- 配置容器化應(yīng)用的方式:
1.自定義命令行參數(shù)
arg: []
2.把配置文件直接打包進(jìn)鏡像（配置與鏡像綁定，改配置就要重新構(gòu)建鏡像；憑據(jù)類信息不要用這種方式，鏡像層對(duì)任何能拉取鏡像的人都是可讀的）
3.環(huán)境變量
env
1.cloud native 的應(yīng)用程序一般可直接通過(guò)環(huán)境變量加載配置
2.通過(guò)entrypoint腳本把環(huán)境變量預(yù)處理成應(yīng)用需要的配置文件/配置信息
4.存儲(chǔ)卷
5.configmap、secret傳遞或者引用配置信息
一般常用的是第五種：支持動(dòng)態(tài)修改配置信息，在多個(gè)容器間共享配置更加方便、減少復(fù)雜的工作量
kubernetes之ConfigMap
ConfigMap用于保存配置數(shù)據(jù)的鍵值對(duì)，可以用來(lái)保存單個(gè)屬性，也可以用來(lái)保存配置文件。ConfigMap跟Secret很類似，但它只用于不包含敏感信息的字符串：ConfigMap 以明文存儲(chǔ)，任何擁有該 namespace 中 configmaps 讀取權(quán)限的用戶或 ServiceAccount 都能看到其內(nèi)容，密碼、token、密鑰一律應(yīng)放到 Secret 中。
應(yīng)用實(shí)例:(可用kubectl create configmap --help 查看幫助信息)
1.命令行臨時(shí)創(chuàng)建:
[root@master-01 base]# kubectl create configmap myhost --from-file=/etc/hosts //默認(rèn)key為文件名，value為文件內(nèi)容
configmap/myhost created
[root@master-01 base]# kubectl get cm
NAME DATA AGE
myhost 1 4s
[root@master-01 base]# kubectl describe cm
Name: myhost
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
hosts:
----
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.1.1.10 master-01
10.1.1.3 master-02 node-01
10.1.1.4 node-02
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.1.1.10 master-01
10.1.1.3 master-02 node-01
10.1.1.4 node-02
10.1.1.5 harbor-ali.abc.com
Events: <none>
2.直接定義key和值（注意：上一步已經(jīng)創(chuàng)建了名為 myhost 的 configmap，再次 create 同名對(duì)象會(huì)報(bào) AlreadyExists，需要先 kubectl delete cm myhost；下面輸出里的 key1/config1 也是另外加進(jìn)去的）
[root@master-01 base]# kubectl create configmap myhost --from-literal=hostfile=/etc/hosts #自定義key為hostfile，value是字面值字符串"/etc/hosts"——--from-literal 不會(huì)讀取文件內(nèi)容，見下面的輸出
configmap/myhost created
[root@master-01 base]# kubectl get cm
NAME DATA AGE
myhost 2 7s
[root@master-01 base]# kubectl describe cm myhost
Name: myhost
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
hostfile:
----
/etc/hosts
key1:
----
config1
Events: <none>
3.通過(guò)文件創(chuàng)建configmap
新建一個(gè)www.conf作為nginx pod的配置文件，添加以下內(nèi)容（注意：下面 server_name 一行缺少結(jié)尾的 `;`，nginx 會(huì)把后面的 `listen 80` 一并當(dāng)作 server_name 的參數(shù)解析，實(shí)際使用時(shí)應(yīng)補(bǔ)上分號(hào)）
[root@master-01 configmap]# cat www.conf
server {
server_name myapp.abc.com
listen 80;
root /data/web/html;
}
創(chuàng)建configmap
[root@master-01 configmap]# kubectl create configmap nginx-www --from-file=./www.conf #key名稱不給默認(rèn)為文件名
configmap/nginx-www created
[root@master-01 configmap]# kubectl get cm
NAME DATA AGE
myhost 2 5m10s
nginx-www 1 6s
[root@master-01 configmap]# kubectl describe cm nginx-www
Name: nginx-www
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
www.conf:
----
server {
server_name myapp.abc.com
listen 80;
root /data/web/html;
}
Events: <none>
4.pod引用configmap（兩種方式：1.容器使用env引用，2.通過(guò)volumes引用）
1.容器env方式引用（環(huán)境變量在容器啟動(dòng)時(shí)一次性注入，之后修改 ConfigMap 不會(huì)更新已運(yùn)行容器的變量，需要重建 Pod 才能生效）
創(chuàng)建一個(gè)configmap實(shí)例
[root@master-01 configmap]# kubectl create configmap nginx-config --from-literal=nginx_port=8080 --from-literal=server_name=www.abc.com
configmap/nginx-config created
[root@master-01 configmap]# kubectl get configmap
NAME DATA AGE
myhost 2 17m
nginx-config 2 8s
nginx-www 1 12m
[root@master-01 configmap]# kubectl describe cm nginx-config
Name: nginx-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
nginx_port:
----
8080
server_name:
----
www.abc.com
Events: <none>
創(chuàng)建一個(gè)pod并引用configmap
[root@master-01 configmap]# cat myapp-cm.yaml
# myapp-cm.yaml: inject ConfigMap "nginx-config" keys into the container as
# environment variables. Env values are resolved once, when the container
# starts; editing the ConfigMap afterwards does not change a running
# container's environment (recreate the Pod to pick up new values).
#
# NOTE(review): every Deployment on this page uses the same selector
# (app=myapp, release=canary). Overlapping Deployment selectors are discouraged,
# and any Service selecting these labels (the MYAPP_SVC_* env vars below show one
# exists) will load-balance across all of these test Pods.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-cm-test
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      imagePullSecrets:
        - name: regsecret   # dockerconfigjson Secret used by the kubelet to pull from the private registry
      # hostAliases maps the registry hostname to its IP inside the Pod; the image
      # pull itself happens on the node, which must resolve the name on its own
      # (the node's /etc/hosts shown earlier has the same entry).
      hostAliases:
        - ip: "10.1.1.5"
          hostnames:
            - "harbor-ali.abc.com"
      containers:
        - name: myapp
          image: "harbor-ali.abc.com/k8s_img/myapp:v1"
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 80
          env:
            # NOTE(review): "PROT" looks like a typo for "PORT"; kept as-is because the
            # printenv transcript below shows the same name. Confirm which name the image reads.
            - name: NGINX_SERVER_PROT
              valueFrom:
                configMapKeyRef:
                  name: nginx-config   # ConfigMap name
                  key: nginx_port      # key inside the ConfigMap
            - name: NGINX_SERVER_NAME
              valueFrom:
                configMapKeyRef:
                  name: nginx-config   # ConfigMap name
                  key: server_name     # key inside the ConfigMap
-----------------------------------------
創(chuàng)建pod
[root@master-01 configmap]# kubectl apply -f myapp-cm.yaml
[root@master-01 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-cm-test-868d9f6775-g5h5w 1/1 Running 0 37s
myapp-deploy-6c94846d6f-85b45 1/1 Running 0 3h37m
myapp-deploy-6c94846d6f-v8htl 1/1 Running 0 3h37m
myapp-hostpath-596f7f779b-9ctkv 1/1 Running 0 3d8h
myapp-pv-pvc-5b7976486d-wgqvc 1/1 Running 0 3d8h
myapp-volume-749f9b4896-wrm8c 1/1 Running 0 3d8h
secret-nginx 1/1 Running 1 3h55m
[root@master-01 configmap]# kubectl exec myapp-cm-test-868d9f6775-g5h5w -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=myapp-cm-test-868d9f6775-g5h5w
NGINX_SERVER_PROT=8080 #環(huán)境變量已經(jīng)傳進(jìn)來(lái)了
NGINX_SERVER_NAME=www.abc.com #環(huán)境變量已經(jīng)傳進(jìn)來(lái)了
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
2.通過(guò)volumes引用（支持動(dòng)態(tài)更新：ConfigMap 修改后 kubelet 會(huì)在同步周期后刷新掛載的文件；但用 subPath 方式掛載的單個(gè)文件不會(huì)自動(dòng)更新）
[root@master-01 configmap]# cat myapp-cm-volume.yaml
# myapp-cm-volume.yaml: mount ConfigMap "nginx-www" as files under
# /etc/nginx/config.d/. Each key becomes one file (here www.conf).
# Unlike env injection, the kubelet refreshes the projected files after the
# ConfigMap changes -- with a delay (kubelet sync period plus its ConfigMap
# cache), and not for subPath mounts. The application still has to re-read
# the file (nginx: reload) for the change to take effect.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-cm-volume
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      imagePullSecrets:
        - name: regsecret
      hostAliases:
        - ip: "10.1.1.5"
          hostnames:
            - "harbor-ali.abc.com"
      containers:
        - name: myapp
          image: "harbor-ali.abc.com/k8s_img/myapp:v1"
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 80
          volumeMounts:
            - name: nginxconf
              mountPath: /etc/nginx/config.d/   # mount path inside the container
              # consider adding readOnly: true -- the app only needs to read its config
      volumes:
        - name: nginxconf
          configMap:
            name: nginx-www   # ConfigMap name; every key is projected as a file
創(chuàng)建pod
[root@master-01 configmap]# kubectl apply -f myapp-cm-volume.yaml
deployment.apps/myapp-cm-volume created
[root@master-01 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-cm-test-868d9f6775-g5h5w 1/1 Running 0 59m
myapp-cm-volume-78b9b4fd49-9lfp5 1/1 Running 0 6s
myapp-deploy-6c94846d6f-85b45 1/1 Running 0 4h36m
myapp-deploy-6c94846d6f-v8htl 1/1 Running 0 4h36m
myapp-hostpath-596f7f779b-9ctkv 1/1 Running 0 3d9h
myapp-pv-pvc-5b7976486d-wgqvc 1/1 Running 0 3d9h
myapp-volume-749f9b4896-wrm8c 1/1 Running 0 3d9h
secret-nginx 1/1 Running 1 4h54m
驗(yàn)證是否在/etc/nginx/config.d/創(chuàng)建了www.conf
[root@master-01 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-cm-test-868d9f6775-g5h5w 1/1 Running 0 82m
myapp-cm-volume-78b9b4fd49-9lfp5 1/1 Running 0 22m
myapp-deploy-6c94846d6f-85b45 1/1 Running 0 4h59m
myapp-deploy-6c94846d6f-v8htl 1/1 Running 0 4h59m
myapp-hostpath-596f7f779b-9ctkv 1/1 Running 0 3d9h
myapp-pv-pvc-5b7976486d-wgqvc 1/1 Running 0 3d9h
myapp-volume-749f9b4896-wrm8c 1/1 Running 0 3d9h
secret-nginx 1/1 Running 1 5h17m
[root@master-01 configmap]# kubectl exec -it myapp-cm-volume-78b9b4fd49-9lfp5 -- ls /etc/nginx/config.d/
www.conf
[root@master-01 configmap]# kubectl exec -it myapp-cm-volume-78b9b4fd49-9lfp5 -- cat /etc/nginx/config.d/www.conf
server {
server_name myapp.abc.com
listen 80;
root /data/web/html;
}
驗(yàn)證是否支持動(dòng)態(tài)修改：編輯 configmap nginx-www，把 www.conf 里 server_name 的值 myapp.abc.com 改為 www.abc.com
[root@master-01 configmap]# kubectl edit cm nginx-www
configmap/nginx-www edited
[root@master-01 configmap]# kubectl exec -it myapp-cm-volume-78b9b4fd49-9lfp5 -- cat /etc/nginx/config.d/www.conf
server {
server_name myapp.abc.com
listen 80;
root /data/web/html;
}
[root@master-01 configmap]# kubectl exec -it myapp-cm-volume-78b9b4fd49-9lfp5 -- cat /etc/nginx/config.d/www.conf
server {
server_name www.abc.com
listen 80;
root /data/web/html;
}
可以看到等待一段時(shí)間后（刷新延遲取決于 kubelet 同步周期和緩存，可能長(zhǎng)達(dá)一分鐘左右，并不保證只有幾秒）修改的 server_name 已經(jīng)同步到容器內(nèi)的文件；注意這只是文件更新了，nginx 不會(huì)自動(dòng)重讀配置，需要 reload 才真正生效
kubernetes之secret
Secret解決了密碼、token、密鑰等敏感數(shù)據(jù)的配置問題，而不需要把這些敏感數(shù)據(jù)寫進(jìn)鏡像或者Pod Spec中。Secret跟ConfigMap類似，也可以在Pod中用env或者volumes的方式引用，只不過(guò)Secret用來(lái)存放密碼、密鑰等安全性要求較高的數(shù)據(jù)。需要注意：Secret 的 data 只是 base64 編碼而不是加密，任何能讀取該 Secret 對(duì)象的人都能還原明文；真正的保護(hù)來(lái)自用 RBAC 嚴(yán)格限制 secrets 的讀取權(quán)限、在 apiserver 開啟靜態(tài)加密（EncryptionConfiguration），以及盡量用 volume 而不是環(huán)境變量注入。
- Secret有三種類型:
1.Service Account：用來(lái)訪問Kubernetes API，由Kubernetes自動(dòng)創(chuàng)建，并且默認(rèn)會(huì)自動(dòng)掛載到Pod的/var/run/secrets/kubernetes.io/serviceaccount目錄中。不需要訪問 API 的 Pod 應(yīng)設(shè)置 automountServiceAccountToken: false，否則容器一旦被攻破，攻擊者就能直接拿這個(gè) token 調(diào)用 apiserver。
2.Opaque：通用類型，data 以 base64 編碼存儲(chǔ)（只是編碼，不是加密），用來(lái)存儲(chǔ)密碼、密鑰等
3.kubernetes.io/dockerconfigjson:用來(lái)存儲(chǔ)私有docker registry的認(rèn)證信息桦他。
創(chuàng)建一個(gè)secret用來(lái)保存密碼相關(guān)信息（Opaque類型）。注意：--from-literal 會(huì)把明文密碼留在 shell 歷史和進(jìn)程參數(shù)中，生產(chǎn)環(huán)境建議用 --from-file 從一個(gè)權(quán)限受限（如 0600）的文件讀取，用完即刪
[root@master-01 configmap]# kubectl create secret generic mysql-root-password --from-literal=password=mysql123
secret/mysql-root-password created
[root@master-01 configmap]# kubectl get secret
NAME TYPE DATA AGE
default-token-vwpgh kubernetes.io/service-account-token 3 11d
mysecret Opaque 2 19h
mysql-root-password Opaque 1 7s
[root@master-01 configmap]# kubectl describe secret mysql-root-password
Name: mysql-root-password
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password: 8 bytes #describe 不顯示內(nèi)容；data 以 base64 編碼存放（編碼不是加密，解碼即得明文）
要是想查看內(nèi)容可以用以下命令（任何擁有該 namespace 中 secrets get 權(quán)限的用戶都能這樣解碼出明文，所以要用 RBAC 嚴(yán)格限制 secrets 的讀取權(quán)限，并在 apiserver 開啟靜態(tài)加密）
[root@master-01 configmap]# kubectl get secret mysql-root-password -o yaml
apiVersion: v1
data:
password: bXlzcWwxMjM=
kind: Secret
metadata:
creationTimestamp: "2019-11-26T02:14:33Z"
name: mysql-root-password
namespace: default
resourceVersion: "1624147"
selfLink: /api/v1/namespaces/default/secrets/mysql-root-password
uid: 01c27264-6307-4dfb-ba76-f79372fee076
type: Opaque
[root@master-01 configmap]# echo bXlzcWwxMjM= | base64 -d
mysql123
創(chuàng)建一個(gè)pod在env引用secret
[root@master-01 secret]# cat myapp-secret-env.yaml
# myapp-secret-env.yaml: expose key "password" of Secret "mysql-root-password"
# as env var MYSQL_ROOT_PASSWORD.
#
# This works, but the plaintext is then readable by anyone who can
# `kubectl exec ... printenv` (the transcript below shows it), is inherited by
# every child process, and can end up in crash dumps or debug output. Prefer
# the file-mounted form (myapp-secret-volume.yaml) for credentials.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-secret-test
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      imagePullSecrets:
        - name: regsecret
      hostAliases:
        - ip: "10.1.1.5"
          hostnames:
            - "harbor-ali.abc.com"
      containers:
        - name: myapp-secret-test
          image: "harbor-ali.abc.com/k8s_img/myapp:v1"
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 80
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysql-root-password   # Secret name
                  key: password               # key inside the Secret
創(chuàng)建pod
[root@master-01 secret]# kubectl apply -f myapp-secret-env.yaml
deployment.apps/myapp-secret-test created
[root@master-01 secret]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-cm-test-868d9f6775-g5h5w 1/1 Running 0 15h
myapp-cm-volume-78b9b4fd49-9lfp5 1/1 Running 0 14h
myapp-deploy-6c94846d6f-85b45 1/1 Running 0 19h
myapp-deploy-6c94846d6f-v8htl 1/1 Running 0 19h
myapp-hostpath-596f7f779b-9ctkv 1/1 Running 0 4d
myapp-pv-pvc-5b7976486d-wgqvc 1/1 Running 0 4d
myapp-secret-test-69cb7cff67-v9t9b 1/1 Running 0 117s
myapp-volume-749f9b4896-wrm8c 1/1 Running 0 4d
secret-nginx 1/1 Running 1 19h
驗(yàn)證是否生效（注意：下面 printenv 直接打印出了明文密碼——任何能 kubectl exec 進(jìn)容器的人、容器內(nèi)的所有子進(jìn)程以及崩潰轉(zhuǎn)儲(chǔ)都能看到它，這正是生產(chǎn)環(huán)境更推薦用 volume 掛載 secret 的原因）
[root@master-01 secret]# kubectl exec myapp-secret-test-69cb7cff67-v9t9b -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=myapp-secret-test-69cb7cff67-v9t9b
MYSQL_ROOT_PASSWORD=mysql123
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
創(chuàng)建secret用來(lái)存儲(chǔ)私有docker registry的認(rèn)證信息（kubernetes.io/dockerconfigjson類型）。同樣注意：--docker-password 會(huì)把 registry 密碼留在 shell 歷史和進(jìn)程參數(shù)中，建議改用 kubectl create secret docker-registry ... --from-file=.dockerconfigjson=<已登錄的 config.json>
[root@master-01 secret]# kubectl create secret docker-registry regsecret --docker-server=harbor-ali.abc.com --docker-username=admin --docker-password=harbor123 --docker-email=1398569257@qq.com
[root@master-01 secret]# kubectl get secrets regsecret
NAME TYPE DATA AGE
regsecret kubernetes.io/dockerconfigjson 1 30s
在pod中引用secret
[root@master-01 secret]# cat myapp-secret.yaml
# myapp-secret.yaml: pull the image from the private registry using the
# kubernetes.io/dockerconfigjson Secret "regsecret". imagePullSecrets only
# affects the kubelet's image pull; nothing from regsecret is exposed inside
# the container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-secret
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      imagePullSecrets:
        - name: regsecret   # created above with `kubectl create secret docker-registry`
      containers:
        - name: myapp-secret
          # NOTE(review): "v1" is a mutable tag and imagePullPolicy: Always re-resolves
          # it on every Pod start; pin by digest (image@sha256:...) when the pull
          # must be reproducible.
          image: "harbor-ali.abc.com/k8s_img/myapp:v1"
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 80
創(chuàng)建pod（kubectl apply -f myapp-secret.yaml）并驗(yàn)證私有鏡像是否拉取成功
[root@master-01 secret]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-secret-6b44f446d-jx7xf 1/1 Running 0 56s
secret 通過(guò) volumes 引用（推薦方式：密碼以文件形式出現(xiàn)在容器里，不會(huì)進(jìn)入環(huán)境變量）
[root@master-01 secret]# cat myapp-secret-volume.yaml
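# myapp-secret-volume.yaml: project Secret "mysql-root-password" as files
# under /etc/secret. Each Secret key becomes one file (here
# /etc/secret/password), so the credential never enters the container's
# environment or the image. Per Kubernetes docs the volume is tmpfs-backed on
# the node and is refreshed after the Secret changes (with the kubelet sync
# delay; subPath mounts are not refreshed).
#
# Fix: the original listing named the mount "mysql-passwrod" but the volume
# "mysql-password"; volumeMounts[].name must match volumes[].name or the Pod
# is rejected at validation. Also hardened: the mount is read-only and the
# projected file is owner-read only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-secret-volume
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      imagePullSecrets:
        - name: regsecret
      containers:
        - name: myapp-secret-volume
          image: "harbor-ali.abc.com/k8s_img/myapp:v1"
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 80
          volumeMounts:
            - name: mysql-password   # must match volumes[].name below
              mountPath: /etc/secret # mount path inside the container
              readOnly: true         # the app only reads the credential
      volumes:
        - name: mysql-password
          secret:
            secretName: mysql-root-password   # Secret name
            # 0400: only the file owner can read it. This image runs as root
            # (HOME=/root in the transcript); if the container runs as a
            # non-root UID, set securityContext.fsGroup or relax to 0440.
            defaultMode: 0400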
創(chuàng)建pod并驗(yàn)證
[root@master-01 secret]# kubectl apply -f myapp-secret-volume.yaml
deployment.apps/myapp-secret-volume created
[root@master-01 secret]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-secret-6b44f446d-jx7xf 1/1 Running 0 16m
myapp-secret-volume-59dd87d98b-q58wf 1/1 Running 0 11
[root@master-01 secret]# kubectl exec myapp-secret-volume-59dd87d98b-q58wf -- cat /etc/secret/password
mysql123