13 k8s 配置管理

Secret 机密存储

加密数据并存放Etcd中，让Pod的容器以挂载Volume方式访问。
应用场景：凭据
官方文档:

1	https://kubernetes.io/docs/concepts/configuration/secret/

创建 Secret

[root@k8s-master1 demo]# echo -n 'admin' > ./username.txt
[root@k8s-master1 demo]# echo -n '1f2d1e2e67df' > ./password.txt

[root@k8s-master1 demo]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret/db-user-pass created

[root@k8s-master1 demo]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      27s
default-token-h6969   kubernetes.io/service-account-token   3      36h

# 数据安全
[root@k8s-master1 demo]# kubectl describe secret db-user-pass
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password.txt:  12 bytes
username.txt:  5 bytes

通过 yaml 文件创建

# 数据需要base64位编码

[root@k8s-master1 demo]# echo -n 'admin' | base64
YWRtaW4=
[root@k8s-master1 demo]# echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm

[root@k8s-master1 demo]# vim secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm


[root@k8s-master1 demo]# kubectl create -f secret.yaml 
secret/mysecret created

[root@k8s-master1 demo]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      5m20s
mysecret              Opaque                                2      6s

使用 Secret

通过变量传入

将secret里面的数据通过变量导入pod中

[root@k8s-master1 demo]# vim secret-var.yaml

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    env:
      - name: SECRET_USERNAME
        valueFrom:
          # 引用哪个secret，username的值传给SECRET_USERNAME，password的值传给SECRET_PASSWORD
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password

[root@k8s-master1 demo]# kubectl apply -f secret-var.yaml 
pod/mypod created

# 验证数据
[root@k8s-master1 demo]# kubectl get pods
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          38s

[root@k8s-master1 demo]# kubectl exec -it mypod bash
root@mypod:/# echo $SECRET_USERNAME
admin

root@mypod:/# echo $SECRET_PASSWORD
1f2d1e2e67df

Volume 形式挂载到pod目录下

会将secret里面的健值以文件挂载到目录下,key作为文件名，value作为内容
可以将敏感的数据创建secret交给k8s管理,等应用的使用再去使用

[root@k8s-master1 demo]# vim secret-vol.yaml 

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: foo
      # 挂载到的路径
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

[root@k8s-master1 demo]# kubectl delete -f secret-var.yaml
[root@k8s-master1 demo]# kubectl apply -f secret-vol.yaml 
pod/mypod created

root@mypod:/# cd /etc/foo/
root@mypod:/etc/foo# ls
password  username

root@mypod:/etc/foo# cat password 
1f2d1e2e67df
root@mypod:/etc/foo# cat username 
admin

ConfigMap 配置文件存储

与Secret类似,区别在于ConfigMap保存的是不需要加密配置信息。
应用场景：应用配置
官方文档

1	https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/

创建 ConfigMap

[root@k8s-master1 demo]# vim redis.properties
redis.hosts=127.0.0.1
redis.port=6379
redis.password=123456

[root@k8s-master1 demo]# kubectl create configmap redis-config --from-file=redis.properties 
configmap/redis-config created

[root@k8s-master1 demo]# kubectl get configmap
[root@k8s-master1 demo]# kubectl get cm
NAME           DATA   AGE
redis-config   1      5s

# configmap 存储的是不需要加密的数据

[root@k8s-master1 demo]# kubectl deseribe cm redis-config
...
Data
====
redis.properties:
----
redis.hosts=127.0.0.1
redis.port=6379
redis.password=123456

Volume 形式挂载到pod目录下

[root@k8s-master1 demo]# vim cm-vol.yaml 

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: busybox
      image: busybox
      # redis.properties 名字 = 创建configmap的文件名 deseribe 可以看到
      command: [ "/bin/sh","-c","cat /etc/config/redis.properties" ]
      volumeMounts:
      # 挂载到的目录
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        # 指定挂载哪个cm
        name: redis-config
  restartPolicy: Never

[root@k8s-master1 demo]# kubectl apply -f cm-vol.yaml 
pod/mypod created

[root@k8s-master1 demo]# kubectl get pod
NAME    READY   STATUS      RESTARTS   AGE
mypod   0/1     Completed   0          19s

# pod状态是执行完成，查看日志即可
# 生产的时候 将文件 挂载到指定的目录下 让程序读取即可
[root@k8s-master1 demo]# kubectl logs mypod
redis.hosts=127.0.0.1
redis.port=6379
redis.password=123456

通过 yaml创建configmap

[root@k8s-master1 demo]# vim myconfig.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfig
  namespace: default
data:
  special.level: info
  special.type: hello


[root@k8s-master1 demo]# kubectl apply -f myconfig.yaml 
configmap/myconfig created
[root@k8s-master1 demo]# kubectl get cm
NAME           DATA   AGE
myconfig       2      3s
redis-config   1      15m

使用变量方式传入pod

[root@k8s-master1 demo]# vim cm-val.yaml

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: busybox
      image: busybox
      # LEVEL 和 TYPE 是传入后的变量名,下面指定
      command: [ "/bin/sh", "-c", "echo $(LEVEL) $(TYPE)" ]
      env:
        - name: LEVEL
          valueFrom:
            configMapKeyRef:
              name: myconfig
              key: special.level
        - name: TYPE
          valueFrom:
            configMapKeyRef:
              name: myconfig
              key: special.type
  restartPolicy: Never

[root@k8s-master1 demo]# kubectl apply -f cm-val.yaml 
pod/mypod created

[root@k8s-master1 demo]# kubectl get pods
NAME    READY   STATUS      RESTARTS   AGE
mypod   0/1     Completed   0          9s

[root@k8s-master1 demo]# kubectl logs mypod
info hello

总结

secret 保存机密数据,数据是加密的
configmap 保存配置数据,数据不加密
secret 可以保存连接harbor的配置
configmap 使用最多的是,管理应用程序的配置文件,通过Volume挂载到指定的程序目录下
configmap 可以代替配置中心