kubernetes系列12—二個特色的儲存卷configmap和secret

alonghub發表於2019-02-26

本文收錄在容器技術學習系列文章總目錄

1、configmap

1.1 認識configmap

  ConfigMap用於儲存配置資料的鍵值對,可以用來儲存單個屬性,也可以用來儲存配置檔案。ConfigMapsecret很類似,但它可以更方便地處理不包含敏感資訊的字串。

 

1.2 建立configmap

1.2.1 通過命令列

建立一個名為nginx-configconfigmap,指定埠和server name

[root@master ~]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.along.com
configmap/nginx-config created
[root@master ~]# kubectl get cm
NAME           DATA      AGE
nginx-config   2         11s
[root@master ~]# kubectl describe cm nginx-config
Name:         nginx-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
nginx_port:
----
80
server_name:
----
myapp.along.com
Events:  <none>

  

1.2.2 通過檔案

1)準備檔案

[root@master ~]# mkdir configmap
[root@master ~]# cd configmap
[root@master configmap]# vim www.conf
server {
        server_name myapp.along.com;
        listen 80;
        root /data/web/html/;
}

  

2)建立查詢認證

[root@master configmap]# kubectl create configmap nginx-www --from-file=./www.conf
configmap/nginx-www created
[root@master configmap]# kubectl get cm
NAME           DATA      AGE
nginx-config   2         3m
nginx-www      1         5s
[root@master configmap]# kubectl describe cm nginx-www
Name:         nginx-www
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
www.conf:
----
server {
  server_name myapp.along.com;
  listen 80;
  root /data/web/html/;
}

Events:  <none>

  

1.3 建立pod使用configmap

1.3.1 pod通過環境變數使用configmap

通過使用環境變數傳入podconfigmap,不能實時更新

1)編寫configmapyaml檔案

[root@master configmap]# vim pod-configmap.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    along.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: nginx_port
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name

  

2)建立pod,查詢認證

[root@master configmap]# kubectl apply -f pod-configmap.yaml
pod/pod-cm-1 created
[root@master configmap]# kubectl get pods
NAME                            READY     STATUS    RESTARTS   AGE
pod-cm-1                        1/1       Running   0          41s
---查詢pod內部變數
[root@master configmap]# kubectl exec -it pod-cm-1 -- printenv |grep NGINX_SERVER
NGINX_SERVER_PORT=80
NGINX_SERVER_NAME=myapp.along.com

  

3)通過環境變數匯入configmap,修改configmap後,pod中內容不會更改

使用edit修改configmap,把nginx_port 80改為8080

[root@master configmap]# kubectl edit cm nginx-config
... ...
  nginx_port: "8080"     #把80改為8080
... ...
configmap/nginx-config edited

查詢,configmap被修改,但是pod中變數並未修改

因為configmap只是在容器啟動時載入生效;現在pod已經建立,再修改,不會生效

------cm已經修改------
[root@master configmap]# kubectl describe cm nginx-config   
Data
====
nginx_port:
----
8080
server_name:
----
myapp.along.com
Events:  <none>
------但是pod實際沒有改變------
[root@master configmap]# kubectl exec -it pod-cm-1 -- printenv |grep NGINX_SERVER   
NGINX_SERVER_PORT=80
NGINX_SERVER_NAME=myapp.along.com

  

1.3.2 pod通過儲存卷使用configmap

通過使用儲存卷傳入podconfigmap,可以實時更新

1)編寫configmapyaml檔案,並建立configmap

建立一個volume,使用上邊建立好的名為nginx-configconfigmap

[root@master configmap]# vim pod-configmap-2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    along.com/created-by: "cluster admin"
spec:
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-config
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/config.d/
      readOnly: true
[root@master configmap]# kubectl apply -f pod-configmap-2.yaml
pod/pod-cm-2 created

  

2)登入pod中,查詢驗證

[root@master configmap]# kubectl get pods
NAME       READY     STATUS    RESTARTS   AGE
pod-cm-2   1/1       Running   0          7s
[root@master ~]# kubectl exec -it pod-cm-2 -- /bin/sh
/ # cd /etc/nginx/config.d/
/etc/nginx/config.d # ls
nginx_port   server_name
/etc/nginx/config.d # cat nginx_port
80
/etc/nginx/config.d # cat server_name 
myapp.along.com

  

3)通過環境變數匯入configmap,修改configmap後,pod中內容會更改

使用edit修改configmap,把nginx_port 80改為8080

[root@master ~]# kubectl edit cm nginx-config
apiVersion: v1
data:
  nginx_port: "8080" 
  server_name: myapp.along.com
... ...
configmap/nginx-config edited

再登入pod檢視,發現已經改變

[root@master ~]# kubectl exec -it pod-cm-2 -- /bin/sh
/ # cat /etc/nginx/config.d/nginx_port 
8080/

  

1.4 一個完整的configmap的應用例項

1.4.1 編寫建立podyaml檔案,使用nginx-wwwconfigmap

[root@master configmap]# vim pod-configmap-3.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-3
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    along.com/created-by: "cluster admin"
spec:
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-www
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/conf.d/
      readOnly: true

  

1.4.2 建立pod

[root@master configmap]# kubectl apply -f pod-configmap-3.yaml
pod/pod-cm-3 created
[root@master configmap]# kubectl get pods
NAME       READY     STATUS    RESTARTS   AGE
pod-cm-3   1/1       Running   0          24s

  

1.4.3 登入pod,查詢配置是否成功

[root@master configmap]# kubectl exec -it pod-cm-3 -- /bin/sh
/ # cat /etc/nginx/conf.d/www.conf 
server {
    	server_name myapp.along.com;
    	listen 80;
    	root /data/web/html/;
}
/ # nginx -T |tail -7      #-T查詢nginx的配置資訊
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/conf.d/www.conf:
server {
	server_name myapp.along.com;
	listen 80;
	root /data/web/html/;
}
---生成nginx的主頁內容
/ # mkdir -p /data/web/html
/ # vi /data/web/html/index.html
<h1>Nginx Server configured by CM</h1>

  

1.4.4 在其他節點訪問,驗證是否成功

1)在master上新開一個視窗,查詢pod對應的IP

[root@master ~]# kubectl get pods -o wide
NAME                            READY     STATUS    RESTARTS   AGE       IP            NODE
pod-cm-3                        1/1       Running   0          7m        10.244.1.124  node2

  

2)在任意節點上配置host,使其能連通此pod

[root@node1 ~]# vim /etc/hosts
10.244.1.124 myapp.along.com

  

3)訪問pod,成功

[root@node1 ~]# curl myapp.along.com    
<h1>Nginx Server configured by CM</h1>	

  

1.4.5 通過修改configmap,修改podnginx服務的埠

1)修改configmap的配置,將nginx的埠由80改為8888

[root@master ~]# kubectl edit cm nginx-www
apiVersion: v1
data:
  www.conf: "server {
	server_name myapp.along.com;
	listen 8888;
	root /data/web/html/;
}
"
... ...
configmap/nginx-www edited

  

2)在pod內還需要過載nginx配置(現在是手工操作,後面會使用k8s工具完成)

/ # cat /etc/nginx/conf.d/www.conf     查詢configmap的修改是否生效
server {
	server_name myapp.along.com;
	listen 8888;
	root /data/web/html/;
}
/ # nginx -s reload  過載一下nginx配置
2019/02/25 02:32:00 [notice] 16#16: signal process started

  

3)在node節點上訪問驗證,成功

[root@node1 ~]# curl myapp.along.com:8888
<h1>Nginx Server configured by CM</h1>	

 

2、secret

2.1 認識secret

  •  Secret 物件型別用來儲存敏感資訊,例如密碼、OAuth 令牌和 ssh key。將這些資訊放在 secret 中比放在 pod 的定義或者 docker 映象中來說更加安全和靈活。
  •  Secret 是一種包含少量敏感資訊例如密碼、token key 的物件。這樣的資訊可能會被放在 Pod spec 中或者映象中;將其放在一個 secret 物件中可以更好地控制它的用途,並降低意外暴露的風險。
  •  使用者可以建立 secret,同時系統也建立了一些 secret
  •  要使用 secretpod 需要引用 secretPod 可以用兩種方式使用 secret:作為 volume 中的檔案被掛載到 pod 中的一個或者多個容器裡,或者當 kubelet pod 拉取映象時使用。
  •  Secret有三種型別:
    •  Service Account:用來訪問Kubernetes API,由Kubernetes自動建立,並且會自動掛載到Pod/run/secrets/kubernetes.io/serviceaccount目錄中;
    •  Opaquebase64編碼格式的Secret,用來儲存密碼、金鑰等;
    •  kubernetes.io/dockerconfigjson:用來儲存私有docker registry的認證資訊。

 

2.2 建立一個secret

---建立secret
[root@master ~]# kubectl create secret generic mysql-root-passwd --from-literal=password=MyP@ss123
secret/mysql-root-passwd created
---查詢secret資訊
[root@master ~]# kubectl get secret
NAME                  TYPE                                  DATA      AGE
default-token-wjbzf   kubernetes.io/service-account-token   3         35d
mysql-root-passwd     Opaque                                1         11s
---查詢詳細資訊
[root@master ~]# kubectl describe secret mysql-root-passwd
Name:         mysql-root-passwd
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  9 bytes    #已經進行64位加密
---以yaml檔案顯示資訊
[root@master ~]# kubectl get secret mysql-root-passwd -o yaml
apiVersion: v1
data:
  password: TXlQQHNzMTIz
kind: Secret
metadata:
  creationTimestamp: 2018-10-10T03:14:04Z
  name: mysql-root-passwd
  namespace: default
  resourceVersion: "436965"
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-passwd
  uid: 8adbf6ae-cc3a-11e8-bb48-005056277243
type: Opaque
---解密
[root@master ~]# echo TXlQQHNzMTIz |base64 -d
MyP@ss123

  

2.3 通過secretpod注入環境變數

1)編寫yaml檔案,建立pod

[root@master configmap]# vim pod-secret-1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    along.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: MYSQL_ROOT_PASSWD
      valueFrom:
        secretKeyRef:
          name: mysql-root-passwd
          key: password
[root@master configmap]# kubectl apply -f pod-secret-1.yaml
pod/pod-secret-1 created

  

2)查詢並認證

[root@master configmap]# kubectl get pods
NAME                            READY     STATUS    RESTARTS   AGE
pod-secret-1                    1/1       Running   0          14s
---驗證,查詢pod中的環境變數,篩選出MYSQL_ROOT_PASSWD
[root@master configmap]# kubectl exec pod-secret-1 -- printenv |grep MYSQL
MYSQL_ROOT_PASSWD=MyP@ss123

  

相關文章