1. Preparing the example
The storage-volume examples use MariaDB. Pull the following image on every node first:

```shell
docker pull mariadb:10.5.2
```
Write the manifest that deploys MariaDB:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mariadb-demo
  labels:
    app: mariadb-demo
spec:
  replicas: 1
  template:
    metadata:
      name: mariadb-demo
      labels:
        app: mariadb-demo
    spec:
      containers:
      - name: mariadb-demo
        image: mariadb:10.5.2
        imagePullPolicy: IfNotPresent
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: root          # password of the MySQL root account (plaintext in the spec; section 2 moves it into a Secret)
        - name: TZ
          value: Asia/Shanghai
        args:
        - "--character-set-server=utf8mb4"
        - "--collation-server=utf8mb4_unicode_ci"
        ports:
        - containerPort: 3306
      restartPolicy: Always
  selector:
    matchLabels:
      app: mariadb-demo
---
apiVersion: v1
kind: Service
metadata:
  name: mariadb-svc
spec:
  selector:
    app: mariadb-demo
  ports:
  - port: 3306
    targetPort: 3306
    nodePort: 30036    # must lie in the API server's NodePort range (30000-32767 by default); the value 13306 used originally is rejected, and the service output below shows 30036
  type: NodePort
```
Deploy and run:

```
[root@k8s-master01 mariadb]# kubectl apply -f mariadb-demo.yml
deployment.apps/mariadb-demo created
service/mariadb-svc created
# check the pod
[root@k8s-master01 mariadb]# kubectl get pod -o wide
NAME                            READY   STATUS    RESTARTS   AGE   IP             NODE         NOMINATED NODE   READINESS GATES
mariadb-demo-68f748c9cc-6k6mh   1/1     Running   0          14s   10.81.85.243   k8s-node01   <none>           <none>
# check the service
[root@k8s-master01 mariadb]# kubectl get service
NAME          TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)          AGE
kubernetes    ClusterIP   10.1.0.1      <none>        443/TCP          6d10h
mariadb-svc   NodePort    10.1.163.25   <none>        3306:30036/TCP   8m57s
```
Verify the result with a database client, connecting to any node's IP on port 30036 as root:
2. Secret
A Secret holds sensitive data such as passwords, tokens and keys so that they do not have to be baked into an image or written into the Pod spec. A Secret can be consumed as a volume or as environment variables. (In the example above the MariaDB root password is written directly into the spec, which is exactly what a Secret is meant to avoid: anyone who can read the Deployment can read the password.)
The types of Secret used most often (Kubernetes defines others as well, such as kubernetes.io/tls and kubernetes.io/basic-auth):
- Service Account (type kubernetes.io/service-account-token): used to access the Kubernetes API. Kubernetes creates it automatically and mounts it into the Pod at /run/secrets/kubernetes.io/serviceaccount (the canonical path is /var/run/secrets/kubernetes.io/serviceaccount; /var/run is normally a symlink to /run). The token is a bearer credential for the API server, so a Pod that does not need the API should set automountServiceAccountToken: false.
- Opaque: arbitrary user-defined data such as passwords and keys. The values under data are base64-encoded; base64 is an encoding, not encryption.
- kubernetes.io/dockerconfigjson: credentials for a private Docker registry, referenced from a Pod through imagePullSecrets.
2.1 Service Account
```
# list the system pods
[root@k8s-master01 mariadb]# kubectl get pods -n kube-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-6b94766748-95bch   1/1     Running   6          6d10h
calico-node-mt6ch                          1/1     Running   6          6d10h
calico-node-wxthh                          1/1     Running   1          6d10h
calico-node-zf9sl                          1/1     Running   6          6d10h
coredns-6955765f44-77tcj                   1/1     Running   6          6d10h
coredns-6955765f44-kf6jf                   1/1     Running   6          6d10h
etcd-k8s-master01                          1/1     Running   6          6d10h
kube-apiserver-k8s-master01                1/1     Running   8          6d10h
kube-controller-manager-k8s-master01       1/1     Running   53         6d10h
kube-proxy-7kcln                           1/1     Running   6          6d10h
kube-proxy-gjlsk                           1/1     Running   1          6d10h
kube-proxy-hftxh                           1/1     Running   6          6d10h
kube-scheduler-k8s-master01                1/1     Running   50         6d10h
# pick any pod, exec into it and look at the mounted service account
[root@k8s-master01 mariadb]# kubectl exec -it kube-proxy-7kcln -n kube-system sh
# cd /run/secrets/kubernetes.io/serviceaccount
# ls
ca.crt  namespace  token
# cat ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
# exit
```
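The `token` file next to `ca.crt` is a JSON Web Token. Its payload is only base64url-encoded, so anyone who can read the file can see which service account it grants; only the signature needs the cluster's key. The following script is an added example, not code from the original post: it decodes a JWT payload with nothing but `base64`, `tr`, `cut` and `sed`, so it can be run inside a minimal container image. The sample token at the bottom is constructed here (its claims mirror the legacy service-account token layout; the header, the `kid` value and the signature are placeholders), so the script runs offline; against a real pod you would pass the contents of `/run/secrets/kubernetes.io/serviceaccount/token` instead.

```shell
#!/bin/sh
# Decode the payload of a mounted service account token (JWT) offline.
# A JWT is header.payload.signature, each segment base64url without padding.

# base64url -> bytes. JWTs strip the '=' padding and GNU base64 -d rejects
# unpadded input, so the padding is restored first.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# bytes -> base64url; used only to build the constructed sample token below.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# Print the decoded payload (second segment) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract one string-valued claim from the payload without jq.
# Usage: jwt_claim "$token" sub
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Constructed sample (assumption: a kube-proxy token in kube-system). The
# signature is a placeholder, so no API server would accept this token.
SAMPLE_HEADER='{"alg":"RS256","kid":"demo"}'
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"kube-proxy","sub":"system:serviceaccount:kube-system:kube-proxy"}'
SAMPLE_TOKEN="$(b64url_encode "$SAMPLE_HEADER").$(b64url_encode "$SAMPLE_PAYLOAD").placeholder-signature"

# Inside a pod the same call reads the mounted file:
#   jwt_claim "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" sub
if [ "${1:-}" = "demo" ]; then
  jwt_payload "$SAMPLE_TOKEN"; echo
  jwt_claim "$SAMPLE_TOKEN" sub
fi
```

Run it as `sh decode-sa-token.sh demo` to print the sample payload and its `sub` claim. The `sub` value is the identity the API server will authorize with, so comparing it against the RBAC bindings in the namespace tells you immediately what a compromised pod could do with the mounted token.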
2.2 Opaque
base64 encoding and decoding (note the -n: without it, echo appends a newline and the encoded value contains "root\n"):

```
[root@k8s-master01 mariadb]# echo -n "root" | base64
cm9vdA==
[root@k8s-master01 mariadb]# echo -n "cm9vdA==" | base64 -d
root
```
The following shows how an Opaque Secret supplies the MariaDB root password. The values under data must be base64-encoded. This is an encoding, not encryption: anyone allowed to get the Secret object (kubectl get secret secret-demo -o yaml) or to read etcd recovers the password with base64 -d. Restrict get/list on secrets with RBAC and enable encryption at rest on the API server if the cluster holds real credentials.
Secret manifest:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-demo
type: Opaque
data:
  # key-value pairs; the key name is arbitrary, the value is base64-encoded
  password: cm9vdA==
```
MariaDB deployment manifest:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mariadb-secret
  labels:
    app: mariadb-secret
spec:
  replicas: 1
  template:
    metadata:
      name: mariadb-secret
      labels:
        app: mariadb-secret
    spec:
      containers:
      - name: mariadb-secret
        image: mariadb:10.5.2
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3306
        env:
        - name: MYSQL_ROOT_PASSWORD      # password of the MySQL root account
          valueFrom:
            secretKeyRef:
              key: password              # data.<key> in the Secret; any name works
              name: secret-demo          # name of the Secret
        - name: TZ
          value: Asia/Shanghai
        args:
        - "--character-set-server=utf8mb4"
        - "--collation-server=utf8mb4_unicode_ci"
      restartPolicy: Always
  selector:
    matchLabels:
      app: mariadb-secret
---
apiVersion: v1
kind: Service
metadata:
  name: mariadb-secret-svc
spec:
  selector:
    app: mariadb-secret
  ports:
  - port: 3306
    targetPort: 3306
    nodePort: 30036    # same NodePort as mariadb-svc from section 1: delete that Service first or choose another port, otherwise the apply fails with "provided port is already allocated"
  type: NodePort
```
The key part is:

```yaml
- name: MYSQL_ROOT_PASSWORD      # password of the MySQL root account
  valueFrom:
    secretKeyRef:
      key: password              # data.<key> in the Secret; any name works
      name: secret-demo          # name of the Secret
```

key is the key defined under data in the Secret, and name is the Secret's metadata.name. The Secret must exist in the same namespace as the Pod; if it is missing, or the key is not present, the container does not start and the Pod stays in CreateContainerConfigError.
Deploy:

```
# deploy; kubectl apply -f . applies every manifest in the current directory
[root@k8s-master01 secrets]# kubectl apply -f .
secret/secret-demo created
```
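The base64 step above and the Secret manifest are easy to get subtly wrong (a stray newline in the encoded value, or a manifest that decodes to something other than what was typed). The script below is an added example, not code from the original post: it builds an Opaque Secret manifest from key=value arguments, decodes a key back out of such a manifest, and so lets the round-trip be checked before kubectl apply. The function names (b64_value, secret_manifest, secret_value) and the demo invocation are this example's own; the name secret-demo and the password "root" are the ones used on this page.

```shell
#!/bin/sh
# Generate and verify an Opaque Secret manifest without a cluster.

# Encode one value for the data: field. printf '%s' adds no trailing newline;
# `echo "root" | base64` would encode "root\n" and the database would end up
# with a password that has a newline in it. The tr keeps long values on one
# line, since base64 wraps at 76 characters.
b64_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Print a complete Opaque Secret manifest.
# Usage: secret_manifest <name> key=value [key=value ...]
secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}       # text before the first '='
    value=${kv#*=}      # everything after it, so values may contain '='
    printf '  %s: %s\n' "$key" "$(b64_value "$value")"
  done
}

# Decode one key from a manifest read on stdin. The same works on the output
# of `kubectl get secret <name> -o yaml`, which is how anyone with read
# access to the Secret recovers the plaintext.
# Usage: secret_manifest ... | secret_value password
secret_value() {
  sed -n "s|^  $1: ||p" | base64 -d
}

# Constructed demo input matching the page's secret-demo.
if [ "${1:-}" = "demo" ]; then
  secret_manifest secret-demo password=root
  printf 'decoded password: '
  secret_manifest secret-demo password=root | secret_value password; echo
fi
```

`sh make-secret.sh demo > secret-demo.yml` writes the manifest shown in the page; `secret_value` on the same file proves it decodes to exactly `root`. Two alternatives avoid hand-encoding entirely: `kubectl create secret generic secret-demo --from-literal=password=root` builds the same object, and a manifest may use `stringData:` with plaintext values, which the API server encodes on write. Neither changes the security property: the stored value is still reversible by anyone who can read the Secret.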