Docker/Kubernetes Storage: ConfigMap configuration management and Secret configuration management

裴姚石
2023-12-01

1. ConfigMap configuration management

- A ConfigMap stores configuration data as key-value pairs.
	The configMap resource provides a way to inject configuration data into Pods.
	Its purpose is to decouple images from configuration files, so that images stay portable and reusable.
	Typical use cases:
		1. Populating the values of environment variables
		2. Setting command-line arguments inside a container
		3. Populating configuration files in a volume     ## the most common use

- There are four ways to create a ConfigMap:
	1. From literal values
	2. From a file
	3. From a directory
	4. From a ConfigMap YAML file
	
- 1. Creating from literal values
	$ kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2

- 2. Creating from a file
	$ kubectl create configmap my-config-2 --from-file=/etc/resolv.conf
	The key is the file name and the value is the contents of that file.

- 3. Creating from a directory
	$ kubectl create configmap my-config-3 --from-file=test
	Each file name in the directory becomes a key and the file's contents become the value.

- 4. Writing a ConfigMap YAML file
	$ vim cm1.yaml
	apiVersion: v1
	kind: ConfigMap
	metadata:
	  name: cm1-config
	data:
	  db_host: "172.25.16.250"
	  db_port: "3306"
	
	$ kubectl create -f cm1.yaml

1.1 Cleaning up the lab environment

## Delete namespaces
[root@server2 ~]# kubectl get ns   ## list all namespaces, then delete the test ones
[root@server2 ~]# kubectl delete pod --all -n demo --force ## deleting the pods inside first makes deleting the ns faster
[root@server2 ~]# kubectl delete ns demo 
[root@server2 ~]# kubectl delete pod --all -n test --force 
[root@server2 ~]# kubectl delete ns test 

## Delete pods
[root@server2 ~]# kubectl get pod
[root@server2 ~]# kubectl delete pod nginx --force 
[root@server2 ~]# kubectl delete deployments.apps deployment
[root@server2 ~]# kubectl delete pod demo --force 

## Delete services
[root@server2 ~]# kubectl get svc
[root@server2 ~]# kubectl delete svc nginx-svc 

## Delete the ingress
[root@server2 ~]# kubectl delete ingress ingress-demo 

## Delete network policies
[root@server2 ~]# kubectl delete networkpolicies. --all
[root@server2 ~]# kubectl get networkpolicies.
No resources found in default namespace.

1.2 Creating from literal values

[root@server2 ~]# kubectl get cm
NAME               DATA   AGE
kube-root-ca.crt   1      37d
[root@server2 ~]# kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
configmap/my-config created
[root@server2 ~]# kubectl describe cm my-config 

1.3 Creating from a file

[root@server2 ~]# kubectl create configmap my-config-2 --from-file=/etc/resolv.conf
configmap/my-config-2 created
[root@server2 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 114.114.114.114
[root@server2 ~]# kubectl describe cm my-config-2 

1.4 Creating from a directory

[root@server2 ~]# mkdir congfigmap
[root@server2 ~]# cd congfigmap/
[root@server2 congfigmap]# mkdir test
[root@server2 congfigmap]# cp /etc/resolv.conf test/
[root@server2 congfigmap]# cp /etc/fstab test/
[root@server2 congfigmap]# ls test/
fstab  resolv.conf
[root@server2 congfigmap]# kubectl create configmap my-config-3 --from-file=test
configmap/my-config-3 created
[root@server2 congfigmap]# kubectl describe cm my-config-3

1.5 Writing a ConfigMap YAML file

[root@server2 congfigmap]# vim cm1.yaml  
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm1-config
data:
  db_host: "172.25.16.250"
  db_port: "3306"

[root@server2 congfigmap]# kubectl apply -f cm1.yaml    ## apply it
[root@server2 congfigmap]# kubectl describe cm cm1-config    
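The directory form above (key = file name, value = file contents) is what `kubectl create configmap --from-file=<dir>` does internally. The following shell script is an added example, not code from the original post: it builds the same manifest offline and also enforces the key-name rule that kubectl applies (a ConfigMap key may only contain letters, digits, `-`, `_` and `.`), which is why a file such as `bad name` would make kubectl refuse the whole ConfigMap. The sample directory and file contents are constructed here; the `my-config-3` name is the post's.

```shell
# Added example (not the original post's code): build a ConfigMap manifest from
# a directory the way `kubectl create configmap --from-file=<dir>` does.
# Every regular file becomes a key (its name) with the file content as value.

# Returns 0 if $1 is a valid ConfigMap key ([-._a-zA-Z0-9]+), 1 otherwise.
cm_key_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a ConfigMap manifest named $1 built from directory $2.
# Invalid key names are skipped with a warning on stderr (kubectl itself aborts
# on an invalid key; skipping is a deliberate choice for this example).
cm_from_dir() {
    name=$1; dir=$2
    printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\ndata:\n' "$name"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        key=${f##*/}
        if ! cm_key_ok "$key"; then
            echo "skipping '$key': not a valid ConfigMap key" >&2
            continue
        fi
        # A literal block scalar keeps the file content as-is, indented under the key.
        printf '  %s: |\n' "$key"
        sed 's/^/    /' "$f"
    done
}

# Constructed sample input standing in for the post's test/ directory.
demo_dir=$(mktemp -d)
printf 'nameserver 114.114.114.114\n' > "$demo_dir/resolv.conf"
printf 'listen 8080;\n' > "$demo_dir/default.conf"
printf 'ignored\n' > "$demo_dir/bad name"   # a space is not allowed in a key

cm_from_dir my-config-3 "$demo_dir"
```

Pipe the output into `kubectl apply -f -` to create the object. Note that the whole object, all values included, must stay under the 1 MiB limit the API server enforces on ConfigMaps.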

2. How to use a ConfigMap

- Ways to consume a ConfigMap:
	1. Pass it to the Pod directly as environment variables
	2. Use it in the command line run inside the Pod
	3. Mount it into the Pod as a volume     ## the most common way

2.1 Setting environment variables from a ConfigMap

[root@server2 congfigmap]# vim pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
    - name: pod1
      image: busyboxplus
      command: ["/bin/sh", "-c", "env"]
      env:
        - name: key1
          valueFrom:
            configMapKeyRef:
              name: cm1-config
              key: db_host
        - name: key2
          valueFrom:
            configMapKeyRef:
              name: cm1-config
              key: db_port
  restartPolicy: Never
[root@server2 congfigmap]# kubectl apply -f pod1.yaml
pod/pod1 created
[root@server2 congfigmap]# kubectl get pod
NAME   READY   STATUS      RESTARTS   AGE
pod1   0/1     Completed   0          5s
[root@server2 congfigmap]# kubectl logs pod1  ## check the log for the cm1-config values
key1=172.25.16.250
key2=3306

2.2 Setting command-line arguments from a ConfigMap

[root@server2 congfigmap]# vim pod2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod2
spec:
  containers:
    - name: pod2
      image: busyboxplus
      command: ["/bin/sh", "-c", "echo $(db_host) $(db_port)"]
      envFrom:
        - configMapRef:
            name: cm1-config
  restartPolicy: Never
[root@server2 congfigmap]# kubectl apply -f pod2.yaml
pod/pod2 created
[root@server2 congfigmap]# kubectl get pod
NAME   READY   STATUS      RESTARTS   AGE
pod1   0/1     Completed   0          7m51s
pod2   0/1     Completed   0          19s
[root@server2 congfigmap]# kubectl logs pod2
172.25.16.250 3306

2.3 Using a ConfigMap through a volume

[root@server2 congfigmap]# vim pod3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod3
spec:
  containers:
    - name: pod3
      image: busyboxplus
      command: ["/bin/sh", "-c", "cat /config/db_host"]
      volumeMounts:
      - name: config-volume
        mountPath: /config
  volumes:
    - name: config-volume
      configMap:
        name: cm1-config
  restartPolicy: Never
[root@server2 congfigmap]# kubectl apply -f pod3.yaml 
pod/pod3 created
[root@server2 congfigmap]# kubectl get pod
NAME   READY   STATUS      RESTARTS   AGE
pod1   0/1     Completed   0          13m
pod2   0/1     Completed   0          5m55s
pod3   0/1     Completed   0          4s
[root@server2 congfigmap]# kubectl logs pod3
172.25.16.250[root@server2 congfigmap]#

2.4 ConfigMap hot update (volume mount)

[root@server2 congfigmap]# kubectl delete pod pod3
pod "pod3" deleted
## 1. Configure the volume and inspect its contents
[root@server2 congfigmap]# vim pod3.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod3
spec:
  containers:
    - name: pod3
      image: busyboxplus
      stdin: true
      tty: true
      volumeMounts:
      - name: config-volume
        mountPath: /config
  volumes:
    - name: config-volume
      configMap:
        name: cm1-config
[root@server2 congfigmap]# kubectl apply -f pod3.yaml 
[root@server2 congfigmap]# kubectl get pod 
[root@server2 congfigmap]# kubectl attach pod3 -it    ## attach to pod3 and inspect the volume contents
[ root@pod3:/ ]$ cd /config/
[ root@pod3:/config ]$ ls
db_host  db_port
[ root@pod3:/config ]$ cat *
172.25.16.250 3306[ root@pod3:/config ]$

## 2. Perform the hot update
[root@server2 congfigmap]# kubectl edit cm cm1-config  ## edit the values of db_host and db_port (describe only displays them)
[root@server2 congfigmap]# kubectl attach pod3 -it    ## pod3 is still running; attach to it again
Defaulting container name to pod3.
Use 'kubectl describe pod/pod3 -n default' to see all of the containers in this pod.
If you don't see a command prompt, try pressing enter.
[ root@pod3:/config ]$ cd /config/
[ root@pod3:/config ]$ cat *
172.25.16.2408080[ root@pod3:/config ]$   ## the mounted files now show the new values

2.5 Pod rolling update

A ConfigMap hot update does not trigger a rolling update of the Pods that use it; the rollout has to be triggered manually. Values injected as environment variables or command-line arguments are read once at container start, so those Pods need a restart to see new values.

[root@server2 congfigmap]# kubectl delete -f pod1.yaml
[root@server2 congfigmap]# kubectl delete -f pod2.yaml
[root@server2 congfigmap]# kubectl delete -f pod3.yaml
[root@server2 congfigmap]# kubectl get pod
No resources found in default namespace.

[root@server2 congfigmap]# vim demo.yml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: myapp:v1
        volumeMounts:
        - name: config-volume
          mountPath: /etc/nginx/conf.d
      volumes:
        - name: config-volume
          configMap:
            name: nginx-config

[root@server2 congfigmap]# vim default.conf
server {
    listen       8080;      ## the test file written here uses port 8080
    server_name  _;

    location / {
        root /usr/share/nginx/html;
        index  index.html index.htm;
    }
}
[root@server2 congfigmap]# kubectl create configmap nginx-config --from-file=default.conf   ## create the cm
configmap/nginx-config created
[root@server2 congfigmap]# kubectl get cm
[root@server2 congfigmap]# kubectl describe cm nginx-config 

[root@server2 congfigmap]# kubectl apply -f demo.yml   ## create the pod
deployment.apps/demo created
[root@server2 congfigmap]# kubectl get pod
NAME                    READY   STATUS    RESTARTS   AGE
demo                    1/1     Running   0          28m
demo-75679c99b4-zs92h   1/1     Running   0          6s
[root@server2 congfigmap]# kubectl describe pod demo-75679c99b4-zs92h
[root@server2 congfigmap]# kubectl get pod -o wide   ## show pod details
NAME                    READY   STATUS    RESTARTS   AGE   IP               NODE      NOMINATED NODE   READINESS GATES
demo                    1/1     Running   0          30m   10.244.22.11     server4   <none>           <none>
demo-75679c99b4-zs92h   1/1     Running   0          83s   10.244.141.198   server3   <none>           <none>
[root@server2 congfigmap]# curl 10.244.141.198:8080   ## access on port 8080 succeeds
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@server2 congfigmap]# kubectl exec -it demo-75679c99b4-zs92h -- sh  ## open a shell and inspect nginx's default conf file
/ # cd /etc/nginx/conf.d/
/etc/nginx/conf.d # ls
default.conf
/etc/nginx/conf.d # cat default.conf 

2.5.1 Updating with a command (patching)

[root@server2 congfigmap]# kubectl edit cm nginx-config    ## edit the file and change the port to 80
[root@server2 congfigmap]# kubectl describe cm nginx-config  ## check the cm: the hot update took effect
[root@server2 congfigmap]# curl 10.244.141.198:8080   ## after the update the pod is still only reachable on 8080, because the pod itself has not been updated
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a> 
[root@server2 congfigmap]# curl 10.244.141.198
curl: (7) Failed connect to 10.244.141.198:80; Connection refused

[root@server2 congfigmap]# kubectl exec -it demo-75679c99b4-zs92h -- sh  ## check whether the config file in the pod was hot-updated
/ # cat /etc/nginx/conf.d/default.conf
server {
    listen       80;     
    server_name  _;

    location / {
        root /usr/share/nginx/html;
        index  index.html index.htm;
    }
}
/ # netstat -antlp   ## the listening port is still 8080: nginx has not re-read the file

[root@server2 congfigmap]# kubectl patch deployments.apps demo --patch '{"spec": {"template": {"metadata": {"annotations": {"version/config": "2021022401"}}}}}'  ## patch the pod template to force a rollout
deployment.apps/demo patched
[root@server2 congfigmap]# kubectl get pod
NAME                    READY   STATUS        RESTARTS   AGE
demo                    1/1     Running       0          41m
demo-75679c99b4-zs92h   0/1     Terminating   0          13m
demo-7f476857fb-bdh65   1/1     Running       0          6s
[root@server2 congfigmap]# kubectl get pod -o wide
NAME                    READY   STATUS        RESTARTS   AGE   IP             NODE      NOMINATED NODE   READINESS GATES
demo                    1/1     Running       0          42m   10.244.22.11   server4   <none>           <none>
demo-75679c99b4-zs92h   0/1     Terminating   0          13m   <none>         server3   <none>           <none>
demo-7f476857fb-bdh65   1/1     Running       0          20s   10.244.22.12   server4   <none>           <none>
[root@server2 congfigmap]# curl 10.244.22.12   ## access on port 80 succeeds
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@server2 congfigmap]# kubectl exec -it demo-7f476857fb-bdh65 -- sh
/ # netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1/nginx: master pro
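The patch above works because any change to the pod template, an annotation included, makes the Deployment create a new ReplicaSet. Picking the annotation value by hand (`2021022401`) is error-prone; the following shell script is an added example, not the post's code, that derives the value from a sha256 of the config file feeding the ConfigMap, so the Deployment rolls exactly when the content changes and stays untouched otherwise. The annotation key `checksum/config`, the deployment name `demo` and the sample config are assumptions; the script prints the kubectl commands instead of running them so it can be reviewed and works without a cluster.

```shell
# Added example (not the original post's code): roll a Deployment only when
# the config file behind its ConfigMap actually changed.

# Print the sha256 hex digest of file $1 (sha256sum on Linux, shasum elsewhere).
config_checksum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the JSON patch that stamps checksum $1 on the pod template.
# The annotation key "checksum/config" is an assumed convention.
rollout_patch() {
    printf '{"spec":{"template":{"metadata":{"annotations":{"checksum/config":"%s"}}}}}' "$1"
}

# Print the two commands for Deployment $1 fed by config file $2:
# 1) refresh the ConfigMap from the file, 2) patch the template with its hash.
# If the hash is unchanged the patch is a no-op and no pods are replaced.
rollout_on_change() {
    deploy=$1; cfg=$2
    sum=$(config_checksum "$cfg")
    echo "kubectl create configmap nginx-config --from-file=$cfg --dry-run=client -o yaml | kubectl apply -f -"
    echo "kubectl patch deployment $deploy --patch '$(rollout_patch "$sum")'"
}

# Constructed sample: the post's default.conf on port 8080, then edited to 80.
cfg=$(mktemp)
printf 'server {\n    listen 8080;\n}\n' > "$cfg"
sum_8080=$(config_checksum "$cfg")
printf 'server {\n    listen 80;\n}\n' > "$cfg"
sum_80=$(config_checksum "$cfg")

rollout_on_change demo "$cfg"
```

Run the printed commands (or replace the `echo`s with direct calls) from a CI step after every config change; because the hash is deterministic, re-running the step with an unchanged file leaves the running pods alone.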

2.5.2 Updating by deleting the Pod directly

[root@server2 congfigmap]# kubectl edit cm nginx-config  ## change the port back to 8080
configmap/nginx-config edited
[root@server2 congfigmap]# kubectl get pod
NAME                    READY   STATUS    RESTARTS   AGE
demo                    1/1     Running   0          50m
demo-7f476857fb-bdh65   1/1     Running   0          9m12s
[root@server2 congfigmap]# kubectl delete pod demo-7f476857fb-bdh65
pod "demo-7f476857fb-bdh65" deleted
[root@server2 congfigmap]# kubectl get pod -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP               NODE      NOMINATED NODE   READINESS GATES
demo                    1/1     Running   0          53m   10.244.22.11     server4   <none>           <none>
demo-7f476857fb-wwhdm   1/1     Running   0          23s   10.244.141.199   server3   <none>           <none>
[root@server2 congfigmap]# curl 10.244.141.199
curl: (7) Failed connect to 10.244.141.199:80; Connection refused
[root@server2 congfigmap]# curl 10.244.141.199:8080
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>

3. Secret configuration management

- The Secret object type is used to hold sensitive information such as passwords, OAuth tokens and ssh keys.
- Keeping sensitive information in a Secret is safer and more flexible than putting it in a Pod definition or a container image.
- A Pod can use a Secret in two ways:
		As files in a volume mounted into one or more of the Pod's containers.
		By the kubelet when pulling images for the Pod.
- Secret types:
	Service Account: Kubernetes automatically creates Secrets containing credentials for accessing the API and automatically modifies Pods to use this type of Secret.
	Opaque: stores the information base64-encoded; the original data can be recovered with base64 --decode, so it offers only weak protection.
	kubernetes.io/dockerconfigjson: stores authentication information for a docker registry.

3.1 Default secret

Every namespace has a default ServiceAccount object named default.
The ServiceAccount carries a Secret named Tokens that can be mounted into a Pod like a volume; when the Pod starts this Secret is automatically mounted at a fixed path inside the Pod, and it is used to authenticate the Pod's processes when they access the API Server.

3.2 Basic operations

[root@server2 secret]# vim mysecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: d2VzdG9z

[root@server2 secret]# echo YWRtaW4= | base64 -d
admin[root@server2 secret]# echo d2VzdG9z | base64 -d 
westos[root@server2 secret]# kubectl apply -f mysecret.yaml
secret/mysecret created
[root@server2 secret]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      8d
default-token-s98h6   kubernetes.io/service-account-token   3      37d
mysecret              Opaque                                2      6s
tls-secret            kubernetes.io/tls                     2      7d21h
[root@server2 secret]# kubectl describe secrets mysecret 
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  6 bytes
username:  5 bytes
[root@server2 secret]# kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
  password: d2VzdG9z
  username: YWRtaW4=
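The `base64 -d` lines above make the point of the Opaque type concrete: the values are encoded, not encrypted, so anyone allowed to `get secrets` recovers the plaintext. The following shell helpers are an added example, not code from the post: they build an Opaque Secret manifest from plain values (so nobody has to hand-encode them) and decode every data field of a manifest back in one pass, which is the check a reviewer runs to see what a Secret really contains. The username/password values match the post's mysecret and are constructed here.

```shell
# Added example (not the original post's code): encode plain values into an
# Opaque Secret manifest, and decode a manifest's data back to plaintext.

# base64-encode $1 with no trailing newline (equivalent to `echo -n x | base64`).
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode one base64 value back to plaintext.
unb64() {
    printf '%s' "$1" | base64 -d
}

# Print an Opaque Secret manifest named $1; remaining arguments are key=value pairs.
secret_manifest() {
    name=$1; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for kv in "$@"; do
        printf '  %s: %s\n' "${kv%%=*}" "$(b64 "${kv#*=}")"
    done
}

# Read a manifest on stdin and print every data field decoded as key=plaintext.
# Only the lines under "data:" are considered; each is "  key: base64value".
secret_decode() {
    sed -n '/^data:/,$p' | sed -n 's/^  \([^:]*\): *\(.*\)$/\1 \2/p' |
    while read -r k v; do
        printf '%s=%s\n' "$k" "$(unb64 "$v")"
    done
}

# Constructed sample values matching the post's mysecret (admin / westos).
secret_manifest mysecret username=admin password=westos
secret_manifest mysecret username=admin password=westos | secret_decode
```

The same `secret_decode` works on `kubectl get secret mysecret -o yaml` output, which is why RBAC on the secrets resource (and etcd encryption at rest) is what actually protects these values, not the encoding.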

3.3 Mounting a Secret into a volume and mapping Secret keys to a chosen path

Mounting a Secret into a volume

[root@server2 secret]# kubectl get pod
NAME                    READY   STATUS    RESTARTS   AGE
demo                    1/1     Running   0          98m
demo-7f476857fb-wwhdm   1/1     Running   0          45m
[root@server2 secret]# kubectl delete deployments.apps  demo
[root@server2 secret]# kubectl delete pod demo

[root@server2 secret]# vim pod1.yaml
[root@server2 secret]# kubectl apply -f pod1.yaml 
pod/mysecret created
[root@server2 secret]# kubectl exec mysecret -- ls /secret
password
username
[root@server2 secret]# kubectl exec mysecret -- cat /secret/username
admin[root@server2 secret]# kubectl exec mysecret -- cat /secret/password
westos[root@server2 secret]# kubectl get pod
[root@server2 secret]# kubectl delete -f pod1.yaml 

Mapping Secret keys to a chosen path

[root@server2 secret]# vim pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: demo
    image: myapp:v1
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username
[root@server2 secret]# kubectl apply -f pod1.yaml 
pod/mysecret created
[root@server2 secret]# kubectl get  pod
NAME       READY   STATUS    RESTARTS   AGE
mysecret   1/1     Running   0          5s
[root@server2 secret]# kubectl exec mysecret -- ls /secret
my-group
[root@server2 secret]# kubectl exec mysecret -- cat /secret/my-group/my-username
admin[root@server2 secret]# 

3.4 Exposing a Secret as environment variables

[root@server2 secret]# kubectl delete pod mysecret --force
[root@server2 secret]# vim pod2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env
spec:
  containers:
  - name: nginx
    image: myapp:v1
    env:          
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
[root@server2 secret]# kubectl apply -f pod2.yaml 
pod/secret-env created
[root@server2 secret]# kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
secret-env   1/1     Running   0          9s
[root@server2 secret]# kubectl exec secret-env -- env

3.5 Pulling an image from a private registry

[root@server2 secret]# kubectl delete pod secret-env --force
[root@server2 secret]# vim pod3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: game2048
      image: reg.westos.org/westos/game2048
  imagePullSecrets:          ## without this section the pull fails
    - name: myregistrykey
[root@server2 secret]# kubectl create secret docker-registry myregistrykey --docker-server=reg.westos.org --docker-username=admin --docker-password=westos --docker-email=<your registry e-mail>
[root@server2 secret]# kubectl get secrets
[root@server2 secret]# kubectl describe secrets myregistrykey
[root@server2 secret]# kubectl get secrets myregistrykey -o yaml
[root@server2 secret]# echo eyJhdXRocyI6eyJyZWcud2VzdG9zLm9yZyI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJ3ZXN0b3MiLCJlbWFpbCI6IjYyNjQzODY2MUBxcS5jb20iLCJhdXRoIjoiWVdSdGFXNDZkMlZ6ZEc5eiJ9fX0 | base64 -d

[root@server2 secret]# kubectl apply -f pod3.yaml
pod/mypod created
[root@server2 secret]# kubectl get pod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          26s
[root@server2 secret]# kubectl  describe pod mypod
