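Introduction to Kubernetes Configuration Management
1. Secret
Purpose: encrypts data and stores it in etcd, so that a Pod's containers can access it by mounting it as a Volume.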
1.1 Manually creating the username and password

```
[root@m7-autocv-gpu01 demo]# echo -n 'testuser' > ./username.txt
[root@m7-autocv-gpu01 demo]# echo -n '123456' > ./password..txt
[root@m7-autocv-gpu01 demo]# cat username.txt password..txt
testuser123456
```
Once the username and password files exist, create the Secret manually, pointing it at both files:

```
[root@m7-autocv-gpu01 demo]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password..txt
secret/db-user-pass created
```

View the Secret that was created:

```
[root@m7-autocv-gpu01 demo]# kubectl get secret
NAME           TYPE     DATA   AGE
db-user-pass   Opaque   2      8s
```
1.2 Creating a Secret from a YAML file
First, base64-encode the username and password:

```
[root@m7-autocv-gpu01 demo]# echo -n 'usertest' | base64
dXNlcnRlc3Q=
[root@m7-autocv-gpu01 demo]# echo -n '123456' | base64
MTIzNDU2
```
Write the YAML file for the Secret:

```
[root@m7-autocv-gpu01 demo]# cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: dXNlcnRlc3Q=    ### base64-encoded username
  password: MTIzNDU2        ### base64-encoded password
```

Create it:

```
[root@m7-autocv-gpu01 demo]# kubectl create -f secret.yaml
secret/mysecret created
[root@m7-autocv-gpu01 demo]# kubectl get secret
NAME           TYPE     DATA   AGE
db-user-pass   Opaque   2      9m9s
mysecret       Opaque   2      10s
```
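The `data` values in this manifest are only base64-encoded, which anyone who can read the Secret can reverse; encrypting Secrets at rest in etcd is a separate API server setting. The following added example (not from the original post; the function name and the second sample Secret are assumptions) decodes a Secret manifest and flags encoding mistakes such as the trailing newline left by `echo` without `-n`.

```python
import base64
import binascii

def audit_secret(manifest):
    """Decode a Secret manifest (dict). Returns {key: (plaintext, issues)};
    plaintext is None when the value cannot be decoded."""
    report = {}
    for key, b64 in (manifest.get("data") or {}).items():
        issues = []
        try:
            raw = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            report[key] = (None, ["value is not valid base64"])
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            text = raw.hex()
            issues.append("binary value, shown as hex")
        if text != text.strip():
            issues.append("leading/trailing whitespace (echo without -n?)")
        report[key] = (text, issues)
    # stringData is plain text and overrides data, as in the Kubernetes API.
    for key, text in (manifest.get("stringData") or {}).items():
        report[key] = (text, [])
    return report

# The page's secret.yaml as a dict.
MYSECRET = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": "mysecret"},
            "data": {"username": "dXNlcnRlc3Q=", "password": "MTIzNDU2"}}

# Constructed sample: `echo 'usertest' | base64` (no -n) and a raw value
# pasted into `data` without encoding.
BROKEN = {"kind": "Secret", "metadata": {"name": "broken-example"},
          "data": {"username": base64.b64encode(b"usertest\n").decode(),
                   "password": "123456!"}}

if __name__ == "__main__":
    for manifest in (MYSECRET, BROKEN):
        print(manifest["metadata"]["name"])
        for key, (text, issues) in audit_secret(manifest).items():
            print(f"  {key}: {text!r} {issues}")
```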
2. Using a Secret
2.1 Using a Secret through environment variables
Reference the keys of the Secret created above in the Pod's YAML file.
Example:

```
[root@m7-autocv-gpu01 demo]# cat secret-var.yaml
apiVersion: v1
kind: Pod
metadata:
  name: podtest8
spec:
  containers:
  - name: nginx110302
    image: nginx
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret     ### the Secret created earlier
          key: username      ### the username key in the Secret
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret     ### the Secret created earlier
          key: password      ### the password key in the Secret
```
Create the Pod and test it:

```
[root@m7-autocv-gpu01 demo]# kubectl apply -f secret-var.yaml
pod/podtest8 created
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME       READY   STATUS    RESTARTS   AGE
podtest8   1/1     Running   0          5s
```

Log in to the Pod and check the username and password:

```
[root@m7-autocv-gpu01 demo]# kubectl exec -it podtest8 bash
root@podtest8:/# echo $SECRET_USERNAME
usertest
root@podtest8:/# echo $SECRET_PASSWORD
123456
```

With this method, the Secret is injected into the Pod as environment variables.
2.2 Mounting a Secret as a volume at a directory in the Pod
Reference the Secret created above in the Pod's YAML file.

```
[root@m7-autocv-gpu01 demo]# cat secret-vol.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx110303
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
```
Create the Pod and test it:

```
[root@m7-autocv-gpu01 demo]# kubectl create -f secret-vol.yaml
pod/nginx110303 create
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
nginx110303   1/1     Running   0          14s
```

Enter the Pod and look at the directory:

```
[root@m7-autocv-gpu01 demo]# kubectl exec -it nginx110303 bash
root@nginx110303:/# ls /etc/foo/
password  username
root@nginx110303:/# cat /etc/foo/username
usertest
root@nginx110303:/# cat /etc/foo/password
123456
```
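The two methods expose the same Secret differently: an environment variable is fixed when the container starts and is inherited by every child process, while a mounted Secret is a set of files that the kubelet updates when the Secret changes. The following added example (not from the original post; the function and helper names are assumptions) reports which channel each container in a Pod manifest uses, run over the two Pods above.

```python
def secret_exposure(pod):
    """Return sorted (container, secret, channel, target, note) tuples
    describing how each Secret reaches each container of a Pod manifest."""
    spec = pod.get("spec", {})
    # Volume name -> Secret name, for volumes backed by a Secret.
    secret_volumes = {v["name"]: v["secret"]["secretName"]
                      for v in spec.get("volumes", []) if "secret" in v}
    found = []
    for c in spec.get("containers", []):
        for env in c.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                found.append((c["name"], ref["name"], "env", env["name"],
                              "fixed at start, inherited by child processes"))
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                found.append((c["name"], src["secretRef"]["name"], "env", "*",
                              "every key of the Secret becomes a variable"))
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_volumes:
                note = "read-only" if m.get("readOnly") else "not readOnly"
                found.append((c["name"], secret_volumes[m["name"]], "volume",
                              m["mountPath"], note))
    return sorted(found)

def _ref(var, key):  # hypothetical helper that builds one env entry
    return {"name": var,
            "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": key}}}

# The page's secret-var.yaml and secret-vol.yaml as dicts.
POD_VAR = {"metadata": {"name": "podtest8"}, "spec": {"containers": [{
    "name": "nginx110302", "image": "nginx",
    "env": [_ref("SECRET_USERNAME", "username"),
            _ref("SECRET_PASSWORD", "password")]}]}}
POD_VOL = {"metadata": {"name": "nginx110303"}, "spec": {
    "containers": [{"name": "nginx", "image": "nginx", "volumeMounts": [
        {"name": "foo", "mountPath": "/etc/foo", "readOnly": True}]}],
    "volumes": [{"name": "foo", "secret": {"secretName": "mysecret"}}]}}

if __name__ == "__main__":
    for pod in (POD_VAR, POD_VOL):
        for row in secret_exposure(pod):
            print(pod["metadata"]["name"], *row, sep=" | ")
```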
3. ConfigMap
3.1 Using a ConfigMap through environment variables
First, create the ConfigMap.
Example:

The YAML file for the ConfigMap:

```
[root@m7-autocv-gpu01 demo]# cat myconfigmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfigmap
  namespace: default
data:
  special.level: info
  special.type: hello
```

Create the ConfigMap:

```
[root@m7-autocv-gpu01 demo]# kubectl create -f myconfigmap.yaml
configmap/myconfigmap created
```

List the ConfigMaps:

```
[root@m7-autocv-gpu01 demo]# kubectl get configmap
NAME           DATA   AGE
myconfigmap    2      20s
redis-config   1      18h
```

View the contents of the ConfigMap:

```
[root@m7-autocv-gpu01 demo]# kubectl describe configmap myconfigmap
Name:         myconfigmap
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
special.level:
----
info
special.type:
----
hello
Events:  <none>
```
Create a Pod that uses the ConfigMap.

The Pod's YAML file:

```
[root@m7-autocv-gpu01 demo]# cat pod10.yaml
apiVersion: v1
kind: Pod
metadata:
  name: podtest10
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["/bin/sh", "-c", "echo $(LEVEL) $(TYPE)" ]
    env:
    - name: LEVEL
      valueFrom:
        configMapKeyRef:
          name: myconfigmap
          key: special.level
    - name: TYPE
      valueFrom:
        configMapKeyRef:
          name: myconfigmap
          key: special.type
  restartPolicy: Never
```

Create the Pod:

```
[root@m7-autocv-gpu01 demo]# kubectl apply -f pod10.yaml
pod/podtest10 created
```

Check the Pod:

```
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME        READY   STATUS      RESTARTS   AGE
podtest10   0/1     Completed   0          21s
```

View the Pod's log output:

```
[root@m7-autocv-gpu01 demo]# kubectl logs podtest10
info hello
```
3.2 Using a ConfigMap by mounting it as a volume
Example of mounting a ConfigMap into a Pod as a volume:

```
[root@m7-autocv-gpu01 demo]# cat pod9.yaml
apiVersion: v1
kind: Pod
metadata:
  name: podtest9
spec:
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh","-c","cat /etc/config/redis.properties" ]
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: redis-config
  restartPolicy: Never
```
Create the Pod with the volume mounted and test it:

```
[root@m7-autocv-gpu01 demo]# kubectl create -f pod9.yaml
pod/podtest9 created
[root@m7-autocv-gpu01 demo]# kubectl get pods
NAME       READY   STATUS      RESTARTS   AGE
podtest9   0/1     Completed   0          7s
```

The Pod's log shows the configuration data, so the mount works:

```
[root@m7-autocv-gpu01 demo]# kubectl logs podtest9
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
```
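The log above shows `redis.password` held in a ConfigMap, which is meant for non-confidential settings; credentials belong in a Secret, where access can be restricted separately through RBAC. The following added example (not from the original post; the function name, the regexes and the `redis-config` manifest are assumptions, since the page shows only the file content) scans ConfigMap data for credential-like settings so they can be moved to a Secret.

```python
import re

# Setting names that suggest a credential rather than plain configuration.
SENSITIVE = re.compile(
    r"passw(or)?d|passphrase|secret|token|api[-_.]?key|credential", re.I)
# One "key=value" or "key: value" line inside an embedded config file.
KV_LINE = re.compile(r"^\s*([\w.\-]+)\s*[=:]\s*(\S.*)$")

def find_credentials(configmap):
    """Return sorted (configmap_key, setting_name) pairs that look like
    credentials in a ConfigMap manifest given as a dict."""
    hits = set()
    for key, value in (configmap.get("data") or {}).items():
        if SENSITIVE.search(key) and value.strip():
            hits.add((key, key))
        # A value is often a whole file (e.g. redis.properties): scan lines.
        for line in value.splitlines():
            if line.lstrip().startswith(("#", ";")):
                continue  # skip comment lines
            m = KV_LINE.match(line)
            if m and SENSITIVE.search(m.group(1)):
                hits.add((key, m.group(1)))
    return sorted(hits)

# Constructed: the page never shows redis-config's manifest, only the file
# content printed by `kubectl logs podtest9`.
REDIS_CONFIG = {"kind": "ConfigMap", "metadata": {"name": "redis-config"},
                "data": {"redis.properties":
                         "redis.host=127.0.0.1\nredis.port=6379\n"
                         "redis.password=123456\n"}}
# The page's myconfigmap.yaml as a dict.
MYCONFIGMAP = {"kind": "ConfigMap", "metadata": {"name": "myconfigmap"},
               "data": {"special.level": "info", "special.type": "hello"}}

if __name__ == "__main__":
    for cm in (REDIS_CONFIG, MYCONFIGMAP):
        print(cm["metadata"]["name"], find_credentials(cm))
```

The name patterns are a heuristic: a hit is a prompt to review the setting, and a clean result does not prove that no credential is present.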