K8S 配置管理
1. ConfigMap用途:应用配置管理,实现配置数据和应用程序代码分离典型场景:替换环境变量替换配置文件热更新:挂载的 ENV 不会同步更新挂载的 Volume 延迟更新 (10s左右)1.1 创建配置# 使用字面值创建kubectl create configmap mysql-config --from-literal=db.host=192.168.3.100 --from-litera
1. ConfigMap
用途:应用配置管理,实现配置数据和应用程序代码分离
典型场景:
- 替换环境变量
- 替换配置文件
热更新:
- 挂载的 ENV 不会同步更新
- 挂载的 Volume 延迟更新 (10s左右)
1.1 创建配置
# 使用字面值创建
kubectl create configmap mysql-config --from-literal=db.host=192.168.3.100 --from-literal=db.port=3306
# 通过文件创建
kubectl create configmap redis-config --from-file=./redis.conf
kubectl create configmap redis-config --from-file=redis-master.conf=./redis.conf # 修改默认名称
# 目录下多个文件
kubectl create configmap multi-config --from-file=./configs
资源文件:
apiVersion: v1
kind: ConfigMap
metadata:
name: cm-demo
data:
db.host: localhost
db.port: "3306"
redis.conf: |
host=127.0.0.1
port=6379
1.2 环境变量
1)单值引用
spec.containers[].env.valueFrom.configMapKeyRef
apiVersion: v1
kind: ConfigMap
metadata:
name: special-config
data:
special.how: very
special.type: charm
---
apiVersion: v1
kind: Pod
metadata:
name: configmap-env-1
spec:
containers:
- name: busybox
image: busybox
command: [ "/bin/sh", "-c", "env" ]
env:
- name: SPECIAL_LEVEL_KEY
valueFrom:
configMapKeyRef:
name: special-config
key: special.how
restartPolicy: Never
2)多值引用
spec.containers[i].envFrom.configMapRef
apiVersion: v1
kind: ConfigMap
metadata:
name: tomcat-cfg
data:
JAVA_HOME: "/usr/lib/jvm/java-8-openjdk-amd64"
CATALINA_HOME: "/usr/local/apache-tomcat-7.0.69"
---
apiVersion: v1
kind: Pod
metadata:
name: configmap-env
spec:
containers:
- name: busybox
image: busybox
command: [ "/bin/sh","-c", "echo $(JAVA_HOME) $(CATALINA_HOME)" ]
envFrom:
- configMapRef:
name: tomcat-cfg
restartPolicy: Never
1.3 挂载文件
spec.volume[i].configMap
apiVersion: v1
kind: ConfigMap
metadata:
name: redis-cfg
data:
redis.conf: |
dir /data/
maxmemory 2mb
maxmemory-policy allkeys-lru
---
apiVersion: v1
kind: Pod
metadata:
name: redis
spec:
containers:
- name: redis
image: redis
command:
- redis-server
- "/etc/redis/redis.conf"
env:
- name: MASTER
value: "true"
ports:
- containerPort: 6379
resources:
limits:
cpu: "0.1"
volumeMounts:
- mountPath: /data
name: data
- mountPath: /etc/redis
name: config
volumes:
- name: data
emptyDir: {}
- name: config
configMap:
name: redis-cfg
items:
- key: redis.conf
path: redis.conf
验证结果:
$ kubectl exec -it redis -- redis-cli
127.0.0.1:6379> CONFIG GET maxmemory
1) "maxmemory"
2) "2097152"
2. Secret
用途:解决密码、token、密钥等敏感数据的配置问题
典型场景:
- 环境变量
- volume 挂载
Secret 类型:
内置类型 | 用法 |
---|---|
Opaque | base64 编码,用来存储密码、密钥等 |
kubernetes.io/service-account-token | 用来访问 Kubernetes API,默认由 kubernetes 自动创建,并挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount/ |
kubernetes.io/dockercfg | ~/.dockercfg 文件的序列化形式 |
kubernetes.io/dockerconfigjson | 用来存储私有 docker registry 的认证信息,~/.docker/config.json |
kubernetes.io/basic-auth | 用于基本身份认证的凭据 |
kubernetes.io/ssh-auth | 用于 SSH 身份认证的凭据 |
kubernetes.io/tls | 用来存储 TLS 证书 |
bootstrap.kubernetes.io/token | 启动引导令牌数据 |
2.1 Service Account
SA 是 k8s 的一种 内置服务账户,它绑定了一个特殊的 Secret,ServiceAccountToken 保存了授权信息等内容。任何在 k8s 集群上运行的应用,都必须使用 token 中的授权信息,才能合法访问 API Server
$ kubectl describe pod nginx-845d4d9dff-4v7p8
...
Containers:
nginx:
...
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-fgghg (ro)
...
Volumes:
kube-api-access-fgghg:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
$ kubectl exec -it nginx-845d4d9dff-4v7p8 -- ls /run/secrets/kubernetes.io/serviceaccount
ca.crt namespace token
2.2 Opaque
# 1. 直接创建
$ kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
stringData: # 如果使用data,数据先要base64
user: root
pass: "123456"
EOF
# 2. 使用字面值创建
$ kubectl create secret generic login-credential --from-literal=username=root --from-literal=password=123456
# 3. 通过文件创建
$ cat > user.txt <<EOF
username=root
password=123456
EOF
$ kubectl create secret generic certification --from-file=user.txt
2.2.1 环境变量
apiVersion: v1
kind: Secret
metadata:
name: account-cfg
type: Opaque
stringData:
username: root
password: 123456
---
apiVersion: v1
kind: Pod
metadata:
name: secret-env
spec:
containers:
- name: busybox
image: busybox
command: [ "/bin/sh","-c", "echo $(TEST_USERNAME) $(TEST_PASSWORD)" ]
env:
- name: TEST_USERNAME
valueFrom:
secretKeyRef:
name: account-cfg
key: username
- name: TEST_PASSWORD
valueFrom:
secretKeyRef:
name: account-cfg
key: password
restartPolicy: Never
2.2.2 挂载文件
将账号信息挂载到 “/etc/secrets” 下
apiVersion: v1
kind: Pod
metadata:
name: secret-volume
spec:
containers:
- image: busybox
name: busybox
command:
- /bin/sleep
- "3600"
volumeMounts:
- name: secret
mountPath: "/etc/secrets"
readOnly: true
volumes:
- name: secret
secret:
secretName: account-cfg # 生成两个文件:username & password
2.3 DockerConfigJson
# 创建 docker-registry 认证信息
kubectl create secret docker-registry myregistrykey --docker-server=registry.xtwl.io --docker-username=admin --docker-password=Admin123 --docker-email=admin@xtwl.io
apiVersion: v1
kind: Pod
metadata:
name: docker-registry-json
spec:
containers:
- name: busybox
image: registry.xtwl.io/library/busybox
imagePullSecrets:
- name: myregistrykey
2.4 TLS
1)创建 tls
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=elihe.io/O=elihe.io"
$ kubectl create secret tls elihe-secret --key tls.key --cert tls.crt
$ kubectl get secret elihe-secret -o yaml
apiVersion: v1
kind: Secret
metadata:
name: elihe-secret
type: kubernetes.io/tls
data:
tls.crt: **************************
tls.key: **************************
2)使用 tls
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-tls
spec:
tls:
- hosts:
- elihe.io
secretName: elihe-secret
rules:
- host: elihe.io
http:
paths:
- path: /
backend:
serviceName: nginx-svc
servicePort: 30080
3. DownwardAPI
作用:让 Pod 中的容器,能够直接获取该 Pod API 对象本身的信息
3.1 挂载文件
.spec.volumes[].downwardAPI.items[].fieldRef.fieldPath
apiVersion: v1
kind: Pod
metadata:
name: downward-api-volume
labels:
zone: CST
app: busybox
annotations:
version: "1.2"
builder: gopher
spec:
containers:
- name: busybox
image: busybox
command: ["sh", "-c"]
args:
- while true; do;
if [[ -e /etc/podinfo/labels ]]; then
echo -en '\n\n'; cat /etc/podinfo/labels; fi;
if [[ -e /etc/podinfo/annotations ]]; then
echo -en '\n\n'; cat /etc/podinfo/annotations; fi;
sleep 5;
done
volumeMounts:
- name: podinfo
mountPath: /etc/podinfo
volumes:
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
3.2 环境变量
.spec.containers[*].env.valueFrom.fieldRef.fieldPath
apiVersion: v1
kind: Pod
metadata:
name: downward-api-env
spec:
restartPolicy: Never
containers:
- name: busybox
image: busybox
command: ["/bin/sh", "-c", "env"]
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
更多推荐
所有评论(0)