
十一、Kubernetes配置与秘钥管理

芳华是个男孩!
2024-10-15 / 0 评论 / 0 点赞 / 14 阅读 / 0 字

一、ConfigMap介绍、创建及使用


1、什么是ConfigMap

  • kubernetes集群可以使用ConfigMap来实现对容器中应用的配置管理。
  • 可以把ConfigMap看作是一个挂载到pod中的存储卷。

2、创建ConfigMap的4种方式

2.1、命令行指定参数创建

通过直接在命令行中指定configmap参数创建,即 --from-literal=key=value ;

[root@k8s-master01 ~]# mkdir configmap
[root@k8s-master01 ~]# cd configmap/
[root@k8s-master01 configmap]# kubectl create configmap cm1 --from-literal=host=127.0.0.1 --from-literal=port=3306
configmap/cm1 created
[root@k8s-master01 configmap]# kubectl get configmaps cm1 
NAME   DATA   AGE
cm1    2      86s
[root@k8s-master01 configmap]# kubectl describe configmaps cm1 
Name:         cm1
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
host:
----
127.0.0.1
port:
----
3306
Events:  <none>

2.2、在命令行中通过多个文件创建

通过指定文件创建,即将一个配置文件创建为一个ConfigMap,--from-file=文件路径 ;

[root@k8s-master01 configmap]# kubectl create configmap cm2 --from-file=./host --from-file=./port 
configmap/cm2 created
[root@k8s-master01 configmap]# ls
host  port
[root@k8s-master01 configmap]# kubectl describe configmaps cm2 
Name:         cm2
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
host:
----
127.0.0.1
port:
----
3306
Events:  <none>

2.3、在命令行通过文件提供多个键值对创建

通过一个文件内多个键值对,--from-env-file= 文件路径;

[root@k8s-master01 configmap]# vim env.txt
[root@k8s-master01 configmap]# cat env.txt
host=127.0.0.1
port=3306

[root@k8s-master01 configmap]# kubectl create configmap cm3 --from-env-file=env.txt
configmap/cm3 created
[root@k8s-master01 configmap]# kubectl describe configmaps cm3
Name:         cm3
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
port:
----
3306
host:
----
127.0.0.1
Events:  <none>

2.4、通过YAML资源清单文件创建

通过 kubectl create/apply -f YAML文件 创建

[root@k8s-master01 configmap]# vim cm4.yaml
[root@k8s-master01 configmap]# cat cm4.yaml 
kind: ConfigMap
apiVersion: v1
metadata:
  name: cm4
  namespace: default
data:
  host: 127.0.0.1
  port: "3306"   # quoted on purpose: ConfigMap data values must be strings, a bare number fails validation

[root@k8s-master01 configmap]# kubectl apply -f cm4.yaml 
configmap/cm4 created

[root@k8s-master01 configmap]# kubectl describe cm cm4
Name:         cm4
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
host:
----
127.0.0.1
port:
----
3306
Events:  <none>

3、ConfigMap的2种使用方式

3.1、通过环境变量的方式传递给pod

[root@k8s-master01 configmap]# vim pod1-cm1.yaml 
[root@k8s-master01 configmap]# cat pod1-cm1.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm1
  namespace: default
spec:
  containers:
  - name: busybox
    image: busybox                       # no tag pinned, resolves to :latest
    args: ["/bin/sh","-c","sleep 10000"]
    envFrom:                             # every key of the ConfigMap becomes an env var (host, port)
    - configMapRef: 
        name: cm1                        # values are read once at container start; later edits are not picked up (see 4.2.1)
[root@k8s-master01 configmap]# kubectl apply -f pod1-cm1.yaml 
pod/pod-cm1 created


[root@k8s-master01 configmap]# kubectl get pod 
NAME                                     READY   STATUS    RESTARTS   AGE
nfs-client-provisioner-856696f4c-cmlgq   1/1     Running   1          11d
pod-cm1                                  1/1     Running   0          23s
[root@k8s-master01 configmap]# kubectl exec pod-cm1 -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=pod-cm1
host=127.0.0.1
port=3306
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
HOME=/root
[root@k8s-master01 configmap]# 

3.2、通过volume的方式挂载到pod中

[root@k8s-master01 configmap]# vim pod2-cm2.yaml 
[root@k8s-master01 configmap]# cat pod2-cm2.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm2
  namespace: default
spec:
  containers:
  - name: busybox
    image: busybox
    args: ["/bin/sh","-c","sleep 10000"]
    volumeMounts:                    # consume the ConfigMap as a mounted volume
    - name: vol-cm                    # must match the volume name below
      mountPath: "/etc/mysql"        # path inside the container; one file per key (host, port)
      readOnly: true                # read-only mount
      
  volumes:                            # volumes
  - name: vol-cm                    # volume name
    configMap:                        # volume type: ConfigMap
      name: cm2                        # name of the ConfigMap to mount

[root@k8s-master01 configmap]# kubectl apply -f pod2-cm2.yaml 
pod/pod-cm2 created
[root@k8s-master01 configmap]# kubectl exec pod-cm2 -- ls /etc/mysql
host
port
[root@k8s-master01 configmap]# kubectl exec pod-cm2 -- cat /etc/mysql/host
127.0.0.1
[root@k8s-master01 configmap]# kubectl exec pod-cm2 -- cat /etc/mysql/port
3306
[root@k8s-master01 configmap]# 

4、ConfigMap的热更新

4.1、ConfigMap热更新方式

如果修改了value,那么容器内部会不会更新?

  • 通过环境变量的方式传递给pod。这种方式不会热更新
  • 通过volume的方式挂载到pod内。这种方式会热更新,大概需要半分钟左右。

4.2、ConfigMap热更新验证

4.2.1、通过环境变量方式

此种方式不会热更新

编辑对应的ConfigMap

3306[root@k8s-master01 configmap]# kubectl edit cm cm1

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  host: 127.0.0.1
  port: "3307"   # 将端口修改为3307
kind: ConfigMap
metadata:
  creationTimestamp: "2024-03-04T02:07:27Z"
  name: cm1
  namespace: default
  resourceVersion: "8761925"
  uid: 4f7af7a2-3574-497a-9f40-d1736fcdc62b
  
  
configmap/cm1 edited

验证一下pod中的端口是否发生改变

[root@k8s-master01 configmap]# kubectl exec pod-cm1 -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=pod-cm1
host=127.0.0.1
port=3306                            # 没有改变
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
HOME=/root

4.2.2、通过volume方式

修改对应的ConfigMap

[root@k8s-master01 configmap]# kubectl edit configmaps cm2


# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  host: 127.0.0.1
  port: "3308"                        # 将端口改为3308
kind: ConfigMap
metadata:
  creationTimestamp: "2024-03-04T02:13:06Z"
  name: cm2
  namespace: default
  resourceVersion: "8763163"
  uid: a283b89e-181a-4e71-9977-4789e1f8cb15
  

configmap/cm2 edited

验证对应pod的变化,一段时间后会改变(卷挂载方式)

[root@k8s-master01 configmap]# kubectl exec pod-cm2 -- cat /etc/mysql/port
3308                    # 大概半分钟后会更新
[root@k8s-master01 configmap]#

二、Secret介绍、创建及使用


1、什么是Secret

  • Secret与ConfigMap类似,主要的区别是ConfigMap存储的是明文,而Secret存储的是经base64编码的数据(base64只是编码而非加密,能读取Secret对象的用户即可还原明文)
  • ConfigMap可以用配置文件管理,而Secret可用于密码、密钥、token等敏感数据的配置管理。

2、Secret类型

  • Opaque: base64编码格式的Secret,用来存储密码、密钥、信息、证书等,类型标识符为generic
  • Service Account: 用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的/var/run/secrets/kubernetes.io/serviceaccount目录中
  • kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息,类型标识为docker-registry。
  • kubernetes.io/tls: 用于为SSL通信模式存储证书和私钥文件,命令式创建类型标识为tls。
[root@k8s-master01 configmap]# kubectl create secret -h
Create a secret using specified subcommand.

Available Commands:
  docker-registry Create a secret for use with a Docker registry
  generic         Create a secret from a local file, directory or literal value
  tls             Create a TLS secret

Usage:
  kubectl create secret [flags] [options]

Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).

3、Secret应用案例

创建mysql管理员密码Secret案例,使用Opaque类型来创建mysql密码Secret

3.1、将明文密码进行base64编码

Opaque类型密码需要进行base64编码

[root@k8s-master01 configmap]# echo -n 123 |base64
MTIz
# 假设密码为123,得到的编码为MTIz

3.2、编写secret的YAML文件、创建secret并确认

[root@k8s-master01 configmap]# vim secret-mysql.yaml
[root@k8s-master01 configmap]# cat secret-mysql.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: secret-msyql
  namespace: default
type: Opaque
data:
  password: MTIz   # base64 of "123" (from `echo -n 123 | base64` above); base64 is encoding, not encryption


[root@k8s-master01 configmap]# kubectl apply -f secret-mysql.yaml
secret/secret-msyql created

[root@k8s-master01 configmap]# kubectl get secret | grep secret-msyql
secret-msyql                         Opaque                                1      93s

[root@k8s-master01 configmap]# kubectl describe secrets secret-msyql 
Name:         secret-msyql
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  3 bytes

4、secret的两种使用方式

4.1、通过环境变量的方式传递到pod中

编写一个mysql应用

[root@k8s-master01 configmap]# vim mysql-cs-01.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: mysql-cs-01
  namespace: default
spec:
  containers:
  - name: mysql-cs-01
    image: mysql:5.7
    env:
      - name: MYSQL_ROOT_PASSWORD        # the image takes the root password from this variable
        valueFrom:
          secretKeyRef:
            name: secret-msyql            # name of the Secret created above
            key: password                 # decoded value (123) is injected at start; editing the Secret does not change a running pod's env (see note below)
[root@k8s-master01 configmap]# kubectl apply -f mysql-cs-01.yaml 
pod/mysql-cs-01 created

[root@k8s-master01 configmap]# kubectl get pod -o wide
NAME                                     READY   STATUS    RESTARTS   AGE   IP              NODE           NOMINATED NODE   READINESS GATES
mysql-cs-01                              1/1     Running   0          6s    10.244.79.123   k8s-worker01   <none>           <none>
nfs-client-provisioner-856696f4c-cmlgq   1/1     Running   1          11d   10.244.39.234   k8s-worker03   <none>           <none>

验证变量传入pod是否成功

## 查看变量是否改变
[root@k8s-master01 configmap]# kubectl exec -it  mysql-cs-01 -- /bin/bash
root@mysql-cs-01:/# env |grep MYSQL_ROOT_PASSWORD
MYSQL_ROOT_PASSWORD=123

## 测试登录
root@mysql-cs-01:/# mysql -uroot -p123
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.36 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
注意:使用env传递的变量,若使用kubectl edit secrets secret-msyql 命令修改文件中的密码,对应的pod的env环境变量不会改变

4.2、通过volume的方式挂载到pod内

编写一个busybox应用

[root@k8s-master01 configmap]# vim pod-mysql-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-mysql-secret2              # no namespace given: created in the current context's namespace
spec:
  containers:
  - name: busybox
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 100000
    volumeMounts:
    - name: vol-secret
      mountPath: "/opt/password"       # each Secret key becomes a file: /opt/password/password
      readOnly: true                   # read-only mount
  volumes:
  - name: vol-secret
    secret:
      secretName: secret-msyql         # file holds the decoded value; edits propagate after a delay (see hot-update test below)
[root@k8s-master01 configmap]# kubectl apply -f pod-mysql-secret.yaml 
pod/pod-mysql-secret2 created
[root@k8s-master01 configmap]# kubectl get pod 
NAME                                     READY   STATUS    RESTARTS   AGE
mysql-cs-01                              1/1     Running   0          25m
nfs-client-provisioner-856696f4c-cmlgq   1/1     Running   1          11d
pod-mysql-secret2                        1/1     Running   0          50s

验证pod包含的密码

[root@k8s-master01 configmap]# kubectl exec pod-mysql-secret2 -- cat /opt/password/password
123
[root@k8s-master01 configmap]#

热更新测试

123[root@k8s-master01 configmap]# echo -n haha123 |base64
aGFoYTEyMw==
[root@k8s-master01 configmap]# kubectl edit secrets secret-msyql 


# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  password: aGFoYTEyMw==
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"password":"MTIz"},"kind":"Secret","metadata":{"annotations":{},"name":"secret-msyql","namespace":"default"},"type":"Opaque"}
  creationTimestamp: "2024-03-04T05:47:16Z"
  name: secret-msyql
  namespace: default
  resourceVersion: "8810807"
  uid: 86b497cb-c165-4208-bb61-fdcf5c6d018c
type: Opaque


secret/secret-msyql edited
[root@k8s-master01 configmap]# kubectl exec pod-mysql-secret2 -- cat /opt/password/password
haha123                        # 密码已经发生改变
[root@k8s-master01 configmap]