K8S - 理解volumeMounts 中的subpath

已于 2025-05-11 00:18:56 修改
阅读量2.3k 收藏 24
点赞数 14
CC 4.0 BY-SA版权
分类专栏: K8S 文章标签: kubernetes 容器 云原生
于 2024-09-01 04:37:32 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/nvd11/article/details/141762021

在上一篇文章中
springboot service如何动态读取外部配置文件

介绍了springboot 中如何实时读取外部配置文件的内容



部署在K8S

接下来我把它部署在k8s



首先, 我们把配置文件放入项目某个目录

这步部是必须的, 毕竟我们要引入是项目外部的文件, 这一步只是方便在不同CICD 环境下的docker 构建
我们就放在 src 外面的configs folder
在这里插入图片描述


修改docker file

# use the basic openjdk image
FROM openjdk:17

# setup working directory
WORKDIR /app

# create /app/config
RUN mkdir -p /app/config/config2

# copy configs files from project folder to /app/config
# When using COPY with more than one source file, the destination must be a directory and end with a /
COPY configs/external-config.properties /app/config/
COPY configs/external-config2.properties /app/config/config2/

# copy and rename jar file into container
COPY target/*.jar app.jar

# expose port
EXPOSE 8080

# define environment variable, and provide a default value
ENV APP_ENVIRONMENT=dev

# define the default startup command, it could be overridden in k8s
# CMD java -jar -Dserver.port=8080 -Dspring.config.name=application-${APP_ENVIRONMENT} app.jar
CMD java -jar -Dserver.port=8080 app.jar --spring.profiles.active=${APP_ENVIRONMENT}

需要创建/app/configs 并把配置文件复制到这里, 因为springboot service 会从这个path读取
注意有两个config 文件, 他们并不在同1个folder
external-config2.properties 在subfolder config2里面



构建镜像和部署镜像到GAR

这一步我们用google cloudbuild 完成
至于cloudbuild 的介绍请参考
初探 Google 云原生的CICD - CloudBuild

cloudbuild-gcr.yaml

# just to update the docker image to GAR with the pom.xml version

steps:
  - id: run maven install
    name: maven:3.9.6-sapmachine-17 # https://hub.docker.com/_/maven
    entrypoint: bash
    args:
      - '-c'
      - |
        whoami
        set -x
        pwd
        mvn install
        cat pom.xml | grep -m 1 "<version>" | sed -e 's/.*<version>\([^<]*\)<\/version>.*/\1/' > /workspace/version.txt
        echo "Version: $(cat /workspace/version.txt)"


  - id: build and push docker image
    name: 'gcr.io/cloud-builders/docker'
    entrypoint: bash
    args:
      - '-c'
      - |
        set -x
        echo "Building docker image with tag: $(cat /workspace/version.txt)"
        docker build -t $_GAR_BASE/$PROJECT_ID/$_DOCKER_REPO_NAME/${_APP_NAME}:$(cat /workspace/version.txt) .
        docker push $_GAR_BASE/$PROJECT_ID/$_DOCKER_REPO_NAME/${_APP_NAME}:$(cat /workspace/version.txt)


logsBucket: gs://jason-hsbc_cloudbuild/logs/
options: # https://cloud.google.com/cloud-build/docs/build-config#options
  logging: GCS_ONLY # or CLOUD_LOGGING_ONLY https://cloud.google.com/cloud-build/docs/build-config#logging



substitutions:
  _DOCKER_REPO_NAME: my-docker-repo
  _APP_NAME: cloud-order
  _GAR_BASE: europe-west2-docker.pkg.dev

部署完成后, 我们得到1个gar的对应image的url
europe-west2-docker.pkg.dev/jason-hsbc/my-docker-repo/cloud-order:1.1.0



编写k8s yaml 和部署到k8s

apiVersion: apps/v1
kind: Deployment
metadata:
  labels: # label of this deployment
    app: cloud-order # custom defined
    author: nvd11
  name: deployment-cloud-order # name of this deployment
  namespace: default
spec:
  replicas: 3            # desired replica count, Please note that the replica Pods in a Deployment are typically distributed across multiple nodes.
  revisionHistoryLimit: 10 # The number of old ReplicaSets to retain to allow rollback
  selector: # label of the Pod that the Deployment is managing,, it's mandatory, without it , we will get this error 
            # error: error validating data: ValidationError(Deployment.spec.selector): missing required field "matchLabels" in io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector ..
    matchLabels:
      app: cloud-order
  strategy: # Strategy of upodate
    type: RollingUpdate # RollingUpdate or Recreate
    rollingUpdate:
      maxSurge: 25% # The maximum number of Pods that can be created over the desired number of Pods during the update
      maxUnavailable: 25% # The maximum number of Pods that can be unavailable during the update
  template: # Pod template
    metadata:
      labels:
        app: cloud-order # label of the Pod that the Deployment is managing. must match the selector, otherwise, will get the error Invalid value: map[string]string{"app":"bq-api-xxx"}: `selector` does not match template `labels`
    spec: # specification of the Pod
      containers:
      - image: europe-west2-docker.pkg.dev/jason-hsbc/my-docker-repo/cloud-order:1.1.0 # image of the container
        imagePullPolicy: Always
        name: container-cloud-order
        command: ["bash"]
        args: 
          - "-c"
          - |
            java -jar -Dserver.port=8080 app.jar --spring.profiles.active=$APP_ENVIRONMENT
        env: # set env varaibles
        - name: APP_ENVIRONMENT # name of the environment variable
          value: prod # value of the environment variable
            
            
      restartPolicy: Always # Restart policy for all containers within the Pod
      terminationGracePeriodSeconds: 10 # The period of time in seconds given to the Pod to terminate gracefully

没什么特别

部署:

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ kubectl apply -f deployment-cloud-order-with-subpath.yaml 
deployment.apps/deployment-cloud-order created
gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ kubectl get pods
NAME                                         READY   STATUS      RESTARTS       AGE
deployment-bq-api-service-6f6ffc7866-8djx9   1/1     Running     3 (12d ago)    17d
deployment-bq-api-service-6f6ffc7866-g4854   1/1     Running     12 (12d ago)   61d
deployment-bq-api-service-6f6ffc7866-lwxt7   1/1     Running     14 (12d ago)   63d
deployment-bq-api-service-6f6ffc7866-mxwcq   1/1     Running     11 (12d ago)   61d
deployment-cloud-order-58ddcf894d-8pjsz      1/1     Running     0              5s
deployment-cloud-order-58ddcf894d-mp4js      1/1     Running     0              5s
deployment-cloud-order-58ddcf894d-sszjd      1/1     Running     0              5s

检查容器内的配置文件:

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ kubectl exec -it deployment-cloud-order-58ddcf894d-8pjsz -- /bin/bash
bash-4.4# pwd
/app
bash-4.4# ls config
config2  external-config.properties
bash-4.4# ls config/config2/
external-config2.properties
bash-4.4#



测试api

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ curl http://www.jp-gcp-vms.cloud:8085/cloud-order/actuator/info | jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1842    0  1842    0     0   1827      0 --:--:--  0:00:01 --:--:--  1829
{
  "app": "Cloud Order Service",
  "appEnvProfile": "prod",
  "version": "1.1.0",
  "hostname": "deployment-cloud-order-58ddcf894d-8pjsz",
  "dbUrl": "jdbc:mysql://192.168.0.42:3306/demo_cloud_order?useUnicode=true&characterEncoding=utf-8&useSSL=false&allowPublicKeyRetrieval=true",
  "description": "This is a simple Spring Boot application to for cloud order...",
  "customConfig1": "value of config1",
  "customConfig2": "value of config2",
  }
}

注意 customConfig1 和 customConfig2 的值, 部署是成功的



For customConfig2 使用configMap

由于customConfig2 是实时更新的
我们尝试用configmap 来取代 上面external-config2.properties 的配置
注意这里的值改成 value of config2 - from k8s configmap 方便区分



构建1个external-config2 的configmap 资源对象

configmap-cloud-order-external-config2.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: configmap-cloud-order-external-config2
data:
  external.custom.config2: external.custom.config2=value of config2 - from k8s configmap

部署:

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ kubectl apply -f configmap-cloud-order-external-config2.yaml 
configmap/configmap-cloud-order-external-config2 created
gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ kubectl describe cm configmap-cloud-order-external-config2
Name:         configmap-cloud-order-external-config2
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
external.custom.config2:
----
external.custom.config2=value of config2 - from k8s configmap

BinaryData
====

Events:  <none>



修改deployment yaml 引入configmap

apiVersion: apps/v1
kind: Deployment
metadata:
  labels: # label of this deployment
    app: cloud-order # custom defined
    author: nvd11
  name: deployment-cloud-order # name of this deployment
  namespace: default
spec:
  replicas: 3            # desired replica count, Please note that the replica Pods in a Deployment are typically distributed across multiple nodes.
  revisionHistoryLimit: 10 # The number of old ReplicaSets to retain to allow rollback
  selector: # label of the Pod that the Deployment is managing,, it's mandatory, without it , we will get this error 
            # error: error validating data: ValidationError(Deployment.spec.selector): missing required field "matchLabels" in io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector ..
    matchLabels:
      app: cloud-order
  strategy: # Strategy of upodate
    type: RollingUpdate # RollingUpdate or Recreate
    rollingUpdate:
      maxSurge: 25% # The maximum number of Pods that can be created over the desired number of Pods during the update
      maxUnavailable: 25% # The maximum number of Pods that can be unavailable during the update
  template: # Pod template
    metadata:
      labels:
        app: cloud-order # label of the Pod that the Deployment is managing. must match the selector, otherwise, will get the error Invalid value: map[string]string{"app":"bq-api-xxx"}: `selector` does not match template `labels`
    spec: # specification of the Pod
      containers:
      - image: europe-west2-docker.pkg.dev/jason-hsbc/my-docker-repo/cloud-order:1.1.0 # image of the container
        imagePullPolicy: Always
        name: container-cloud-order
        command: ["bash"]
        args: 
          - "-c"
          - |
            java -jar -Dserver.port=8080 app.jar --spring.profiles.active=$APP_ENVIRONMENT
        env: # set env varaibles
        - name: APP_ENVIRONMENT # name of the environment variable
          value: prod # value of the environment variable
        volumeMounts:
          - name: volume-external-config2
            mountPath: /app/config/config2/
	    volumes:
	      - name: volume-external-config2
	        configMap:
	          name: configmap-cloud-order-external-config2
	          items:
	            - key: external.custom.config2
	              path: external-config2.properties # name of the file to be mounted
            
            
      restartPolicy: Always # Restart policy for all containers within the Pod
      terminationGracePeriodSeconds: 10 # The period of time in seconds given to the Pod to terminate gracefully

注意这里使用了 volume 和 volumemount



重新部署 cloud-order service

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ kubectl delete deploy deployment-cloud-order
deployment.apps "deployment-cloud-order" deleted
gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ kubectl apply -f deployment-cloud-order-with-subpath.yaml 
deployment.apps/deployment-cloud-order created



测试api

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ curl http://www.jp-gcp-vms.cloud:8085/cloud-order/actuator/info | jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1863    0  1863    0     0   3888      0 --:--:-- --:--:-- --:--:--  3889
{
  "app": "Cloud Order Service",
  "appEnvProfile": "prod",
  "version": "1.1.0",
  "hostname": "deployment-cloud-order-69d4cd76d6-hwtfj",
  "dbUrl": "jdbc:mysql://192.168.0.42:3306/demo_cloud_order?useUnicode=true&characterEncoding=utf-8&useSSL=false&allowPublicKeyRetrieval=true",
  "description": "This is a simple Spring Boot application to for cloud order...",
  "customConfig1": "value of config1",
  "customConfig2": "value of config2 - from k8s configmap",

并没什么大问题, 证明configmap 的配置是可以覆盖docker里面定义的配置文件的



实时修改configmap 的配置

这时我们修改一下 configmap configmap-cloud-order-external-config2 里的值
由 external.custom.config2: external.custom.config2=value of config2 - from k8s configmap
改成 external.custom.config2: external.custom.config2=value of config2 - from k8s configmap updated!

apiVersion: v1
kind: ConfigMap
metadata:
  name: configmap-cloud-order-external-config2
data:
  external.custom.config2: external.custom.config2=value of config2 - from k8s configmap updated!

更新:

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ kubectl apply -f configmap-cloud-order-external-config2.yaml 
configmap/configmap-cloud-order-external-config2 configured

等半分钟后 (1是 k8s 需要时间把 configmap的值刷新到 pods里的volumes, 2时是springboot本身需要定时器去重新获取值)
再测试api

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ curl http://www.jp-gcp-vms.cloud:8085/cloud-order/actuator/info | jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1872    0  1872    0     0   3900      0 --:--:-- --:--:-- --:--:--  3900
{
  "app": "Cloud Order Service",
  "appEnvProfile": "prod",
  "version": "1.1.0",
  "hostname": "deployment-cloud-order-69d4cd76d6-qj98f",
  "dbUrl": "jdbc:mysql://192.168.0.42:3306/demo_cloud_order?useUnicode=true&characterEncoding=utf-8&useSSL=false&allowPublicKeyRetrieval=true",
  "description": "This is a simple Spring Boot application to for cloud order...",
  "customConfig1": "value of config1",
  "customConfig2": "value of config2 - from k8s configmap updated!",

果然customConfig2的值自动更新了, 正是我们想要的
而且容器里的文件也的确更新了

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ kubectl exec -it deployment-cloud-order-69d4cd76d6-hwtfj -- /bin/bash
bash-4.4# pwd
/app
bash-4.4# ls config
config2  external-config.properties
bash-4.4# cat config/config2/external-config2.properties 
external.custom.config2=value of config2 - from k8s configmap updated!



volumes mount 会覆盖整个文件夹(其他文件被删除)

下面来点整活
我们修改一下deployment 的yaml 配置, 把configmap的值 mark成另1个文件名

  volumeMounts:
          - name: volume-external-config2
            mountPath: /app/config/config2/
	    volumes:
	      - name: volume-external-config2
	        configMap:
	          name: configmap-cloud-order-external-config2
	          items:
	            - key: external.custom.config2
	              path: external-config2-1.properties # name of the file to be mounted

按照设想, 容器内的configmap里的
/app/config/config2/ 文件内将会有两个文件

dockerfile 定义的external-config2.properties
和 k8s 定义的 external-config2-1.properties

实际部署测试:

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ curl http://www.jp-gcp-vms.cloud:8085/cloud-order/actuator/info | jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1837    0  1837    0     0    926      0 --:--:--  0:00:01 --:--:--   926
{
  "app": "Cloud Order Service",
  "appEnvProfile": "prod",
  "version": "1.1.0",
  "hostname": "deployment-cloud-order-6878b85d44-cdvlc",
  "dbUrl": "jdbc:mysql://192.168.0.42:3306/demo_cloud_order?useUnicode=true&characterEncoding=utf-8&useSSL=false&allowPublicKeyRetrieval=true",
  "description": "This is a simple Spring Boot application to for cloud order...",
  "customConfig1": "value of config1",
  "customConfig2": "not defined",

customConfig2 居然是not defined
检查容器
发现 external-config2.properties 没了

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ kubectl exec -it deployment-cloud-order-6878b85d44-cdvlc -- /bin/bash
bash-4.4# ls
app.jar  config
bash-4.4# ls config
config2  external-config.properties
bash-4.4# ls config/config2/
external-config2-1.properties
bash-4.4#

原因是 当k8s 把 volume volume-external-config2 mount在 /app/config/config2 中的时候, 原来的文件就会消失



尝试把新文件mount到1个subfolder

解决方法1:
把 volume volume-external-config2 mount在 /app/config/config2/config-sub
应该可以解决

我们修改deployment yaml

  volumeMounts:
          - name: volume-external-config2
            mountPath: /app/config/config2/config-sub
	    volumes:
	      - name: volume-external-config2
	        configMap:
	          name: configmap-cloud-order-external-config2
	          items:
	            - key: external.custom.config2
	              path: external-config2-1.properties # name of the file to be mounted

mountPath 改成了/app/config/config2/config-sub

这种方法是可行的

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ kubectl exec -it deployment-cloud-order-654974f855-cmdz7 -- /bin/bash
bash-4.4# ls
app.jar  config
bash-4.4# cd config
bash-4.4# ls
config2  external-config.properties
bash-4.4# cd config2
bash-4.4# ls
config-sub  external-config2.properties
bash-4.4# cd config-sub
bash-4.4# ls
external-config2-1.properties
bash-4.4#

而且证明了, mountpath中的路径不存在的话, k8s会尝试创建。



利用subpath 去把文件mount在同样的folder

但是上面的做法, 能把新文件mount在1个字母中, 的确不会另旧文件消失,但是并直接真正解决问题

K8S 提供了subpath 的方法:
我们修改deployment yaml

        volumeMounts:
          - name: volume-external-config2
            mountPath: /app/config/config2/external-config2-1.properties # if we need to use subpath, need to provide the filename as well
            subPath: external-config2-1.properties # name of the file to be mounted, if we use subpath, the other files in that same folder will not dispear
      volumes:
        - name: volume-external-config2
          configMap:
            name: configmap-cloud-order-external-config2
            items:
              - key: external.custom.config2
                path: external-config2-1.properties # name of the file to be mounted

注意这里有两个改动:

  1. mountpath 上加上了文件名
  2. 添加subpath 配置, 其值还是文件名

这次的确能令两个配置文件同时存在, 原来的文件external-config2.properties 并没有被抹除

gateman@MoreFine-S500:~/projects/coding/k8s-s/service-case/cloud-order$ kubectl exec -it deployment-cloud-order-7775b8c7cd-jnv7v -- /bin/bash
bash-4.4# pwd
/app
bash-4.4# ls
app.jar  config
bash-4.4# ls config
config2  external-config.properties
bash-4.4# ls config/config2/
external-config2-1.properties  external-config2.properties
bash-4.4#



subpath的一些限制

k8s 设计的 subpath 其实并不是那么直接
参考:
https://hackmd.io/@maelvls/kubernetes-subpath?utm_source=preview-mode&utm_medium=rec

第1个限制就是 subpath 只能1个文件1个文件地mount, 不支持mount整个folder

参考:
https://kubernetes.io/docs/concepts/configuration/configmap/

第2个限制就是, 用subpath mount的configmap , 即使configmap的值被外部修改, 也不会同步到容器…

持续集成部署-k8s-配置与存储-配置管理:SubPath
种一棵树最好的时间是十年前,其次是现在。
11-19 1808
在`Kubernetes (K8s)` 中,`SubPath`是用于指定容器内部目录挂载的一个属性。它可以在Pod中指定某个Volume挂载到容器内部的特定目录下,以便容器可以访问该目录中的文件。
深入解析K8s VolumeMounts中的subPath字段及其应用
菜鸟运维升级之路
03-10 1036
Kubernetes中,挂载存储卷是容器化应用的常见需求。然而当我们将整个卷挂载到容器中的某个目录时,可能会覆盖目标目录中已有的文件,尤其是在共享目录或有多个应用访问同一卷的场景下。为了避免这种情况,subPath字段应运而生,它允许精确指定要挂载的子目录或文件,从而避免覆盖目录中其他重要数据。在这篇文章中,我们将深入探讨subPath字段的使用方法,展示如何通过这一功能实现精准挂载,确保不干扰或覆盖目录中的其他文件。
k8s的yaml文件里的volume跟volumeMount的区别
最新发布
2303_78135757的博客
04-22 566
k8s的yaml文件里的volume跟volumeMount的区别
K8S Volume 中使用 subPath
east4ming的博客
01-11 1711
使用 subPath 有时,在单个 Pod 中共享卷以供多方使用是很有用的。 volumeMounts.subPath 属性可用于指定所引用的卷内的子路径,而不是其根路径。 下面是一个使用同一共享卷的、内含 LAMP 栈(Linux Apache Mysql PHP)的 Pod 的示例。 HTML 内容被映射到卷的 html 文件夹,数据库将被存储在卷的 mysql 文件夹中: apiVersion: v1 kind: Pod metadata: name: my-lamp-site spec:
k8s volume mount subpath
qq_15138049的博客
07-25 465
k8s subPath
云原生k8svolumeMounts.subPath的巧妙用法
匠人精神,持之以恒!
09-03 1万+
有时,在单个 Pod 中共享卷以供多方使用是很有用的。属性可用于指定所引用的卷内的子路径,而不是其根路径。
K8S的mountPath和subPath
Blue summer的博客
03-25 3532
mountPath是容器内部文件系统的挂载点,它定义了容器内部将外部存储卷(如 PersistentVolume、ConfigMap、Secret 等)挂载到哪个路径下。通过 mountPath,容器可以访问这些挂载的数据或配置。
K8S使用Deployment&Configmap操作示例
WEL测试
05-16 6698
基于对当前系统理解及配置的规划,通过K8S部署应用,需要三大利器。configMap用于统一管理配置信息,service用于对外提供服务,deployment用于部署pod及系统升级更新。
k8s部署jenkins
crontab_e的博客
11-28 1640
【代码】k8s部署jenkins。
K8S中部署MySQL高可用工具Orchestrator
sozee910的博客
09-05 1460
Orchestrator 可以部署在物理机、虚拟机或 Kubernetes 集群中,笔者发现目前针对k8s集群部署的方式介绍较少,现通过示例详细阐述Orchestrator 这一功能强大且灵活的工具部署方式,希望学习mysql和k8s的同学提供帮助
自用 K8S 资源对象清单 YAML 配置模板手册-1
云端梦留白的博客
08-07 1386
自用 K8S 资源对象清单 YAML 配置模板手册-1。
ELKB介绍和二进制安装和收集k8s worker日志
weixin_44093727的博客
02-12 1033
ELKB介绍和二进制安装和收集k8s worker日志
k8s volumeMounts 功能 使用时subPath 参数
热门推荐
hubanbei2010的家园
01-31 4万+
写pod的yaml文件时,如果想使用云存储,则volumeMounts这个property, mountPath 为container内部目录 而subPath 虽然紧跟mountpath, 最容易被误解为本地路径,其实其为远端云存储上的子路径 所以进入pod内部看磁盘情况,显示 bbuser@stream-notifications-baseline-learn-tomcat-7cd697-2x...
Kubernets——subPath介绍
xiayping的博客
09-06 2530
KubernetesSubPath的使用介绍
[k8s]subpath解决cm覆盖目录问题
weixin_34362991的博客
01-25 4008
参考 发现cm老覆盖容器原有目录里的内容,后来不得不通过in -s的方式来搞cm, 先将cm挂到/tmp下,然后ln -s文件到指定目录. 后来发现个cm的subpath特性可以解决这个问题 写了busybox的cm和rc测试cm subpath cat &gt; busybox-cm.yaml &lt;&lt;EOF apiVersion: v1 kind: ConfigMap metadat...
k8s configMap中subPath字段和items字段详解
学亮编程手记
07-21 3513
,原来的workspace目录下的文件将会被挂载过来的目录下(可以将configmap看成一个目录,因为每个key都是一个文件)的文件所覆盖,因此workspace中只有configmap中的info和info2文件。如果不想被覆盖,则要以文件的方式进行挂载,如pod2.yaml中所示,注意mountPath和subPath的写法,subPath此时指的就是configMap中的key,也就是文件名。在Linux中,将目录A挂载到目录B,则目录B原有的文件都会被目录A下的文件覆盖。...
kubernetes之configmap,深度解析mountPath,subPath,key,path的关系和作用
monkey的专栏
03-02 5824
kubernetes之configmap,深度解析mountPath,subPath,key,path的关系和作用 参考:https://www.cnblogs.com/breezey/p/6582082.html 我们知道,在几乎所有的应用开发中,都会涉及到配置文件的变更,比如说在web的程序中,需要连接数据库,缓存甚至是队列等等。而我们的一个应用程序从写第一行代码开始,要经历开发环境...
十三、K8S-cm、secret使用SubPath和热更新
爱吃西红柿的博客
01-26 659
4、将目录B内的文件b挂载到容器内指定的目录A,容器的目录A内容不会被覆盖,而且容器目录A还存在挂载来的文件b;2、使用subPath既可以将卷的子目录挂载到容器的指定目录,也可以将文件挂载到容器内指定的目录下的文件。1、subPath是在挂载的卷的子路径,而不是被挂载的容器目录的子路径(volumeMounts)。ConfigMap和Secret的更新方式是一样的 再此只做ConfigMap的更新。3、将目录B挂载到容器内指定的目录A,容器的目录A下的所有内容会被目录B覆盖。
subPath的详解
weixin_44770684的博客
05-08 4491
k8s subPathx详解 subpath 挂载文件巧用 subpath挂载普通文件 subpath挂载configMap和secret巧用
K8S安装elasticsearch-tls
03-27
<think>嗯,用户想了解如何在KubernetesK8S)上安装带有TLS的Elasticsearch。首先,我需要回顾一下Kubernetes中部署Elasticsearch的一般步骤,然后考虑如何集成TLS。用户可能已经有一定的K8S基础,但需要具体指导如何配置安全传输层。 首先,Elasticsearch在K8S中的部署通常使用StatefulSet,因为ES是有状态的应用,需要稳定的网络标识和持久化存储。另外,TLS的配置涉及到证书的生成和管理,可能需要用到像Cert-Manager这样的工具来自动化证书签发,或者手动生成自签名证书。 接下来,我需要考虑如何为Elasticsearch集群启用TLS加密。ES的TLS配置通常需要在elasticsearch.yml中设置相关参数,比如xpack.security.enabled和xpack.security.transport.ssl.enabled等。在K8S环境中,这些配置可以通过ConfigMap挂载到容器中。 然后,证书的问题。用户可能需要为每个节点生成证书,或者使用统一的证书。在K8S中,可以使用Secret来存储证书和私钥,然后在Pod中挂载这些Secret作为文件。需要注意的是,如果使用自签名证书,可能需要配置各个Pod信任该CA证书,否则节点间的通信可能会失败。 另外,Elasticsearch节点之间的发现机制也需要在TLS环境下正确配置。StatefulSet的Headless Service可能会被用来处理节点发现,但需要确保TLS配置正确,使得节点能够通过DNS名称相互验证。 用户还可能关心如何验证TLS是否生效,比如通过curl命令访问ES的HTTPS端点,或者检查日志是否有SSL握手错误。此外,安全性方面,可能需要设置密码,使用Kibana进行管理,或者集成其他安全措施如RBAC。 不过,用户可能遇到的常见问题包括证书配置错误、节点无法加入集群、SSL握手失败等。需要指导用户如何排查这些问题,比如查看ES日志,检查证书的有效期和Subject Alternative Names(SANs)是否正确包含节点的主机名。 此外,是否需要使用Elasticsearch的操作员(Operator)来简化部署?比如ECK(Elastic Cloud on Kubernetes),它可以自动化很多配置,包括TLS和证书管理。如果用户希望更简单的部署方式,推荐ECK可能更合适,但用户的问题可能更倾向于手动配置,以理解底层机制。 总结步骤可能包括: 1. 创建命名空间 2. 生成CA和节点证书,存储为K8S Secret 3. 创建ConfigMap包含elasticsearch.yml配置TLS参数 4. 部署StatefulSet,挂载ConfigMap和Secret 5. 配置Service暴露ES端口 6. 验证TLS连接和集群健康状态 需要确保每个步骤的命令和配置文件示例正确,特别是YAML文件的缩进和语法。例如,StatefulSet中需要正确设置volumeMounts和volumes来挂载证书和配置文件。 可能还需要提醒用户关于持久化存储的配置,虽然用户的问题主要在于TLS,但存储部分对于ES的正常运行也很重要,因此可能需要简要提及StorageClass和PersistentVolumeClaim的设置。 最后,是否需要考虑Elasticsearch的版本差异?不同版本的ES在TLS配置上可能有细微差别,比如某些参数名称的变化,或者默认启用安全功能。需要指出参考的ES版本,或者建议用户查阅对应版本的官方文档。</think>以下是在Kubernetes中安装带TLS加密的Elasticsearch的完整流程,分步骤说明: --- ### **一、准备工作** 1. 创建专属命名空间 ```yaml # elastic-namespace.yaml apiVersion: v1 kind: Namespace metadata: name: elastic ``` 2. 应用配置 ```bash kubectl apply -f elastic-namespace.yaml ``` --- ### **二、生成TLS证书** #### 1. 创建自签名CA证书 ```bash openssl genrsa -out ca.key 2048 openssl req -x509 -new -nodes -key ca.key -subj "/CN=elastic-ca" -days 3650 -out ca.crt ``` #### 2. 生成Elasticsearch节点证书 ```bash openssl genrsa -out elasticsearch.key 2048 openssl req -new -key elasticsearch.key -subj "/CN=elasticsearch.elastic.svc" -out elasticsearch.csr openssl x509 -req -in elasticsearch.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out elasticsearch.crt -days 365 ``` #### 3. 创建Kubernetes Secret存储证书 ```bash kubectl create secret generic elasticsearch-certs -n elastic \ --from-file=ca.crt=ca.crt \ --from-file=elasticsearch.crt=elasticsearch.crt \ --from-file=elasticsearch.key=elasticsearch.key ``` --- ### **三、创建Elasticsearch配置** ```yaml # elasticsearch-config.yaml apiVersion: v1 kind: ConfigMap metadata: name: elasticsearch-config namespace: elastic data: elasticsearch.yml: | cluster.name: elastic-cluster network.host: 0.0.0.0 discovery.seed_hosts: "elasticsearch-0.elasticsearch.elastic.svc.cluster.local" cluster.initial_master_nodes: "elasticsearch-0" xpack.security.enabled: true xpack.security.transport.ssl: enabled: true verification_mode: certificate keystore.path: /usr/share/elasticsearch/config/certs/elasticsearch.p12 truststore.path: /usr/share/elasticsearch/config/certs/elasticsearch.p12 ``` --- ### **四、部署StatefulSet** ```yaml # elasticsearch-statefulset.yaml apiVersion: apps/v1 kind: StatefulSet metadata: name: elasticsearch namespace: elastic spec: serviceName: elasticsearch replicas: 1 selector: matchLabels: app: elasticsearch template: metadata: labels: app: elasticsearch spec: containers: - name: elasticsearch image: docker.elastic.co/elasticsearch/elasticsearch:8.5.1 ports: - containerPort: 9200 name: http - containerPort: 9300 name: transport volumeMounts: - name: config mountPath: /usr/share/elasticsearch/config/elasticsearch.yml subPath: elasticsearch.yml - name: certs mountPath: /usr/share/elasticsearch/config/certs env: - name: ES_JAVA_OPTS value: "-Xms1g -Xmx1g" - name: ELASTIC_PASSWORD value: "your_password" # 替换实际密码 volumes: - name: config configMap: name: elasticsearch-config - name: certs secret: secretName: elasticsearch-certs ``` --- ### **五、创建Service暴露服务** ```yaml # elasticsearch-service.yaml apiVersion: v1 kind: Service metadata: name: elasticsearch namespace: elastic spec: selector: app: elasticsearch ports: - port: 9200 name: http - port: 9300 name: transport clusterIP: None # Headless Service ``` --- ### **六、验证部署** 1. 检查Pod状态 ```bash kubectl get pods -n elastic ``` 2. 检查TLS连接 ```bash kubectl exec -it elasticsearch-0 -n elastic -- curl --cacert /usr/share/elasticsearch/config/certs/ca.crt https://localhost:9200 ``` --- ### **常见问题排查** 1. **证书验证失败** - 检查证书Subject Alternative Names (SAN) 是否包含服务DNS名称 - 确保所有节点使用相同CA签名 2. **节点无法加入集群** - 检查`discovery.seed_hosts`是否指向正确的Headless Service地址 - 验证9300端口通信是否开放 3. **启用自动证书管理(可选)** 使用Cert-Manager自动化证书续期: ```yaml apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: elasticsearch-cert namespace: elastic spec: secretName: elasticsearch-certs duration: 2160h # 90天 renewBefore: 360h # 15天 issuerRef: name: ca-issuer # 需预先配置ClusterIssuer commonName: elasticsearch.elastic.svc dnsNames: - "elasticsearch.elastic.svc" - "elasticsearch.elastic.svc.cluster.local" ``` --- ### **总结** 通过以上步骤可实现: - TLS加密的节点间通信 - 使用StatefulSet保障数据持久性 - 通过Secret安全存储证书 - 符合生产环境安全基线要求 建议在正式环境中使用`ECK (Elastic Cloud on Kubernetes)`进一步简化操作。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

nvd11

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值