舟山市建设工程造价管理协会网站,网站建设规划设计公司排名,seo研究中心晴天,高端的科技网站建设目录
Secret
创建 Secret
1、用kubectl create secret命令创建Secret
2、内容用 base64 编码#xff0c;创建Secret
使用方式
1、将 Secret 挂载到 Volume 中#xff0c;以 Volume 的形式挂载到 Pod 的某个目录下
2、将 Secret 导出到环境变量中
ConfigMap
创建 Co…目录
Secret
创建 Secret
1、用kubectl create secret命令创建Secret
2、内容用 base64 编码创建Secret
使用方式
1、将 Secret 挂载到 Volume 中以 Volume 的形式挂载到 Pod 的某个目录下
2、将 Secret 导出到环境变量中
ConfigMap
创建 ConfigMap
1、使用目录创建
2、使用文件创建
3、使用字面值创建
Pod 中使用 ConfigMap
1、使用 ConfigMap 来替代环境变量
Pod的创建
2、用 ConfigMap 设置命令行参数
3、通过数据卷插件使用ConfigMap
ConfigMap 的热更新
ConfigMap 更新后滚动更新 Pod Secret
Secret 是用来保存密码、token、密钥等敏感数据的 k8s 资源这类数据虽然也可以存放在 Pod 或者镜像中但是放在 Secret 中是为了更方便的控制如何使用数据并减少暴露的风险。
Secret 有四种类型 ●kubernetes.io/service-account-token由 Kubernetes 自动创建用来访问 APIServer 的 SecretPod 会默认使用这个 Secret 与 APIServer 通信 并且会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中; ●Opaque base64 编码格式的 Secret用来存储用户自定义的密码、密钥等默认的 Secret 类型; ●kubernetes.io/dockerconfigjson 用来存储私有 docker registry 的认证信息。 ●kubernetes.io/tls 用来存储 TLS 证书和私钥信息。
Pod 需要先引用才能使用某个 secretPod 有 3 种方式来使用 secret ●作为挂载到一个或多个容器上的卷 中的文件。 ●作为容器的环境变量。 ●由 kubelet 在为 Pod 拉取镜像时使用。
应用场景凭据 https://kubernetes.io/docs/concepts/configuration/secret/
创建 Secret
1、用kubectl create secret命令创建Secret
echo -n zhangsan username.txt
echo -n abc1234 password.txt
kubectl create secret generic mysecret --from-fileusername.txt --from-filepassword.txt
kubectl get secret
NAME TYPE DATA AGE
default-token-xtqxc kubernetes.io/service-account-token 3 8d
mysecret Opaque 2 16s
nfs-client-provisioner-token-rcmnm kubernetes.io/service-account-token 3 3d2hkubectl describe secret mysecret
Name: mysecret
Namespace: default
Labels: none
Annotations: noneType: OpaqueDatapassword.txt: 6 bytes
username.txt: 3 bytes
get或describe指令都不会展示secret的实际内容这是出于对数据的保护的考虑
2、内容用 base64 编码创建Secret
echo -n ggl | base64
Z2dsecho -n abc123 | base64
YWJjMTIzvim secret.yaml
apiVersion: v1
kind: Secret
metadata:name: mysecret1
type: Opaque
data:username: Z2dspassword: YWJjMTIzkubectl create -f secret.yaml
kubectl get secret
NAME TYPE DATA AGE
default-token-xtqxc kubernetes.io/service-account-token 3 8d
mysecret Opaque 2 14m
mysecret1 Opaque 2 24s
nfs-client-provisioner-token-rcmnm kubernetes.io/service-account-token 3 3d2h kubectl get secret mysecret1 -o yaml
apiVersion: v1
data:password: YWJjMTIzusername: Z2ds
kind: Secret
metadata:creationTimestamp: 2023-08-17T10:44:46ZmanagedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:f:data:.: {}f:password: {}f:username: {}f:type: {}manager: kubectl-createoperation: Updatetime: 2023-08-17T10:44:46Zname: mysecret1namespace: defaultresourceVersion: 170478selfLink: /api/v1/namespaces/default/secrets/mysecret1uid: ce798087-b395-482b-a907-239f79aadbdb
type: Opaque使用方式
1、将 Secret 挂载到 Volume 中以 Volume 的形式挂载到 Pod 的某个目录下
vim secret-test.yaml
apiVersion: v1
kind: Pod
metadata:name: mypod
spec:containers:- name: nginximage: nginxvolumeMounts:- name: secretsmountPath: /etc/secretsreadOnly: truevolumes:- name: secretssecret:secretName: mysecret1
kubectl create -f secret-test.yaml
kubectl get pods
NAME READY STATUS RESTARTS AGE
busybox-0 0/1 ContainerCreating 0 24h
my-nginx-74f49bdcf5-rfmgf 1/1 Running 1 22h
mypod 0/1 ContainerCreating 0 41s
nfs-client-provisioner-5fc8d4f6fd-kx9qv 0/1 ContainerCreating 0 24h
test-pod 0/1 Completed 0 23h
test-pod2 0/1 Completed 0 23h
test-pod3 1/1 Running 0 23hkubectl exec -it mypod bash# cd /etc/secrets/# ls
password username# vi password# vi username
2、将 Secret 导出到环境变量中
vim secret-test1.yaml
apiVersion: v1
kind: Pod
metadata:name: mypod1
spec:containers:- name: nginximage: nginxenv:- name: TEST_USERvalueFrom:secretKeyRef:name: mysecretkey: username- name: TEST_PASSWORDvalueFrom:secretKeyRef:name: mysecretkey: passwordenvFrom:- secretRef:name: mysecret1
kubectl apply -f secret-test1.yaml
kubectl get pods
NAME READY STATUS RESTARTS AGE
busybox-0 0/1 ContainerCreating 0 24h
my-nginx-74f49bdcf5-rfmgf 1/1 Running 1 23h
mypod 1/1 Running 0 18m
mypod1 1/1 Running 0 20s
nfs-client-provisioner-5fc8d4f6fd-kx9qv 0/1 ContainerCreating 0 24h
test-pod 0/1 Completed 0 23h
test-pod2 0/1 Completed 0 23h
kubectl exec -it mypod1 bash
echo $TEST_USER
ggl
echo $TEST_PASSWORD
abc123ConfigMap
与Secret类似区别在于ConfigMap保存的是不需要加密配置的信息。 ConfigMap 功能在 Kubernetes1.2 版本中引入许多应用程序会从配置文件、命令行参数或环境变量中读取配置信息。ConfigMap API 给我们提供了向容器中注入配置信息的机制ConfigMap 可以被用来保存单个属性也可以用来保存整个配置文件或者JSON二进制大对象。 应用场景应用配置
创建 ConfigMap
1、使用目录创建
mkdir /opt/configmap/
vim /opt/configmap/game.config
enemy.typesaliens,monsters
player.maximum-lives5
vim /opt/configmap/ui.config
color.goodpurple
color.badyellow
allow.textmodetrue
ls /opt/configmap/
game.config
ui.config
kubectl create configmap game-config --from-file/opt/configmap/
--from-file 指定在目录下的所有文件都会被用在 ConfigMap 里面创建一个键值对键的名字就是文件名值就是文件的内容
kubectl get cm
NAME DATA AGE
game-config 2 108s
kube-root-ca.crt 1 7d2h
kubectl get cm game-config -o yaml
apiVersion: v1
data:game.config: enemy.typesaliens,monsters\nplayer.maximum-lives5 \nui.config: |color.goodpurplecolor.badyellowallow.textmodetrue
kind: ConfigMap
metadata:creationTimestamp: 2023-08-16T10:03:47ZmanagedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:f:data:.: {}f:game.config: {}f:ui.config: {}manager: kubectl-createoperation: Updatetime: 2023-08-16T10:03:47Zname: game-confignamespace: defaultresourceVersion: 158070selfLink: /api/v1/namespaces/default/configmaps/game-configuid: f4689dd7-1c29-4a3f-9ada-23b07b283a00
2、使用文件创建
只要指定为一个文件就可以从单个文件中创建 ConfigMap --from-file 这个参数可以使用多次即可以使用两次分别指定上个实例中的那两个配置文件效果就跟指定整个目录是一样的
kubectl create configmap game-config-2 --from-file/opt/configmap/game.config --from-file/opt/configmap/ui.config
kubectl get configmaps game-config-2 -o yaml
apiVersion: v1
data:game.config: enemy.typesaliens,monsters\nplayer.maximum-lives5 \nui.config: |color.goodpurplecolor.badyellowallow.textmodetrue
kind: ConfigMap
metadata:creationTimestamp: 2023-08-16T10:17:24ZmanagedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:f:data:.: {}f:game.config: {}f:ui.config: {}manager: kubectl-createoperation: Updatetime: 2023-08-16T10:17:24Zname: game-config-2namespace: defaultresourceVersion: 159117selfLink: /api/v1/namespaces/default/configmaps/game-config-2uid: c6981168-c4d0-4c00-aec9-3a4e0ae57b86kubectl describe cm game-config-2
Name: game-config-2
Namespace: default
Labels: none
Annotations: noneDatagame.config:
----
enemy.typesaliens,monsters
player.maximum-lives5ui.config:
----
color.goodpurple
color.badyellow
allow.textmodetrueEvents: none
3、使用字面值创建
使用文字值创建利用 --from-literal 参数传递配置信息该参数可以使用多次格式如下
kubectl create configmap special-config --from-literalspecial.howvery --from-literalspecial.typegood
kubectl get configmaps special-config -o yaml
apiVersion: v1
data:special.how: veryspecial.type: good #键值对
kind: ConfigMap
metadata:creationTimestamp: 2023-08-16T10:19:38ZmanagedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:f:data:.: {}f:special.how: {}f:special.type: {}manager: kubectl-createoperation: Updatetime: 2023-08-16T10:19:38Zname: special-confignamespace: defaultresourceVersion: 159235selfLink: /api/v1/namespaces/default/configmaps/special-configuid: b34351e8-420f-4f76-bec5-8ea1876d556fkubectl delete cm --all
kubectl delete pod --all
Pod 中使用 ConfigMap
1、使用 ConfigMap 来替代环境变量
vim env.yaml
apiVersion: v1
kind: ConfigMap
metadata:name: special-confignamespace: default
data:special.how: veryspecial.type: good
---
apiVersion: v1
kind: ConfigMap
metadata:name: env-confignamespace: default
data:log_level: INFO
kubectl create -f env.yaml
kubectl get cm
NAME DATA AGE
env-config 1 2m26s
kube-root-ca.crt 1 31m
special-config 2 2m26s
Pod的创建
vim test-pod.yaml
apiVersion: v1
kind: Pod
metadata:name: test-pod
spec:containers:- name: busyboximage: busybox:1.28.4command: [ /bin/sh, -c, env ]env:- name: SPECIAL_HOW_KEYvalueFrom:configMapKeyRef:name: special-configkey: special.how- name: SPECIAL_TYPE_KEYvalueFrom:configMapKeyRef:name: special-configkey: special.typeenvFrom:- configMapRef:name: env-configrestartPolicy: Never
kubectl create -f test-pod.yaml
kubectl get pods
NAME READY STATUS RESTARTS AGE
busybox-0 0/1 ContainerCreating 0 54m
nfs-client-provisioner-5fc8d4f6fd-kx9qv 0/1 ContainerCreating 0 55m
test-pod 0/1 Completed 0
kubectl logs test-pod
KUBERNETES_SERVICE_PORT443
KUBERNETES_PORTtcp://10.96.0.1:443
HOSTNAMEtest-pod
SHLVL1
SPECIAL_HOW_KEYvery #赋值变量 SPECIAL_HOW_KEY 的值为 special-config 的
HOME/root
SPECIAL_TYPE_KEYgood #赋值变量 SPECIAL_TYPE_KEY 的值为 special-config 的
KUBERNETES_PORT_443_TCP_ADDR10.96.0.1
PATH/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT443
KUBERNETES_PORT_443_TCP_PROTOtcp
log_levelINFO #引入 env-config 的变量 log_level: INFO
KUBERNETES_SERVICE_PORT_HTTPS443
KUBERNETES_PORT_443_TCPtcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST10.96.0.1
PWD/
2、用 ConfigMap 设置命令行参数
apiVersion: v1
kind: Pod
metadata:name: test-pod2
spec:containers:- name: busyboximage: busybox:1.28.4command:- /bin/sh- -c- echo $(SPECIAL_HOW_KEY) $(SPECIAL_TYPE_KEY)env:- name: SPECIAL_HOW_KEYvalueFrom:configMapKeyRef:name: special-configkey: special.how- name: SPECIAL_TYPE_KEYvalueFrom:configMapKeyRef:name: special-configkey: special.typeenvFrom:- configMapRef:name: env-configrestartPolicy: Neverkubectl create -f test-pod2.yaml
kubectl get pods
NAME READY STATUS RESTARTS AGE
busybox-0 0/1 ContainerCreating 0 67m
nfs-client-provisioner-5fc8d4f6fd-kx9qv 0/1 ContainerCreating 0 68m
test-pod 0/1 Completed 0 13m
test-pod2 0/1 Completed
kubectl logs test-pod2
very good
3、通过数据卷插件使用ConfigMap
在数据卷里面使用 ConfigMap就是将文件填入数据卷在这个文件中键就是文件名键值就是文件内容
vim test-pod3.yaml
apiVersion: v1
kind: Pod
metadata:name: test-pod3
spec:containers:- name: busyboximage: busybox:1.28.4command: [ /bin/sh, -c, sleep 36000 ]volumeMounts:- name: config-volumemountPath: /etc/configvolumes:- name: config-volumeconfigMap:name: special-configrestartPolicy: Neverkubectl create -f test-pod3.yaml
kubectl get pods
NAME READY STATUS RESTARTS AGE
busybox-0 0/1 ContainerCreating 0 73m
nfs-client-provisioner-5fc8d4f6fd-kx9qv 0/1 ContainerCreating 0 74m
test-pod 0/1 Completed 0 19m
test-pod2 0/1 Completed 0 6m8s
test-pod3 1/1 Running
kubectl exec -it test-pod3 sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # cd /etc/config/
/etc/config # ls
special.how special.typeConfigMap 的热更新
vim test-pod4.yaml
apiVersion: v1
kind: ConfigMap
metadata:name: log-confignamespace: default
data:log_level: INFO
---
apiVersion: apps/v1
kind: Deployment
metadata:name: my-nginx
spec:replicas: 1selector:matchLabels:run: my-nginxtemplate:metadata:labels:run: my-nginxspec:containers:- name: my-nginximage: nginxports:- containerPort: 80volumeMounts:- name: config-volumemountPath: /etc/configvolumes:- name: config-volumeconfigMap:name: log-configkubectl apply -f test-pod4.yaml
kubectl get pods
NAME READY STATUS RESTARTS AGE
busybox-0 0/1 ContainerCreating 0 90m
my-nginx-7b8755d996-275rd 1/1 Running 0 102s
nfs-client-provisioner-5fc8d4f6fd-kx9qv 0/1 ContainerCreating 0 91m
test-pod 0/1 Completed 0 36m
test-pod2 0/1 Completed 0 22m
test-pod3
kubectl exec -it my-nginx-76b6489f44-6dwxh -- cat /etc/config/log_level
INFO
kubectl edit configmap log-config
# Please edit the object below. Lines beginning with a # will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:log_level: DEBUG #INFO 修改成 DEBUG
kind: ConfigMap
metadata:annotations:kubectl.kubernetes.io/last-applied-configuration: |{apiVersion:v1,data:{log_level:INFO},kind:ConfigMap,metadata: {annotations:{},name:log-config,namespace:default}} #INFO 修改成 DEBUGcreationTimestamp: 2023-08-16T11:46:54Zname: log-confignamespace: defaultresourceVersion: 166013selfLink: /api/v1/namespaces/default/configmaps/log-configuid: d82c89a6-3668-423a-8edc-17d46065c0a6
等大概10秒左右使用该 ConfigMap 挂载的 Volume 中的数据同步更新
kubectl exec -it my-nginx-7b8755d996-275rd -- cat /etc/config/log_level
DEBUG
ConfigMap 更新后滚动更新 Pod
更新 ConfigMap 目前并不会触发相关 Pod 的滚动更新可以通过在 .spec.template.metadata.annotations 中添加 version/config 每次通过修改 version/config 来触发滚动更新
kubectl patch deployment my-nginx --patch {spec: {template: {metadata: {annotations: {version/config: 20210525 }}}}}
kubectl get pods
NAME READY STATUS RESTARTS AGE
busybox-0 0/1 ContainerCreating 0 103m
my-nginx-74f49bdcf5-rfmgf 1/1 Running 0 22s
my-nginx-7b8755d996-275rd 0/1 Terminating 0 14m
nfs-client-provisioner-5fc8d4f6fd-kx9qv 0/1 ContainerCreating 0 104m
test-pod 0/1 Completed 0 49m
test-pod2 0/1 Completed 0 36m
test-pod3 1/1 Running 0 1/1 Running 0
kubectl get pods
NAME READY STATUS RESTARTS AGE
busybox-0 0/1 ContainerCreating 0 104m
my-nginx-74f49bdcf5-rfmgf 1/1 Running 0 73s
nfs-client-provisioner-5fc8d4f6fd-kx9qv 0/1 ContainerCreating 0 105m
test-pod 0/1 Completed 0 50m
test-pod2 0/1 Completed 0 37m
test-pod3 1/1 Running 0 31m
PS更新 ConfigMap 后 ●使用该 ConfigMap 挂载的 Env 不会同步更新。 ●使用该 ConfigMap 挂载的 Volume 中的数据需要一段时间实测大概10秒才能同步更新。
