k8s快速入门教程-----8 secret and configmap

最新推荐文章于 2024-07-18 23:08:30 发布

cloud_engineer

最新推荐文章于 2024-07-18 23:08:30 发布

阅读量550

点赞数

分类专栏： kubernetes入门教程文章标签： kubernetes docker 运维 configmap secret

本文链接：https://blog.youkuaiyun.com/cloud_engineer/article/details/126850560

版权

kubernetes入门教程专栏收录该内容

8 篇文章

订阅专栏

上一篇: k8s快速入门教程-----7 数据管理

8.1 secret

Secret会以密文的方式存储数据，避免了直接在配置文件中保存敏感信息。Secret 会以Volume的形式被mount 到Pod,容器可通过文件的方式使用Secret 中的敏感数据;此外，容器也可以环境变量的方式使用这些数据。Secret可通过命令行或YAML创建。比如希望Secret 中包含如下信息:用户名admin, 密码123456。以下2种效果是一样的。

8.1.1 创建secret

8.1.1.1 通过–from-env-file

创建密钥文件

cat << EOF > env.txt 
root_password=21vianet
database=wangjinxiong
databaseuser=wangjinxiong
datapassword=123456
EOF

直接执行以下命令，生成的secret数据value值会自动加密。

kubectl create secret generic mysecret0913 --from-env-file=env.txt

查看k8S相关secret信息：

# kubectl get secret mysecret0913 -oyaml
apiVersion: v1
data:
  database: d2FuZ2ppbnhpb25n
  databaseuser: d2FuZ2ppbnhpb25n
  datapassword: MTIzNDU2
  root_password: MjF2aWFuZXQ=
kind: Secret
metadata:
  creationTimestamp: "2022-09-13T08:38:05Z"
  name: mysecret0913
  namespace: default
  resourceVersion: "129446914"
  selfLink: /api/v1/namespaces/default/secrets/mysecret0913
  uid: 5fc183df-740b-48f1-a77e-a3efadf7c32b
type: Opaque

绑定pod：

# cat mysql0913.yaml
kind: Pod
apiVersion: v1
metadata:
  name: mysql0913
  labels:
    app: mysql0913
spec:
  containers:
    - name: mysql0913
      image: mysql
      ports:
        - name: tcp-3306
          containerPort: 3306
          protocol: TCP
      env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret0913
              key: root_password
        - name: MYSQL_DATABASE
          valueFrom:
            secretKeyRef:
              name: mysecret0913
              key: database
        - name: MYSQL_USER
          valueFrom:
            secretKeyRef:
              name: mysecret0913
              key: databaseuser
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret0913
              key: datapassword
      imagePullPolicy: IfNotPresent
  restartPolicy: Always

8.1.1.2 通过yaml创建

value如果需要加密，需要手动用base64操作：

# echo -n 21vianet | base64
MjF2aWFuZXQ=
#echo -n wangjinxiong | base64
d2FuZ2ppbnhpb25n
# echo -n 123456 | base64
MTIzNDU2

直接创建secret后用kubectl apply -f secret0913.yaml

vi secret0913.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret0913
  namespace: default
data:
  database: d2FuZ2ppbnhpb25n
  databaseuser: d2FuZ2ppbnhpb25n
  datapassword: MTIzNDU2
  root_password: MjF2aWFuZXQ=


kubectl apply -f secret0913.yaml

绑定pod:

# cat mysql0913.yaml
kind: Pod
apiVersion: v1
metadata:
  name: mysql0913
  labels:
    app: mysql0913
spec:
  containers:
    - name: mysql0913
      image: mysql
      ports:
        - name: tcp-3306
          containerPort: 3306
          protocol: TCP
      env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret0913
              key: root_password
        - name: MYSQL_DATABASE
          valueFrom:
            secretKeyRef:
              name: mysecret0913
              key: database
        - name: MYSQL_USER
          valueFrom:
            secretKeyRef:
              name: mysecret0913
              key: databaseuser
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret0913
              key: datapassword
      imagePullPolicy: IfNotPresent
  restartPolicy: Always

8.1.2 在pod里面使用secret

8.1.2.1 环境变量方式

创建一个pod绑定secret。

kind: Pod
apiVersion: v1
metadata:
  name: mysql0913
  labels:
    app: mysql0913
spec:
  containers:
    - name: mysql0913
      image: mysql
      ports:
        - name: tcp-3306
          containerPort: 3306
          protocol: TCP
      env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret0913
              key: root_password
        - name: MYSQL_DATABASE
          valueFrom:
            secretKeyRef:
              name: mysecret0913
              key: database
        - name: MYSQL_USER
          valueFrom:
            secretKeyRef:
              name: mysecret0913
              key: databaseuser
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret0913
              key: datapassword
      imagePullPolicy: IfNotPresent
  restartPolicy: Always

8.1.1.1 与8.1.1.2 2种方式均可以正常进入数据库：

# kubectl exec -it mysql0913 /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@mysql0913:/# mysql -uroot -p21vianet
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.27 MySQL Community Server - GPL

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| wangjinxiong       |
+--------------------+
5 rows in set (0.03 sec)

mysql> quit
Bye
root@mysql0913:/# mysql -uwangjinxiong -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.27 MySQL Community Server - GPL

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| wangjinxiong       |
+--------------------+
2 rows in set (0.01 sec)

mysql>

8.1.2.2 volume方式

创建一个pod以volume绑定secret

kind: Pod
apiVersion: v1
metadata:
  name: busybox0914
  labels:
    app: busybox0914
spec:
  volumes:
  - name: mysecret0913
    secret:
      secretName: mysecret0913
  containers:
    - name: busybox0914
      image: busybox
      imagePullPolicy: IfNotPresent
      args:
        - /bin/sh
        - -c
        - sleep 10;touch /tmp/healthy;sleep 30000
      volumeMounts:
      - name: mysecret0913
        mountPath: "/etc/foo"
        readOnly: true
  restartPolicy: Always

登录pod:

# kubectl exec -it busybox0914 sh
/ # cat /etc/foo/database
wangjinxiong
/ # cat /etc/foo/databaseuser
wangjinxiong
/ # cat /etc/foo/datapassword
123456
/ # cat /etc/foo/root_password 
21vianet
/ #

8.2 configmap

Secret可以为Pod 提供密码、Token、私钥等敏感数据;对于一些非敏感数据，比如应用的配置信息，则可以用ConfigMap。ConfigMap的创建和使用方式与Secret非常类似，主要的不同是数据以明文的形式存放。ConfigMap 一般用于下面2种方式，一种是环境变量传递；一种是配置文件读写。

8.2.1 创建configmap

创建configmap文件

cat << EOF > env.txt 
root_password=21vianet
database=wangjinxiong
databaseuser=wangjinxiong
datapassword=123456
EOF

直接执行以下命令，生成configmap

kubectl create configmap myconfigmap0914 --from-env-file=env.txt

查看configmap配置，发觉以明文存放：

# kubectl get configmap myconfigmap0914 -oyaml
apiVersion: v1
data:
  root_password: 21vianet
  database: wangjinxiong
  databaseuser: wangjinxiong
  datapassword: 123456
kind: ConfigMap
metadata:
  creationTimestamp: "2022-09-14T02:20:59Z"
  name: myconfigmap0914
  namespace: default
  resourceVersion: "129868649"
  selfLink: /api/v1/namespaces/default/configmaps/myconfigmap0914
  uid: 30ad8371-6267-4e06-8fab-bc7d86c840af

8.2.2 通过yaml创建

直接创建configmap后用kubectl apply -f myconfigmap0914.yaml

kind: ConfigMap
apiVersion: v1
metadata:
  name: myconfigmap1008
data:
  root_password: 21vianet
  database: wangjinxiong
  databaseuser: wangjinxiong
  datapassword: 123456

8.2.3 在pod里面使用configmap

8.2.3.1 环境变量方式

kind: Pod
apiVersion: v1
metadata:
  name: mysql0914
  labels:
    app: mysql0914
spec:
  volumes:
    - name: host-time
      hostPath:
        path: /etc/localtime
        type: ''
    - name: myconfigmap0914
      configMap:
        name: myconfigmap0914
  containers:
    - name: mysql0914
      image: mysql:5.7
      ports:
        - name: tcp-3306
          containerPort: 3306
          protocol: TCP
      env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            configMapKeyRef:
              name: myconfigmap0914
              key: root_password
        - name: MYSQL_DATABASE
          valueFrom:
            configMapKeyRef:
              name: myconfigmap0914
              key: database
        - name: MYSQL_USER
          valueFrom:
            configMapKeyRef:
              name: myconfigmap0914
              key: databaseuser
        - name: MYSQL_PASSWORD
          valueFrom:
            configMapKeyRef:
              name: myconfigmap0914
              key: datapassword
      volumeMounts:
        - name: host-time
          readOnly: true
          mountPath: /etc/localtime
      imagePullPolicy: IfNotPresent
  restartPolicy: Always

8.2.3.2 volume方式

volume方式一般用于服务的配置文件挂载。
创建文件：

cat my.cnf 
[mysqld]
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
datadir         = /var/lib/mysql
secure-file-priv= NULL
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0

# Custom config should go here
!includedir /etc/mysql/conf.d/

default_authentication_plugin= mysql_native_password

创建configmap:

kubectl create configmap mysql-config0914 --from-file=my.cnf

创建deployment绑定configmap:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: mysql0914
  labels:
    app: mysql0914
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mysql0914
  template:
    metadata:
      labels:
        app: mysql0914
    spec:
      volumes:
        - name: host-time
          hostPath:
            path: /etc/localtime
            type: ''
        - name: mysql-config0914
          configMap:
            name: mysql-config0914
            items:
            - key: my.cnf
              path: my.cnf
      containers:
        - name: container0914
          image: 'mysql:8.0'
          ports:
            - name: tcp-3306
              containerPort: 3306
              protocol: TCP
          env:
            - name: MYSQL_ROOT_PASSWORD
              value: gtland2021
          volumeMounts:
            - name: host-time
              readOnly: true
              mountPath: /etc/localtime
            - name: mysql-config0914
              subPath: my.cnf
              mountPath: /etc/mysql/my.cnf
          imagePullPolicy: IfNotPresent