I. Secret, the abstraction for confidential configuration
A Secret is an object that holds a small amount of sensitive data such as a password, a token, or a key. Without it, such information would otherwise end up in the Pod specification or in the container image; using a Secret means you do not need to include confidential data in your application code. Because Secrets can be created independently of the Pods that use them, there is less risk of exposing a Secret and its data while creating, viewing, and editing Pods.
1. Get to know Secret
Secrets hold sensitive data. They are stored in etcd and made available to the Pod container by mounting them as a Volume (or, as shown below, as environment variables). The stored values are not kept as plaintext: they are at least encoded, and the common encoding is base64, which is an encoding method, not encryption.
Plaintext: data that can be read directly as it is.
For example, encoding the string 'majinjian' with base64 gives the following:
[root@master ~]# echo -n 'majinjian' | base64
bWFqaW5qaWFu
[root@master ~]#
2. Use of Secret
(1) Create the Secret data
First create the Secret manifest (a .yaml file) with vi secret.yaml and enter the following:
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: cm9vdA==
  password: cXdlcnR5dWlvcDE5OTkuLg==
Once the file is written, apply it:
[root@master ~]# kubectl apply -f secret.yaml
List the Secrets at this point and you will see that mysecret has been created.
(2) Mount the Secret into the Pod container as environment variables
Create a new yaml file secret-val.yaml (vi secret-val.yaml) and enter the following:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
Here 'valueFrom' with 'secretKeyRef' injects the value as an environment variable, and the source is the mysecret object we created in the previous step.
Once the file is written, apply it:
[root@master ~]# kubectl apply -f secret-val.yaml
Now check the Pod on the node and wait for mypod to reach the Running state.
Finally, enter the container to confirm that the variables carry the values we mounted:
[root@master ~]# kubectl exec -it mypod -- bash
Use echo $VARIABLE_NAME (e.g. echo $SECRET_USERNAME) to view the stored value.
II. ConfigMap, the abstraction for non-confidential configuration
A ConfigMap is an API object used to store non-confidential data as key-value pairs. Pods can consume it as environment variables, as command-line arguments, or as a configuration file in a storage volume. A ConfigMap separates environment-specific configuration from the container image, which makes application configuration easy to change. ConfigMap does not provide confidentiality or encryption.
1. Get to know ConfigMap
ConfigMap is similar to Secret; the difference is that a Secret holds sensitive data in encoded form, while a ConfigMap holds unencrypted, non-confidential data. The procedure for storing and consuming them is essentially the same.
2. Use of ConfigMap
Tip: delete the previously created Secret and Pod before proceeding, so the two examples stay clearly separated.
[root@master ~]# kubectl delete secret --all
[root@master ~]# kubectl delete pod --all
(1) Create a configuration file
Create the properties file with vi redis.properties and enter the following:
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
(2) Create ConfigMap
[root@master ~]# kubectl create configmap redis-config --from-file=redis.properties
configmap/redis-config created
[root@master ~]#
List the ConfigMaps at this point (cm is the abbreviation) and you will see that redis-config has been created.
(3) Mount the ConfigMap into the Pod container as environment variables
Create a ConfigMap manifest myconfig.yaml (vi myconfig.yaml) and enter the following:
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
  namespace: default
data:
  special.level: info
  special.type: hello
Once the file is written, apply it:
[root@master ~]# kubectl apply -f myconfig.yaml
configmap/myconfig created
Looking at the ConfigMaps again, myconfig has also been created.
Create the mounting manifest config-var.yaml (vi config-var.yaml) and enter the following:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh", "-c", "echo $(LEVEL) $(TYPE)" ]
    env:
    - name: LEVEL
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.level
    - name: TYPE
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.type
  restartPolicy: Never
Once the file is written, apply it:
[root@master ~]# kubectl apply -f config-var.yaml
pod/mypod created
The simplest check is the container log: it prints 'info hello', which confirms the mount worked.
[root@master ~]# kubectl logs mypod
info hello
[root@master ~]#