Secret
A Secret is the Kubernetes resource for holding passwords, tokens, keys and other sensitive data. Such data could also be put into a Pod spec or baked into an image, but keeping it in a Secret makes it easier to control how the data is used and reduces the risk of exposure.
Because Secrets can be created independently of the Pods that use them, there is less risk of the Secret (and its data) being exposed during the workflow of creating, viewing and editing Pods. Kubernetes, and the applications running in the cluster, can also take extra precautions with Secrets, such as avoiding writing sensitive data to non-volatile storage.
A Secret is similar to a ConfigMap but is intended specifically for confidential data. Note that by default the API server stores Secret values merely base64-encoded, not encrypted; protecting them in practice means restricting who may read Secrets with RBAC and enabling encryption at rest.
Kubernetes has several built-in Secret types; the three you will meet most often are:
① kubernetes.io/service-account-token: created by Kubernetes for a ServiceAccount and used to authenticate to the API server. A Pod uses it by default and it is mounted automatically at /run/secrets/kubernetes.io/serviceaccount (on clusters before 1.24; newer releases inject a short-lived projected token instead). Set automountServiceAccountToken: false on workloads that never need to talk to the API server.
② Opaque: the default type, for user-defined passwords, keys and similar values; the data is stored base64-encoded, which is an encoding, not encryption.
③ kubernetes.io/dockerconfigjson: holds the credentials for a private Docker registry. (The listings below also show kubernetes.io/tls, the type used for TLS certificate/key pairs.)
A Pod has to reference a Secret before it can use it, and there are three ways to consume one:
● as files in a volume mounted into one or more containers;
● as container environment variables;
● by the kubelet when pulling images for the Pod.
Typical use: credentials.
https://kubernetes.io/docs/concepts/configuration/secret/
Creating a Secret
Create two files. Note the difference between the two commands: echo -n writes "zhangsan" with no trailing newline, while plain echo appends one, so the password stored below is "abc123\n" (7 bytes, as kubectl describe confirms later). A trailing newline in a credential is a common cause of authentication failures that are hard to spot.
[root@master01 ~/secret]# echo -n "zhangsan" > username.txt
[root@master01 ~/secret]# echo "abc123" > passwd.txt
[root@master01 ~/secret]# kubectl create secret generic mysecret --from-file=username.txt --from-file=passwd.txt
secret/mysecret created
[root@master01 ~/secret]# kubectl get secrets
NAME TYPE DATA AGE
basic-auth Opaque 1 42h
default-token-c47tg kubernetes.io/service-account-token 3 5d19h
mysecret Opaque 2 8s
tls-secret kubernetes.io/tls 2 42h
Create the Secret from base64-encoded content. For values longer than 76 characters GNU base64 wraps its output across lines; use base64 -w0 so the manifest gets a single-line value.
[root@master01 ~/secret]# cat username.txt |base64
emhhbmdzYW4=
[root@master01 ~/secret]# cat passwd.txt |base64
YWJjMTIzCg==
Write a Secret manifest
[root@master01 ~/secret]# vim mysecret.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret02
type: Opaque
data:
username.txt: emhhbmdzYW4=
passwd.txt: YWJjMTIzCg==
[root@master01 ~/secret]# kubectl apply -f mysecret.yaml
secret/mysecret02 created
[root@master01 ~/secret]# kubectl get secrets
NAME TYPE DATA AGE
basic-auth Opaque 1 42h
default-token-c47tg kubernetes.io/service-account-token 3 5d19h
mysecret Opaque 2 12m
mysecret02 Opaque 2 11s
tls-secret kubernetes.io/tls 2 43h
[root@master01 ~/secret]# kubectl describe secrets mysecret02
Name: mysecret02
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
passwd.txt: 7 bytes
username.txt: 8 bytes
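The byte counts above are the whole point of the echo / echo -n difference. The following is an added example, not code from the original page: it builds an Opaque Secret manifest the way kubectl create secret generic --from-file does (one key per file, value base64-encoded), decodes the manifest back to show that base64 is reversible by anyone who can read the object, and flags values that end in a newline. The two file names and contents are reconstructed from the page; the temporary directory and the helper names are assumptions.

```python
"""Added example (not from the original page): build a Kubernetes Secret
manifest from files, decode it back, and audit it for trailing newlines.

It reproduces the byte counts the page's `kubectl describe` shows
(passwd.txt: 7 bytes, username.txt: 8 bytes): the password was written
with `echo` instead of `echo -n`, so a newline became part of the secret."""
import base64
import json
import os
import re
import tempfile

# Key names allowed in Secret/ConfigMap `.data` (the rule kubectl enforces).
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")


def encode_value(value: bytes) -> str:
    """Base64 as Kubernetes expects in `.data`: standard alphabet, padded, one line."""
    return base64.b64encode(value).decode("ascii")


def secret_manifest(name: str, values: dict, namespace: str = "default") -> dict:
    """Build an Opaque Secret from a mapping of key -> raw bytes."""
    for key in values:
        if not KEY_RE.match(key):
            raise ValueError(f"invalid key name: {key!r}")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: encode_value(v) for k, v in values.items()},
    }


def values_from_dir(path: str) -> dict:
    """Mimic `--from-file=<dir>`: every regular file becomes one key (the file
    name) whose value is the file's bytes, newline included if there is one."""
    out = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                out[entry] = fh.read()
    return out


def decode_secret(manifest: dict) -> dict:
    """Reverse `.data`. Base64 is encoding, not encryption: anyone allowed to
    `get` the Secret recovers every value this way."""
    return {k: base64.b64decode(v) for k, v in manifest.get("data", {}).items()}


def audit_secret(manifest: dict) -> list:
    """Report keys whose value ends in a newline (the `echo` without `-n` mistake)."""
    findings = []
    for key, raw in decode_secret(manifest).items():
        if raw.endswith(b"\n"):
            findings.append(f"{key}: {len(raw)} bytes, trailing newline")
    return findings


def demo() -> dict:
    """Recreate the page's two files in a temporary directory and build the Secret."""
    with tempfile.TemporaryDirectory() as tmp:
        # echo -n "zhangsan" > username.txt   (no newline, 8 bytes)
        with open(os.path.join(tmp, "username.txt"), "wb") as fh:
            fh.write(b"zhangsan")
        # echo "abc123" > passwd.txt          (newline included, 7 bytes)
        with open(os.path.join(tmp, "passwd.txt"), "wb") as fh:
            fh.write(b"abc123\n")
        return secret_manifest("mysecret", values_from_dir(tmp))


if __name__ == "__main__":
    m = demo()
    print(json.dumps(m, indent=2))
    print({k: len(v) for k, v in decode_secret(m).items()})  # sizes as in kubectl describe
    print(audit_secret(m))
```

Running it prints the same emhhbmdzYW4= / YWJjMTIzCg== values the page obtained with base64, the 8/7 byte sizes, and one finding for passwd.txt. When a value is typed rather than read from a file, printf '%s' "$value" | base64 -w0 (or the stringData field of the manifest, which takes the plain value and lets the API server encode it) avoids the stray newline altogether.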
Usage
Mounting a Secret as a volume into a directory of the Pod
Generate the Pod manifest
[root@master01 ~/secret]# kubectl run secret-pod1 --image=nginx --port=80 --dry-run=client -o yaml > demo-pod.yaml
[root@master01 ~/secret]# vim demo-pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: secret-pod1
name: secret-pod1
spec:
containers:
- image: nginx
name: secret-pod1
ports:
- containerPort: 80
volumeMounts:
- name: mysecret
mountPath: "/opt/mysecret01"
readOnly: true
- name: mysecret02
mountPath: "/opt/mysecret02"
readOnly: true
volumes:
- name: mysecret
secret:
secretName: mysecret
- name: mysecret02
secret:
secretName: mysecret02
[root@master01 ~/secret]# kubectl apply -f demo-pod.yaml
pod/secret-pod1 created
[root@master01 ~/secret]# kubectl get pods
NAME READY STATUS RESTARTS AGE
secret-pod1 1/1 Running 0 8s
Enter the container. Because username.txt was written without a trailing newline, the shell prompt follows zhangsan on the same line in the output below; passwd.txt, written with plain echo, ends with one.
[root@master01 ~/secret]# kubectl exec -it secret-pod1 -- bash
root@secret-pod1:/# cd /opt/
root@secret-pod1:/opt# ls
mysecret01 mysecret02
root@secret-pod1:/opt# cd mysecret01/
root@secret-pod1:/opt/mysecret01# ls
passwd.txt username.txt
root@secret-pod1:/opt/mysecret01# cat passwd.txt
abc123
root@secret-pod1:/opt/mysecret01# cat username.txt
zhangsanroot@secret-pod1:/opt/mysecret01# cd ../mysecret02/
root@secret-pod1:/opt/mysecret02# ls
passwd.txt username.txt
root@secret-pod1:/opt/mysecret02# cat passwd.txt
abc123
root@secret-pod1:/opt/mysecret02# cat username.txt
Exporting a Secret into environment variables
First, create another username and password. Here echo is used without -n, so both values carry a trailing newline (the Cg== at the end of each base64 string is that newline).
[root@master01 ~]# echo lisi | base64
bGlzaQo=
[root@master01 ~]# echo 123123 | base64
MTIzMTIzCg==
Write mysecret.yaml (this overwrites the earlier file of the same name)
[root@master01 ~/secret]# vim mysecret.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret03
type: Opaque
data:
username: bGlzaQo=
passwd: MTIzMTIzCg==
[root@master01 ~/secret]# kubectl apply -f mysecret.yaml
secret/mysecret03 created
[root@master01 ~/secret]# kubectl get secrets
NAME TYPE DATA AGE
basic-auth Opaque 1 2d21h
default-token-c47tg kubernetes.io/service-account-token 3 6d22h
mysecret Opaque 2 26h
mysecret02 Opaque 2 26h
mysecret03 Opaque 2 7s
tls-secret kubernetes.io/tls 2 2d21h
[root@master01 ~/secret]# kubectl get secrets mysecret03 -o yaml
apiVersion: v1
data:
passwd: MTIzMTIzCg==
username: bGlzaQo=
.....
Create the Pod that consumes the Secrets. Two details of this manifest as written matter for the output that follows: the first variable name is misspelled SECRET_USERNAEM, and SECRET_PASSWD reads passwd.txt from mysecret02, not mysecret03, so its value is abc123 rather than 123123.
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: secret-pod2
name: secret-pod2
spec:
containers:
- image: nginx
name: secret-pod2
ports:
- containerPort: 80
env:
- name: SECRET_USERNAEM
valueFrom:
secretKeyRef:
name: mysecret03
key: username
- name: SECRET_PASSWD
valueFrom:
secretKeyRef:
name: mysecret02
key: passwd.txt
[root@master01 ~/secret]# kubectl apply -f secret-test.yaml
pod/secret-pod2 created
[root@master01 ~/secret]# kubectl get pods
NAME READY STATUS RESTARTS AGE
secret-pod1 1/1 Running 0 26h
secret-pod2 1/1 Running 0 21s
Check the environment variables
[root@master01 ~/secret]# kubectl exec -it secret-pod2 -- bash
root@secret-pod2:/# env
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_PORT=443
HOSTNAME=secret-pod2
PWD=/
PKG_RELEASE=1~bullseye
HOME=/root
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
SECRET_USERNAEM=lisi
NJS_VERSION=0.7.1
TERM=xterm
SHLVL=1
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
SECRET_PASSWD=abc123
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PORT=443
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NGINX_VERSION=1.21.5
_=/usr/bin/env
root@secret-pod2:/# echo $SECRET_USERNAME
root@secret-pod2:/# echo $SECRET_USERNAME
root@secret-pod2:/# echo $SECRET_USERNAEM
lisi
root@secret-pod2:/# echo $SECRET_PASSWD
abc123
Summary
Creating a Secret:
  kubectl create secret generic <name> --from-file=XXX ...
  or a YAML manifest:
    type: Opaque
    data:
      KEY: VALUE        (key = file name, value = base64-encoded content)
Mounting it as a volume into the Pod's container:
  volumes:
  - name:
    secret:
      secretName:
  containers:
  - name:
    image:
    volumeMounts:
    - name:
      mountPath:
      readOnly: true
Using it as environment variables in the container:
  containers:
  - name:
    image:
    env:
    - name:
      valueFrom:
        secretKeyRef:
          name: name of the Secret
          key: name of the key inside the Secret
This means the value of the environment variable references the value of one key of a Secret.
ConfigMap
A ConfigMap is an API object used to store non-confidential data in key-value pairs. Pods can consume a ConfigMap as environment variables, command-line arguments, or as configuration files in a volume.
(from the official documentation)
It is similar to a Secret; the difference is that a ConfigMap holds configuration that does not need to be kept confidential. ConfigMaps were introduced in Kubernetes 1.2. Many applications read their configuration from files, command-line arguments or environment variables; the ConfigMap API provides a mechanism for injecting such configuration into containers, whether a single property, a whole configuration file, or a JSON blob.
Typical use: application configuration.
First, in a configMap directory, create two usernames and passwords (plain echo again, so every file ends with a newline)
[root@master01 ~]# mkdir configMap
[root@master01 ~]# cd configMap/
[root@master01 ~/configMap]# echo zhangsan > username.txt
[root@master01 ~/configMap]# echo lisi > username
[root@master01 ~/configMap]# echo 123123 > passwd.txt
[root@master01 ~/configMap]# echo adc123 > passwd
[root@master01 ~/configMap]# vim passwd.txt
[root@master01 ~/configMap]# ls
passwd passwd.txt username username.txt
Create the ConfigMap from the whole directory
[root@master01 ~/configMap]# kubectl create cm mycm01 --from-file=/root/configMap/
configmap/mycm01 created
[root@master01 ~/configMap]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 6d22h
mycm01 4 14s
Several individual files can also be passed:
[root@master01 ~/configMap]# kubectl create cm mycm02 --from-file=/root/configMap/username --from-file=passwd
configmap/mycm02 created
[root@master01 ~/configMap]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 6d22h
mycm01 4 11m
mycm02 2 4s
With --from-file pointing at a directory, every file in it becomes one key-value pair in the ConfigMap: the key is the file name and the value is the file's content.
Creating from literal values
Pass the configuration with --from-literal; the flag can be repeated, in this form:
kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=good
For example:
[root@master01 ~/configMap]# kubectl create cm mycm03 --from-literal=animal=Dog --from-literal=class=yys
configmap/mycm03 created
[root@master01 ~/configMap]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 6d23h
mycm01 4 20m
mycm02 2 9m23s
mycm03 2 5s
[root@master01 ~/configMap]# kubectl get cm mycm03 -o yaml
apiVersion: v1
data:
animal: Dog
class: yys
kind: ConfigMap
metadata:
creationTimestamp: "2022-05-30T12:31:19Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:animal: {}
f:class: {}
manager: kubectl-create
operation: Update
time: "2022-05-30T12:31:19Z"
name: mycm03
namespace: default
resourceVersion: "49193"
uid: 7a0ae404-d9e0-4cdc-923c-08e71dba914e
Creating the Pod
[root@master01 ~/configMap]# vim demo-cm1.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: cm-pod1
name: cm-pod1
spec:
containers:
- image: nginx
name: cm-pod1
ports:
- containerPort: 80
env:
- name: CM_USERNAME
valueFrom:
configMapKeyRef:
name: mycm02
key: username
- name: CM_PASSWD
valueFrom:
configMapKeyRef:
name: mycm02
key: passwd
envFrom:
- configMapRef:
name: mycm03
[root@master01 ~/configMap]# kubectl apply -f demo-cm1.yaml
pod/cm-pod1 created
[root@master01 ~/configMap]# kubectl get pods
NAME READY STATUS RESTARTS AGE
cm-pod1 0/1 ContainerCreating 0 5s
secret-pod1 1/1 Running 0 27h
secret-pod2 1/1 Running 0 47m
Enter the container and check the environment variables
Using a ConfigMap to set command-line arguments. Kubernetes expands $(VAR) references in command and args itself, before the container starts, using the variables defined in the container's env and envFrom; a reference to an undefined variable is left as literal text.
[root@master01 ~/configMap]# vim demo-cm2.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: cm-pod2
name: cm-pod2
spec:
containers:
- image: nginx
name: cm-pod2
ports:
- containerPort: 80
env:
- name: CM_USERNAME
valueFrom:
configMapKeyRef:
name: mycm02
key: username
- name: CM_PASSWD
valueFrom:
configMapKeyRef:
name: mycm02
key: passwd
envFrom:
- configMapRef:
name: mycm03
command:
- sh
- -c
- echo "my name is $(CM_USERNAME), my passwd is $(CM_PASSWD)"
restartPolicy: Never
[root@master01 ~/configMap]# kubectl apply -f demo-cm2.yaml
pod/cm-pod2 created
[root@master01 ~/configMap]# kubectl get pods
NAME READY STATUS RESTARTS AGE
cm-pod1 1/1 Running 0 9m30s
cm-pod2 0/1 Completed 0 26s
secret-pod1 1/1 Running 0 27h
secret-pod2 1/1 Running 0 57m
[root@master01 ~/configMap]# kubectl logs cm-pod2
my name is lisi
, my passwd is adc123
The Pod is not restarted because restartPolicy is Never. The line break after lisi is the trailing newline that echo wrote into the username file, which the ConfigMap preserved.
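To make the env / envFrom / $(VAR) behaviour behind that output concrete, here is an added example that is not part of the original page. It resolves a container's environment from ConfigMap and Secret references the way the kubelet does (envFrom first, explicit env entries overriding it), then expands $(VAR) references in command with Kubernetes' rules: a defined variable is substituted, an undefined one is left literally as $(VAR), and $$ is an escaped dollar. The ConfigMap and Secret contents are constructed from the values the page created, trailing newlines included; the "valid environment-variable name" rule used to skip bad envFrom keys is an assumption.

```python
"""Added example, not code from the original page: resolve a container's
environment from env/envFrom references and expand $(VAR) in `command`
with Kubernetes' rules ($(VAR) substituted when defined, left literal when
not, $$ -> $)."""
import re

# envFrom keys that are not valid environment-variable names are skipped
# (the kubelet records an event); a C-identifier rule is assumed here.
ENV_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed copies of the page's objects, keyed by name (Secret values shown decoded).
CONFIGMAPS = {
    "mycm02": {"username": "lisi\n", "passwd": "adc123\n"},
    "mycm03": {"animal": "Dog", "class": "yys"},
}
SECRETS = {
    "mysecret02": {"username.txt": "zhangsan", "passwd.txt": "abc123\n"},
    "mysecret03": {"username": "lisi\n", "passwd": "123123\n"},
}


def expand(text, mapping):
    """Kubernetes-style $(VAR) expansion for command/args/env values."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("$$", i):                      # escaped dollar
            out.append("$")
            i += 2
        elif text.startswith("$(", i) and ")" in text[i:]:
            end = text.index(")", i)
            name = text[i + 2:end]
            out.append(mapping.get(name, text[i:end + 1]))  # undefined: keep literal
            i = end + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def resolve_env(env=(), env_from=()):
    """Build the container's name->value environment.

    envFrom is applied first and explicit env entries override it, as in the
    API. A missing object or key raises KeyError, the condition that leaves a
    real Pod stuck in CreateContainerConfigError."""
    result = {}
    for src in env_from:
        if "configMapRef" in src:
            data = CONFIGMAPS[src["configMapRef"]["name"]]
        else:
            data = SECRETS[src["secretRef"]["name"]]
        for key, value in data.items():
            name = src.get("prefix", "") + key
            if ENV_NAME_RE.match(name):
                result[name] = value
    for item in env:
        if "value" in item:  # literal values may reference variables defined earlier only
            result[item["name"]] = expand(item["value"], result)
            continue
        ref = item["valueFrom"]
        if "configMapKeyRef" in ref:
            r = ref["configMapKeyRef"]
            result[item["name"]] = CONFIGMAPS[r["name"]][r["key"]]
        else:
            r = ref["secretKeyRef"]
            result[item["name"]] = SECRETS[r["name"]][r["key"]]
    return result


def rendered_command(container):
    """Return the command as the container runtime receives it after expansion."""
    env = resolve_env(container.get("env", ()), container.get("envFrom", ()))
    return [expand(arg, env) for arg in container["command"]]


# The cm-pod2 container from the page.
CM_POD2 = {
    "env": [
        {"name": "CM_USERNAME", "valueFrom": {"configMapKeyRef": {"name": "mycm02", "key": "username"}}},
        {"name": "CM_PASSWD", "valueFrom": {"configMapKeyRef": {"name": "mycm02", "key": "passwd"}}},
    ],
    "envFrom": [{"configMapRef": {"name": "mycm03"}}],
    "command": ["sh", "-c", 'echo "my name is $(CM_USERNAME), my passwd is $(CM_PASSWD)"'],
}

# The secret-pod2 container, keeping the page's misspelled variable name.
SECRET_POD2 = {
    "env": [
        {"name": "SECRET_USERNAEM", "valueFrom": {"secretKeyRef": {"name": "mysecret03", "key": "username"}}},
        {"name": "SECRET_PASSWD", "valueFrom": {"secretKeyRef": {"name": "mysecret02", "key": "passwd.txt"}}},
    ],
    # Never defined under this name, so Kubernetes leaves the text $(SECRET_USERNAME)
    # untouched and sh -c would then treat it as a command substitution.
    "command": ["sh", "-c", "echo $(SECRET_USERNAME)"],
}

if __name__ == "__main__":
    print(rendered_command(CM_POD2))      # the "\n" inside lisi splits the echo output in two lines
    print(rendered_command(SECRET_POD2))
```

The expanded echo line contains "lisi\n," exactly as kubectl logs showed it. Note the two different expansion layers: Kubernetes handles $(VAR) in the manifest, while $VAR in a shell command string is expanded by the shell inside the container, which is why echo $SECRET_USERNAME in the page's interactive session printed nothing rather than the literal reference.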
Summary
kubectl create cm <name> --from-file=<directory or file>
kubectl create cm <name> --from-literal=KEY=VALUE ...
containers:
- name:
  image:
  env:            custom environment variables; each value references one key of a ConfigMap
  - name:
    valueFrom:
      configMapKeyRef:
        name: name of the ConfigMap
        key: name of the key inside the ConfigMap
  envFrom:        every key of the ConfigMap becomes an environment variable name, and its value the variable's value
  - configMapRef:
      name: name of the ConfigMap
Using a ConfigMap through the volume plugin
Using a ConfigMap in a volume fills the volume with files: each key becomes a file name and each value the content of that file
[root@master01 ~/configMap]# vim demo-cm3.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: cm-pod3
name: cm-pod3
spec:
containers:
- image: nginx
name: cm-pod3
ports:
- containerPort: 80
volumeMounts:
- name: mycm01
mountPath: "/opt/mycm01"
readOnly: true
- name: mycm02
mountPath: "/opt/mycm02"
readOnly: true
volumes:
- name: mycm01
configMap:
name: mycm01
- name: mycm02
configMap:
name: mycm03
Mount result. Note that the volume named mycm02 in this manifest actually references ConfigMap mycm03, which is why /opt/mycm02 later contains animal and class, while /opt/mycm01 holds the four files from mycm01:
[root@master01 ~/configMap]# kubectl apply -f demo-cm3.yaml
pod/cm-pod3 created
[root@master01 ~/configMap]# kubectl get pods
NAME READY STATUS RESTARTS AGE
cm-pod1 1/1 Running 0 24m
cm-pod2 0/1 Completed 0 15m
cm-pod3 1/1 Running 0 29s
secret-pod1 1/1 Running 0 27h
secret-pod2 1/1 Running 0 72m
[root@master01 ~/configMap]# kubectl describe cm mycm01
Name: mycm01
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
passwd:
----
adc123
passwd.txt:
----
123123
username:
----
lisi
username.txt:
----
zhangsan
Events: <none>
[root@master01 ~/configMap]# kubectl exec -it cm-pod3 -- bash
root@cm-pod3:/# cd opt/
root@cm-pod3:/opt# ls
mycm01 mycm02
root@cm-pod3:/opt# cd mycm01/
root@cm-pod3:/opt/mycm01# ls
passwd passwd.txt username username.txt
root@cm-pod3:/opt/mycm01# cat passwd
adc123
root@cm-pod3:/opt/mycm01# cat passwd.txt
123123
root@cm-pod3:/opt/mycm01# cat username
lisi
root@cm-pod3:/opt/mycm01# cat username.txt
zhangsan
Summary
spec:
  volumes:
  - name: volume name
    configMap:
      name: name of the ConfigMap
  containers:
  - name:
    image:
    volumeMounts:
    - name: volume name
      mountPath: mount point
      readOnly: true|false
The file names in the container's mount directory are the keys of the ConfigMap's data, and the file contents are the values.
Hot-updating a ConfigMap
For example, change the values in mycm03 (the ConfigMap mounted at /opt/mycm02 in cm-pod3)
[root@master01 ~/configMap]# kubectl edit cm mycm03
.....
apiVersion: v1
data:
animal: Cat
class: DevOps
....
Enter the container and check whether the values changed
[root@master01 ~/configMap]# kubectl exec -it cm-pod3 -- bash
root@cm-pod3:/# cd /opt/mycm02/
root@cm-pod3:/opt/mycm02# ls
animal class
root@cm-pod3:/opt/mycm02# cat animal
Catroot@cm-pod3:/opt/mycm02# cat class
DevOpsroot@cm-pod3:/opt/mycm02#
After a ConfigMap is updated in place:
values injected through env or envFrom are not refreshed; the container has to be restarted to pick them up.
files in a ConfigMap volume are refreshed (about 10 seconds in this run). The delay is not fixed: it is bounded by the kubelet's sync period plus its ConfigMap cache propagation delay, so with default settings it can take up to about a minute. Files mounted with subPath are never updated, and a ConfigMap created with immutable: true cannot be edited at all.