Contents
Preface
Part 1: Secret configuration management
1.1: Secrets
Official documentation: https://kubernetes.io/zh/docs/concepts/configuration/secret/
Secrets address the problem of configuring passwords, tokens, keys and other sensitive data: the values live in etcd as separate objects instead of being baked into the image or written into the Pod spec. Note that the API server stores Secret data base64-encoded, not encrypted. Unless encryption at rest is enabled (an EncryptionConfiguration for the kube-apiserver), anyone who can read etcd, or who holds `get` on Secrets through RBAC, recovers the plaintext with a single `base64 -d`. A Secret can be consumed as a volume or as environment variables.
A Secret is the Kubernetes resource for holding small pieces of sensitive data such as passwords, tokens or keys. Such data could of course be placed in the Pod spec or the image, but putting it in a Secret makes it easier to control how the data is used and reduces the risk of exposure (an image pushed to a registry or a manifest committed to git carries the value forever).
Users can create their own Secrets, and the system creates some of its own (for example service-account tokens).
A Pod must reference a Secret before it can use it. A Pod can use a Secret in three ways:
1. as files in a volume mounted into one or more containers;
2. as environment variables set from individual keys (see 1.3.1 below);
3. referenced by the kubelet when pulling images (imagePullSecrets).
1.2: Creating a Secret
1.2.1: Method one: create a Secret from files
-
1. Create the username and password files
[root@master ~]# echo -n 'zhangsan' > /root/username.txt
[root@master ~]# echo -n 'zhangsan123' > /root/password.txt
[root@master ~]# kubectl create secret generic db-user-pass --from-file=/root/username.txt --from-file=/root/password.txt
secret/db-user-pass created
'//kubectl create secret --help shows the command help; -n on echo matters, otherwise the value carries a trailing newline'
-
2. Inspect the Secret resource
[root@master ~]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      11s
default-token-x8jtv   kubernetes.io/service-account-token   3      21d
[root@master ~]# kubectl describe secret db-user-pass
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password.txt:  11 bytes
username.txt:  8 bytes
'//describe shows only the sizes; kubectl get secret db-user-pass -o yaml shows the base64 values'
1.2.2: Method two: create a Secret from a manifest
-
1. Prepare the values (base64-encode them; the .data field of a Secret must hold base64, and this is an encoding, not encryption)
[root@master ~]# echo -n 'zhangsan' | base64
emhhbmdzYW4=
[root@master ~]# echo -n 'zhangsan123' | base64
emhhbmdzYW4xMjM=
-
2. Write the YAML manifest
[root@master ~]# vim secret.yaml
apiVersion: v1
kind: Secret                  # resource type
metadata:
  name: mysecret
type: Opaque
data:
  username: emhhbmdzYW4=      # the base64-encoded values from the previous step
  password: emhhbmdzYW4xMjM=
-
3. Create the Secret and view its details
[root@master ~]# kubectl create -f secret.yaml
secret/mysecret created
[root@master ~]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      9m32s
default-token-x8jtv   kubernetes.io/service-account-token   3      21d
mysecret              Opaque                                2      9s
[root@master ~]# kubectl describe secret mysecret
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  11 bytes
username:  8 bytes
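The two creation methods above both end up as base64 in .data. The following POSIX shell script is an added example, not code from the original page: it builds the same mysecret manifest the way `kubectl create secret generic` does, shows the `stringData` variant where the API server does the encoding, and then recovers the plaintext from the manifest to make the point that base64 is reversible by anyone allowed to read the object. It assumes only `base64`, `sed` and `tr` on the PATH; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): build a Secret manifest the way
# `kubectl create secret generic` does, and show that the stored values are
# only base64-encoded, so anyone allowed to read the Secret recovers plaintext.
set -eu

# Encode one value the way Kubernetes expects in .data (no trailing newline,
# no line wrapping). printf avoids the stray "\n" that a bare `echo` would add.
b64_encode() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse of b64_encode; this is all an attacker with `get secret` needs.
b64_decode() {
  printf '%s' "$1" | base64 -d
}

# Emit a Secret manifest with base64 values under .data.
# Arguments: secret name, then key=value pairs (keys must not contain "=").
secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64_encode "$value")"
  done
}

# Same Secret written with stringData: plaintext in the manifest, the API
# server encodes it on admission. Convenient for kubectl apply, but the file
# now holds the plaintext, so it must not be committed to git.
# Values are assumed not to contain double quotes.
secret_manifest_stringdata() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\nstringData:\n' "$name"
  for kv in "$@"; do
    printf '  %s: "%s"\n' "${kv%%=*}" "${kv#*=}"
  done
}

# Usage: generate the page's mysecret, then pull the password back out of the
# manifest exactly as `kubectl get secret mysecret -o yaml` would reveal it.
secret_manifest mysecret username=zhangsan password=zhangsan123
secret_manifest_stringdata mysecret username=zhangsan password=zhangsan123
encoded=$(secret_manifest mysecret username=zhangsan password=zhangsan123 | sed -n 's/^  password: //p')
echo "recovered from manifest: $(b64_decode "$encoded")"
```

The generated manifest can be piped straight into `kubectl apply -f -`. The lesson is in the last two lines: `describe` hides the values, but `-o yaml` plus `base64 -d` does not, so the controls that actually protect a Secret are RBAC on the `secrets` resource and encryption at rest, not the encoding.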
1.3: Using a Secret in a Pod
1.3.1: Method one: import Secret keys as environment variables
-
1. Identify the keys in the Secret to reference
key username is assigned to SECRET_USERNAME
key password is assigned to SECRET_PASSWORD
[root@master ~]# kubectl get secret mysecret -o yaml
apiVersion: v1
data:
  password: emhhbmdzYW4xMjM=
  username: emhhbmdzYW4=
kind: Secret
metadata:
  creationTimestamp: 2020-05-20T15:05:48Z
  name: mysecret
  namespace: default
  resourceVersion: "362715"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: 635765b5-9aab-11ea-8c4f-000c294b2dd3
type: Opaque
'//the data values are plain base64; echo emhhbmdzYW4xMjM= | base64 -d prints the password'
-
2. Write the Pod manifest and create the resource
[root@master ~]# vim secret-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret      # the Secret to read from
          key: username       # the key holding the username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret      # the Secret to read from
          key: password       # the key holding the password
[root@master ~]# kubectl apply -f secret-pod.yaml
pod/mypod created
[root@master ~]# kubectl get pod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          22s
-
3. Enter the Pod and verify the username and password
[root@master ~]# kubectl exec -it mypod -- bash
root@mypod:/# echo $SECRET_USERNAME
zhangsan
root@mypod:/# echo $SECRET_PASSWORD
zhangsan123
root@mypod:/# exit
exit
1.3.2: Method two: mount as a volume
-
The Secret is mounted as a volume into a directory of the Pod, one file per key. This is the preferred form for credentials: environment variables are inherited by every child process and tend to end up in crash reports and debug output, while a mounted file stays in the container filesystem and is refreshed when the Secret changes (environment variables are set once at container start).
-
1. Write the Pod manifest and create the resource
[root@master ~]# vim secret-volume.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod01
spec:
  containers:
  - name: nginx01
    image: nginx
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"   # mount path inside the container
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
[root@master ~]# kubectl create -f secret-volume.yaml
pod/mypod01 created
[root@master ~]# kubectl get pod
NAME      READY   STATUS    RESTARTS   AGE
mypod     1/1     Running   0          6m36s
mypod01   1/1     Running   0          36s
-
2. Enter the Pod and verify the username and password
[root@master ~]# kubectl exec -it mypod01 -- bash
root@mypod01:/# cd /etc/foo
root@mypod01:/etc/foo# ls
password  username
root@mypod01:/etc/foo# cat password
zhangsan123root@mypod01:/etc/foo# cat username
zhangsanroot@mypod01:/etc/foo# exit
exit
'//the prompt follows the value directly because the values were written with echo -n and contain no trailing newline'
Part 2: ConfigMap configuration management
A ConfigMap is similar to a Secret; the difference is that a ConfigMap holds configuration that is not sensitive. It is stored and shown in plaintext and is usually readable by far more principals than Secrets are, so passwords, tokens and keys do not belong in one. The redis.properties example below carries a redis.password line only to keep the demonstration short; in a real deployment that value goes into a Secret and the ConfigMap keeps only host and port.
Use case: application configuration
There are two ways to create one: 1. with kubectl from a file (--from-file); 2. from a YAML manifest with key/value pairs.
2.1: Method one: create with kubectl from a file
-
1. Write the configuration the redis service needs and create the ConfigMap
[root@master ~]# vim redis.properties
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
[root@master ~]# kubectl create configmap redis-config --from-file=redis.properties
configmap/redis-config created
-
2. Inspect the ConfigMap
[root@master ~]# kubectl get configmap
NAME           DATA   AGE
redis-config   1      7s
[root@master ~]# kubectl get cm    '//configmap can be abbreviated to cm'
NAME           DATA   AGE
redis-config   1      15s
[root@master ~]# kubectl describe configmap redis-config
Name:         redis-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
redis.properties:
----
redis.host=127.0.0.1
redis.port=6379
redis.password=123456

Events:  <none>
'//unlike a Secret, describe prints the full contents of a ConfigMap'
-
3. Write the Pod manifest and create the Pod
[root@master ~]# vim cm.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod02
spec:
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh", "-c", "cat /etc/config/redis.properties" ]   # the file name is the ConfigMap key
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: redis-config
  restartPolicy: Never
[root@master ~]# kubectl apply -f cm.yaml
pod/mypod02 created
[root@master ~]# kubectl get pod -w
NAME      READY   STATUS              RESTARTS   AGE
mypod     1/1     Running             0          26m
mypod01   1/1     Running             0          20m
mypod02   0/1     ContainerCreating   0          6s
mypod02   0/1     Completed           0          43s
-
4. Verify the result
[root@master ~]# kubectl logs mypod02
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
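The redis.properties file above lands in a ConfigMap with its password intact, and `kubectl logs` then prints it for anyone with `get` on pods. The following POSIX shell script is an added example, not code from the original page: it rebuilds the same ConfigMap manifest that `kubectl create configmap --from-file` produces, but first scans the key names for credential-like entries and refuses when it finds one. The sample properties text is constructed here to match the page; the key-name pattern and the function names are this example's own heuristic, not a Kubernetes rule. It assumes `sed`, `grep` and `tr` on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page): build a ConfigMap manifest from a
# Java-style .properties file, as `kubectl create configmap --from-file` does,
# but refuse when a key looks like a credential. The page's own redis.properties
# puts redis.password into a ConfigMap; that value belongs in a Secret.
set -eu

# Constructed sample input, identical in shape to the page's redis.properties.
SAMPLE_PROPERTIES='redis.host=127.0.0.1
redis.port=6379
redis.password=123456'

# Print the keys (text left of the first "=") whose names suggest a credential.
# Comment lines starting with "#" are skipped. The pattern is a heuristic.
find_sensitive_keys() {
  printf '%s\n' "$1" | sed -n 's/^\([^#=][^=]*\)=.*/\1/p' \
    | grep -iE '(password|passwd|secret|token|api[_.-]?key|private[_.-]?key)' || true
}

# Emit a ConfigMap manifest carrying the whole file under one key, as
# --from-file does. Arguments: configmap name, file key, file contents.
configmap_manifest() {
  name=$1; key=$2; contents=$3
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\ndata:\n  %s: |\n' "$name" "$key"
  printf '%s\n' "$contents" | sed 's/^/    /'
}

# Print the manifest and return 0 only when no credential-like key is present;
# otherwise name the offending keys on stderr and return 1.
safe_configmap_manifest() {
  bad=$(find_sensitive_keys "$3")
  if [ -n "$bad" ]; then
    printf 'refusing to create ConfigMap %s: credential-like keys: %s\n' \
      "$1" "$(printf '%s' "$bad" | tr '\n' ' ')" >&2
    return 1
  fi
  configmap_manifest "$1" "$2" "$3"
}

# Usage: the page's file is rejected; the same file minus the password passes.
safe_configmap_manifest redis-config redis.properties "$SAMPLE_PROPERTIES" || true
safe_configmap_manifest redis-config redis.properties \
  "$(printf '%s\n' "$SAMPLE_PROPERTIES" | grep -v '^redis.password=')"
```

Run as a pre-commit hook or in CI before `kubectl apply`, the check catches the common mistake of letting a whole properties file, password included, drift into a ConfigMap. The rejected key then goes into a Secret consumed by the same Pod, and the ConfigMap keeps host and port only.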
2.2: Method two: create a ConfigMap from a manifest with key/value pairs
-
1. Create the ConfigMap
[root@master ~]# vim myconfig.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
  namespace: default
data:
  special.level: info
  special.type: hello
[root@master ~]# kubectl create -f myconfig.yaml
configmap/myconfig created
[root@master ~]# kubectl get cm
NAME           DATA   AGE
myconfig       2      5s
redis-config   1      15m
-
2. Create a test Pod
[root@master ~]# vim configmap-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: configmap-test
spec:
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh", "-c", "echo $(LEVEL) $(TYPE)" ]   # $(VAR) is expanded by Kubernetes from the env list
    env:
    - name: LEVEL
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.level
    - name: TYPE
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.type
  restartPolicy: Never
[root@master ~]# kubectl apply -f configmap-test.yaml
pod/configmap-test created
[root@master ~]# kubectl get pod
NAME             READY   STATUS      RESTARTS   AGE
configmap-test   0/1     Completed   0          24s
mypod            1/1     Running     0          33m
mypod01          1/1     Running     0          27m
mypod02          0/1     Completed   0          7m40s
-
3. Check the variable output
[root@master ~]# kubectl logs configmap-test
info hello