k8s入门教程十一:ConfigMap与secrets

ConfigMap

ConfigMap 允许您将配置文件与镜像文件分离,以使容器化的应用程序具有可移植性。该页面提供了一系列使用示例,这些示例演示了如何使用存储在 ConfigMap 中的数据创建 ConfigMap 和配置 Pod。ConfigMap API给我们提供了向容器中注入配置信息的机制,ConfigMap可以被用来保存单个属性,也可以用来保存整个配置文件或者JSON二进制大对象。

配置数据可以通过很多种方式在Pods里被使用。ConfigMaps可以被用来:

  1. 设置环境变量的值
  2. 在容器里设置命令行参数
  3. 在数据卷里面创建config文件

用户和系统组件两者都可以在ConfigMap里面存储配置数据。

创建

使用目录或文件创建

你可以使用 kubectl create configmap name --from-file= 从同一目录中的多个文件创建 ConfigMap。

1
2
3
4
5
6
7
8
9
10
11
12
# 创建本地目录
mkdir -p configure-pod-container/configmap/
cd configure-pod-container/configmap/

# 将样本文件下载到 `configure-pod-container/configmap/` 目录
wget https://kubernetes.io/examples/configmap/game.properties
wget https://kubernetes.io/examples/configmap/ui.properties

# 创建 configmap: kubectl create configmap <map-name> <data-source>
# --from-file可以接单个文件,也可以接单个目录
kubectl create cm game-config --from-file=./
kubectl create cm game-config-2 --from-file=game.properties --from-file=ui.properties

运行结果:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
[root@master file]# kubectl get cm
NAME DATA AGE
game-config 2 15s
[root@master file]# kubectl describe cm game-config
Name: game-config
Namespace: default
Labels: <none>
Annotations: <none>

Data
====
game.properties:
----
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
ui.properties:
----
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice

Events: <none>
[root@master file]#
[root@master file]# kubectl get cm game-config -o yaml
apiVersion: v1
data:
game.properties: |-
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
ui.properties: |
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice
kind: ConfigMap
metadata:
creationTimestamp: "2020-02-09T02:23:56Z"
name: game-config
namespace: default
resourceVersion: "1688489"
selfLink: /api/v1/namespaces/default/configmaps/game-config
uid: 28c0a18f-2acc-403f-8dad-416f74cc85ce

从env文件创建

当使用多个 --from-env-file 来从多个数据源创建 ConfigMap 时,仅仅最后一个 env 文件有效:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# 环境文件包含环境变量列表。
# 语法规则:
# env 文件中的每一行必须为 VAR = VAL 格式。
# 以#开头的行(即注释)将被忽略。
# 空行将被忽略。
# 引号没有特殊处理(即它们将成为 ConfigMap 值的一部分)。

# 将样本文件下载到 `configure-pod-container/configmap/` 目录
wget https://kubernetes.io/examples/configmap/game-env-file.properties
[root@master file]# cat game-env-file.properties
enemies=aliens
lives=3
allowed="true"

# This comment and the empty line above it are ignored
[root@master file]# kubectl create configmap game-config-env-file --from-env-file=game-env-file.properties
configmap/game-config-env-file created
[root@master file]# kubectl get cm game-config-env-file -o yaml
apiVersion: v1
data:
allowed: '"true"'
enemies: aliens
lives: "3"
kind: ConfigMap
metadata:
creationTimestamp: "2020-02-09T02:38:37Z"
name: game-config-env-file
namespace: default
resourceVersion: "1690565"
selfLink: /api/v1/namespaces/default/configmaps/game-config-env-file
uid: 9594fa13-5b2c-4848-a88a-77e3d0fd0646

命令创建

可以将 kubectl create configmap--from-literal 参数一起使用,从命令行定义文字值:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[root@master file]# kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=charm
configmap/special-config created
[root@master file]# kubectl get configmaps special-config -o yaml
apiVersion: v1
data:
special.how: very
special.type: charm
kind: ConfigMap
metadata:
creationTimestamp: "2020-02-09T02:46:14Z"
name: special-config
namespace: default
resourceVersion: "1691645"
selfLink: /api/v1/namespaces/default/configmaps/special-config
uid: 9adeb82a-bd70-4505-8cb4-df4b5cfb534d

生成器创建

使用 kustomization 目录创建 ConfigMap 对象

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
[root@master kustomization]# cat kustomization.yaml
configMapGenerator:
- name: game-config-4
files:
- game.properties
[root@master kustomization]# kubectl create -k .
configmap/game-config-4-m9dm2f92bt created
[root@master kustomization]# kubectl get configmaps game-config-4-m9dm2f92bt -o yaml
apiVersion: v1
data:
game.properties: |-
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
kind: ConfigMap
metadata:
creationTimestamp: "2020-02-09T02:54:22Z"
name: game-config-4-m9dm2f92bt
namespace: default
resourceVersion: "1692798"
selfLink: /api/v1/namespaces/default/configmaps/game-config-4-m9dm2f92bt
uid: 4ef8da56-7091-46d3-8ed6-8ced63239ff0

或者也可以使用生成器来实现。

1
2
3
4
5
6
7
cat <<EOF >./kustomization.yaml
configMapGenerator:
- name: special-config-2
literals:
- special.how=very
- special.type=charm
EOF

使用

env法

使用 configMapKeyRef 传入值:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
apiVersion: v1
data:
special.how: very
special.type: charm
kind: ConfigMap
metadata:
name: special-config

---
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh", "-c", "env" ]
env:
# Define the environment variable
- name: SPECIAL_LEVEL_KEY
valueFrom:
configMapKeyRef:
# The ConfigMap containing the value you want to assign to SPECIAL_LEVEL_KEY
name: special-config
# Specify the key associated with the value
key: special.how
restartPolicy: Never

上述yaml表示,新建一个名为SPECIAL_LEVEL_KEY的环境变量,其值来源于configMap里面的special.how

1
2
3
4
5
[root@master file]# kubectl get pod dapi-test-pod
NAME READY STATUS RESTARTS AGE
dapi-test-pod 0/1 Completed 0 22s
[root@master file]# kubectl logs dapi-test-pod |grep -i special
SPECIAL_LEVEL_KEY=very

上一个例子是有指定一个具体的KEY,如果没有指定呢?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[root@master file]# cat pod-configmap-envFrom.yaml
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh", "-c", "env" ]
envFrom:
- configMapRef:
name: special-config
restartPolicy: Never
[root@master file]# kubectl apply -f pod-configmap-envFrom.yaml
pod/dapi-test-pod created
[root@master file]#
[root@master file]# kubectl logs dapi-test-pod |grep -i special
special.type=charm
special.how=very

注意看KEY与VALUE的关系。

挂载文件目录法

可以使用 volumeMounts 方法进行挂载的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[root@master file]# cat pod-configmap-volume.yaml
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh", "-c", "ls /etc/config/;cat /etc/config/special.how;cat /etc/config/special.type" ]
volumeMounts:
- name: config-volume
mountPath: /etc/config
volumes:
- name: config-volume
configMap:
# Provide the name of the ConfigMap containing the files you want
# to add to the container
name: special-config
restartPolicy: Never

上述yaml表示将special-config这个cm挂载至/etc/config目录下。可以看到,其每一个KEY都是会生成一个文件,文件的内容为value的值。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
[root@master file]# kubectl apply -f pod-configmap-volume.yaml
pod/dapi-test-pod created
[root@master file]# kubectl get po dapi-test-pod
NAME READY STATUS RESTARTS AGE
dapi-test-pod 0/1 Completed 0 96s
[root@master file]# kubectl describe cm special-config
Name: special-config
Namespace: default
Labels: <none>
Annotations: <none>

Data
====
special.how:
----
very
special.type:
----
charm
Events: <none>
[root@master file]# kubectl logs dapi-test-pod
special.how
special.type
verycharm

也可以挂载单独的KEY:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
[root@master file]# cat pod-configmap-volume-specific-key.yaml
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh","-c","cat /etc/config/keys;sleep 600" ]
volumeMounts:
- name: config-volume
mountPath: /etc/config
volumes:
- name: config-volume
configMap:
name: special-config
items:
- key: special.how
path: keys
restartPolicy: Never

将KEY special.how挂载到 /etc/config目录下,其文件名使用path变成了keys:

1
2
3
4
[root@master file]# kubectl exec -it dapi-test-pod -- /bin/sh
/ # cat /etc/config/keys
very/ #
/ # exit

热更新的问题

刚上述dapi-test-pod保持运行。使用 kubectl edit cm special-config 去修改special.how的值。可以发现是可以更新的,但时间要超过10S。

1
2
3
4
[root@master file]# kubectl exec -it dapi-test-pod -- cat /etc/config/keys
very[root@master file]#
[root@master file]# kubectl exec -it dapi-test-pod -- cat /etc/config/keys
very222[root@master file]#

使用volumes挂载的方式是可以更新configMap的,但是使用env方式导给POD是更新不了的。

实例:使用CM挂载redis配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
[root@master redis]# ll
total 12
-rw-r--r-- 1 root root 103 Feb 8 21:17 kustomization.yaml
-rw-r--r-- 1 root root 43 Feb 8 21:16 redis-config
-rw-r--r-- 1 root root 619 Feb 8 21:15 redis-pod.yaml
[root@master redis]# cat kustomization.yaml
configMapGenerator:
- name: example-redis-config
files:
- redis-config
resources:
- redis-pod.yaml
[root@master redis]# cat redis-config
maxmemory 2mb
maxmemory-policy allkeys-lru
[root@master redis]# cat redis-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: redis
spec:
containers:
- name: redis
image: redis:5.0.4
command:
- redis-server
- "/redis-master/redis.conf"
env:
- name: MASTER
value: "true"
ports:
- containerPort: 6379
resources:
limits:
cpu: "0.1"
volumeMounts:
- mountPath: /redis-master-data
name: data
- mountPath: /redis-master
name: config
volumes:
- name: data
emptyDir: {}
- name: config
configMap:
name: example-redis-config
items:
- key: redis-config
path: redis.conf

使用 kubectl apply -k . 创建:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
[root@master redis]# kubectl apply -k .
configmap/example-redis-config-dgh9dg555m created
pod/redis created
[root@master redis]# kubectl describe cm example-redis-config-dgh9dg555m
Name: example-redis-config-dgh9dg555m
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","data":{"redis-config":"maxmemory 2mb\nmaxmemory-policy allkeys-lru\n"},"kind":"ConfigMap","metadata":{"annotations":{}...

Data
====
redis-config:
----
maxmemory 2mb
maxmemory-policy allkeys-lru

Events: <none>

等待redis运行之后,去查看一下redis的配置。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
[root@master redis]# kubectl get po redis
NAME READY STATUS RESTARTS AGE
redis 1/1 Running 0 10m
[root@master redis]# kubectl exec redis -it redis-cli
127.0.0.1:6379> CONFIG GET maxmemory
1) "maxmemory"
2) "2097152"
127.0.0.1:6379> CONFIG GET maxmemory-policy
1) "maxmemory-policy"
2) "allkeys-lru"
127.0.0.1:6379>

[root@master redis]# kubectl exec redis -it /bin/bash
root@redis:/data# cat /redis-master/redis.conf
maxmemory 2mb
maxmemory-policy allkeys-lru
root@redis:/data# ls -l /redis-master-data/
total 0

可以看到/redis-master-data为空目录,而/redis-master是redis的配置文件。

实例:redis更新: https://kubernetes.io/zh/docs/tutorials/configuration/configure-redis-using-configmap/

Secrets

Secret有三种类型:

  • Opaque:base64编码格式的Secret,用来存储密码、密钥等;但数据也通过base64 –decode解码得到原始数据,所以加密性很弱。
  • kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息。
  • kubernetes.io/service-account-token: 用于被serviceaccount引用。serviceaccout创建时Kubernetes会默认创建对应的secret。Pod如果使用了serviceaccount,对应的secret会自动挂载到Pod目录/run/secrets/ kubernetes.io/serviceaccount中。

Secret类型

Opaque类型

Opaque类型的数据是一个map类型,要求value是base64编码格式,如果您使用的密码具有特殊字符,则需要使用 \\ 字符对其进行转义。

文件创建

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
[root@master Secret]# echo -n 'admin' > ./username.txt
[root@master Secret]# echo -n '1f2d1e2e67df' > ./password.txt
[root@master Secret]# kubectl create secret generic db-user-pass --from-file=username.txt --from-file=password.txt
secret/db-user-pass created
[root@master Secret]# kubectl create secret generic db-user-pass --from-file=username.txt --from-file=password.txt -o yaml --dry-run
apiVersion: v1
data:
password.txt: MWYyZDFlMmU2N2Rm
username.txt: YWRtaW4=
kind: Secret
metadata:
creationTimestamp: null
name: db-user-pass
#或者使用--from-literal
[root@master Secret]# kubectl create secret generic db-user-pass --from-literal=username=admin --from-literal=password=1f2d1e2e67df -o yaml --dry-run
apiVersion: v1
data:
password: MWYyZDFlMmU2N2Rm
username: YWRtaW4=
kind: Secret
metadata:
creationTimestamp: null
name: db-user-pass

[root@master Secret]# kubectl describe secrets db-user-pass
Name: db-user-pass
Namespace: default
Labels: <none>
Annotations: <none>

Type: Opaque

Data
====
username.txt: 5 bytes
password.txt: 12 bytes

默认情况下,kubectl getkubectl describe 是不会显示密码的内容。 这是为了防止机密被意外地暴露给旁观者或存储在终端日志中。

手工创建

也可以手工创建,如下:

1
2
3
4
echo -n 'admin' | base64
YWRtaW4=
echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm

现在可以像这样写一个 secret 对象:

1
2
3
4
5
6
7
8
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4=
password: MWYyZDFlMmU2N2Rm

使用stringData字段,是可以加密整个配置文件。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
[root@master Secret]# cat stringData.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
stringData:
config.yaml: |-
apiUrl: "https://my.api.com/api/v1"
username: admin
password: 1f2d1e2e67df
[root@master Secret]# kubectl apply -f stringData.yaml
secret/mysecret created
[root@master Secret]# kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
config.yaml: YXBpVXJsOiAiaHR0cHM6Ly9teS5hcGkuY29tL2FwaS92MSIKdXNlcm5hbWU6IGFkbWluCnBhc3N3b3JkOiAxZjJkMWUyZTY3ZGY=
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"stringData":{"config.yaml":"apiUrl: \"https://my.api.com/api/v1\"\nusername: admin\npassword: 1f2d1e2e67df"},"type":"Opaque"}
creationTimestamp: "2020-02-09T08:17:33Z"
name: mysecret
namespace: default
resourceVersion: "1738686"
selfLink: /api/v1/namespaces/default/secrets/mysecret
uid: f38d52b1-34fa-44fb-9e35-2c919497059c
type: Opaque

也可以从生成器创建,请查看:生成器

doccker secret

可以直接用kubectl命令来创建用于docker registry认证的secret:

1
2
3
4
5
6
7
$ kubectl create secret docker-registry myregistrykey 
--docker-server=DOCKER_REGISTRY_SERVER
--docker-username=DOCKER_USER
--docker-password=DOCKER_PASSWORD
--docker-email=DOCKER_EMAIL

secret "myregistrykey" created.

service-account-token

用于被serviceaccount引用。serviceaccout创建时Kubernetes会默认创建对应的secret。Pod如果使用了serviceaccount,对应的secret会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount目录中。

Secret 是一种包含少量敏感信息例如密码、token 或 key 的对象。这样的信息可能会被放在 Pod spec 中或者镜像中;将其放在一个 secret 对象中可以更好地控制它的用途,并降低意外暴露的风险。

第一个POD都会有一个SA,如下:

1
2
3
4
[root@master redis]# kubectl exec -it myweb-lqr4n -- /bin/bash
root@myweb-lqr4n:/usr/local/tomcat#cd /run/secrets/kubernetes.io/serviceaccount
root@myweb-lqr4n:/run/secrets/kubernetes.io/serviceaccount# ls
ca.crt namespace token

使用方法

Secret 可以作为数据卷被挂载,或作为环境变量暴露出来以供 pod 中的容器使用。它们也可以被系统的其他部分使用,而不直接暴露在 pod 内。 例如,它们可以保存凭据,系统的其他部分应该用它来代表您与外部系统进行交互。

volume挂载法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[root@master Secret]# cat pod-volume-secrets.yaml
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh","-c","cat /etc/config/keys;sleep 600" ]
volumeMounts:
- name: config-volume
mountPath: /etc/config
volumes:
- name: config-volume
secret:
secretName: mysecret
restartPolicy: Never
[root@master Secret]# kubectl apply -f pod-volume-secrets.yaml
pod/dapi-test-pod created
[root@master Secret]# kubectl exec -it dapi-test-pod -- cat /etc/config/config.yaml
apiUrl: "https://my.api.com/api/v1"
username: admin
password: 1f2d1e2e67df[root@master Secret]#
[root@master Secret]#

也可以将单独的KEY挂载到指定的目录下。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
[root@master Secret]# cat pod-volume-secrets2.yaml
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh","-c","cat /etc/config/keys;sleep 600" ]
volumeMounts:
- name: config-volume
mountPath: /etc/config
volumes:
- name: config-volume
secret:
secretName: db-user-pass
items:
- key: username.txt
path: my-group/my-username
restartPolicy: Never

[root@master Secret]# kubectl apply -f pod-volume-secrets2.yaml
pod/dapi-test-pod created
[root@master Secret]# kubectl exec -it dapi-test-pod -- cat /etc/config/my-group/my-username
admin[root@master Secret]#

环境变量引用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
[root@master Secret]# cat pod-env-secrets.yaml
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
containers:
- name: test-container
image: busybox
command: [ "/bin/sh","-c","env;echo ${SECRET_USERNAME} ${SECRET_PASSWORD}" ]
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: db-user-pass
key: username.txt
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: db-user-pass
key: password.txt
restartPolicy: Never
[root@master Secret]# kubectl apply -f pod-env-secrets.yaml
pod/dapi-test-pod created
[root@master Secret]# kubectl get po dapi-test-pod
NAME READY STATUS RESTARTS AGE
dapi-test-pod 0/1 Completed 0 29s
[root@master Secret]# kubectl logs dapi-test-pod |egrep "admin|SECRET"
SECRET_PASSWORD=1f2d1e2e67df
SECRET_USERNAME=admin
admin 1f2d1e2e67df

Secrets其用法是跟ConfigMap基本上是一致,区别不同是ConfigMap是明文,而Secrets是经过base64加密过的。

参考链接

0%