configmap
字面值创建
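# Create a ConfigMap from literal key/value pairs, then list all ConfigMaps
# and inspect the new one. (The three commands had been fused onto one line.)
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
kubectl get cm
kubectl describe cm my-config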
通过文件创建
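# Create a ConfigMap from a single file; the file name (resolv.conf) becomes
# the key and the file content becomes the value.
kubectl create configmap my-config-2 --from-file=/etc/resolv.conf
kubectl describe cm my-config-2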
通过目录创建
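# Stage two host files in a scratch directory to use as sample data.
# ConfigMap contents are stored in plain text and are readable by anyone who
# may read ConfigMaps in the namespace, so host files such as /etc/passwd
# belong here only as a demo, not in a real cluster.
mkdir test
cp /etc/passwd test/
cp /etc/fstab test/
ls test/

# Pointing --from-file at a directory creates one key per file in it.
kubectl create configmap my-config-3 --from-file=test
kubectl describe cm my-config-3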
通过yaml文件创建
vim cm1.yaml
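# cm1.yaml: ConfigMap holding the database endpoint used by the pod examples.
# ConfigMap data is kept and returned in plain text; put credentials in a
# Secret, not here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm1-config
data:
  db_host: "172.25.0.250"
  db_port: "3306"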
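# Create the ConfigMap from the manifest and confirm its keys.
kubectl apply -f cm1.yaml
kubectl describe cm cm1-config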
使用configmap设置环境变量
vim pod1.yaml
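# pod1.yaml: maps individual ConfigMap keys to environment variables of the
# author's choosing (key1 <- db_host, key2 <- db_port), then prints the
# environment and exits.
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - name: pod1
    image: busybox
    command: ["/bin/sh", "-c", "env"]
    env:
    - name: key1
      valueFrom:
        configMapKeyRef:
          name: cm1-config
          key: db_host
    - name: key2
      valueFrom:
        configMapKeyRef:
          name: cm1-config
          key: db_port
  restartPolicy: Never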
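# Run the pod, read the environment it printed, then clean up.
kubectl apply -f pod1.yaml
kubectl logs pod1
kubectl delete pod pod1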
vim pod2.yaml
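# pod2.yaml: envFrom imports every key of the ConfigMap as an environment
# variable named after the key (db_host, db_port).
apiVersion: v1
kind: Pod
metadata:
  name: pod2
spec:
  containers:
  - name: pod2
    image: busybox
    command: ["/bin/sh", "-c", "env"]
    envFrom:
    - configMapRef:
        name: cm1-config
  restartPolicy: Never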
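# Run the pod, read the environment it printed, then clean up.
kubectl apply -f pod2.yaml
kubectl logs pod2
kubectl delete pod pod2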
使用configmap设置命令行参数
vim pod3.yaml
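# pod3.yaml: uses ConfigMap values as command-line arguments.
# $(db_host) / $(db_port) use the Kubernetes $(VAR) syntax, which is
# substituted from the container's environment when the command is built.
# NOTE(review): if a variable is not defined the text is left as-is and the
# shell would then treat $(...) as a command substitution.
apiVersion: v1
kind: Pod
metadata:
  name: pod3
spec:
  containers:
  - name: pod3
    image: busybox
    command: ["/bin/sh", "-c", "echo $(db_host) $(db_port)"]
    envFrom:
    - configMapRef:
        name: cm1-config
  restartPolicy: Never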
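# Run the pod, check the echoed host and port, then clean up.
kubectl apply -f pod3.yaml
kubectl logs pod3
kubectl delete pod pod3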
通过数据卷使用configmap
vim pod4.yaml
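# pod4.yaml: mounts the ConfigMap as a volume. Each key becomes a file under
# /config; the container prints the db_host file and exits.
apiVersion: v1
kind: Pod
metadata:
  name: pod4
spec:
  containers:
  - name: pod4
    image: busybox
    command: ["/bin/sh", "-c", "cat /config/db_host"]
    volumeMounts:
    - name: config-volume
      mountPath: /config
  volumes:
  - name: config-volume
    configMap:
      name: cm1-config
  restartPolicy: Never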
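# Run the pod, read the file content it printed, then clean up.
kubectl apply -f pod4.yaml
kubectl logs pod4
kubectl delete pod pod4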
configmap热更新
vim nginx.conf
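# nginx.conf: a single catch-all virtual host serving the default document
# root on port 8000. The port is what the hot-update steps change later.
server {
    listen 8000;
    server_name _;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}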
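# Store nginx.conf in a ConfigMap (key: nginx.conf) and inspect it.
kubectl create configmap nginxconf --from-file=nginx.conf
kubectl describe cm nginxconf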
vim my-nginx.yaml
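# my-nginx.yaml: one nginx replica whose /etc/nginx/conf.d comes from the
# nginxconf ConfigMap. The volume mount hides whatever the image ships in
# that directory, so only the ConfigMap's files are loaded from it.
# "image: nginx" carries no tag; pin a version or digest where the deployed
# image must be reproducible and reviewable.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        volumeMounts:
        - name: config-volume
          mountPath: /etc/nginx/conf.d
      volumes:
      - name: config-volume
        configMap:
          name: nginxconf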
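# Deploy, then look up the generated pod name and pod IP.
kubectl apply -f my-nginx.yaml
kubectl get pod -o wide

# The pod name and IP below come from the author's cluster; substitute the
# values printed by "kubectl get pod -o wide".
kubectl exec my-nginx-85fb986977-87dff -- cat /etc/nginx/conf.d/nginx.conf
curl 10.244.219.17:8000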
编辑cm,修改端口
# Edit the ConfigMap in place (here: change the listen port), then read the
# mounted file back from the running pod to watch the change arrive.
kubectl edit cm nginxconf
kubectl exec my-nginx-85fb986977-87dff -- cat /etc/nginx/conf.d/nginx.conf
修改cm后,过几秒配置信息会同步到容器内挂载的文件,但容器内已经运行的服务不会自动重新加载配置,需要手动触发更新
方式一:(推荐)
# Delete the pod; the Deployment recreates it, and the new nginx process
# starts with the updated configuration file.
kubectl delete pod my-nginx-85fb986977-87dff
方式二:(手动触发版本更新,会新建一个replicaset)
# Changing an annotation in the pod template alters the template itself, so
# the Deployment rolls out a new ReplicaSet; the annotation value is only a
# marker to bump on each config change.
kubectl patch deployments.apps my-nginx --patch '{"spec": {"template": {"metadata": {"annotations": {"version/config": "20231103"}}}}}'
# The replacement pod gets a new name and IP; read them from this listing.
kubectl get pod -o wide
# No port given, so curl uses 80 - presumably the port set in the edited
# ConfigMap; confirm against your own edit.
curl 10.244.106.133
secrets
从文件创建
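# Write each credential to its own file; -n keeps a trailing newline from
# becoming part of the secret value.
# These are sample values. With real credentials the plaintext files and the
# shell history both retain the secret: delete the files once the Secret
# exists and avoid typing real passwords on the command line.
echo -n 'admin' > ./username.txt
echo -n 'westos' > ./password.txt

# One key per file (username.txt, password.txt).
kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt

# The output shows the values base64-encoded only; anyone who can run this
# command can decode them.
kubectl get secrets db-user-pass -o yaml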
编写yaml文件
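# Produce the base64 strings for the Secret manifest's data: field.
# base64 is an encoding, not encryption: it protects nothing on its own.
echo -n 'admin' | base64
echo -n 'westos' | base64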
vim mysecret.yaml
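# mysecret.yaml: Opaque Secret with two keys.
# Values under data: must be base64-encoded. That is an encoding only, so
# this file is as sensitive as the plaintext credentials: keep it out of
# version control and restrict who may read Secrets in the namespace.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=   # must be the base64-encoded value
  password: d2VzdG9z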
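# Create the Secret from the manifest and read it back. The printed values
# are base64-encoded only, so treat this output as sensitive.
kubectl apply -f mysecret.yaml
kubectl get secrets mysecret -o yaml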
将Secret挂载到Volume中
vim pod1.yaml
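# pod1.yaml: mounts every key of the Secret as a file under /secret.
# The mount is read-only. The files are created with mode 0644 by default;
# set defaultMode under "secret:" (for example 0400) to narrow that.
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret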
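# Start the pod, list the files projected from the Secret, then clean up.
kubectl apply -f pod1.yaml
kubectl get pod
kubectl exec mysecret -- ls /secret
kubectl delete -f pod1.yaml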
向指定路径映射 secret 密钥
vim pod2.yaml
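# pod2.yaml: projects a single Secret key to a chosen relative path.
# With items: set, only the listed keys are mounted, so here the container
# sees username but not password - a way to expose no more than it needs.
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username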
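# Start the pod, read the key from its mapped path, then clean up.
kubectl apply -f pod2.yaml
kubectl exec mysecret -- cat /secret/my-group/my-username
kubectl delete -f pod2.yaml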
将Secret设置为环境变量
vim pod3.yaml
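# pod3.yaml: injects Secret keys as environment variables.
# The command prints the whole environment, so the decoded password lands in
# the container log and is readable by anyone allowed to read pod logs.
# That is acceptable for this demo only; real workloads should not print
# their environment, and mounted files are the easier form to keep private.
apiVersion: v1
kind: Pod
metadata:
  name: secret-env
spec:
  containers:
  - name: pod3
    image: busybox
    command: ["/bin/sh", "-c", "env"]
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
  restartPolicy: Never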
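# Run the pod and read its log. The log contains SECRET_USERNAME and
# SECRET_PASSWORD in clear text, so treat it like the credentials themselves.
kubectl apply -f pod3.yaml
kubectl logs secret-env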
存储docker registry的认证信息
# Create an image-pull Secret for the private registry (sample credentials).
# A password passed as a flag is recorded in shell history and is visible in
# the process list while the command runs. With real credentials, create the
# Secret from an existing Docker config file instead:
#   kubectl create secret generic <name> \
#     --from-file=.dockerconfigjson=<path> --type=kubernetes.io/dockerconfigjson
kubectl create secret docker-registry myregistrykey --docker-server=reg.westos.org --docker-username=admin --docker-password=westos --docker-email=hjl@westos.org
新建私有仓库
vim pod4.yaml
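# pod4.yaml: pulls an image from the private registry.
# imagePullSecrets names the docker-registry Secret, which must exist in the
# same namespace as the pod.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: game2048
    image: reg.westos.org/westos/game2048
  imagePullSecrets:
  - name: myregistrykey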
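# Create the pod and check that the image pull from the private registry
# succeeded.
kubectl apply -f pod4.yaml
kubectl get pod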
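推荐把 registry key 绑定到 ServiceAccount(sa),这样 pod 的 yaml 文件中就不用再指定 imagePullSecrets,更加安全。注意:绑定到 default sa 后,该命名空间中所有使用 default sa 的 pod 都会自动带上这个拉取凭据。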
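# Attach the pull Secret to the namespace's default ServiceAccount so pods no
# longer have to list imagePullSecrets themselves.
# Scope: every pod in this namespace that runs as "default" then pulls with
# this credential. Patch a dedicated ServiceAccount if only some workloads
# should have registry access.
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}'
kubectl describe sa default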