K8S: ConfigMap and Secret
source link: https://blog.51cto.com/liqingbiao/5284274
I. ConfigMap
1. Introduction
A ConfigMap lets you decouple configuration files from the container image so that containerized applications stay portable. The ConfigMap API provides a mechanism for injecting configuration into containers; a ConfigMap can hold a single property, or an entire configuration file or JSON blob.
The data field holds the configuration data; a ConfigMap can store a single property or a whole configuration file. That data can be consumed by Pods in several ways. ConfigMaps can be used to:
1. Set the values of environment variables
2. Set command-line arguments in a container
3. Create config files inside a volume
Both users and system components can store configuration data in a ConfigMap.
2. Creation
2.1 Creating from a directory or files
You can use kubectl create configmap <name> --from-file=<dir> to create a ConfigMap from multiple files in the same directory.
1. Download the sample configuration files
wget https://kubernetes.io/examples/configmap/game.properties
wget https://kubernetes.io/examples/configmap/ui.properties

2. Create the ConfigMap: kubectl create configmap <map-name> <data-source>. --from-file accepts either a single file or a directory.
#### from a directory
[root@k8s-master configmap]# kubectl create configmap dame-config --from-file=./
configmap/dame-config created
#### from individual files
[root@k8s-master configmap]# kubectl create cm game-config2 --from-file=game.properties --from-file=ui.properties
configmap/game-config2 created

3. Inspect the result
[root@k8s-master configmap]# kubectl get cm
NAME               DATA   AGE
dame-config        2      7m29s
game-config2       2      6m13s
kube-root-ca.crt   1      44d
[root@k8s-master configmap]# kubectl describe cm/dame-config
Name:         dame-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

game.properties:
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30

ui.properties:
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice

Events:  <none>
[root@k8s-master configmap]# kubectl describe cm/game-config2
Name:         game-config2
Namespace:    default
Labels:       <none>
Annotations:  <none>

game.properties:
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30

ui.properties:
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice

Events:  <none>
2.2 Creating from an env file
When several --from-env-file flags are used to create a ConfigMap from multiple sources, only the last env file takes effect.
An env file contains a list of environment variables.
Syntax rules:
Each line of the env file must be in VAR=VAL form.
Lines beginning with # (comments) are ignored.
Blank lines are ignored.
Quotes receive no special treatment (they become part of the ConfigMap value).
1. Download the test file
wget https://kubernetes.io/examples/configmap/game-env-file.properties
[root@k8s-master configmap]# cat game-env-file.properties
enemies=aliens
lives=3
allowed="true"

2. Create the ConfigMap from the env file
[root@k8s-master configmap]# kubectl create configmap game-config-env-file --from-env-file=game-env-file.properties
configmap/game-config-env-file created
[root@k8s-master configmap]# kubectl get cm/game-config-env-file -o yaml
apiVersion: v1
data:
  allowed: '"true"'
  enemies: aliens
  lives: "3"
kind: ConfigMap
metadata:
  creationTimestamp: "2022-05-09T02:42:04Z"
  name: game-config-env-file
  namespace: default
  resourceVersion: "11386444"
  uid: 8b1ad825-d3b1-481f-b3b7-8ce606aec388
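As an added example (not code from the original post), the following Python applies the env-file rules listed above to produce the same data that kubectl shows for game-env-file.properties, including the quotes kept in allowed="true", and models the "only the last --from-env-file wins" caveat. The function names and the dict-based manifest are this example's own; a bare VAR line without "=" is treated as an error here, since the post does not cover that case.

```python
from typing import Dict, List


def parse_env_file(text: str) -> Dict[str, str]:
    """Turn env-file text into ConfigMap data using the rules listed above:
    one VAR=VAL per line, '#' lines and blank lines ignored, quotes kept."""
    data: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.lstrip()
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        if "=" not in line:
            # kubectl's handling of a bare VAR line is not covered by the post;
            # this example treats it as an error.
            raise ValueError(f"line {lineno}: expected VAR=VAL, got {raw!r}")
        key, _, value = line.partition("=")
        if not key.strip():
            raise ValueError(f"line {lineno}: empty variable name")
        # Quotes are not special: allowed="true" keeps its quotes in the value.
        data[key.strip()] = value
    return data


def configmap_from_env_files(name: str, env_files: List[str]) -> dict:
    """Build a ConfigMap manifest (as a dict) from env-file contents.
    Mirrors the caveat above: when several --from-env-file sources are
    given, only the last one takes effect."""
    if not env_files:
        raise ValueError("at least one env file is required")
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name},
        "data": parse_env_file(env_files[-1]),
    }


# Constructed sample input modelled on game-env-file.properties above.
GAME_ENV_FILE = """\
# comment lines and blank lines are skipped
enemies=aliens

lives=3
allowed="true"
"""

if __name__ == "__main__":
    cm = configmap_from_env_files("game-config-env-file", [GAME_ENV_FILE])
    for key, value in sorted(cm["data"].items()):
        print(f"{key}: {value!r}")
```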
2.3 Creating from literals
Use kubectl create configmap together with the --from-literal flag.
1. Create the ConfigMap
[root@k8s-master configmap]# kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=charm
configmap/special-config created

2. Inspect it
[root@k8s-master configmap]# kubectl get cm
NAME                   DATA   AGE
dame-config            2      30m
game-config-env-file   3      9m43s
game-config2           2      28m
kube-root-ca.crt       1      44d
special-config         2      3s
[root@k8s-master configmap]# kubectl get configmap/special-config -o yaml
apiVersion: v1
data:
  special.how: very
  special.type: charm
kind: ConfigMap
metadata:
  creationTimestamp: "2022-05-09T02:51:44Z"
  name: special-config
  namespace: default
  resourceVersion: "11388285"
  uid: 60d2ca2e-b50f-48a8-910b-c97d4ecb5c9e
2.4 Creating with a generator
Create ConfigMap objects from a kustomization directory.
[root@k8s-master configmap]# cat kustomization.yaml
configMapGenerator:
- name: game-config-4
  files:
  - game.properties
[root@k8s-master configmap]# kubectl create -k .
configmap/game-config-4-tbg7c4gc77 created
[root@k8s-master configmap]# kubectl get configmap/game-config-4-tbg7c4gc77 -o yaml
apiVersion: v1
data:
  game.properties: |-
    enemies=aliens
    lives=3
    enemies.cheat=true
    enemies.cheat.level=noGoodRotten
    secret.code.passphrase=UUDDLRLRBABAS
    secret.code.allowed=true
    secret.code.lives=30
kind: ConfigMap
metadata:
  creationTimestamp: "2022-05-09T02:58:42Z"
  name: game-config-4-tbg7c4gc77
  namespace: default
  resourceVersion: "11389637"
  uid: 5e82a50f-f933-4c20-8007-0724a6829d7c
Literals can also be supplied through the generator:
cat <<EOF >./kustomization.yaml
configMapGenerator:
- name: special-config-2
  literals:
  - special.how=very
  - special.type=charm
EOF
3. Usage
3.1 env
Passing a value in with configMapKeyRef:
1. Create the YAML
[root@k8s-master configmap]# cat configmap-env.yaml
apiVersion: v1
data:
  special.how: very
  special.type: charm
kind: ConfigMap
metadata:
  name: special-config
---
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh", "-c", "env" ]
      env:
        - name: SPECIAL_LEVEL_KEY
          valueFrom:
            configMapKeyRef:
              name: special-config
              key: special.how
  restartPolicy: Never

2. Create the Pod
[root@k8s-master configmap]# kubectl apply -f configmap-env.yaml
configmap/special-config created
pod/dapi-test-pod created
[root@k8s-master configmap]# kubectl get pod
NAME            READY   STATUS      RESTARTS   AGE
centos          1/1     Running     0          21h
dapi-test-pod   0/1     Completed   0          30s

3. Check the logs
[root@k8s-master configmap]# kubectl logs dapi-test-pod |grep -i special
SPECIAL_LEVEL_KEY=very
The YAML above creates an environment variable named SPECIAL_LEVEL_KEY whose value comes from the special.how key of the ConfigMap.
The previous example referenced one specific key. What happens if no key is specified?
1. Create the YAML
[root@k8s-master configmap]# cat configmap-env-no-key.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod2
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh", "-c", "env" ]
      envFrom:
      - configMapRef:
          name: special-config
  restartPolicy: Never

2. Create the Pod
[root@k8s-master configmap]# kubectl apply -f configmap-env-no-key.yaml
pod/dapi-test-pod2 created

3. Check the logs
[root@k8s-master configmap]# kubectl logs dapi-test-pod2|grep -i special
special.type=charm
special.how=very
3.2 Mounting as files in a directory (using volumeMounts)
1. Create the Pod YAML
[root@k8s-master configmap]# cat configmap-volumemounts.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod3
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh", "-c", "ls /etc/config/;cat /etc/config/special.how;cat /etc/config/special.type" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: special-config
  restartPolicy: Never

2. Create the Pod and check the logs
[root@k8s-master configmap]# kubectl apply -f configmap-volumemounts.yaml
pod/dapi-test-pod3 created
[root@k8s-master configmap]# kubectl logs dapi-test-pod3
special.how
special.type

The YAML above mounts the special-config ConfigMap at /etc/config. As the output shows, each key becomes a file, and the file's content is the key's value.
Mounting a single key:
[root@k8s-master configmap]# cat configmap-volumemounts-spec-key.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod4
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh","-c","cat /etc/config/keys;sleep 600" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: special-config
        items:
        - key: name.li
          path: keys
  restartPolicy: Never
[root@k8s-master configmap]# kubectl exec -it dapi-test-pod4 /bin/sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # cat /etc/config/keys
lqb/ #
[root@k8s-master ~]# kubectl exec -it dapi-test-pod4 -- cat /etc/config/keys
very20220509
4. ConfigMap hot-update behaviour
Keep Pod dapi-test-pod4 running and use kubectl edit cm special-config to change the value of special.how. The change does propagate into the Pod, but it takes more than 30 s.
[root@k8s-master ~]# kubectl exec -it dapi-test-pod4 -- cat /etc/config/keys
very20220509
[root@k8s-master ~]# kubectl exec -it dapi-test-pod4 -- cat /etc/config/keys
very20220510
[root@k8s-master ~]# kubectl exec -it dapi-test-pod4 -- cat /etc/config/keys
Note: a ConfigMap mounted through volumes is updated in place, but values injected into the Pod through env are not updated.
5. Mounting a Redis configuration with a ConfigMap
1. The configuration files
[root@k8s-master configmap-redis]# cat kustomization.yaml
configMapGenerator:
- name: test-redis-config
  files:
  - redis-config
resources:
- redis-pod.yaml
[root@k8s-master configmap-redis]# cat redis-config
maxmemory 2mb
maxmemory-policy allkeys-lru
[root@k8s-master configmap-redis]# cat redis-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: redis
spec:
  containers:
  - name: redis
    image: redis:5.0.4
    command:
      - redis-server
      - "/redis-master/redis.conf"
    env:
    - name: MASTER
      value: "true"
    ports:
    - containerPort: 6379
    resources:
      limits:
        cpu: "0.1"
    volumeMounts:
    - mountPath: /redis-master-data
      name: data
    - mountPath: /redis-master
      name: config
  volumes:
    - name: data
      emptyDir: {}
    - name: config
      configMap:
        name: test-redis-config
        items:
        - key: redis-config
          path: redis.conf

2. Apply the whole directory in one go
[root@k8s-master configmap-redis]# kubectl apply -k .
configmap/test-redis-config-hfbhg9b679 created
pod/redis created
[root@k8s-master ~]# kubectl describe cm/test-redis-config-hfbhg9b679
Name:         test-redis-config-hfbhg9b679
Namespace:    default
Labels:       <none>
Annotations:  <none>

redis-config:
maxmemory 2mb
maxmemory-policy allkeys-lru

Events:  <none>

3. Check the resulting configuration
[root@k8s-master ~]# kubectl exec -it redis redis-cli
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
127.0.0.1:6379> CONFIG GET maxmemory
1) "maxmemory"
2) "2097152"
127.0.0.1:6379> CONFIG GET maxmemory-policy
1) "maxmemory-policy"
2) "allkeys-lru"
127.0.0.1:6379> exit
[root@k8s-master ~]# kubectl exec -it redis /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@redis:/data# cat /redis-master/redis.conf
maxmemory 2mb
maxmemory-policy allkeys-lru
II. Secret
2.1 Introduction
Secrets solve the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in the image or the Pod spec. A Secret can be consumed as a volume or as environment variables.
There are three types of Secret:
• Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount;
• Opaque: a base64-encoded Secret for storing passwords, keys and the like;
• kubernetes.io/dockerconfigjson: stores the credentials for a private Docker registry.
2.2 Secret types
2.2.1 Opaque
The data of an Opaque Secret is a map whose values must be base64-encoded. If your password contains special characters, escape them with the \\ character.
Creating from files
[root@k8s-master secret]# echo -n 'admin' > ./username.txt
[root@k8s-master secret]# echo -n '1f2d1e2e67df' > ./password.txt
[root@k8s-master secret]# kubectl create secret generic db-user-pass --from-file=username.txt --from-file=password.txt
secret/db-user-pass created
[root@k8s-master secret]# kubectl create secret generic db-user-pass --from-file=username.txt --from-file=password.txt -o yaml --dry-run
W0509 16:44:01.992251    9057 helpers.go:557] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: v1
data:
  password.txt: MWYyZDFlMmU2N2Rm
  username.txt: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: null
  name: db-user-pass
By default, kubectl get and kubectl describe do not display the contents of a Secret. This prevents the secret from being exposed to onlookers by accident or ending up in a terminal log.
Creating manually
[root@k8s-master secret]# echo -n 'admin'|base64
YWRtaW4=
[root@k8s-master secret]# echo -n '1f2d1e2e3e567f'|base64
MWYyZDFlMmUzZTU2N2Y=
[root@k8s-master secret]# cat sg-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmUzZTU2N2Y=
[root@k8s-master secret]# kubectl apply -f sg-secret.yaml
secret/mysecret created
##### base64-encoding an entire configuration file
[root@k8s-master secret]# cat stringData.yml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
stringData:
  config.yaml: |-
    apiUrl: "https://my.api.com/api/v1"
    username: admin
    password: 1f2d1e2e67df
[root@k8s-master secret]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      59m
default-token-kmq6s   kubernetes.io/service-account-token   3      45d
mysecret              Opaque                                1      58s
[root@k8s-master secret]# kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
  config.yaml: YXBpVXJsOiAiaHR0cHM6Ly9teS5hcGkuY29tL2FwaS92MSIKdXNlcm5hbWU6IGFkbWluCnBhc3N3b3JkOiAxZjJkMWUyZTY3ZGY=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"stringData":{"config.yaml":"apiUrl: \"https://my.api.com/api/v1\"\nusername: admin\npassword: 1f2d1e2e67df"},"type":"Opaque"}
  creationTimestamp: "2022-05-09T09:41:51Z"
  name: mysecret
  namespace: default
  resourceVersion: "11466379"
  uid: 6f69ec7c-3b0e-40f3-86bd-aea262c3483e
type: Opaque
2.2.2 kubernetes.io/dockerconfigjson
A Secret for Docker registry authentication can be created directly with kubectl:
[root@k8s-master secret]# kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret/myregistrykey created
[root@k8s-master secret]# kubectl get secret/myregistrykey -owide
NAME            TYPE                             DATA   AGE
myregistrykey   kubernetes.io/dockerconfigjson   1      28s
[root@k8s-master secret]# kubectl describe secret/myregistrykey
Name:         myregistrykey
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

.dockerconfigjson:  161 bytes
2.2.3 Service Account
Referenced by a ServiceAccount. When a ServiceAccount is created, Kubernetes creates a corresponding Secret by default. If a Pod uses the ServiceAccount, that Secret is mounted automatically at /run/secrets/kubernetes.io/serviceaccount inside the Pod.
A Secret is an object that holds a small amount of sensitive information such as a password, a token or a key. Such information could otherwise end up in a Pod spec or in an image; keeping it in a Secret object gives better control over how it is used and lowers the risk of accidental exposure.
A Service Account is used to access the Kubernetes API; it is created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount.
[root@k8s-master secret]# kubectl run nginx --image nginx
pod/nginx created
[root@k8s-master secret]# kubectl exec nginx ls /run/secrets/kubernetes.io/serviceaccount
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
ca.crt
namespace
token
2.3 Usage
Secrets can be mounted as data volumes or exposed as environment variables for the containers in a Pod to use. They can also be used by other parts of the system without being exposed inside the Pod at all: for example, they can hold credentials that other parts of the system use to interact with external systems on your behalf.
Mounting as a volume
[root@k8s-master secret]# cat pod-volume-secrets.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh","-c","cat /etc/config/keys;sleep 600" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      secret:
        secretName: mysecret
  restartPolicy: Never
[root@k8s-master secret]# kubectl apply -f pod-volume-secrets.yaml
pod/dapi-test-pod created
[root@k8s-master secret]# kubectl exec -it dapi-test-pod -- cat /etc/config/config.yaml
apiUrl: "https://my.api.com/api/v1"
username: admin
password: 1f2d1e2e67df
Projecting a single key to a path under the mount directory
[root@master Secret]# cat pod-volume-secrets2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh","-c","cat /etc/config/keys;sleep 600" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      secret:
        secretName: db-user-pass
        items:
        - key: username.txt
          path: my-group/my-username
  restartPolicy: Never
[root@master Secret]# kubectl apply -f pod-volume-secrets2.yaml
pod/dapi-test-pod created
[root@master Secret]# kubectl exec -it dapi-test-pod -- cat /etc/config/my-group/my-username
admin[root@master Secret]#
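As an added example (not code from the original post), the following Python models three things shown in this post: how the stringData of the manual-creation section becomes the base64 `data` field of an Opaque Secret, how that `data` decodes straight back to plaintext (base64 is an encoding, so anyone permitted to read the Secret object can recover the values), and how a configMap or secret volume, with or without `items`, maps keys to the files that appear under mountPath, such as my-group/my-username above. The helper names and the dict-based manifest are this example's own; the sample values are copied from the post's Secrets.

```python
import base64
from typing import Dict, List, Optional


def encode_secret_data(string_data: Dict[str, str]) -> Dict[str, str]:
    """stringData -> data: the API server stores every value base64-encoded."""
    return {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
            for k, v in string_data.items()}


def decode_secret_data(data: Dict[str, str]) -> Dict[str, str]:
    """data -> plaintext. Base64 is an encoding, not encryption: anyone allowed
    to read the Secret object recovers the values. validate=True rejects
    strings that are not well-formed base64."""
    return {k: base64.b64decode(v, validate=True).decode("utf-8")
            for k, v in data.items()}


def opaque_secret(name: str, string_data: Dict[str, str]) -> dict:
    """The Opaque Secret manifest (as a dict) kubectl submits for a stringData input."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": encode_secret_data(string_data)}


def project_volume(data: Dict[str, str], items: Optional[List[dict]] = None,
                   is_secret: bool = False) -> Dict[str, str]:
    """Files (relative to mountPath) that a configMap/secret volume creates.
    Without `items` every key becomes a file named after the key; with `items`
    only the listed keys appear, at the given `path` (subdirectories allowed)."""
    plain = decode_secret_data(data) if is_secret else dict(data)
    if items is None:
        return plain
    files: Dict[str, str] = {}
    for item in items:
        key = item["key"]
        if key not in plain:
            # unless the volume is marked optional, the kubelet refuses to mount it
            raise KeyError(f"key {key!r} not present in the referenced object")
        files[item["path"]] = plain[key]
    return files


# Constructed inputs, copied from the Secrets shown in this post.
CONFIG_YAML = 'apiUrl: "https://my.api.com/api/v1"\nusername: admin\npassword: 1f2d1e2e67df'
DB_USER_PASS = {"password.txt": "MWYyZDFlMmU2N2Rm", "username.txt": "YWRtaW4="}

if __name__ == "__main__":
    print(opaque_secret("mysecret", {"config.yaml": CONFIG_YAML})["data"])
    print(project_volume(DB_USER_PASS, is_secret=True,
                         items=[{"key": "username.txt", "path": "my-group/my-username"}]))
```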
Referencing through environment variables
[root@k8s-master secret]# cat pod-env-secrets.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod3
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh","-c","env;echo ${SECRET_USERNAME} ${SECRET_PASSWORD}" ]
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: db-user-pass
              key: username.txt
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-user-pass
              key: password.txt
  restartPolicy: Never
[root@k8s-master secret]# kubectl apply -f pod-env-secrets.yaml
pod/dapi-test-pod3 created
[root@k8s-master secret]# kubectl logs dapi-test-pod3 |egrep "admin|SECRET"
SECRET_PASSWORD=1f2d1e2e67df
SECRET_USERNAME=admin
admin 1f2d1e2e67df
Secrets are used in essentially the same way as ConfigMaps; the difference is that ConfigMap data is plaintext while Secret data is base64-encoded.