yaml
pod/mypod created
[root@master-146 ~]# kubectl get Pod mypod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          25s
Check the result (each key is written to its own file; the values carry no trailing newline, which is why the next prompt appears on the same line as the output):
[root@master-146 ~]# kubectl exec -it mypod -- bash
root@mypod:/# cat /etc/foo/username
adminroot@mypod:/# cat /etc/foo/password
123456abcroot@mypod:/#
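Both Pods above read the same Secret, once through `secretKeyRef` environment variables and once through a `secret` volume. The following is an added example, not part of the tutorial: a small audit that walks a Pod manifest and reports every Secret it consumes (via `env[].valueFrom.secretKeyRef`, `envFrom[].secretRef` and `volumes[].secret`), and separately lists the Secrets exposed as environment variables. Environment variables are visible to every process in the container, are inherited by child processes, and are not refreshed when the Secret changes, whereas a volume mount avoids all three, so the second list is what a reviewer usually wants to see. The two manifests are constructed to match the tutorial's Pods; the function names are ours.

```python
# Added example (not from the tutorial): audit a Pod manifest for the Secrets
# it consumes and flag the ones delivered as environment variables.

# Constructed to match the tutorial's env-variable Pod (section 2.1)
POD_ENV = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "mypod"},
    "spec": {"containers": [{
        "name": "nginx", "image": "nginx",
        "env": [
            {"name": "SECRET_USERNAME",
             "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
            {"name": "SECRET_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
        ]}]},
}

# Constructed to match the tutorial's volume Pod (section 2.2)
POD_VOL = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "mypod"},
    "spec": {
        "containers": [{"name": "nginx", "image": "nginx",
                        "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo",
                                          "readOnly": True}]}],
        "volumes": [{"name": "foo", "secret": {"secretName": "mysecret"}}],
    },
}


def secret_refs(pod):
    """Return {secret_name: [where it is used]} for every Secret the Pod reads."""
    refs = {}
    spec = pod.get("spec", {})
    # volume name -> Secret name, for the volumes backed by a Secret
    by_volume = {v["name"]: v["secret"]["secretName"]
                 for v in spec.get("volumes", []) if "secret" in v}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for item in c.get("env", []):
            ref = item.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                refs.setdefault(ref["name"], []).append(
                    f"{c['name']}: env {item['name']} <- key {ref['key']}")
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                refs.setdefault(src["secretRef"]["name"], []).append(
                    f"{c['name']}: envFrom (all keys)")
        for m in c.get("volumeMounts", []):
            if m["name"] in by_volume:
                refs.setdefault(by_volume[m["name"]], []).append(
                    f"{c['name']}: file under {m['mountPath']}")
    return refs


def env_exposed_secrets(pod):
    """Secrets that reach the container as environment variables (env/envFrom)."""
    return sorted(name for name, uses in secret_refs(pod).items()
                  if any(u.split(": ", 1)[1].startswith("env") for u in uses))


if __name__ == "__main__":
    for label, pod in (("env Pod", POD_ENV), ("volume Pod", POD_VOL)):
        print(label, secret_refs(pod), "exposed via env:", env_exposed_secrets(pod))
```

To run it against a live cluster, feed it the output of `kubectl get pod mypod -o json` parsed with `json.load`; the audit only looks at the Pod spec, so it works the same for Deployments' Pod templates.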
II. Introduction to ConfigMap
Purpose of a ConfigMap: store non-encrypted data in etcd and let Pods access it by mounting it as a Volume.
ConfigMap use cases: configuration files.
Example:
1. Quick creation
Create a configuration file and create a ConfigMap from it:
[root@master-146 ~]# cat config.txt
ip=127.0.0.1
port=6379
passwd=123456
[root@master-146 ~]# kubectl create configmap myconfig --from-file=myconfig.txt
configmap/myconfig created
[root@master-146 ~]# kubectl get cm
NAME       DATA   AGE
myconfig   1      17s
View the configuration data stored in the ConfigMap:
[root@master-146 ~]# kubectl describe cm myconfig
Name: myconfig
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
myconfig.txt:
----
ip=127.0.0.1
port=6379
passwd=123456
Events: <none>
The ConfigMap in YAML form:
[root@master-146 ~]# kubectl create configmap myconfig --from-file=myconfig.txt --dry-run=client -o yaml
apiVersion: v1
data:
  myconfig.txt: |
    ip=127.0.0.1
    port=6379
    passwd=123456
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: myconfig
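With `--from-file`, the key is the file's base name and the value is the whole file content, which is exactly what the dry-run output above shows. The following is an added example, not code from the tutorial: it reproduces that mapping for one or more files (optionally with an explicit `KEY=PATH`, as `kubectl` allows) and then audits the resulting ConfigMap for entries that look like credentials. The sample file in the tutorial carries a `passwd=` line, and a ConfigMap is stored and served in clear to anyone allowed to read it, so such values belong in a Secret. The sample file is constructed inline to match the tutorial; the function names and the key-name pattern are ours.

```python
# Added example (not from the tutorial): mimic `kubectl create configmap
# --from-file` and audit the result for credential-looking entries.
import os
import re
import tempfile

# Constructed sample, identical to the tutorial's config file
CONFIG_TEXT = "ip=127.0.0.1\nport=6379\npasswd=123456\n"

# Key names that usually denote a credential (our heuristic, extend as needed)
SECRET_LIKE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key", re.I)


def configmap_from_files(name, sources, namespace="default"):
    """Build a ConfigMap the way --from-file does.

    `sources` holds plain paths (key = base name of the file) or (key, path)
    tuples (the --from-file=KEY=PATH form). The value is the whole file."""
    data = {}
    for src in sources:
        key, path = src if isinstance(src, tuple) else (os.path.basename(src), src)
        with open(path, encoding="utf-8") as fh:
            data[key] = fh.read()
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": name, "namespace": namespace}, "data": data}


def secret_like_entries(cm):
    """Report ConfigMap entries whose key, or a KEY=VALUE line inside a file
    value, looks like a credential. Returns 'key' or 'file-key: line-key'."""
    hits = []
    for key, value in cm.get("data", {}).items():
        if SECRET_LIKE.search(key):
            hits.append(key)
        for line in value.splitlines():
            k, sep, _ = line.partition("=")
            if sep and SECRET_LIKE.search(k.strip()):
                hits.append(f"{key}: {k.strip()}")
    return hits


def demo():
    """Write the sample file to a temp dir, build the ConfigMap, audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "myconfig.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(CONFIG_TEXT)
        cm = configmap_from_files("myconfig", [path])
    return cm, secret_like_entries(cm)


if __name__ == "__main__":
    cm, hits = demo()
    print(cm["data"])      # {'myconfig.txt': 'ip=127.0.0.1\nport=6379\npasswd=123456\n'}
    print(hits)            # ['myconfig.txt: passwd']
```

The audit is a heuristic on key names; it will not catch a password stored under a neutral key, but it catches the common case of a whole config file copied into a ConfigMap with its credentials still inside.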
2. Mounting into a Pod as environment variables
Create a ConfigMap:
[root@master-146 ~]# cat cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
  namespace: default
data:
  special.level: info
  special.type: hello
Create the ConfigMap:
[root@master-146 ~]# kubectl apply -f cm.yaml
configmap/myconfig created
[root@master-146 ~]# kubectl get cm
NAME       DATA   AGE
myconfig   2      4s
Create a Pod that reads the ConfigMap keys into environment variables:
[root@master-146 ~]# cat cm-env.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["/bin/sh", "-c", "echo $(LEVEL) $(TYPE)"]
    env:
    - name: LEVEL
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.level
    - name: TYPE
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.type
  restartPolicy: Never
Run the Pod:
[root@master-146 ~]# kubectl apply -f cm-env.yaml
pod/mypod created
[root@master-146 ~]# kubectl get pod mypod
NAME    READY   STATUS      RESTARTS   AGE
mypod   0/1     Completed   0          114s
Result:
[root@master-146 ~]# kubectl logs mypod
info hello
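The `$(LEVEL) $(TYPE)` in the `command` above is not shell expansion: Kubernetes substitutes these references itself, from the container's `env`, before the process starts. The following is an added example, not code from the tutorial: it resolves a container's `env` entries from constructed ConfigMap and Secret objects (`configMapKeyRef` and `secretKeyRef`, as the tutorial uses) and then applies the expansion rules kubelet uses for `command` and `args`: a defined `$(VAR)` is replaced, an undefined one is left literally as written, and `$$` escapes to a single `$`. A missing, non-optional key makes the real kubelet refuse to start the container; here it raises `KeyError`. The objects are constructed to match the tutorial; the function names are ours.

```python
# Added example (not from the tutorial): resolve env entries from ConfigMap and
# Secret objects, then expand $(VAR) references in command/args as kubelet does.
import base64
import re

# Constructed to match the tutorial's cm.yaml
CM = {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "myconfig"},
      "data": {"special.level": "info", "special.type": "hello"}}

# Constructed to match the tutorial's cm-env.yaml
POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "mypod"},
       "spec": {"restartPolicy": "Never", "containers": [{
           "name": "busybox", "image": "busybox",
           "command": ["/bin/sh", "-c", "echo $(LEVEL) $(TYPE)"],
           "env": [
               {"name": "LEVEL", "valueFrom": {"configMapKeyRef": {"name": "myconfig", "key": "special.level"}}},
               {"name": "TYPE", "valueFrom": {"configMapKeyRef": {"name": "myconfig", "key": "special.type"}}},
           ]}]}}

# Either the "$$" escape or a "$(NAME)" reference
_REF = re.compile(r"\$\$|\$\(([^)]*)\)")


def expand(text, env):
    """Expand $(VAR) references in one command/args element."""
    def repl(match):
        if match.group(0) == "$$":
            return "$"                                   # "$$" -> literal "$"
        return env.get(match.group(1), match.group(0))   # unknown VAR stays as written
    return _REF.sub(repl, text)


def resolve_env(container, configmaps, secrets):
    """Build the container environment from `value`, configMapKeyRef and
    secretKeyRef entries. Secret data is base64 and is decoded here; a missing
    key is an error unless the reference is marked optional."""
    env = {}
    for item in container.get("env", []):
        if "value" in item:
            env[item["name"]] = item["value"]
            continue
        src = item.get("valueFrom", {})
        if "configMapKeyRef" in src:
            ref, store, decode = src["configMapKeyRef"], configmaps, lambda v: v
        elif "secretKeyRef" in src:
            ref, store, decode = src["secretKeyRef"], secrets, lambda v: base64.b64decode(v).decode()
        else:
            continue   # fieldRef / resourceFieldRef are out of scope here
        data = store.get(ref["name"], {}).get("data", {})
        if ref["key"] not in data:
            if ref.get("optional"):
                continue
            raise KeyError(f"{item['name']}: key {ref['key']!r} not found in {ref['name']}")
        env[item["name"]] = decode(data[ref["key"]])
    return env


def render_command(pod, configmaps, secrets=None):
    """Return {container: command + args} after env resolution and expansion."""
    out = {}
    for c in pod["spec"]["containers"]:
        env = resolve_env(c, configmaps, secrets or {})
        out[c["name"]] = [expand(part, env) for part in c.get("command", []) + c.get("args", [])]
    return out


if __name__ == "__main__":
    print(render_command(POD, {"myconfig": CM}))   # {'busybox': ['/bin/sh', '-c', 'echo info hello']}
    print(expand("$$(LEVEL) $(MISSING) $(LEVEL)", {"LEVEL": "info"}))   # $(LEVEL) $(MISSING) info
```

Because the references are resolved before `/bin/sh` runs, the container sees `echo info hello` as its command line, which is why `kubectl logs mypod` prints `info hello`. The same mechanism applies to `args`, and to `env` values that reference variables defined earlier in the list.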
3. Mounting into a Pod as a Volume
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["/bin/sh", "-c", "cat /etc/config/myconfig.txt"]
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: myconfig
  restartPolicy: Never
Apply the YAML to create the Pod with the configuration file mounted into it:
[root@master-146 ~]# kubectl apply -f cm-vol.yaml
pod/mypod created
[root@master-146 ~]# kubectl get pods mypod
NAME    READY   STATUS      RESTARTS   AGE
mypod   0/1     Completed   0          49s
Pod output:
[root@master-146 ~]# kubectl logs mypod
ip=127.0.0.1
port=6379
passwd=123456