emptyDir+hostPath+configMap+secret+pv/pvc
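1. emptyDir
A temporary volume. When the pod is deleted, the emptyDir is deleted immediately as well.
emptyDir: an empty directory created when the pod is scheduled onto a node. When the pod is deleted, the data in the emptyDir is deleted with it. emptyDir is often used to share files between containers or to create a temporary directory.
Note: emptyDir cannot be used for data persistence.
An encrypted configuration center: every value in a Secret is stored as base64-encoded content.
Its purpose is sharing files between different pods.
For example:
a database username and password.
1. Create a volume
2. Mount it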
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: emptydir
spec:
  replicas: 2
  selector:
    matchLabels:
      app: emptydir
  template:
    metadata:
      labels:
        app: emptydir
    spec:
      containers:
        - name: busybox
          image: busybox
          command:
            - '/bin/sh'
            - '-c'
            - 'while true; do echo `hostname` > /opt/test/index.html; sleep 1; done'
          volumeMounts:
            - mountPath: /opt/test/
              name: test01
      volumes:
        - name: test01
          emptyDir: {}
[root@k8s-master-01 k8s]# vim emptydir.yaml   # contents shown above
[root@k8s-master-01 k8s]# kubectl apply -f emptydir.yaml
[root@k8s-master-01 k8s]# kubectl get pods
[root@k8s-master-01 test]# kubectl exec -it emptydir-84c65dfd77-l7hxq
error: you must specify at least one command for the container
[root@k8s-master-01 test]# kubectl exec -it emptydir-84c65dfd77-l7hxq -- sh
/ # cd /opt/test
/opt/test # ls
index.html
/opt/test # cat index.html
emptydir-84c65dfd77-l7hxq
/opt/test #
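2. hostPath
Creates a volume on the host machine.
hostPath is similar to the docker -v parameter: it mounts files from the host into the pod. It is more powerful than docker -v, though, because the volume is mounted directly from whichever node the Pod is scheduled to.
Whichever host the container is deployed on, the volume is created against that host.
How do you keep the time inside containers consistent?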
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: hostname
spec:
  selector:
    matchLabels:
      app: hostname
  template:
    metadata:
      labels:
        app: hostname
    spec:
      containers:
        - name: nginx
          image: nginx
          volumeMounts:
            - mountPath: /usr/share/nginx/html/
              name: test01
      volumes:
        - name: test01
          hostPath:
            path: /opt
[root@k8s-master-01 k8s]# vim hostname.yaml
[root@k8s-master-01 k8s]# kubectl apply -f hostname.yaml
[root@k8s-master-01 k8s]# kubectl get pods -o wide
[root@k8s-master-01 k8s]# curl 10.244.1.102
<head><title>403 Forbidden</title></head>
At this point the container is running on node01.
[root@k8s-node-01 ~]# cd /opt
[root@k8s-node-01 opt]# echo `hostname` > index.html
[root@k8s-node-01 opt]# cat index.html
# Access it again
[root@k8s-master-01 k8s]# curl 10.244.1.102
k8s-node-01
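3. configMap
The configuration center for pods, mainly used to store configuration files (stored in plaintext). It turns configuration into a resource.
When a file in a configMap is modified, the change is synchronized to every container that mounts that configMap (only into the containers). If the subPath parameter is used, hot update stops working.
A configMap mount directly overrides the original directory: once it is mounted, all files that were in that directory are gone. To avoid overriding the directory, use the subPath parameter (subPath only works on files and does not support hot update).
Note: mounting a volume removes all files in the directory it is mounted on.
configMap supports hot update. Once subPath is used, the configMap loses its hot update capability.
For example:
MySQL's configuration file needs to be mounted into the Pod; a configMap is normally used for that.
1. Mapped to a file
2. Mapped to an environment variable
3.1. Mapping to a file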
kind: ConfigMap
apiVersion: v1
metadata:
  name: configmap
data:
  MYSQL_ROOT_PASSWORD: '123456'
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: configmap
spec:
  selector:
    matchLabels:
      app: configmap
  template:
    metadata:
      labels:
        app: configmap
    spec:
      containers:
        - name: mysql
          image: nginx
          volumeMounts:
            - mountPath: /opt
              name: password
      volumes:
        - name: password
          configMap:
            name: configmap
            items:
              - key: MYSQL_ROOT_PASSWORD
                path: ./MYSQL_ROOT_PASSWORD
[root@k8s-master-01 k8s]# vim configmap.yaml
[root@k8s-master-01 k8s]# kubectl apply -f configmap.yaml
[root@k8s-master-01 k8s]# kubectl get pods
NAME READY STATUS RESTARTS AGE
configmap-6fc657c5f9-tv7sp 1/1 Running 0 25s
[root@k8s-master-01 k8s]# kubectl exec -it configmap-6fc657c5f9-tv7sp -- bash
root@configmap-6fc657c5f9-tv7sp:/opt# cat MYSQL_ROOT_PASSWORD
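123456root@configmap-6fc657c5f9-tv7sp:/opt# # This maps the key to a file, but mysql does not recognize it; it has to be mapped to an environment variable
3.2. Mapping to an environment variable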
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: configmap
data:
  MYSQL_ROOT_PASSWORD: '123456'
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: configmap
spec:
  selector:
    matchLabels:
      app: configmap
  template:
    metadata:
      labels:
        app: configmap
    spec:
      containers:
        - name: mysql
          image: nginx
          envFrom:
            - configMapRef:
                name: configmap
                optional: true
[root@k8s-master-01 k8s]# vim configmap.yaml
[root@k8s-master-01 k8s]# kubectl apply -f configmap.yaml
[root@k8s-master-01 k8s]# kubectl get pods
NAME READY STATUS RESTARTS AGE
configmap-6fc657c5f9-tv7sp 1/1 Running 0 9m18s
[root@k8s-master-01 k8s]# kubectl exec -it configmap-74cfcb9db6-npwdw -- bash
root@configmap-74cfcb9db6-npwdw:/# printenv
3.3. Example: deploying nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx
data:
  nginx.conf: |
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    events {
        worker_connections 1024;
    }
    http {
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 4096;
        default_type application/octet-stream;
        include /etc/nginx/conf.d/*.conf;
    }
  default.conf: |
    server {
        listen 80;
        server_name www.test.com;
        location / {
            root /opt/;
            index index.html;
        }
    }
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          volumeMounts:
            - mountPath: /etc/nginx/
              name: nginxconf
      volumes:
        - name: nginxconf
          configMap:
            name: nginx
            items:
              - key: nginx.conf
                path: ./nginx.conf
              - key: default.conf
                path: ./conf.d/default.conf
[root@k8s-master-01 k8s]# vim nginx.yaml
[root@k8s-master-01 k8s]# kubectl apply -f nginx.yaml
[root@k8s-master-01 k8s]# kubectl get pods
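In the browser, open http://192.168.15.101:20080/ and go to Overview > default > nginx > File Browser > etc > nginx; default.conf and nginx.conf can be seen there.
The reason is that once a configMap is mounted, all files that were in that directory are gone. So how can all the files be kept visible? Use subPath. subPath can only mount a single file, not a directory; it specifies the name of the file.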
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx
data:
  nginx.conf: |
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    include /usr/share/nginx/modules/*.conf;
    events {
        worker_connections 1024;
    }
    http {
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 4096;
        default_type application/octet-stream;
        include /etc/nginx/conf.d/*.conf;
        server {
            listen 80;
            listen [::]:80;
            server_name _;
            root /usr/share/nginx/html;
            include /etc/nginx/default.d/*.conf;
            error_page 404 /404.html;
            location = /404.html {
            }
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
            }
        }
    }
  default.conf: |
    server {
        listen 80;
        server_name www.test.com;
        location /{
            root /opt/;
            index index.html;
        }
    }
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          volumeMounts:
            - mountPath: /etc/nginx/nginx.conf
              name: nginxconf
              subPath: nginx.conf
            - mountPath: /etc/nginx/conf.d/default.conf
              name: defaultconf
              subPath: default.conf
      volumes:
        - name: nginxconf
          configMap:
            name: nginx
            items:
              - key: nginx.conf
                path: nginx.conf
        - name: defaultconf
          configMap:
            name: nginx
            items:
              - key: default.conf
                path: default.conf
[root@k8s-master-01 k8s]# vim nginx.yaml
[root@k8s-master-01 k8s]# kubectl apply -f nginx.yaml
[root@k8s-master-01 k8s]# kubectl get pods -w
[root@k8s-master-01 k8s]# kubectl exec -it nginx-858b66f7b9-d7fcd -- bash
root@nginx-858b66f7b9-d7fcd:/opt# cd /etc/nginx
root@nginx-858b66f7b9-d7fcd:/etc/nginx# ls -l
total 24
drwxr-xr-x 2 root root 26 Dec 29 19:28 conf.d
-rw-r--r-- 1 root root 1007 Dec 28 15:28 fastcgi_params
-rw-r--r-- 1 root root 5349 Dec 28 15:28 mime.types
lrwxrwxrwx 1 root root 22 Dec 28 15:40 modules -> /usr/lib/nginx/modules
-rw-r--r-- 1 root root 1031 Jan 10 13:24 nginx.conf
-rw-r--r-- 1 root root 636 Dec 28 15:28 scgi_params
-rw-r--r-- 1 root root 664 Dec 28 15:28 uwsgi_params
Hot update: nothing is restarted, yet the configuration file changes.
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx
data:
  nginx.conf: |
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    include /usr/share/nginx/modules/*.conf;
    events {
        worker_connections 1024;
    }
    http {
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 4096;
        default_type application/octet-stream;
        include /etc/nginx/conf.d/*.conf;
        server {
            listen 80;
            listen [::]:80;
            server_name _;
            root /usr/share/nginx/html;
            include /etc/nginx/default.d/*.conf;
            error_page 404 /404.html;
            location = /404.html {
            }
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
            }
        }
    }
  default.conf: |
    server {
        listen 80;
        server_name www.test.com;
        location /{
            root /opt/;
            index index.html;
        }
    }
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          volumeMounts:
            - mountPath: /etc/nginx/conf.d
              name: defaultconf
      volumes:
        - name: defaultconf
          configMap:
            name: nginx
            items:
              - key: default.conf
                path: ./default.conf
[root@k8s-master-01 k8s]# kubectl exec -it nginx-7c6468cb6-pz4f9 -- bash
root@nginx-7c6468cb6-pz4f9:/# cd /etc/nginx/conf.d
root@nginx-7c6468cb6-pz4f9:/etc/nginx/conf.d# ls
default.conf
root@nginx-7c6468cb6-pz4f9:/etc/nginx/conf.d# cat default.conf
server {
listen 80;
server_name www.test.com;
location /{
root /opt/;
index index.html;
}
}
Change www.test.com in default.conf to bbs.test.com
and redeploy:
[root@k8s-master-01 k8s]# vim nginx.yaml
[root@k8s-master-01 k8s]# kubectl apply -f nginx.yaml
[root@k8s-master-01 k8s]# kubectl describe configmaps nginx
default.conf:
server_name bbs.test.com;
Check inside the container:
root@nginx-7c6468cb6-pz4f9:/etc/nginx/conf.d# cat default.conf
server {
listen 80;
server_name bbs.test.com;
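However, as soon as subPath is added, hot update stops working.
4. secret
The encrypted version of configMap.
An encrypted configuration center: every value in a Secret is stored as base64-encoded content.
For example:
a database username and password.
[root@k8s-master-01 k8s]# echo -n '123456' | base64
[root@k8s-master-01 k8s]# echo -n 'MTIzNDU2' | base64 -d
1. Generic type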
---
kind: Secret
apiVersion: v1
metadata:
  name: secret
data:
  MYSQL_ROOT_PASSWORD: YTZYQXUlKlZpXktiW0RVUk1ZI3gyc2cjZyNecm1oLl0=
type:
http://192.168.15.101:20080/kubernetes/kubernetes/namespace/default/secret > Configuration Center > Secrets
[root@k8s-master-01 k8s]# kubectl get secrets
NAME TYPE DATA AGE
default-token-xhw9z kubernetes.io/service-account-token 3 9d
test01 Opaque 1 32s
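The values under data in a Secret manifest are base64-encoded, and base64 -d reverses that without any key, so anyone who can read the manifest or the Secret object can read the password. The following is an added example, not part of the original page: a shell function that decodes every data entry of a Secret manifest. The manifest, its name and the function name decode_secret_data are constructed for this example.

```shell
#!/bin/sh
# Added example: decode every value under `data:` in a Secret manifest.
# SAMPLE_SECRET is constructed for this example; MTIzNDU2 is the base64
# form of the page's sample value 123456.
SAMPLE_SECRET='kind: Secret
apiVersion: v1
metadata:
  name: demo
data:
  MYSQL_ROOT_PASSWORD: MTIzNDU2
  MYSQL_USER: cm9vdA==
type: Opaque'

# decode_secret_data (hypothetical helper): reads a manifest on stdin and
# prints one "key=plaintext" line per entry of the data map.
decode_secret_data() {
  awk '
    /^data:/ { in_data = 1; next }   # start of the data map
    /^[^ ]/  { in_data = 0 }         # any other top-level key ends it
    in_data && /^  [^ ]/ {
      key = $1
      sub(/:$/, "", key)             # strip the trailing colon from the key
      print key, $2
    }
  ' | while read -r key value; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$value" | base64 -d)"
  done
}

printf '%s\n' "$SAMPLE_SECRET" | decode_secret_data
```

Because decoding needs no key, read access to Secret objects has to be limited with RBAC, and manifests that carry data values should be kept out of shared repositories.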
2. Storing a docker registry username and password
# Create manually
[root@k8s-master-01 ~]# kubectl create secret docker-registry aliyun01 --docker-server=registry.cn-hangzhou.aliyuncs.com --docker-username=yangyang091022 --docker-password=123456
# Create with the graphical tool (see the figure below)
3. Storing cluster keys and certificates
# Certificate
---
apiVersion: v1
data:
  tls.crt: >-
    <base64-encoded certificate (value omitted)>
  tls.key: >-
    <base64-encoded private key (value omitted)>
kind: Secret
metadata:
  name: www-test-com
  namespace: default
type: kubernetes.io/tls
# Deploy HTTPS
---
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: www-test-com
spec:
  tls:
    - hosts:
        - www.test.com
      secretName: www-test-com
  rules:
    - http:
        paths:
          - backend:
              serviceName: aliyun01
              servicePort: 80
      host: www.test.com
---
kind: Service
apiVersion: v1
metadata:
  name: aliyun01
spec:
  selector:
    app: aliyun01
  ports:
    - port: 80
      targetPort: 80
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: aliyun01
spec:
  selector:
    matchLabels:
      app: aliyun01
  template:
    metadata:
      labels:
        app: aliyun01
    spec:
      imagePullSecrets:
        - name: aliyun
        - name: aliyun01
      containers:
        - name: aliyun01
          image: registry.cn-hangzhou.aliyuncs.com/alvinos/nginx:v12
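5. pv/pvc
nfs lets us mount an existing share into our Pod. Unlike emptyDir, which is deleted when the Pod is deleted, an nfs volume is not deleted; it is only unmounted. This means NFS lets us prepare the data in advance, the data can be passed between Pods, and an nfs share can be mounted by multiple pods at the same time for reading and writing.
pv: storage
pvc: a request for storage
1. pv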
[root@k8s-master-01 k8s]# mkdir -p /nfs/v{1..5}
[root@k8s-master-01 k8s]# cd /nfs/v1
[root@k8s-master-01 v1]# yum install nfs-utils rpcbind -y
[root@k8s-master-01 v1]# vim /etc/exports
/nfs/v1 192.168.15.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
/nfs/v2 192.168.15.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
/nfs/v3 192.168.15.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
/nfs/v4 192.168.15.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
/nfs/v5 192.168.15.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
# Check the exports
[root@k8s-master-01 v1]# showmount -e
[root@k8s-master-01 v1]# systemctl start rpcbind nfs-server
---
kind: PersistentVolume
apiVersion: v1
metadata:
  name: pv001
  labels:
    app: pv001
spec:
  nfs:
    path: /nfs/v2
    server: 192.168.15.101
  accessModes:
    - "ReadWriteMany"
    - "ReadWriteOnce"
  capacity:
    storage: 2Gi
---
kind: PersistentVolume
apiVersion: v1
metadata:
  name: pv002
  labels:
    app: pv002
spec:
  nfs:
    path: /nfs/v1
    server: 192.168.15.101
  accessModes:
    - "ReadWriteMany"
    - "ReadWriteOnce"
  capacity:
    storage: 10Gi
[root@k8s-master-01 v1]# vim pv.yaml
[root@k8s-master-01 v1]# kubectl apply -f pv.yaml
[root@k8s-master-01 v1]# kubectl get pv
RECLAIM POLICY: the reclaim policy
[root@k8s-master-01 v1]# vim pvc.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pvc
  namespace: default
spec:
  accessModes:
    - "ReadWriteMany"
  resources:
    requests:
      storage: "6Gi"
[root@k8s-master-01 v1]# kubectl apply -f pv.yaml
[root@k8s-master-01 v1]# kubectl get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
pvc Bound pv002 10Gi RWO,RWX 113s
[root@k8s-master-01 v1]# kubectl get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pv001 2Gi RWO,RWX Retain Available 9m35s
pv002 10Gi RWO,RWX Retain Bound default/pvc 10s
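The output above shows the 6Gi claim bound to pv002 (10Gi) while pv001 (2Gi) stays Available. The following is an added example, not part of the original page: a simplified model of that selection, which picks the smallest PV that offers every requested access mode and at least the requested capacity. The function name match_pv and the one-line-per-PV input format are assumptions of this sketch, and it ignores storage classes, label selectors and PVs that are already bound.

```shell
#!/bin/sh
# Added example: simplified model of how a PVC is matched to a PV.
# Input format (assumed for this sketch): "name capacityGi mode1,mode2,..."
# The two entries mirror pv001 and pv002 from the page.
PVS='pv001 2 ReadWriteMany,ReadWriteOnce
pv002 10 ReadWriteMany,ReadWriteOnce'

# match_pv REQUEST_GI MODES
# Prints the name of the chosen PV, or nothing when no PV fits.
match_pv() {
  req_gi=$1
  req_modes=$2
  printf '%s\n' "$PVS" | awk -v need="$req_gi" -v modes="$req_modes" '
    {
      if ($2 + 0 < need + 0) next        # PV is smaller than the request
      n = split(modes, want, ",")
      for (i = 1; i <= n; i++)           # every requested mode must be offered
        if (index("," $3 ",", "," want[i] ",") == 0) next
      # keep the smallest PV that still satisfies the claim
      if (best == "" || $2 + 0 < best_gi) { best = $1; best_gi = $2 + 0 }
    }
    END { if (best != "") print best }
  '
}

match_pv 6 ReadWriteMany     # the claim from the page
match_pv 1 ReadWriteOnce     # a small claim fits the 2Gi volume
match_pv 20 ReadWriteMany    # larger than any PV: no match, claim stays Pending
```

The claim receives the whole matched volume, which is why the CAPACITY column of the pvc shows 10Gi although only 6Gi was requested.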
The pv and pvc were created above; how is the storage then used?
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: pv-pvc
spec:
  selector:
    matchLabels:
      app: pv-pvc
  template:
    metadata:
      labels:
        app: pv-pvc
    spec:
      containers:
        - name: nginx
          image: nginx
          volumeMounts:
            - mountPath: /usr/share/nginx/html
              name: pvc
      volumes:
        - name: pvc
          persistentVolumeClaim:
            claimName: pvc
[root@k8s-master-01 v1]# vim pvc.yaml
[root@k8s-master-01 v1]# kubectl apply -f pvc.yaml
[root@k8s-master-01 v1]# kubectl get pods
[root@k8s-master-01 nfs]# cd v1
[root@k8s-master-01 v1]# echo "hahahah"> index.html
[root@k8s-master-01 v1]# curl 10.244.1.154
hahahah
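5.1. Access modes
A pv has three access modes:
1. ReadWriteMany: multi-path read-write
2. ReadWriteOnce: single-path read-write
3. ReadOnlyMany: multi-path read-only
4. ReadWriteOncePod: read-only on the current node (1.22+)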