1. Configmap configuration management
(1) Configmap is used to save configuration data, which is stored in the form of key-value pairs.
The ConfigMap resource provides a way to inject configuration data into a Pod; its purpose is to decouple the image from the configuration file so that the image stays portable and reusable.
(2) Typical usage scenarios
1. Fill in the value of environment variables
2. Set the command line parameters in the container
3. Fill the configuration file of the volume
(3) There are 4 ways to create a ConfigMap
1. Create using literal values
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
kubectl get cm
kubectl describe cm my-config
kubectl get cm my-config -o yaml
2. Create from a file
kubectl create configmap my-config-2 --from-file=/etc/resolv.conf # the key name is the file name, the value is the content of that file
kubectl describe cm my-config-2
3. Create from a directory
kubectl create configmap my-config-3 --from-file=test # each file name in the directory becomes a key, the file content is the value
4. Create from a yaml file that defines the configmap
vim cm1.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm1-config
data:
  db_host: "172.25.2.250"
  db_port: "3306"
kubectl apply -f cm1.yml
kubectl describe cm cm1-config
(4) Use configmap
1. Pass directly to pod through environment variables
(1) Inject selected keys of cm1-config under new variable names
vim pod1.yml
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - name: pod1
    image: busyboxplus
    command: ["/bin/sh", "-c", "env"]
    env:
    - name: key1
      valueFrom:
        configMapKeyRef:
          name: cm1-config
          key: db_host
    - name: key2
      valueFrom:
        configMapKeyRef:
          name: cm1-config
          key: db_port
  restartPolicy: Never
kubectl apply -f pod1.yml
kubectl logs pod1
(2) Inject all keys of cm1-config directly with envFrom
apiVersion: v1
kind: Pod
metadata:
  name: pod2
spec:
  containers:
  - name: pod2
    image: busyboxplus
    command: ["/bin/sh", "-c", "env"]
    #command: ["/bin/sh", "-c", "echo $(db_host) $(db_port)"]
    envFrom:
    - configMapRef:
        name: cm1-config
  restartPolicy: Never
2. Use the keys in the pod's command line
command: ["/bin/sh", "-c", "echo $(db_host) $(db_port)"]
3. Mount into the pod as a volume
(1) The container does not need to be restarted
apiVersion: v1
kind: Pod
metadata:
  name: pod3
spec:
  containers:
  - name: pod3
    image: busyboxplus
    stdin: true
    tty: true
    volumeMounts:
    - name: config-volume
      mountPath: /config
  volumes:
  - name: config-volume
    configMap:
      name: cm1-config
# ConfigMap hot update: the data in the Pod is not refreshed in real time, wait a few seconds
kubectl edit cm cm1-config
kubectl attach pod3 -it
(2) For changes such as modifying the nginx or http port, the service must be restarted or reloaded; after the configmap is hot-updated, the containers have to be rolled out again.
# a. create the configmap
vim default.conf
server {
    listen 8080;
    server_name _;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
kubectl create configmap nginx-config --from-file=default.conf
# b. use the configmap
vim demo.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: myapp:v1
        volumeMounts:
        - name: config-volume
          mountPath: /etc/nginx/conf.d
      volumes:
      - name: config-volume
        configMap:
          name: nginx-config
kubectl apply -f demo.yml
# c. hot-update the configmap
kubectl edit cm nginx-config
kubectl exec demo-7c9466878-nj5hv -- cat /etc/nginx/conf.d/default.conf
# d. A rolling update of the Pods must be triggered manually so that the nginx configuration file is loaded again
Each time, change the "version/config" annotation to trigger a rolling update of the Pods; environment variables injected from a configmap are never updated in place.
kubectl patch deployments.apps demo --patch '{"spec": {"template": {"metadata": {"annotations": {"version/config": "2021022601"}}}}}'
2. Secret configuration management
(1) The Secret object type is used to store sensitive information such as passwords, OAuth tokens and ssh keys. Keeping sensitive information in a Secret is more secure and flexible than putting it in a Pod definition or a container image.
(2) Pod can use secret in two ways:
1. As a file in the volume, it is mounted to one or more containers in the pod.
2. Used by the kubelet when pulling images for the pod.
(3) Secret type:
1. Service Account: Kubernetes automatically creates a secret containing credentials to access the API, and automatically modifies the pod to use this type of secret.
2. Opaque: stores the information base64-encoded; the original data can be recovered with base64 --decode, so the protection is weak.
3. kubernetes.io/dockerconfigjson: stores the authentication information for a docker registry
kubectl get sa
kubectl describe sa default
kubectl get secrets # every namespace has a default ServiceAccount object named default
kubectl describe pod demo-7c9466878-nj5hv # the ServiceAccount has a Secret listed under Tokens that can be mounted into the Pod like a Volume; when the Pod starts this Secret is mounted automatically into the specified directory of the Pod and is used by processes in the Pod to authenticate to the API Server
kubectl exec demo-7c9466878-nj5hv -- ls /var/run/secrets/kubernetes.io/serviceaccount # when a serviceaccount is created, Kubernetes creates the corresponding secret by default; that secret is mounted automatically into the Pod under /run/secrets/kubernetes.io/serviceaccount
(4) Create
1. Create Secret from file
echo -n 'admin' > ./username.txt
echo -n 'westos' > ./password.txt
kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt # if the password contains special characters, escape them with \
kubectl get secrets
kubectl get secrets db-user-pass -o yaml # by default, kubectl get and kubectl describe do not show the secret's content for safety; this is how to view it
2. Create from a yaml file
vim mysecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: d2VzdG9z
kubectl get secrets
(5) Mount Secret to Volume
1. Mount directly
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: demo
    image: myapp:v1
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
      #items: # see item 2 below
      #- key: username
      #  path: my-group/my-username
2. Map the secret key to the specified path
3. Set Secret as an environment variable
apiVersion: v1
kind: Pod
metadata:
  name: secret-env
spec:
  containers:
  - name: nginx
    image: myapp:v1
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
kubectl apply -f env.yml
kubectl get pod
kubectl exec secret-env -- env # reading a Secret through environment variables is convenient, but it cannot follow dynamic updates of the Secret
4. Private registry authentication
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: myapp
    image: reg.westos.org/test/myapp:v1
  imagePullSecrets:
  - name: myregistrykey
# create the private registry authentication secret
kubectl create secret docker-registry myregistrykey --docker-server=reg.westos.org --docker-username=admin --docker-password=westos --docker-email=server@test.org # kubernetes.io/dockerconfigjson stores the authentication information for the docker registry
# view the authentication information
kubectl get secrets myregistrykey -o yaml| less
echo eyJhdXRocyI6eyJyZWcud2VzdG9zLm9yZyI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJ3ZXN0b3MiLCJlbWFpbCI6InNlcnZlckB0ZXN0Lm9yZyIsImF1dGgiOiJZV1J0YVc0NmQyVnpkRzl6In19fQ== | base64 -d
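The following is an added example, not part of the original notes: it reproduces what `kubectl create secret docker-registry` stores in `data[".dockerconfigjson"]` and shows that the same base64-only encoding the Opaque section warns about applies here, so anyone allowed to read the Secret recovers the registry credentials. The registry, user, password and e-mail values are the ones obtained by decoding the blob shown above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original notes). Demonstrates the structure of a
# kubernetes.io/dockerconfigjson Secret and why it is "weak security":
# there is no encryption, only base64 on both levels.

# Build the .dockerconfigjson document: an "auths" map keyed by registry host,
# whose "auth" field is base64("username:password"). Key order matches what
# kubectl produced on the page so the encoded result is byte-identical.
docker_config_json() {
    server=$1; user=$2; pass=$3; email=$4
    auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
        "$server" "$user" "$pass" "$email" "$auth"
}

# The value kubectl stores under data[".dockerconfigjson"] in the Secret object
# (GNU base64 wraps lines at 76 columns, hence the tr).
encode_registry_secret() {
    docker_config_json "$@" | base64 | tr -d '\n'
}

# Reverse direction, as a defender auditing RBAC would reason about it: given the
# stored value, recover "username:password". Anyone with `get secrets` in the
# namespace can do exactly this, so restrict that verb and rotate on exposure.
registry_credentials_from_secret() {
    printf '%s' "$1" | base64 --decode \
        | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' \
        | base64 --decode
}

# Demo run with the page's own inputs (constructed invocation, no cluster needed).
if [ "${1:-}" = "demo" ]; then
    secret=$(encode_registry_secret reg.westos.org admin westos server@test.org)
    echo "$secret"
    registry_credentials_from_secret "$secret"; echo
fi
```

Run it with `sh script.sh demo` to see the exact blob printed by `kubectl get secrets myregistrykey -o yaml` above, followed by the recovered `admin:westos`.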