Kubernetes configuration management (11)
Secret
https://kubernetes.io/docs/concepts/configuration/secret/
A Secret solves the configuration problem for sensitive data such as passwords, tokens and keys, without exposing that data in the image or in the Pod spec. A Secret can be consumed as a Volume or as environment variables.
Creating a Secret with kubectl
[root@k8s-master1 secret]# echo -n 'admin' > ./username.txt
[root@k8s-master1 secret]# echo -n '1f2d1e2e67df' > ./password.txt
[root@k8s-master1 secret]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret/db-user-pass created
Viewing the Secret
[root@k8s-master1 secret]# kubectl get secret
NAME                   TYPE                                  DATA   AGE
db-user-pass           Opaque                                2      15s
default-token-7vs6s    kubernetes.io/service-account-token   3      6d23h
registry-pull-secret   kubernetes.io/dockerconfigjson        1      5d3h
sslexample-foo-com     kubernetes.io/tls                     2      66m
[root@k8s-master1 secret]# kubectl describe secret/db-user-pass
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password.txt:  12 bytes
username.txt:  5 bytes
Creating a Secret from a YAML file
[root@k8s-master1 secret]# echo -n 'admin' | base64
YWRtaW4=
[root@k8s-master1 secret]# echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
[root@k8s-master1 secret]# vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
[root@k8s-master1 secret]# kubectl create -f secret.yaml
secret/mysecret created
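The `data:` field above is only base64, not encryption, and the `-n` on `echo` matters: without it the encoded value carries a trailing newline that later breaks password checks. This added Python example (not part of the original post) builds the same manifest, decodes it back, and flags keys whose value ends in a newline; the function names are my own.

```python
import base64


def encode_secret_data(values):
    """Base64-encode plaintext values the way `echo -n ... | base64` does
    (no trailing newline), ready for the `data:` field of a Secret manifest."""
    return {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
            for k, v in values.items()}


def decode_secret_data(data):
    """Decode a Secret's `data:` field back to plaintext. base64 is an encoding,
    not encryption: anyone who can `kubectl get secret -o yaml` gets the plaintext,
    so RBAC on Secret objects is the real control."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in data.items()}


def find_trailing_newlines(data):
    """Return keys whose decoded value ends in '\\n', the classic result of
    `echo 'admin' | base64` run without -n (the post correctly uses -n)."""
    return sorted(k for k, v in decode_secret_data(data).items()
                  if v.endswith("\n"))


def build_manifest(name, values):
    """Render an Opaque Secret manifest equivalent to secret.yaml in the post."""
    data = encode_secret_data(values)
    lines = ["apiVersion: v1", "kind: Secret", "metadata:", f"  name: {name}",
             "type: Opaque", "data:"]
    lines += [f"  {k}: {v}" for k, v in data.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_manifest("mysecret",
                         {"username": "admin", "password": "1f2d1e2e67df"}))
```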
A Pod can consume a Secret as a Volume
[root@k8s-master1 secret]# vim secret-vol.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret
spec:
  containers:
  - name: pod-secret
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10;touch /tmp/healthy;sleep 30000
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
[root@k8s-master1 secret]# kubectl apply -f secret-vol.yaml
pod/pod-secret created
Enter the container and check
[root@k8s-master1 secret]# kubectl exec -it pod-secret sh
/ # ls /etc/foo/
password  username
/ # cat /etc/foo/username
admin/ #
/ # cat /etc/foo/password
1f2d1e2e67df/ #
A Secret consumed as a Volume supports dynamic updates: after the Secret is updated, the data inside the container is updated as well.
[root@k8s-master1 secret]# vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWt3OG4zbDQ4Yg==
[root@k8s-master1 secret]# kubectl apply -f secret.yaml
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
secret/mysecret configured
[root@k8s-master1 secret]# kubectl exec -it pod-secret sh
/ # cat /etc/foo/password
1kw8n3l48b/ #
A Pod can consume a Secret through environment variables
[root@k8s-master1 secret]# vim secret-env.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-env
spec:
  containers:
  - name: pod-secret-env
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10;touch /tmp/healthy;sleep 30000
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
[root@k8s-master1 secret]# kubectl apply -f secret-env.yaml
pod/pod-secret-env created
[root@k8s-master1 secret]# kubectl exec -it pod-secret-env sh
/ # echo $SECRET_USERNAME
admin
/ # echo $SECRET_PASSWORD
1kw8n3l48b
The Secret's data is read successfully through the environment variables SECRET_USERNAME and SECRET_PASSWORD.
Note that reading a Secret through environment variables is convenient, but it cannot follow dynamic updates of the Secret: the values are fixed when the container starts.
A Secret supplies a Pod with sensitive data such as passwords, tokens and private keys; for non-sensitive data, such as application configuration, use a ConfigMap instead.
ConfigMap
https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/
A ConfigMap decouples configuration files from the image, which keeps the image portable and reusable. Many applications read their configuration from files, command-line arguments or environment variables. That configuration needs to be decoupled from the docker image; you cannot rebuild an image for every configuration change. The ConfigMap API provides a mechanism for injecting configuration into containers: a ConfigMap can hold a single property, or an entire configuration file or JSON blob.
Creating a ConfigMap
Creating a ConfigMap from the command line
[root@k8s-master1 configmap]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.magedu.com
configmap/nginx-config created
[root@k8s-master1 configmap]# kubectl get cm
NAME           DATA   AGE
nginx-config   2      8s
[root@k8s-master1 configmap]# kubectl describe cm nginx-config
Name:         nginx-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
nginx_port:
----
80
server_name:
----
myapp.magedu.com
Events:  <none>
Using --from-file: the contents of each file become one entry.
[root@k8s-master1 configmap]# vim www.conf
server {
    server_name myapp.magedu.com;
    listen 80;
    root /data/web/html;
}
[root@k8s-master1 configmap]# kubectl create configmap nginx-www --from-file=./www.conf
configmap/nginx-www created
[root@k8s-master1 configmap]# kubectl get cm
NAME           DATA   AGE
nginx-config   2      16m
nginx-www      1      8s
[root@k8s-master1 configmap]# kubectl get cm nginx-www -o yaml
apiVersion: v1
data:
  www.conf: |
    server {
        server_name myapp.magedu.com;
        listen 80;
        root /data/web/html;
    }
kind: ConfigMap
metadata:
  creationTimestamp: "2018-12-26T03:49:22Z"
  name: nginx-www
  namespace: default
  resourceVersion: "518908"
  selfLink: /api/v1/namespaces/default/configmaps/nginx-www
  uid: 3add1507-08c1-11e9-ad5d-000c2977dc9c
Using a ConfigMap
Injecting a ConfigMap into a Pod as environment variables
[root@k8s-master1 configmap]# vim pod-configmap.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: nginx_port
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name
[root@k8s-master1 configmap]# kubectl apply -f pod-configmap.yaml
pod/pod-cm-1 created
[root@k8s-master1 configmap]# kubectl exec -it pod-cm-1 -- /bin/sh
/ # echo $NGINX_SERVER_PORT
80
/ # echo $NGINX_SERVER_NAME
myapp.magedu.com
After editing the port in the ConfigMap, the port injected into the Pod through environment variables does not follow the configuration change:
[root@k8s-master1 configmap]# kubectl edit cm nginx-config
configmap/nginx-config edited
[root@k8s-master1 configmap]# kubectl exec -it pod-cm-1 -- /bin/sh
/ # echo $NGINX_SERVER_PORT
80
Mounting a ConfigMap as a volume:
A ConfigMap consumed as a Volume also supports dynamic updates.
[root@k8s-master1 configmap]# vim pod-configmap-vol.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/config.d/
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-config
[root@k8s-master1 configmap]# kubectl apply -f pod-configmap-vol.yaml
pod/pod-cm-2 created
[root@k8s-master1 configmap]# kubectl exec -it pod-cm-2 -- /bin/sh
# cd /etc/nginx/config.d/
# ls
nginx_port   server_name
# cat server_name
myapp.magedu.com
Configuring nginx with nginx-www
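Why a mounted Secret or ConfigMap updates while an environment variable does not: the kubelet writes the keys into a versioned directory and swaps a single `..data` symlink, so an application that re-reads the file sees the new value, while anything captured at start-up stays stale. This added Python example (my own simulation, not kubelet code) reproduces that layout in a temporary directory with the `nginx-config` keys from this post; `ProjectedVolume` and `read_each_time` are assumed names.

```python
import os
import tempfile


class ProjectedVolume:
    """Constructed stand-in for how the kubelet publishes a Secret/ConfigMap volume
    (assumption: modelled on its atomic-writer layout, not the real code): each key
    is a symlink into `..data`, which points at a versioned directory; an update
    writes a new directory and re-points `..data` in one rename."""

    def __init__(self, mount_path):
        self.mount_path = mount_path
        os.makedirs(mount_path, exist_ok=True)
        self._gen = 0

    def publish(self, data):
        self._gen += 1
        payload = f"..{self._gen:04d}"          # the kubelet uses a timestamp here
        os.mkdir(os.path.join(self.mount_path, payload))
        for key, value in data.items():
            with open(os.path.join(self.mount_path, payload, key), "w") as f:
                f.write(value)
            link = os.path.join(self.mount_path, key)
            if not os.path.islink(link):
                os.symlink(os.path.join("..data", key), link)
        # Swap `..data` atomically so a reader never sees a half-written file.
        tmp = os.path.join(self.mount_path, "..data_tmp")
        os.symlink(payload, tmp)
        os.replace(tmp, os.path.join(self.mount_path, "..data"))


def read_each_time(mount_path, key):
    """What an application must do to pick up updates: re-read the mounted file.
    (A subPath mount of one key bypasses the symlink and never updates.)"""
    with open(os.path.join(mount_path, key)) as f:
        return f.read()


def demo():
    """Publish nginx-config, cache a value the way an env var would, update, re-read."""
    root = tempfile.mkdtemp()
    vol = ProjectedVolume(root)
    vol.publish({"nginx_port": "80", "server_name": "myapp.magedu.com"})
    cached_like_env = read_each_time(root, "nginx_port")   # fixed at Pod start
    vol.publish({"nginx_port": "8080", "server_name": "myapp.magedu.com"})
    return read_each_time(root, "nginx_port"), cached_like_env


if __name__ == "__main__":
    print(demo())   # ('8080', '80')
```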
[root@k8s-master1 configmap]# vim pod-configmap-ngx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-3
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    magedu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-www
[root@k8s-master1 configmap]# kubectl apply -f pod-configmap-ngx.yaml
pod/pod-cm-3 created
[root@k8s-master1 configmap]# kubectl exec -it pod-cm-3 -- /bin/sh
/ # cd /etc/nginx/conf.d/
/etc/nginx/conf.d # ls
www.conf
/etc/nginx/conf.d # cat www.conf
server {
    server_name myapp.magedu.com;
    listen 80;
    root /data/web/html;
}