ConfigMap
1. ConfigMap configuration management
A ConfigMap stores configuration data as key/value pairs.
The ConfigMap resource is the mechanism for injecting configuration data into a Pod.
Its purpose is to decouple the image from its configuration files, so that images stay portable and reusable.
Typical uses: populating environment variable values, setting command-line arguments for a container, and supplying configuration files through a volume.
A ConfigMap is stored in plain text and is readable by anyone with get/list permission on ConfigMaps in the namespace; anything confidential (passwords, tokens, registry credentials) belongs in a Secret (section 3), not in a ConfigMap.
Create a working directory for the configmap files
mkdir configmap
cd configmap/
1.1 Create from literal values
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
kubectl describe cm my-config
1.2 Create from a file
The key becomes the file's base name (resolv.conf) and the value is the file's content.
kubectl create configmap my-config-2 --from-file=/etc/resolv.conf
kubectl get cm
kubectl describe cm my-config-2
1.3 Create from a directory
Every regular file in the directory becomes one key, named after the file. /etc/passwd and /etc/fstab are used here only to show the mechanism; remember that whatever is copied in this way is readable by every user who can read ConfigMaps in the namespace.
mkdir test
cp /etc/passwd test/
cp /etc/fstab test/
ls test/
kubectl create configmap my-config-3 --from-file=test
kubectl get cm
kubectl describe cm my-config-3
1.4 Write a ConfigMap manifest
[root@server2 configmap]# vim cm1.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm1-config
data:
  db_host: "172.25.14.250"
  db_port: "3306"        # data values must be strings, so the port is quoted
[root@server2 configmap]# kubectl apply -f cm1.yaml          ## apply the manifest
[root@server2 configmap]# kubectl describe cm cm1-config     ## show its details
2. Using a ConfigMap
Setting environment variables from a ConfigMap
Edit the Pod manifest. The environment variable name (key1, key2) does not have to match the ConfigMap key (db_host, db_port); configMapKeyRef maps one to the other.
[root@server2 configmap]# vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - name: pod1
    image: busyboxplus
    command: ["/bin/sh", "-c", "env"]
    env:
      - name: key1                # variable name inside the container
        valueFrom:
          configMapKeyRef:
            name: cm1-config      # which ConfigMap
            key: db_host          # which key in it
      - name: key2
        valueFrom:
          configMapKeyRef:
            name: cm1-config
            key: db_port
  restartPolicy: Never
Bring the Pod up and check it
[root@server2 configmap]# kubectl apply -f pod.yaml
[root@server2 configmap]# kubectl get pod
The container runs env and exits, so the Pod reaches Completed; the result is in the Pod log, where key1 and key2 carry the values from cm1-config
kubectl logs pod1
Write pod2.yaml
Bring it up and check
vim pod3.yaml
Bring it up and check
All of the values shown above come from cm1-config
kubectl describe cm cm1-config
Using a ConfigMap as a mounted configuration file
Update the nginx configuration file, changing the listen port to 8080
vim nginx.conf
Create the cm from the file; the key is the file name, nginx.conf
kubectl create configmap nginxconf --from-file=nginx.conf
kubectl get cm
kubectl describe cm nginxconf
Write a manifest that mounts the ConfigMap over the nginx configuration directory
vim nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        volumeMounts:
        - name: config-volume
          mountPath: /etc/nginx/conf.d   # whole directory is replaced: default.conf is gone, key nginx.conf becomes conf.d/nginx.conf
      volumes:
      - name: config-volume
        configMap:
          name: nginxconf
Apply it and check which port the container listens on
Access port 8080 on the Pod IP
curl 10.244.22.12:8080
Change the port in nginx.conf to 8000 by editing the ConfigMap in place
kubectl edit cm nginxconf
curl 10.244.22.12:8000 is now refused. The kubelet does propagate the changed key into the mounted volume (after its sync period, and only for whole-volume mounts, not subPath mounts), but nginx reads its configuration only at startup, so the running Pod still listens on 8080.
Forcing a new rollout replaces the Pod and therefore changes its IP: patching an annotation into the Pod template alters the template, so the Deployment creates a new ReplicaSet and a new Pod that starts with the current file
kubectl patch deployments.apps my-nginx --patch '{"spec": {"template": {"metadata": {"annotations": {"version/config": "20200219"}}}}}'
Access port 8000 on the new IP and nginx answers. Because the Pod IP changes on every rollout, clients should reach nginx through a Service rather than the Pod IP.
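The manual annotation patch above works, but its value has to be changed by hand every time. The following script is an added example, not part of the original notes, that automates the same idea: the annotation value is the SHA-256 of the configuration file, so the Deployment rolls exactly when the file content changes and stays put when it does not. It assumes GNU coreutils (sha256sum, cut), a kubectl that can reach the cluster (the KUBECTL variable is this script's own convention and defaults to kubectl), and the names my-nginx, nginxconf and nginx.conf used above; the annotation key checksum/config is a naming choice of this example, the notes used version/config.

```shell
#!/bin/sh
# Added example: roll a Deployment when the mounted ConfigMap content changes.
# Assumes GNU coreutils and a reachable kubectl; KUBECTL may point at another
# binary (the tests below point it at "echo").
set -eu

# SHA-256 of the config file; this becomes the annotation value.
config_checksum() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Strategic-merge patch that rewrites the Pod template. A changed template is
# what makes the Deployment controller create a new ReplicaSet and replace the
# Pods, so nginx starts again with the new file instead of the stale one.
checksum_patch() {
    printf '{"spec":{"template":{"metadata":{"annotations":{"checksum/config":"%s"}}}}}\n' \
        "$(config_checksum "$1")"
}

# Update the ConfigMap from the file and trigger the rollout in one step.
# Usage: apply_config_and_roll <deployment> <configmap> <file>
apply_config_and_roll() {
    deploy="$1"; cm="$2"; file="$3"
    k="${KUBECTL:-kubectl}"
    # --dry-run=client renders the manifest and apply makes the update idempotent;
    # plain "kubectl create configmap" fails once the ConfigMap exists.
    "$k" create configmap "$cm" --from-file="$file" --dry-run=client -o yaml \
        | "$k" apply -f -
    # Same content -> same checksum -> no template change -> no rollout.
    "$k" patch deployment "$deploy" --patch "$(checksum_patch "$file")"
}

# Run as: sh roll.sh roll   (after editing nginx.conf in the current directory)
case "${1:-}" in
    roll) apply_config_and_roll my-nginx nginxconf nginx.conf ;;
esac
```

The patch is idempotent: re-running it with an unchanged file leaves the template identical, and the Deployment does not roll, which is the property the hand-edited version/config value lacks.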
3. Secret
3.1 Create a Secret from files
Create the credential files. echo -n matters: without it the trailing newline becomes part of the stored password.
[root@server2 configmap]# echo -n 'admin' > ./username.txt
[root@server2 configmap]# echo -n 'westos' > ./password.txt
Create the Secret from the files (each key is the file name)
[root@server2 configmap]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret/db-user-pass created
[root@server2 configmap]# kubectl describe secrets db-user-pass
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>
Type:  Opaque
Data
====
password.txt:  6 bytes
username.txt:  5 bytes
View the stored values: describe shows only sizes, but kubectl get secret db-user-pass -o yaml prints the data fields. They are base64-encoded, and base64 is an encoding, not encryption: anyone who can read the Secret object (RBAC get/list on secrets, or direct access to etcd) recovers the plaintext with a single command. A Secret is protected by RBAC, etcd access control and encryption at rest, not by the encoding.
echo d2VzdG9z | base64 -d
Write a Secret object. The data values are base64(admin) and base64(westos); the stringData field is the alternative that accepts plaintext and lets the API server encode it.
[root@server2 configmap]# vim secret.yaml
[root@server2 configmap]# cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: d2VzdG9z
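To make the encoding step of 3.1 explicit, here is an added shell example (not from the original notes) that renders an Opaque Secret manifest, reproduces the echo -n pitfall, and decodes a value back out of a manifest the way anyone with read access to the object would. It assumes GNU coreutils base64; the function names are this example's own, and the name mysecret and the values admin/westos are the ones used above.

```shell
#!/bin/sh
# Added example: Opaque Secret encoding from the shell. Assumes GNU coreutils.
set -eu

# base64 with line wrapping removed; a manifest needs the value on one line.
# printf '%s' never appends a newline, which is what "echo" without -n does.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Reverse of b64: this is the whole "attack" on a readable Secret.
b64_decode() { printf '%s' "$1" | base64 -d; }

# Render an Opaque Secret manifest. Usage: opaque_secret <name> key=value ...
opaque_secret() {
    name="$1"; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for kv in "$@"; do
        key="${kv%%=*}"       # text before the first '='
        val="${kv#*=}"        # everything after it (may itself contain '=')
        printf '  %s: %s\n' "$key" "$(b64 "$val")"
    done
}

# What the password would have become had the notes used "echo westos" instead
# of "echo -n westos": the trailing newline is encoded too (the "Cg==" suffix).
newline_pitfall() {
    printf 'westos\n' | base64 | tr -d '\n'
}

# Extract and decode one key from a Secret manifest, e.g. the output of
# "kubectl get secret mysecret -o yaml". Usage: secret_value <file> <key>
secret_value() {
    awk -v k="$2:" '$1 == k && NF == 2 { print $2; exit }' "$1" | base64 -d
}

case "${1:-}" in
    render) opaque_secret mysecret username=admin password=westos ;;
esac
```

Running `sh secret.sh render` prints exactly the manifest shown above. Committing such a manifest to a repository stores the credentials in plaintext-equivalent form, so manifests with data or stringData belong in a sealed or externally managed secret store, not in git.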
3.2 Mount the Secret as a Volume
Each key in the Secret becomes a file under the mount path; readOnly keeps the container from modifying it.
[root@server2 configmap]# vim 1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
[root@server2 configmap]# kubectl apply -f 1.yaml
pod/mysecret created
[root@server2 configmap]# kubectl exec mysecret -- ls /secret
password
username
[root@server2 configmap]# kubectl exec mysecret -- cat /secret/username
admin
[root@server2 configmap]# kubectl exec mysecret -- cat /secret/password
westos
[root@server2 configmap]# kubectl delete pod mysecret
Map a Secret key to a specific path. When items is given, only the listed keys are projected, each at the path specified: here username appears as my-group/my-username and password is not mounted at all.
[root@server2 configmap]# vim pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username
[root@server2 configmap]# kubectl apply -f pod1.yaml
pod/mysecret created
[root@server2 configmap]# kubectl get pod
NAME                               READY   STATUS    RESTARTS   AGE
my-nginx-6b67dc79c9-cv6l9          1/1     Running   0          13m
mysecret                           1/1     Running   0          7s
nginx-deployment-c5fbbb494-8hm2q   1/1     Running   0          12m
nginx-deployment-c5fbbb494-t5pmr   1/1     Running   0          12m
nginx-deployment-c5fbbb494-v22q8   1/1     Running   0          12m
[root@server2 configmap]# kubectl exec mysecret -- ls /secret
my-group
[root@server2 configmap]# kubectl exec mysecret -- cat /secret/my-group/my-username
admin[root@server2 configmap]#     ## no trailing newline: the value was written with echo -n
3.3 Expose a Secret as environment variables
[root@server2 configmap]# vim pod2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env
spec:
  containers:
  - name: nginx
    image: nginx
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
[root@server2 configmap]# kubectl apply -f pod2.yaml
pod/secret-env created
[root@server2 configmap]# kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
secret-env   1/1     Running   0          32s
[root@server2 configmap]# kubectl exec secret-env -- env
SECRET_USERNAME and SECRET_PASSWORD appear in plain text in the output. Environment variables are inherited by every child process, tend to surface in crash dumps and debug output, and are visible to anyone allowed to exec into the Pod; for credentials, the volume mount of 3.2 is the safer choice.
3.4 kubernetes.io/dockerconfigjson
A Secret of type kubernetes.io/dockerconfigjson stores Docker registry credentials and lets the kubelet pull images from a private registry.
Pull an image from a private registry. Note that the password passed on the command line ends up in the shell history; on a shared host, prefer --from-file or a manifest.
[root@server2 configmap]# kubectl create secret docker-registry myregistrykey --docker-server=reg.westos.org --docker-username=admin --docker-password=westos --docker-email=gy@gy.org
secret/myregistrykey created
[root@server2 configmap]# vim mypod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: game2048
    image: reg.westos.org/westos/game2048
  imagePullSecrets:
  - name: myregistrykey
[root@server2 configmap]# kubectl apply -f mypod.yaml
[root@server2 configmap]# kubectl get pod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          25s
[root@server2 configmap]# kubectl describe pod mypod
The Events section of the Pod description shows that the image was pulled successfully
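What kubectl create secret docker-registry actually stores is a single key, .dockerconfigjson, whose value is the base64 of a JSON document in the same layout as ~/.docker/config.json. The following added example (not from the original notes) builds that document and the full Secret manifest by hand, and recovers the password from the auth field the way anyone with read access to the namespace could. It assumes GNU coreutils base64 and that the field values contain no double quotes or backslashes (no JSON escaping is done); the registry reg.westos.org, user admin, password westos and email gy@gy.org are the ones used above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: the kubernetes.io/dockerconfigjson Secret, built by hand.
# Assumes GNU coreutils; values must not contain '"' or '\' (no JSON escaping).
set -eu

b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# The "auth" field is nothing more than base64("user:password").
registry_auth() { b64 "$1:$2"; }

# The .dockerconfigjson document. Usage: dockerconfigjson <server> <user> <password> <email>
dockerconfigjson() {
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
        "$1" "$2" "$3" "$4" "$(registry_auth "$2" "$3")"
}

# Full manifest, equivalent to the imperative kubectl command in the notes.
# Usage: registry_secret <name> <server> <user> <password> <email>
registry_secret() {
    name="$1"; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
        "$name" "$(b64 "$(dockerconfigjson "$@")")"
}

# Recover the registry password from an auth field: the credential is stored
# in full, so "get secrets" in the namespace is equivalent to holding it.
auth_password() { printf '%s' "$1" | base64 -d | cut -d : -f 2-; }

case "${1:-}" in
    render) registry_secret myregistrykey reg.westos.org admin westos gy@gy.org ;;
esac
```

Because the Secret holds the full registry password rather than a scoped token, use a registry account whose only permission is pull, and grant get/list on Secrets in the namespace only to principals that genuinely need it.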