Linux Learning: Kubernetes Secret and ConfigMap

Posted 丢爸


Secret

Stores encrypted data in etcd; containers in a Pod can access it by mounting it as a Volume or through environment variables.

# Create a Secret from YAML
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: bG90dXM=    # username, base64-encoded
  password: MTIzNDU2    # password, base64-encoded
[root@k8s-master k8syaml]# kubectl apply -f secret.yaml 

# Use the values in the Secret as environment variables
apiVersion: v1
kind: Pod
metadata:
  name: mypodvarsecret
spec:
  containers:
  - name: nginx
    image: nginx
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
[root@k8s-master k8syaml]# kubectl exec -it mypodvarsecret bash
root@mypodvarsecret:/# echo $SECRET_USERNAME
lotus
root@mypodvarsecret:/# echo $SECRET_PASSWORD
123456

# Mount the Secret as a volume
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
  volumes:
  - name: foo
    secret:
      secretName: mysecret
# Enter the container and check the values
[root@k8s-master k8syaml]# kubectl exec -it mypod bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@mypod:/# ls /etc/foo    
password  username
root@mypod:/# cat /etc/foo/password
123456

ConfigMap

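Stores unencrypted data in etcd so that a Pod can consume it as environment variables or mount it into its containers as a Volume; typically used for configuration files.

# Create a redis configuration file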
[root@k8s-master k8syaml]# cat redis.properties 
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
# Create the ConfigMap
[root@k8s-master k8syaml]# kubectl create configmap redis-config --from-file=redis.properties
configmap/redis-config created
[root@k8s-master k8syaml]# kubectl get configmap
NAME               DATA   AGE
kube-root-ca.crt   1      108d
redis-config       1      7s
# View the details
[root@k8s-master k8syaml]# kubectl describe configmap redis-config
Name:         redis-config
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
redis.properties:
----
redis.host=127.0.0.1
redis.port=6379
redis.password=123456


BinaryData
====

Events:  <none>
# Mount as a volume
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["/bin/sh","-c","cat /etc/config/redis.properties"]
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: redis-config
  restartPolicy: Never
[root@k8s-master k8syaml]# kubectl get pods
NAME                   READY   STATUS      RESTARTS   AGE
mypod                  0/1     Completed   0          24s
[root@k8s-master k8syaml]# kubectl logs mypod
redis.host=127.0.0.1
redis.port=6379
redis.password=123456
# Consume as environment variables
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
  namespace: default
data:
  special.level: info
  special.type: hello
[root@k8s-master k8syaml]# kubectl apply -f configmap_var.yaml
configmap/myconfig created
[root@k8s-master k8syaml]# kubectl get configmap
NAME               DATA   AGE
kube-root-ca.crt   1      108d
myconfig           2      13s
redis-config       1      21m

apiVersion: v1
kind: Pod
metadata: 
  name: mypod
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["/bin/sh","-c","echo $(LEVEL)  $(TYPE)"]
    env:
    - name: LEVEL
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.level
    - name: TYPE
      valueFrom:
        configMapKeyRef:
          name: myconfig
          key: special.type
  restartPolicy: Never

[root@k8s-master k8syaml]# kubectl apply -f configmap_pod_var.yaml 
pod/mypod created
[root@k8s-master k8syaml]# kubectl logs mypod
info hello
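
Added example (not part of the original post): the values under `data` in the Secret above are base64-encoded, so anyone who can read the object can recover them, and the redis.properties ConfigMap carries a password in plain text. The script below decodes the Secret and flags credential-like keys in ConfigMaps, using constructed JSON that mirrors this page's objects in the List shape `kubectl get secret,configmap -o json` returns; the key-name pattern is an assumed heuristic.

```python
import base64
import json
import re

# Constructed sample: this page's objects in the List shape that
# `kubectl get secret,configmap -o json` returns.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Secret", "metadata": {"name": "mysecret"}, "type": "Opaque",
     "data": {"username": "bG90dXM=", "password": "MTIzNDU2"}},
    {"kind": "ConfigMap", "metadata": {"name": "redis-config"},
     "data": {"redis.properties":
              "redis.host=127.0.0.1\nredis.port=6379\nredis.password=123456\n"}},
    {"kind": "ConfigMap", "metadata": {"name": "myconfig"},
     "data": {"special.level": "info", "special.type": "hello"}},
]})

# Key names that suggest a credential (assumed heuristic, extend as needed).
SENSITIVE = re.compile(r"(pass(word|wd)?|secret|token|api[_.-]?key)", re.I)

def decode_secret(obj):
    """Return the plaintext of every key in a Secret's `data` map."""
    return {k: base64.b64decode(v).decode("utf-8", "replace")
            for k, v in (obj.get("data") or {}).items()}

def configmap_findings(obj):
    """Return (configmap, location) pairs where a credential-like key has a value."""
    name, hits = obj["metadata"]["name"], []
    for key, value in (obj.get("data") or {}).items():
        if SENSITIVE.search(key) and value.strip():
            hits.append((name, key))
        # File-style values (--from-file): check each key=value line as well.
        for line in value.splitlines():
            k, sep, v = line.partition("=")
            if sep and SENSITIVE.search(k) and v.strip():
                hits.append((name, f"{key}:{k.strip()}"))
    return hits

def audit(doc):
    """Decode all Secrets and collect credential-like entries in ConfigMaps."""
    items = json.loads(doc)["items"]
    secrets = {o["metadata"]["name"]: decode_secret(o)
               for o in items if o["kind"] == "Secret"}
    findings = [h for o in items if o["kind"] == "ConfigMap"
                for h in configmap_findings(o)]
    return secrets, findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```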

