This article is part of the container technology learning series (see the series table of contents).
1. ConfigMap
1.1 What a ConfigMap is
A ConfigMap stores configuration data as key-value pairs; it can hold a single property or an entire configuration file. ConfigMaps are very similar to Secrets, but they are meant for strings that contain no sensitive information and are more convenient to handle for that purpose.
1.2 Creating a ConfigMap
1.2.1 From the command line
Create a ConfigMap named nginx-config that specifies the port and the server name:
[root@master ~]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.along.com
configmap/nginx-config created
[root@master ~]# kubectl get cm
NAME           DATA   AGE
nginx-config   2      11s
[root@master ~]# kubectl describe cm nginx-config
Name:         nginx-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
nginx_port:
----
80
server_name:
----
myapp.along.com
Events:  <none>
1.2.2 From a file
(1) Prepare the file
[root@master ~]# mkdir configmap
[root@master ~]# cd configmap
[root@master configmap]# vim www.conf
server {
    server_name myapp.along.com;
    listen 80;
    root /data/web/html/;
}
(2) Create the ConfigMap and verify it
[root@master configmap]# kubectl create configmap nginx-www --from-file=./www.conf
configmap/nginx-www created
[root@master configmap]# kubectl get cm
NAME           DATA   AGE
nginx-config   2      3m
nginx-www      1      5s
[root@master configmap]# kubectl describe cm nginx-www
Name:         nginx-www
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
www.conf:
----
server {
    server_name myapp.along.com;
    listen 80;
    root /data/web/html/;
}
Events:  <none>
1.3 Creating a pod that uses the ConfigMap
1.3.1 Consuming the ConfigMap through environment variables
A ConfigMap passed into a pod through environment variables is not updated in real time.
(1) Write the pod YAML that references the ConfigMap
[root@master configmap]# vim pod-configmap.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    along.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: nginx_port
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name
(2) Create the pod and verify
[root@master configmap]# kubectl apply -f pod-configmap.yaml
pod/pod-cm-1 created
[root@master configmap]# kubectl get pods
NAME       READY   STATUS    RESTARTS   AGE
pod-cm-1   1/1     Running   0          41s
--- check the variables inside the pod
[root@master configmap]# kubectl exec -it pod-cm-1 -- printenv |grep NGINX_SERVER
NGINX_SERVER_PORT=80
NGINX_SERVER_NAME=myapp.along.com
(3) When the ConfigMap is consumed through environment variables, modifying the ConfigMap does not change the values inside the pod
① Use kubectl edit to change nginx_port from 80 to 8080
[root@master configmap]# kubectl edit cm nginx-config
... ...
  nginx_port: "8080"   # change 80 to 8080
... ...
configmap/nginx-config edited
② Check: the ConfigMap has been modified, but the variable inside the pod has not
This is because the ConfigMap is only read when the container starts; the pod already exists, so a later modification has no effect on it.
------ the ConfigMap has been modified ------
[root@master configmap]# kubectl describe cm nginx-config
Data
====
nginx_port:
----
8080
server_name:
----
myapp.along.com
Events:  <none>
------ but the pod has not actually changed ------
[root@master configmap]# kubectl exec -it pod-cm-1 -- printenv |grep NGINX_SERVER
NGINX_SERVER_PORT=80
NGINX_SERVER_NAME=myapp.along.com
1.3.2 Consuming the ConfigMap through a volume
A ConfigMap passed into a pod through a volume is updated in real time (the kubelet refreshes mounted ConfigMap volumes on its periodic sync, so the change appears after a short delay).
(1) Write the pod YAML and create the pod
Define a volume that uses the nginx-config ConfigMap created above:
[root@master configmap]# vim pod-configmap-2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    along.com/created-by: "cluster admin"
spec:
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-config
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/config.d/
      readOnly: true
[root@master configmap]# kubectl apply -f pod-configmap-2.yaml
pod/pod-cm-2 created
(2) Log in to the pod and verify
[root@master configmap]# kubectl get pods
NAME       READY   STATUS    RESTARTS   AGE
pod-cm-2   1/1     Running   0          7s
[root@master ~]# kubectl exec -it pod-cm-2 -- /bin/sh
/ # cd /etc/nginx/config.d/
/etc/nginx/config.d # ls
nginx_port   server_name
/etc/nginx/config.d # cat nginx_port
80
/etc/nginx/config.d # cat server_name
myapp.along.com
(3) When the ConfigMap is mounted as a volume, modifying the ConfigMap does change the content inside the pod
① Use kubectl edit to change nginx_port from 80 to 8080
[root@master ~]# kubectl edit cm nginx-config
apiVersion: v1
data:
  nginx_port: "8080"
  server_name: myapp.along.com
... ...
configmap/nginx-config edited
② Log in to the pod again; the value has changed
[root@master ~]# kubectl exec -it pod-cm-2 -- /bin/sh
/ # cat /etc/nginx/config.d/nginx_port
8080
/ #
1.4 A complete ConfigMap application example
1.4.1 Write the pod YAML, using the nginx-www ConfigMap
[root@master configmap]# vim pod-configmap-3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-3
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    along.com/created-by: "cluster admin"
spec:
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-www
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/conf.d/
      readOnly: true
1.4.2 Create the pod
[root@master configmap]# kubectl apply -f pod-configmap-3.yaml
pod/pod-cm-3 created
[root@master configmap]# kubectl get pods
NAME       READY   STATUS    RESTARTS   AGE
pod-cm-3   1/1     Running   0          24s
1.4.3 Log in to the pod and check that the configuration took effect
[root@master configmap]# kubectl exec -it pod-cm-3 -- /bin/sh
/ # cat /etc/nginx/conf.d/www.conf
server {
    server_name myapp.along.com;
    listen 80;
    root /data/web/html/;
}
/ # nginx -T |tail -7        # -T dumps the nginx configuration
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/conf.d/www.conf:
server {
    server_name myapp.along.com;
    listen 80;
    root /data/web/html/;
}
--- create the nginx home page
/ # mkdir -p /data/web/html
/ # vi /data/web/html/index.html
<h1>Nginx Server configured by CM</h1>
1.4.4 Access the pod from another node to verify
(1) Open a new window on master and look up the pod's IP
[root@master ~]# kubectl get pods -o wide
NAME       READY   STATUS    RESTARTS   AGE   IP             NODE
pod-cm-3   1/1     Running   0          7m    10.244.1.124   node2
(2) On any node, add a hosts entry so the name resolves to this pod
[root@node1 ~]# vim /etc/hosts
10.244.1.124 myapp.along.com
(3) Access the pod: success
[root@node1 ~]# curl myapp.along.com
<h1>Nginx Server configured by CM</h1>
1.4.5 Change the port of the nginx service inside the pod by modifying the ConfigMap
(1) Edit the ConfigMap and change the nginx port from 80 to 8888
[root@master ~]# kubectl edit cm nginx-www
apiVersion: v1
data:
  www.conf: "server { server_name myapp.along.com; listen 8888; root /data/web/html/; } "
... ...
configmap/nginx-www edited
(2) Inside the pod, the nginx configuration still has to be reloaded (done manually here; later this will be done with Kubernetes tooling)
/ # cat /etc/nginx/conf.d/www.conf        # check that the ConfigMap change has arrived
server {
    server_name myapp.along.com;
    listen 8888;
    root /data/web/html/;
}
/ # nginx -s reload                       # reload the nginx configuration
2019/02/25 02:32:00 [notice] 16#16: signal process started
(3) Access from a node to verify: success
[root@node1 ~]# curl myapp.along.com:8888
<h1>Nginx Server configured by CM</h1>
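The manual `nginx -s reload` in step (2) can be automated by a small watcher running in the container (or as a sidecar that shares the mount). This is an added example, not code from the original post; it assumes the page's mount path /etc/nginx/conf.d/www.conf and an nginx binary on PATH in the same container, and it compares content digests rather than mtimes because the kubelet publishes a new ConfigMap version by swapping a symlink.

```python
"""Reload nginx when the ConfigMap-mounted www.conf changes (added example)."""
import hashlib
import subprocess
import time
from pathlib import Path

CONF_PATH = Path("/etc/nginx/conf.d/www.conf")  # the page's pod-cm-3 mount
RELOAD_CMD = ["nginx", "-s", "reload"]          # the page's manual reload step

def content_digest(path):
    """SHA-256 of the file, or None while it is absent. The kubelet publishes
    a new ConfigMap version by swapping a symlink to a fresh timestamped
    directory, so a read in the middle of that swap can miss the file."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except FileNotFoundError:
        return None

def run_reload():
    """nginx keeps serving the old configuration if the new one fails its check."""
    subprocess.run(RELOAD_CMD, check=True)

def check_and_reload(path, last_digest, reload=run_reload):
    """One polling step; returns (digest_to_remember, reloaded).
    The first observation only records a baseline; later ones call reload()
    when the content differs from it. reload is injectable for testing."""
    current = content_digest(path)
    if current is None or current == last_digest:
        return last_digest, False
    if last_digest is None:
        return current, False
    reload()
    return current, True

def watch(path=CONF_PATH, interval=5.0):
    """Poll forever. The kubelet syncs the volume only periodically, so
    polling faster than a few seconds gains nothing."""
    digest = None
    while True:
        digest, reloaded = check_and_reload(path, digest)
        if reloaded:
            print(f"{path} changed, nginx reloaded")
        time.sleep(interval)

if __name__ == "__main__":
    watch()
```

Files mounted with subPath are never refreshed by the kubelet, so this only helps for whole-volume mounts like the page's.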
2. Secret
2.1 What a Secret is
- The Secret object type is used to hold sensitive information such as passwords, OAuth tokens and SSH keys. Putting this information in a Secret is safer and more flexible than putting it in a pod definition or a Docker image.
- A Secret is an object that contains a small amount of sensitive data such as a password, a token or a key. Such information might otherwise be placed in a Pod spec or in an image; placing it in a Secret object gives more control over how it is used and reduces the risk of accidental exposure.
- Users can create Secrets, and the system also creates some Secrets itself.
- To use a Secret, a pod needs to reference it. A pod can use a Secret in two ways: as files in a volume mounted into one or more of the pod's containers, or by the kubelet when it pulls images for the pod (section 2.3 below also injects a Secret as an environment variable).
- Secrets come in three types:
  - Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the pod at /run/secrets/kubernetes.io/serviceaccount;
  - Opaque: a Secret whose values are stored base64-encoded (an encoding, not encryption: anyone permitted to read the Secret can decode it), used for passwords, keys and the like;
  - kubernetes.io/dockerconfigjson: holds the credentials for a private Docker registry.
2.2 Creating a Secret
--- create the secret
[root@master ~]# kubectl create secret generic mysql-root-passwd --from-literal=password=MyP@ss123
secret/mysql-root-passwd created
--- list secrets
[root@master ~]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-wjbzf   kubernetes.io/service-account-token   3      35d
mysql-root-passwd     Opaque                                1      11s
--- show the details
[root@master ~]# kubectl describe secret mysql-root-passwd
Name:         mysql-root-passwd
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  9 bytes   # describe shows only the size; the value is stored base64-encoded
--- show it as YAML
[root@master ~]# kubectl get secret mysql-root-passwd -o yaml
apiVersion: v1
data:
  password: TXlQQHNzMTIz
kind: Secret
metadata:
  creationTimestamp: 2018-10-10T03:14:04Z
  name: mysql-root-passwd
  namespace: default
  resourceVersion: "436965"
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-passwd
  uid: 8adbf6ae-cc3a-11e8-bb48-005056277243
type: Opaque
--- decode
[root@master ~]# echo TXlQQHNzMTIz |base64 -d
MyP@ss123
2.3 Injecting environment variables into a pod from a Secret
(1) Write the YAML and create the pod
[root@master configmap]# vim pod-secret-1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    along.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: MYSQL_ROOT_PASSWD
      valueFrom:
        secretKeyRef:
          name: mysql-root-passwd
          key: password
[root@master configmap]# kubectl apply -f pod-secret-1.yaml
pod/pod-secret-1 created
(2) Check and verify
[root@master configmap]# kubectl get pods
NAME           READY   STATUS    RESTARTS   AGE
pod-secret-1   1/1     Running   0          14s
--- verify: list the pod's environment variables and filter for MYSQL_ROOT_PASSWD
[root@master configmap]# kubectl exec pod-secret-1 -- printenv |grep MYSQL
MYSQL_ROOT_PASSWD=MyP@ss123
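Sections 1.3.1, 1.3.2 and 2.3 turn on one distinction: values consumed as environment variables are fixed at container start and show up in printenv (as MYSQL_ROOT_PASSWD does above), while volume-mounted ones are refreshed in place. The following manifest check, an added example rather than code from the original post, classifies every ConfigMap and Secret a pod references by that mode; the manifest is constructed from the page's pod-secret-1 and pod-cm-2, and the db-creds envFrom entry is a hypothetical extra.

```python
"""Classify how a Pod consumes ConfigMaps and Secrets (added example)."""
# Constructed manifest: the page's pod-secret-1 plus the nginx-config volume
# from pod-cm-2 and a hypothetical envFrom reference ("db-creds").
POD_MANIFEST = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod-secret-1", "namespace": "default"},
    "spec": {
        "volumes": [{"name": "nginxconf", "configMap": {"name": "nginx-config"}}],
        "containers": [{
            "name": "myapp", "image": "ikubernetes/myapp:v1",
            "env": [
                {"name": "MYSQL_ROOT_PASSWD", "valueFrom": {
                    "secretKeyRef": {"name": "mysql-root-passwd", "key": "password"}}},
                {"name": "NGINX_SERVER_PORT", "valueFrom": {
                    "configMapKeyRef": {"name": "nginx-config", "key": "nginx_port"}}},
            ],
            "envFrom": [{"secretRef": {"name": "db-creds"}}],
            "volumeMounts": [{"name": "nginxconf", "mountPath": "/etc/nginx/config.d/"}],
        }],
    },
}
NOTES = {  # what each consumption mode means for updates and exposure
    "env": "fixed at container start; visible to printenv and child processes",
    "volume": "file under the mount path; refreshed after the kubelet's next sync",
}
ENV_REFS = {"secretKeyRef": "Secret", "configMapKeyRef": "ConfigMap"}
ENVFROM_REFS = {"secretRef": "Secret", "configMapRef": "ConfigMap"}
VOLUME_REFS = {"secret": ("Secret", "secretName"), "configMap": ("ConfigMap", "name")}

def references(pod):
    """Return (kind, name, mode) for each ConfigMap/Secret the pod consumes;
    mode is "env" for env/envFrom references and "volume" for volumes."""
    spec, found = pod["spec"], []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for e in c.get("env", []):
            for key, kind in ENV_REFS.items():
                if key in e.get("valueFrom", {}):
                    found.append((kind, e["valueFrom"][key]["name"], "env"))
        for e in c.get("envFrom", []):
            for key, kind in ENVFROM_REFS.items():
                if key in e:
                    found.append((kind, e[key]["name"], "env"))
    for v in spec.get("volumes", []):
        for key, (kind, name_field) in VOLUME_REFS.items():
            if key in v:
                found.append((kind, v[key][name_field], "volume"))
    return found

def report(pod):
    """One line per reference, usable in a manifest review."""
    return [f"{k} {n} via {m}: {NOTES[m]}" for k, n, m in references(pod)]
```

Run it against `kubectl get pod <name> -o json` output (loaded with json.load) to see which Secrets a pod exposes to every process in its environment.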