
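Kubernetes Series 12: Two Special Volume Types, ConfigMap and Secret

alonghub 2019-02-26 10:03:00

This article is part of the container technology learning series index.

1. ConfigMap

1.1 About ConfigMap

A ConfigMap stores configuration data as key-value pairs. It can hold individual properties or whole configuration files. A ConfigMap is very similar to a Secret, but it is more convenient for handling strings that do not contain sensitive information.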

 

1.2 Creating a ConfigMap

1.2.1 From the command line

Create a ConfigMap named nginx-config that specifies the port and server name:

```
[root@master ~]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.along.com
configmap/nginx-config created
[root@master ~]# kubectl get cm
NAME           DATA      AGE
nginx-config   2         11s
[root@master ~]# kubectl describe cm nginx-config
Name:         nginx-config
Namespace:    default
Labels:
Annotations:

Data
====
nginx_port:
----
80
server_name:
----
myapp.along.com
Events:
```

1.2.2 From a file

(1) Prepare the file:

```
[root@master ~]# mkdir configmap
[root@master ~]# cd configmap
[root@master configmap]# vim www.conf
server {
    server_name myapp.along.com;
    listen 80;
    root /data/web/html/;
}
```

(2) Create the ConfigMap and verify it:

```
[root@master configmap]# kubectl create configmap nginx-www --from-file=./www.conf
configmap/nginx-www created
[root@master configmap]# kubectl get cm
NAME           DATA      AGE
nginx-config   2         3m
nginx-www      1         5s
[root@master configmap]# kubectl describe cm nginx-www
Name:         nginx-www
Namespace:    default
Labels:
Annotations:

Data
====
www.conf:
----
server {
    server_name myapp.along.com;
    listen 80;
    root /data/web/html/;
}

Events:
```

1.3 Creating pods that use a ConfigMap

1.3.1 Using a ConfigMap in a pod through environment variables

ConfigMap values passed into a pod through environment variables are not updated in real time.

(1) Write the YAML file for a pod that references the ConfigMap:

```
[root@master configmap]# vim pod-configmap.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    along.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: nginx_port
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name
```

(2) Create the pod and verify:

```
[root@master configmap]# kubectl apply -f pod-configmap.yaml
pod/pod-cm-1 created
[root@master configmap]# kubectl get pods
NAME       READY     STATUS    RESTARTS   AGE
pod-cm-1   1/1       Running   0          41s
--- Check the variables inside the pod
[root@master configmap]# kubectl exec -it pod-cm-1 -- printenv |grep NGINX_SERVER
NGINX_SERVER_PORT=80
NGINX_SERVER_NAME=myapp.along.com
```

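(3) When a ConfigMap is imported through environment variables, modifying the ConfigMap does not change the values in the pod

① Use edit to modify the ConfigMap, changing nginx_port from 80 to 8080:

```
[root@master configmap]# kubectl edit cm nginx-config
... ...
  nginx_port: "8080"    # changed from 80 to 8080
... ...
configmap/nginx-config edited
```

② Check: the ConfigMap has been modified, but the variables in the pod have not

The ConfigMap is only read when the container starts. The pod has already been created, so a later change does not take effect.

```
------ the ConfigMap has been modified ------
[root@master configmap]# kubectl describe cm nginx-config
Data
====
nginx_port:
----
8080
server_name:
----
myapp.along.com
Events:
------ but the pod has not actually changed ------
[root@master configmap]# kubectl exec -it pod-cm-1 -- printenv |grep NGINX_SERVER
NGINX_SERVER_PORT=80
NGINX_SERVER_NAME=myapp.along.com
```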

1.3.2 Using a ConfigMap in a pod through a volume

A ConfigMap passed into a pod through a volume can be updated in real time.

(1) Write the YAML file and create the pod

Create a volume that uses the nginx-config ConfigMap created above:

```
[root@master configmap]# vim pod-configmap-2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    along.com/created-by: "cluster admin"
spec:
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-config
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/config.d/
      readOnly: true
[root@master configmap]# kubectl apply -f pod-configmap-2.yaml
pod/pod-cm-2 created
```

(2) Log in to the pod and verify:

```
[root@master configmap]# kubectl get pods
NAME       READY     STATUS    RESTARTS   AGE
pod-cm-2   1/1       Running   0          7s
[root@master ~]# kubectl exec -it pod-cm-2 -- /bin/sh
/ # cd /etc/nginx/config.d/
/etc/nginx/config.d # ls
nginx_port   server_name
/etc/nginx/config.d # cat nginx_port
80
/etc/nginx/config.d # cat server_name
myapp.along.com
```

(3) When a ConfigMap is imported through a volume, modifying the ConfigMap changes the contents in the pod

① Use edit to modify the ConfigMap, changing nginx_port from 80 to 8080:

```
[root@master ~]# kubectl edit cm nginx-config
apiVersion: v1
data:
  nginx_port: "8080"
  server_name: myapp.along.com
... ...
configmap/nginx-config edited
```

② Log in to the pod again: the value has changed

```
[root@master ~]# kubectl exec -it pod-cm-2 -- /bin/sh
/ # cat /etc/nginx/config.d/nginx_port
8080
```

1.4 A complete ConfigMap example

1.4.1 Write the pod YAML file, using the nginx-www ConfigMap

```
[root@master configmap]# vim pod-configmap-3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-3
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    along.com/created-by: "cluster admin"
spec:
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-www
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/conf.d/
      readOnly: true
```

1.4.2 Create the pod

```
[root@master configmap]# kubectl apply -f pod-configmap-3.yaml
pod/pod-cm-3 created
[root@master configmap]# kubectl get pods
NAME       READY     STATUS    RESTARTS   AGE
pod-cm-3   1/1       Running   0          24s
```

1.4.3 Log in to the pod and check that the configuration was applied

```
[root@master configmap]# kubectl exec -it pod-cm-3 -- /bin/sh
/ # cat /etc/nginx/conf.d/www.conf
server {
    server_name myapp.along.com;
    listen 80;
    root /data/web/html/;
}
/ # nginx -T |tail -7    # -T dumps the nginx configuration
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/conf.d/www.conf:
server {
    server_name myapp.along.com;
    listen 80;
    root /data/web/html/;
}
--- Create the nginx home page content
/ # mkdir -p /data/web/html
/ # vi /data/web/html/index.html
Nginx Server configured by CM
```

1.4.4 Access the pod from another node to verify

(1) Open a new window on master and look up the pod's IP:

```
[root@master ~]# kubectl get pods -o wide
NAME       READY     STATUS    RESTARTS   AGE       IP             NODE
pod-cm-3   1/1       Running   0          7m        10.244.1.124   node2
```

(2) Configure hosts on any node so that it can reach this pod:

```
[root@node1 ~]# vim /etc/hosts
10.244.1.124 myapp.along.com
```

(3) Access the pod: success

```
[root@node1 ~]# curl myapp.along.com
Nginx Server configured by CM
```

1.4.5 Change the port of the nginx service in the pod by modifying the ConfigMap

(1) Modify the ConfigMap, changing the nginx port from 80 to 8888:

```
[root@master ~]# kubectl edit cm nginx-www
apiVersion: v1
data:
  www.conf: "server {\n\tserver_name myapp.along.com;\n\tlisten 8888;\n\troot /data/web/html/;\n}\n"
... ...
configmap/nginx-www edited
```

(2) The nginx configuration still has to be reloaded inside the pod (done by hand for now; later articles will use Kubernetes tooling for this):

```
/ # cat /etc/nginx/conf.d/www.conf    # check that the ConfigMap change has taken effect
server {
    server_name myapp.along.com;
    listen 8888;
    root /data/web/html/;
}
/ # nginx -s reload    # reload the nginx configuration
2019/02/25 02:32:00 [notice] 16#16: signal process started
```

(3) Access from a node to verify: success

```
[root@node1 ~]# curl myapp.along.com:8888
Nginx Server configured by CM
```

 

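2. Secret

2.1 About Secret

  •  The Secret object type is used to store sensitive information such as passwords, OAuth tokens and SSH keys. Putting this information in a Secret is safer and more flexible than putting it in a pod definition or a Docker image.
  •  A Secret is an object that holds a small amount of sensitive information such as a password, token or key. Such information might otherwise be placed in a pod spec or in an image; putting it in a Secret object gives better control over how it is used and reduces the risk of accidental exposure.
  •  Users can create Secrets, and the system also creates some Secrets.
  •  To use a Secret, a pod has to reference it. A pod can use a Secret in two ways: as files in a volume mounted into one or more of the pod's containers, or by the kubelet when it pulls images for the pod.
  •  There are three types of Secret:
      •  Service Account: used to access the Kubernetes API; created automatically by Kubernetes and automatically mounted into the pod's /run/secrets/kubernetes.io/serviceaccount directory;
      •  Opaque: a base64-encoded Secret, used to store passwords, keys and similar data;
      •  kubernetes.io/dockerconfigjson: used to store the credentials for a private Docker registry.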

 

2.2 Creating a Secret

```
--- Create the secret
[root@master ~]# kubectl create secret generic mysql-root-passwd --from-literal=password=MyP@ss123
secret/mysql-root-passwd created
--- List the secrets
[root@master ~]# kubectl get secret
NAME                  TYPE                                  DATA      AGE
default-token-wjbzf   kubernetes.io/service-account-token   3         35d
mysql-root-passwd     Opaque                                1         11s
--- Show the details
[root@master ~]# kubectl describe secret mysql-root-passwd
Name:         mysql-root-passwd
Namespace:    default
Labels:
Annotations:

Type:  Opaque

Data
====
password:  9 bytes    # stored base64-encoded (an encoding, not encryption)
--- Show the secret as YAML
[root@master ~]# kubectl get secret mysql-root-passwd -o yaml
apiVersion: v1
data:
  password: TXlQQHNzMTIz
kind: Secret
metadata:
  creationTimestamp: 2018-10-10T03:14:04Z
  name: mysql-root-passwd
  namespace: default
  resourceVersion: "436965"
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-passwd
  uid: 8adbf6ae-cc3a-11e8-bb48-005056277243
type: Opaque
--- Decode (base64 is reversible by anyone who can read the object)
[root@master ~]# echo TXlQQHNzMTIz |base64 -d
MyP@ss123
```

2.3 Injecting environment variables into a pod from a Secret

(1) Write the YAML file and create the pod:

```
[root@master configmap]# vim pod-secret-1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    along.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: MYSQL_ROOT_PASSWD
      valueFrom:
        secretKeyRef:
          name: mysql-root-passwd
          key: password
[root@master configmap]# kubectl apply -f pod-secret-1.yaml
pod/pod-secret-1 created
```

(2) Check and verify:

```
[root@master configmap]# kubectl get pods
NAME           READY     STATUS    RESTARTS   AGE
pod-secret-1   1/1       Running   0          14s
--- Verify: list the environment variables in the pod and filter for MYSQL_ROOT_PASSWD
[root@master configmap]# kubectl exec pod-secret-1 -- printenv |grep MYSQL
MYSQL_ROOT_PASSWD=MyP@ss123
```
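An added example, not from the original article: a small Python audit that separates ConfigMap and Secret references delivered as environment variables (fixed at container start and readable with printenv, as sections 1.3.1 and 2.3 show) from those delivered as volume files (section 1.3.2). The sample manifests are constructed from the page's pod-secret-1 and pod-cm-2 in JSON form, and the function names are hypothetical.

```python
import json

# Constructed sample: the page's pod-secret-1 and pod-cm-2 manifests in the
# JSON shape of `kubectl get pod -o json`, trimmed to the fields used here.
SAMPLE_PODS = json.loads("""[
 {"metadata": {"name": "pod-secret-1"},
  "spec": {"containers": [{"name": "myapp", "env": [
    {"name": "MYSQL_ROOT_PASSWD", "valueFrom": {"secretKeyRef":
      {"name": "mysql-root-passwd", "key": "password"}}}]}]}},
 {"metadata": {"name": "pod-cm-2"},
  "spec": {"volumes": [{"name": "nginxconf", "configMap": {"name": "nginx-config"}}],
    "containers": [{"name": "myapp", "volumeMounts": [
      {"name": "nginxconf", "mountPath": "/etc/nginx/config.d/", "readOnly": true}]}]}}
]""")

ENV_REFS = {"secretKeyRef": "Secret", "configMapKeyRef": "ConfigMap"}
ENVFROM_REFS = {"secretRef": "Secret", "configMapRef": "ConfigMap"}

def audit_pod(pod):
    """List (pod, container, kind, object, delivery, detail) for every reference."""
    name, spec, found = pod["metadata"]["name"], pod.get("spec", {}), []
    vols = {}  # volume name -> (kind, object name)
    for v in spec.get("volumes", []):
        if "secret" in v:
            vols[v["name"]] = ("Secret", v["secret"]["secretName"])
        elif "configMap" in v:
            vols[v["name"]] = ("ConfigMap", v["configMap"]["name"])
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for e in c.get("env", []):  # single keys: fixed at container start
            for ref, kind in ENV_REFS.items():
                src = (e.get("valueFrom") or {}).get(ref)
                if src:
                    found.append((name, c["name"], kind, src["name"], "env", e["name"]))
        for ef in c.get("envFrom", []):  # whole object imported as variables
            for ref, kind in ENVFROM_REFS.items():
                if ref in ef:
                    found.append((name, c["name"], kind, ef[ref]["name"], "env", "*"))
        for m in c.get("volumeMounts", []):  # files: follow later edits (1.3.2)
            if m["name"] in vols:
                kind, obj = vols[m["name"]]
                found.append((name, c["name"], kind, obj, "volume", m["mountPath"]))
    return found

def secrets_in_env(pods):
    """Secret values any `printenv` in the container can read, as in section 2.3."""
    return [f for p in pods for f in audit_pod(p) if f[2] == "Secret" and f[4] == "env"]

if __name__ == "__main__":
    for finding in secrets_in_env(SAMPLE_PODS):
        print("secret delivered via env:", finding)
```

On a live cluster the same functions accept the `items` list from `kubectl get pods -o json`.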

Copyright notice
This article was written by [alonghub]. Please include a link to the original when reposting. Thank you.
https://www.cnblogs.com/along21/p/10435468.html
