计算机系统

5G云计算

第三章 LINUX Kubernetes 配置资源管理

一、Secret

Secret 是用来保存密码、token、密钥等敏感数据的 k8s 资源，这类数据虽然也可以存放在 Pod 或者镜像中，但是放在 Secret 中是为了更方便的控制如何使用数据，并减少暴露的风险

1.Secret 四种类型

1）kubernetes.io/service-account-token

由 Kubernetes 自动创建，用来访问 APIServer 的 Secret，Pod 会默认使用这个 Secret 与 APIServer 通信， 并且会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中

2）Opaque

base64 编码格式的 Secret，用来存储用户自定义的密码、密钥等，默认的 Secret 类型

3）kubernetes.io/dockerconfigjson

用来存储私有 docker registry 的认证信息

4）kubernetes.io/tls

用来存储 TLS 证书和私钥信息

2.Pod 需要先引用才能使用某个 secret，Pod 有 3 种方式来使用 secret

1）作为挂载到一个或多个容器上的卷 中的文件

2）作为容器的环境变量

3）由 kubelet 在为 Pod 拉取镜像时使用

应用场景：凭据
https://kubernetes.io/docs/concepts/configuration/secret///创建 Secret
1、用kubectl create secret命令创建Secret
echo -n 'zhangsan' > username.txt
echo -n 'abc1234' > password.txtkubectl create secret generic mysecret --from-file=username.txt --from-file=password.txtkubectl get secrets
NAME                                 TYPE                                  DATA   AGE
default-token-sggl5                  kubernetes.io/service-account-token   3      6d21h
mysecret                             Opaque                                2      3s
nfs-client-provisioner-token-xpkn5   kubernetes.io/service-account-token   3      3d2hkubectl describe secret mysecret
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  <none>Type:  OpaqueData
====
username.txt:  8 bytes
password.txt:  7 bytes//get或describe指令都不会展示secret的实际内容，这是出于对数据的保护的考虑2、内容用 base64 编码，创建Secret
echo -n zhangsan | base64
emhhbmdzYW4K=echo -n abc1234 | base64
YWJjMTIzNAo==kubectl create secret generic mysecret1 --from-literal=myname=lisikubectl get secrets
NAME                                 TYPE                                  DATA   AGE
default-token-sggl5                  kubernetes.io/service-account-token   3      6d21h
mysecret                             Opaque                                2      6m
mysecret1                            Opaque                                1      12s
nfs-client-provisioner-token-xpkn5   kubernetes.io/service-account-token   3      3d2hkubectl get secret mysecret1 -o yaml
apiVersion: v1
data:myname: bGlzaQ==
kind: Secret
metadata:creationTimestamp: "2023-08-17T09:04:08Z"managedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:f:data:.: {}f:myname: {}f:type: {}manager: kubectl-createoperation: Updatetime: "2023-08-17T09:04:08Z"name: mysecret1namespace: defaultresourceVersion: "160205"selfLink: /api/v1/namespaces/default/secrets/mysecret1uid: 53c6b51e-4089-456a-8ee7-9aefba21db40
type: Opaque//使用方式 
1、将 Secret 挂载到 Volume 中，以 Volume 的形式挂载到 Pod 的某个目录下
vim secret-test.yaml
apiVersion: v1
kind: Pod
metadata:name: mypod
spec:containers:- name: nginximage: nginxvolumeMounts:- name: secretsmountPath: "/etc/secrets"readOnly: truevolumes:- name: secretssecret:secretName: mysecretkubectl create -f secret-test.yamlkubectl get pods
NAME                                      READY   STATUS    RESTARTS   AGE
mypod                                     1/1     Running   0          46s
nfs-client-provisioner-55bbbfbb9f-bwrhm   1/1     Running   0          2d1hkubectl exec -it mypod bash
# cd /etc/secrets/
# ls
password.txt  username.txt
# cat username.txt
zhangsan# 2、将 Secret 导出到环境变量中
vim secret-test1.yaml
apiVersion: v1
kind: Pod
metadata:name: mypod1
spec:containers:- name: nginximage: nginxenv:- name: TEST_USERvalueFrom:secretKeyRef:name: mysecretkey: username.txt- name: TEST_PASSWORDvalueFrom:secretKeyRef:name: mysecretkey: password.txtenvFrom:- secretRef:name: mysecret1kubectl apply -f secret-test1.yaml kubectl get pods
NAME         READY   STATUS    RESTARTS   AGE
NAME                                      READY   STATUS    RESTARTS   AGE
mypod                                     1/1     Running   0          3m9s
mypod1                                    1/1     Running   0          30s
nfs-client-provisioner-55bbbfbb9f-bwrhm   1/1     Running   0          2d1hkubectl exec -it mypod1 bash
# echo $TEST_USER
zhangsan
# echo $TEST_PASSWORD
abc1234

二.ConfigMap

与Secret类似，区别在于ConfigMap保存的是不需要加密配置的信息
ConfigMap 功能在 Kubernetes1.2 版本中引入，许多应用程序会从配置文件、命令行参数或环境变量中读取配置信息。ConfigMap API 给我们提供了向容器中注入配置信息的机制，ConfigMap 可以被用来保存单个属性，也可以用来保存整个配置文件或者JSON二进制大对象

应用场景：应用配置//创建 ConfigMap
1、使用目录创建
mkdir /opt/configmap/vim /opt/configmap/game.config
enemy.types=aliens,monsters
player.maximum-lives=5 vim /opt/configmap/ui.config
color.good=purple
color.bad=yellow
allow.textmode=truels /opt/configmap/
game.config
ui.configkubectl create configmap game-config --from-file=/opt/configmap/
//--from-file 指定在目录下的所有文件都会被用在 ConfigMap 里面创建一个键值对，键的名字就是文件名，值就是文件的内容kubectl get cm
NAME               DATA   AGE
game-config        2      3s
kube-root-ca.crt   1      6d21hkubectl get cm game-config -o yaml
apiVersion: v1
data:game.config: "enemy.types=aliens,monsters\nplayer.maximum-lives=5 \n"ui.config: |color.good=purplecolor.bad=yellowallow.textmode=true
kind: ConfigMap
metadata:creationTimestamp: "2023-08-17T09:13:28Z"managedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:f:data:.: {}f:game.config: {}f:ui.config: {}manager: kubectl-createoperation: Updatetime: "2023-08-17T09:13:28Z"name: game-confignamespace: defaultresourceVersion: "161245"selfLink: /api/v1/namespaces/default/configmaps/game-configuid: b198ecb4-2d62-4d5e-bbd8-3fe609986ec42、使用文件创建 
只要指定为一个文件就可以从单个文件中创建 ConfigMap
--from-file 这个参数可以使用多次，即可以使用两次分别指定上个实例中的那两个配置文件，效果就跟指定整个目录是一样的kubectl create configmap game-config-2 --from-file=/opt/configmap/game.config --from-file=/opt/configmap/ui.configkubectl get configmaps game-config-2 -o yamlkubectl describe cm game-config-23、使用字面值创建 
使用文字值创建，利用 --from-literal 参数传递配置信息，该参数可以使用多次，格式如下
kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=goodkubectl get configmaps special-config -o yaml
apiVersion: v1
data:special.how: veryspecial.type: good
kind: ConfigMap
metadata:creationTimestamp: "2023-08-17T09:16:42Z"managedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:f:data:.: {}f:special.how: {}f:special.type: {}manager: kubectl-createoperation: Updatetime: "2023-08-17T09:16:42Z"name: special-confignamespace: defaultresourceVersion: "161613"selfLink: /api/v1/namespaces/default/configmaps/special-configuid: be38184f-ac39-4e38-92df-87e01a2b7a60kubectl delete cm --all
kubectl delete pod --all//Pod 中使用 ConfigMap 
1、使用 ConfigMap 来替代环境变量
vim env.yaml
apiVersion: v1
kind: ConfigMap
metadata:name: special-confignamespace: default
data:special.how: veryspecial.type: good
---
apiVersion: v1
kind: ConfigMap
metadata:name: env-confignamespace: default
data:log_level: INFOkubectl apply -f env.yaml kubectl get cm
NAME               DATA   AGE
env-config         1      3s
kube-root-ca.crt   1      57s
special-config     2      3s//Pod的创建
vim test-pod.yaml
apiVersion: v1
kind: Pod
metadata:name: test-pod
spec:containers:- name: busyboximage: busybox:1.28.4command: [ "/bin/sh", "-c", "env" ]env:- name: SPECIAL_HOW_KEYvalueFrom:configMapKeyRef:name: special-configkey: special.how- name: SPECIAL_TYPE_KEYvalueFrom:configMapKeyRef:name: special-configkey: special.typeenvFrom:- configMapRef:name: env-configrestartPolicy: Neverkubectl apply -f test-pod.yamlkubectl get pods
NAME                                      READY   STATUS      RESTARTS   AGE
nfs-client-provisioner-55bbbfbb9f-s2fcr   1/1     Running     0          2m8s
test-pod                                  0/1     Completed   0          20skubectl logs test-pod
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.0.0.1:443
HOSTNAME=test-pod
SHLVL=1
SPECIAL_HOW_KEY=very            #赋值变量 SPECIAL_HOW_KEY 的值为 special-config 的 special.how: very
HOME=/root
SPECIAL_TYPE_KEY=good
KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
log_level=INFO                  #引入 env-config 的变量 log_level: INFO
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443
KUBERNETES_SERVICE_HOST=10.0.0.1
PWD=/2、用 ConfigMap 设置命令行参数 
vim test-pod2.yaml
apiVersion: v1
kind: Pod
metadata:name: test-pod2
spec:containers:- name: busyboximage: busybox:1.28.4command: - /bin/sh- -c- echo "$(SPECIAL_HOW_KEY) $(SPECIAL_TYPE_KEY)"env:- name: SPECIAL_HOW_KEYvalueFrom:configMapKeyRef:name: special-configkey: special.how- name: SPECIAL_TYPE_KEYvalueFrom:configMapKeyRef:name: special-configkey: special.typeenvFrom:- configMapRef:name: env-configrestartPolicy: Neverkubectl apply -f test-pod2.yamlkubectl get pods
NAME                                      READY   STATUS      RESTARTS   AGE
nfs-client-provisioner-55bbbfbb9f-s2fcr   1/1     Running     0          4m10s
test-pod                                  0/1     Completed   0          2m22s
test-pod2                                 0/1     Completed   0          7skubectl logs test-pod2
very good3、通过数据卷插件使用ConfigMap 
在数据卷里面使用 ConfigMap，就是将文件填入数据卷，在这个文件中，键就是文件名，键值就是文件内容
vim test-pod3.yaml
apiVersion: v1
kind: Pod
metadata:name: test-pod3
spec:containers:- name: busyboximage: busybox:1.28.4command: [ "/bin/sh", "-c", "sleep 36000" ]volumeMounts:- name: config-volumemountPath: /etc/configvolumes:- name: config-volumeconfigMap:name: special-configrestartPolicy: Neverkubectl apply -f test-pod3.yaml kubectl get pods
NAME                                      READY   STATUS      RESTARTS   AGE
nfs-client-provisioner-55bbbfbb9f-s2fcr   1/1     Running     0          5m20s
test-pod                                  0/1     Completed   0          3m32s
test-pod2                                 0/1     Completed   0          77s
test-pod3                                 1/1     Running     0          6skubectl exec -it test-pod3 sh# cd /etc/config/# ls
special.how   special.type# vi special.how # vi special.type RESTARTS   AGE
nfs-client-provisioner-55bbbfbb9f-s2fcr   1/1     Running     0          5m20s
test-pod                                  0/1     Completed   0          3m32s
test-pod2                                 0/1     Completed   0          77s
test-pod3                                 1/1     Running     0          6skubectl exec -it test-pod3 sh# cd /etc/config/# ls
special.how   special.type# vi special.how # vi special.type