Kubernetes 學習總結(7) configmap 和 secret

爲了把配置文件從image中解耦,增強應用的可移植性、可複用性,k8s提供了configmap和secret。

configmap
configmap就是一系列配置數據的集合。而這些數據將來可以注入到pod中的container中。注入方式有兩種:1)、把configmap當作存儲卷,然後掛載;2)、使用ENV的valueFrom方式去引用configmap中所保存的數據。
configmap中保存着k:v格式的數據。value長度沒有限制。pod啓動時可以到configmap中獲取相關的配置項。
1、創建configmap
語法如下
kubectl create configmap cmName --from-file=/path/file_name
或 --from-file=key1=/path/file_name
方式一:

[root@k8s-master-dev volumes]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.inspiry.cn
configmap/nginx-config created
[root@k8s-master-dev volumes]# kubectl get cm
NAME           DATA      AGE
nginx-config   2         7s
[root@k8s-master-dev volumes]# kubectl describe cm nginx-config
Name:         nginx-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
nginx_port:
----
80
server_name:
----
myapp.inspiry.cn
Events:  <none>
[root@k8s-master-dev volumes]# cd ../

方式二:

[root@k8s-master-dev manifests]# mkdir configmap
[root@k8s-master-dev manifests]# cd configmap/
[root@k8s-master-dev configmap]# vim www.conf
[root@k8s-master-dev configmap]# cat www.conf
server {
    server_name myapp.inspiry.cn;
    listen 80;
    root /usr/share/nginx/html;
}
[root@k8s-master-dev configmap]# kubectl create configmap nginx-www --from-file=./www.conf
configmap/nginx-www created
[root@k8s-master-dev configmap]# kubectl get cm
NAME           DATA      AGE
nginx-config   2         2m
nginx-www      1         6s
[root@k8s-master-dev configmap]# kubectl describe cm nginx-www
Name:         nginx-www
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
www.conf:
----
server {
    server_name myapp.inspiry.cn;
    listen 80;
    root /usr/share/nginx/html;
}

Events:  <none>
[root@k8s-master-dev configmap]# kubectl get cm nginx-www -o json
{
    "apiVersion": "v1",
    "data": {
        "www.conf": "server {\n    server_name myapp.inspiry.cn;\n    listen 80;\n    root /usr/share/nginx/html;\n}\n"
    },
    "kind": "ConfigMap",
    "metadata": {
        "creationTimestamp": "2019-03-07T06:44:36Z",
        "name": "nginx-www",
        "namespace": "default",
        "resourceVersion": "117824",
        "selfLink": "/api/v1/namespaces/default/configmaps/nginx-www",
        "uid": "7965f8b2-40a4-11e9-8de3-000c295011ce"
    }
}
[root@k8s-master-dev configmap]#

2、configmap的使用
例1、

[root@k8s-master-dev configmap]# vim pod-configmap.yaml
[root@k8s-master-dev configmap]# cat pod-configmap.yaml
# Pod that receives two values from the nginx-config ConfigMap as environment
# variables. The values are resolved when the container starts.
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    # Each entry copies one key of the nginx-config ConfigMap into an env var.
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: nginx_port
          # Required reference: a missing ConfigMap or key keeps the container from starting.
          optional: false
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name
          # Required reference, same as above.
          optional: false
[root@k8s-master-dev configmap]# kubectl apply -f pod-configmap.yaml
pod/pod-cm-1 created
[root@k8s-master-dev configmap]# kubectl get pods
NAME          READY     STATUS    RESTARTS   AGE
pod-cm-1      1/1       Running   0          22s
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-1 -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=pod-cm-1
TERM=xterm
NGINX_SERVER_PORT=80
NGINX_SERVER_NAME=myapp.inspiry.cn
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
[root@k8s-master-dev configmap]#

通過環境變量注入的值只在pod啓動時讀取一次:如果pod啓動後再執行 kubectl edit cm nginx-config,該pod不會應用新的值,需要重建pod才能生效。

例2、

[root@k8s-master-dev configmap]# kubectl delete -f pod-configmap.yaml
pod "pod-cm-1" deleted
[root@k8s-master-dev configmap]# vim pod-configmap2.yaml
[root@k8s-master-dev configmap]# cat pod-configmap2.yaml
# Pod that mounts the nginx-config ConfigMap as a volume: every key in the
# ConfigMap becomes a file (named after the key) under the mount path.
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-2
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      # NOTE(review): "con.d" looks like a typo; the commands that follow read
      # /etc/nginx/conf.d. The transcript reopens this file in vim before
      # applying it, presumably to correct the path. Confirm before reuse.
      mountPath: /etc/nginx/con.d
      # The container cannot write to the mounted configuration.
      readOnly: true
  volumes:
  # Volume backed by the ConfigMap; must match the volumeMounts name above.
  - name: nginxconf
    configMap:
      name: nginx-config
[root@k8s-master-dev configmap]# vim pod-configmap2.yaml
[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]# kubectl apply -f pod-configmap2.yaml
pod/pod-cm-2 created
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-2 -- ls /etc/nginx/conf.d/
nginx_port   server_name
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-2 -- cat /etc/nginx/conf.d/nginx_port
80[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-2 -- cat /etc/nginx/conf.d/server_name
myapp.inspiry.cn[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]#

當 kubectl edit cm nginx-config 將port 改爲8088之後,等待同步時間 ,然後再看容器內的變化:

/etc/nginx/config.d # cat nginx_port
8088/etc/nginx/config.d #
/etc/nginx/config.d #
[root@k8s-master-dev configmap]# kubectl delete -f pod-configmap2.yaml
pod "pod-cm-2" deleted
[root@k8s-master-dev configmap]#

例3、

[root@k8s-master-dev configmap]# vim pod-configmap3.yaml
[root@k8s-master-dev configmap]# cat pod-configmap3.yaml
# Pod that mounts the nginx-www ConfigMap (created from www.conf) into nginx's
# conf.d directory, so the key "www.conf" appears as /etc/nginx/conf.d/www.conf.
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm-3
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/conf.d
      # The container cannot write to the mounted configuration.
      readOnly: true
  volumes:
  # Volume backed by the ConfigMap; must match the volumeMounts name above.
  - name: nginxconf
    configMap:
      name: nginx-www
[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]# kubectl apply -f pod-configmap3.yaml
pod/pod-cm-3 created
[root@k8s-master-dev configmap]# kubectl get pods
NAME       READY     STATUS    RESTARTS   AGE
pod-cm-3   1/1       Running   0          30s
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-3 -- ls /etc/nginx/conf.d/
www.conf
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-3 -- cat /etc/nginx/conf.d/www.conf
server {
    server_name myapp.inspiry.cn;
    listen 80;
    root /usr/share/nginx/html;
}
[root@k8s-master-dev configmap]# kubectl exec -it pod-cm-3 -- /bin/sh
/ # nginx -T
.........
# configuration file /etc/nginx/conf.d/www.conf:
server {
    server_name myapp.inspiry.cn;
    listen 80;
    root /usr/share/nginx/html;
}

如果此時用 kubectl edit cm nginx-www 修改了port,等待同步時間之後,container內的配置文件會自動更新爲新port,但還需要執行 nginx -s reload,nginx 才會使用新port。
如果需要mount掛載其中一部分配置,而不是全部配置:可以使用configMap.items

Secret
Secret是用來保存小片敏感數據的k8s資源,例如密碼,token,或者祕鑰。這類數據當然也可以存放在Pod或者鏡像中,但是放在Secret中是爲了更方便的控制如何使用數據,並減少暴露的風險。需要注意:Secret中的值默認只是base64編碼而不是加密(下文用 base64 -d 即可還原),因此仍需通過RBAC限制對Secret的讀取權限,並考慮爲etcd啓用靜態加密。
1、創建secret(--from-literal 會把明文密碼留在shell歷史記錄中,實際環境建議改用 --from-file 從文件讀取)

[root@k8s-master-dev configmap]# kubectl create secret generic mysql-root-passwd --from-literal=password=P@ssw0rd
secret/mysql-root-passwd created
[root@k8s-master-dev configmap]# kubectl get secret
NAME                  TYPE                                  DATA      AGE
default-token-lc8dv   kubernetes.io/service-account-token   3         1d
mysql-root-passwd     Opaque                                1         9s
[root@k8s-master-dev configmap]# kubectl describe secret mysql-root-passwd
Name:         mysql-root-passwd
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  8 bytes
[root@k8s-master-dev configmap]# kubectl get secret mysql-root-passwd -o yaml
apiVersion: v1
data:
  password: UEBzc3cwcmQ=
kind: Secret
metadata:
  creationTimestamp: 2019-03-07T07:54:00Z
  name: mysql-root-passwd
  namespace: default
  resourceVersion: "123811"
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-passwd
  uid: 2b4babc4-40ae-11e9-8de3-000c295011ce
type: Opaque
[root@k8s-master-dev configmap]# echo UEBzc3cwcmQ= | base64 -d
P@ssw0rd[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]#

2、使用secret (將secret映射到pod中)

[root@k8s-master-dev configmap]# vim pod-secret.yaml
[root@k8s-master-dev configmap]# cat pod-secret.yaml
# Pod that receives the "password" key of the mysql-root-passwd Secret as an
# environment variable.
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret-1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    # The decoded Secret value ends up in plain text in the container's
    # environment (the printenv output that follows shows it), so anyone who
    # can exec into the pod can read it.
    # NOTE(review): for real credentials consider mounting the Secret as a
    # read-only volume instead, which keeps the value out of the environment.
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-root-passwd
          key: password
[root@k8s-master-dev configmap]#
[root@k8s-master-dev configmap]# kubectl apply -f pod-secret.yaml
pod/pod-secret-1 created
[root@k8s-master-dev configmap]# kubectl get pods
NAME           READY     STATUS    RESTARTS   AGE
pod-secret-1   1/1       Running   0          13s
[root@k8s-master-dev configmap]# kubectl exec pod-secret-1 -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=pod-secret-1
MYSQL_ROOT_PASSWORD=P@ssw0rd
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
[root@k8s-master-dev configmap]#