[Module 1] Kubernetes container orchestration, advanced practice: an introduction to the ConfigMap and Secret resource objects
Kubernetes resource objects explained with examples
Several important Kubernetes concepts
Resource objects: Kubernetes exposes a declarative API, and you interact with it through resource objects.
YAML files: to make later management easier, resource objects are managed through the API by means of YAML files.
Required YAML fields:
- apiVersion - the version of the Kubernetes API used to create the object
- kind - the type of object to create
- metadata - data that uniquely identifies the object, including a name and an optional namespace
- spec - the detailed specification of the resource object (shared labels, container names, images, port mappings, etc.)
- status (generated automatically by Kubernetes once the Pod has been created)
YAML files and their required fields
Every API object has three main categories of attributes: metadata, spec and status. The difference between spec and status: spec is the desired state, status is the actual state.
ConfigMap
A ConfigMap decouples non-confidential information (such as configuration) from the image: the configuration is stored in a ConfigMap object and then mounted into the pod as a volume, which is how the configuration is imported.
Use cases:
Providing configuration files to the containers in a pod through a ConfigMap; the files are used by mounting them into the container.
Defining global environment variables for a pod through a ConfigMap.
Passing command-line arguments to a pod through a ConfigMap, for example the account name and password in mysql -u -p.
Notes:
A ConfigMap must be created before the pod that uses it.
A pod can only use a ConfigMap in its own namespace, i.e. a ConfigMap cannot be used across namespaces.
ConfigMaps are normally used for configuration that does not need to be kept secret or encrypted.
A ConfigMap is normally smaller than 1MB.
default: | marks the start of a multi-line string (block scalar); the | is the literal block scalar indicator. This syntax lets you write multi-line text directly in the YAML file, with each line kept verbatim, without quoting or escaping every line.
[root@k8s-master1 case10-configmap]#cat 1-deploy_configmap.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  default: |
    server {
      listen 80;
      server_name www.mysite.com;
      index index.html index.php index.htm;
      location / {
        root /data/nginx/html;
        if (!-e $request_filename) {
          rewrite ^/(.*) /index.html last;
        }
      }
    }
---
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ng-deploy-80
  template:
    metadata:
      labels:
        app: ng-deploy-80
    spec:
      containers:
      - name: ng-deploy-80
        image: nginx:1.20.2-alpine
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /data/nginx/html
          name: nginx-static-dir
        - name: nginx-config
          mountPath: /etc/nginx/conf.d
      volumes:
      - name: nginx-static-dir
        hostPath:
          path: /data/nginx/linux39
      - name: nginx-config
        configMap:
          name: nginx-config
          items:
          - key: default
            path: mysite.conf
---
apiVersion: v1
kind: Service
metadata:
  name: ng-deploy-80
spec:
  ports:
  - name: http
    port: 81
    targetPort: 80
    nodePort: 30019
    protocol: TCP
  type: NodePort
  selector:
    app: ng-deploy-80
[root@k8s-master1 case10-configmap]#kubectl apply -f 1-deploy_configmap.yml
[root@k8s-master1 case10-configmap]#cat 2-deploy_configmap_env.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  username: "user1"
  password: "12345678"
---
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ng-deploy-80
  template:
    metadata:
      labels:
        app: ng-deploy-80
    spec:
      containers:
      - name: ng-deploy-80
        image: nginx
        env:
        - name: MY_USERNAME
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: username
        - name: MY_PASSWORD
          valueFrom:
            configMapKeyRef:
              name: nginx-config
              key: password
        ######
        - name: "password"
          value: "123456"
        ports:
        - containerPort: 80
Secret overview
A Secret works like a ConfigMap in that it provides additional configuration to a pod, but a Secret is an object that holds a small amount of sensitive information such as passwords, tokens or keys.
The name of a Secret must be a valid DNS subdomain name.
Each Secret is limited to 1MiB, mainly to stop users from creating very large Secrets that exhaust the memory of the API server and the kubelet. Creating many small Secrets can also exhaust memory, so resource quotas can be used to limit the number of Secrets per namespace.
When creating a Secret from a YAML file you can set the data field or the stringData field; both are optional. Every value in data must be a base64-encoded string. If you do not want to perform that base64 conversion yourself, set stringData instead, whose values can be any plain, unencoded string.
A Pod can use a Secret in any of three ways:
As files in a volume mounted into one or more containers (e.g. crt and key files).
As container environment variables.
By the kubelet when pulling images for the Pod (authentication to the image registry).
Secret types
Kubernetes supports several Secret types out of the box for different use cases; the configuration parameters differ from type to type.
Secret type: Opaque
Opaque with the data field: values must be base64-encoded beforehand:
case11-secret# echo admin | base64
case11-secret# echo 123456 | base64
Create the secret:
# cat 1-secret-Opaque-data.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret-data
  namespace: myserver
type: Opaque
data:
  user: YWRtaW4K
  password: MTIzNDU2Cg==
  #age: 18 # a value that is not base64-encoded is rejected
# kubectl apply -f 1-secret-Opaque-data.yaml
secret/mysecret created
Verify the secret:
# kubectl get secrets mysecret-data -n myserver -o yaml
Opaque with the stringData field: no prior encoding needed.
Create the secret:
# cat 2-secret-Opaque-stringData.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret-stringdata
  namespace: myserver
type: Opaque
stringData:
  user: 'admin'
  password: '123456'
# kubectl apply -f 2-secret-Opaque-stringData.yaml
Verify the secret:
# kubectl get secrets mysecret-stringdata -n myserver -o yaml
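The following Python is an added illustration, not part of the original page, of the data/stringData rule and of the base64 check behind the commented-out age: 18 line above. It builds an Opaque manifest the way the API server treats stringData, flags data values that are not valid base64, and decodes the page's own values back to plaintext (function names and the embedded manifest are my own construction).

```python
import base64
import binascii

# Constructed to match the page's 1-secret-Opaque-data.yaml, plus the
# "age: 18" entry that the page says the API server rejects.
PAGE_DATA_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "mysecret-data", "namespace": "myserver"},
    "type": "Opaque",
    "data": {"user": "YWRtaW4K", "password": "MTIzNDU2Cg==", "age": "18"},
}


def build_opaque_secret(name, namespace, string_data):
    """Build an Opaque Secret manifest with a base64-encoded `data` field.

    This mirrors what the API server does with stringData: each value is
    base64-encoded and stored under data. No encryption takes place.
    """
    encoded = {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
               for k, v in string_data.items()}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": encoded,
    }


def invalid_data_keys(manifest):
    """Return the keys under `data` whose values are not valid base64.

    A manifest with such a value is rejected by the API server, which is
    what the page's `#age: 18` comment refers to.
    """
    bad = []
    for key, value in manifest.get("data", {}).items():
        try:
            base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            bad.append(key)
    return sorted(bad)


def decode_secret_data(manifest):
    """Decode valid `data` values back to plaintext. base64 is reversible
    encoding, not encryption: `echo admin | base64` even keeps the trailing
    newline, so "YWRtaW4K" decodes to "admin\\n"."""
    bad = set(invalid_data_keys(manifest))
    return {k: base64.b64decode(v).decode("utf-8")
            for k, v in manifest.get("data", {}).items() if k not in bad}
```

Use `echo -n` (or stringData) when producing the values by hand; otherwise the stray newline ends up in the mounted file and in the environment variable.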
How a Secret is stored and mounted
root@k8s-etcd1:~# etcdctl get / --keys-only --prefix | grep mysecret
/registry/secrets/myserver/mysecret-data
/registry/secrets/myserver/mysecret-stringdata
root@k8s-etcd1:~# etcdctl get /registry/secrets/myserver/mysecret-stringdata
root@k8s-node1:~# find /var/lib/kubelet/ -name user
root@k8s-node1:~# cat /var/lib/kubelet/pods/44a2bcca-2b5b-4c33-9d79-5753736331a4/volumes/kubernetes.io~secret/myserver-auth-secret/password
123456
root@k8s-node1:~# cat /var/lib/kubelet/pods/44a2bcca-2b5b-4c33-9d79-5753736331a4/volumes/kubernetes.io~secret/myserver-auth-secret/user
admin
Secret type kubernetes.io/tls: providing a certificate to nginx
Self-signed certificate:
0220423/case11-secret# mkdir certs
0220423/case11-secret# cd certs/
certs# openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=www.ca.com'
certs# openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.mysite.com'
certs# openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
certs# kubectl create secret tls myserver-tls-key --cert=./server.crt --key=./server.key -n myserver
[root@k8s-master1 case11-secret]#cat 4-secret-tls.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: myserver
data:
  default: |
    server {
      listen 80;
      server_name www.mysite.com;
      listen 443 ssl;
      ssl_certificate /etc/nginx/conf.d/certs/tls.crt;
      ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;
      location / {
        root /usr/share/nginx/html;
        index index.html;
        if ($scheme = http ){ # without this condition the rewrite would loop forever
          rewrite / https://www.mysite.com permanent;
        }
        if (!-e $request_filename) {
          rewrite ^/(.*) /index.html last;
        }
      }
    }
---
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myserver-myapp-frontend-deployment
  namespace: myserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myserver-myapp-frontend
  template:
    metadata:
      labels:
        app: myserver-myapp-frontend
    spec:
      containers:
      - name: myserver-myapp-frontend
        image: nginx:1.20.2-alpine
        ports:
        - containerPort: 80
        volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx/conf.d/myserver
        - name: myserver-tls-key
          mountPath: /etc/nginx/conf.d/certs
      volumes:
      - name: nginx-config
        configMap:
          name: nginx-config
          items:
          - key: default
            path: mysite.conf
      - name: myserver-tls-key
        secret:
          secretName: myserver-tls-key
---
apiVersion: v1
kind: Service
metadata:
  name: myserver-myapp-frontend
  namespace: myserver
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 30018
    protocol: TCP
  - name: https
    port: 443
    targetPort: 443
    nodePort: 30019
    protocol: TCP
  selector:
    app: myserver-myapp-frontend
Secret type kubernetes.io/tls: verifying the nginx certificate example:
[root@k8s-master1 case11-secret]#kubectl -n myserver exec -it myserver-myapp-frontend-deployment-5cf6b65d59-m9g8f sh
/ # ls /etc/nginx/conf.d/
certs default.conf myserver
/ # ls /etc/nginx/conf.d/certs/
tls.crt tls.key
Configure hosts resolution:
[root@k8s-master1 case11-secret]#sudo cat /etc/hosts
10.0.0.113 www.mysite.com
# kubectl exec -it myserver-myapp-frontend-deployment-85fb884bcd-wmb62 sh -n myserver
/ # ls /etc/nginx/conf.d/myserver/*.conf # verify the config file
/etc/nginx/conf.d/myserver/mysite.conf
/ # ls /etc/nginx/conf.d/certs/ # verify the certificate
tls.crt tls.key
/ # vi /etc/nginx/nginx.conf # edit the config file: the official image does not load the custom directory by default
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/conf.d/myserver/*.conf;
/ # nginx -s reload
/ # netstat -tanlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1/nginx: master pro
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1/nginx: master pro
tcp 0 0 :::80 :::* LISTEN 1/nginx: master pro
Secret type kubernetes.io/dockerconfigjson example
Stores the authentication credentials of a docker registry for use when pulling images, so that each node can pull private images without having to log in itself.
Create the secret:
# kubectl create secret --help
Method 1: create with a command:
# kubectl create secret docker-registry Name \
  --docker-server=registry.myserver.com \
  --docker-username=USER \
  --docker-password=PASSWORD
Method 2: create from a docker credentials file:
root@k8s-master1:~# docker/nerdctl login --username=rooroot@aliyun.com registry.cn-qingdao.aliyuncs.com
root@k8s-master1:~# kubectl create secret generic harbor-image-pull-key \
  --from-file=.dockerconfigjson=/root/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson \
  -n myserver
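As an added example (my own code, not from the page or from kubectl), the Python below shows what the two creation methods above actually put into the Secret: the config.json document with its base64("username:password") auth field, wrapped base64-encoded under the .dockerconfigjson key. The audit helpers at the end let you check which registries an existing pull secret covers; registry, user and password values are placeholders taken from the page's command.

```python
import base64
import json


def build_docker_config(server, username, password):
    """Produce the content of ~/.docker/config.json for one registry.
    The `auth` field is base64("username:password"); both `docker login`
    and `kubectl create secret docker-registry` write this structure."""
    auth = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"auths": {server: {"username": username,
                               "password": password,
                               "auth": auth}}}


def build_image_pull_secret(name, namespace, server, username, password):
    """Wrap the config.json document in a kubernetes.io/dockerconfigjson
    Secret: the whole JSON text goes base64-encoded under .dockerconfigjson,
    the same layout kubectl produces for --from-file=.dockerconfigjson=..."""
    config_json = json.dumps(build_docker_config(server, username, password))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson":
                 base64.b64encode(config_json.encode("utf-8")).decode("ascii")},
    }


def registries_in_pull_secret(manifest):
    """Audit helper: list the registries a pull secret grants access to."""
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson secret")
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    return sorted(json.loads(raw)["auths"].keys())


def account_in_pull_secret(manifest, server):
    """Return (username, password) for one registry, decoded from `auth`.
    Nothing here is encrypted, so whoever can read the Secret object holds
    the registry credentials: keep RBAC on secrets in the namespace tight."""
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    auth = json.loads(raw)["auths"][server]["auth"]
    username, _, password = base64.b64decode(auth).decode("utf-8").partition(":")
    return username, password
```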
Create the pod:
case11-secret# kubectl apply -f 5-secret-imagePull.yaml
[root@k8s-master1 case11-secret]#cat 5-secret-imagePull.yaml
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myserver-myapp-frontend-deployment
  namespace: myserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myserver-myapp-frontend
  template:
    metadata:
      labels:
        app: myserver-myapp-frontend
    spec:
      containers:
      - name: myserver-myapp-frontend
        image: harbor.chendd.fun/myserver/nginx:latest
        ports:
        - containerPort: 80
      imagePullSecrets:
      - name: harbor-image-pull-key
---
apiVersion: v1
kind: Service
metadata:
  name: myserver-myapp-frontend
  namespace: myserver
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 30018
    protocol: TCP
  type: NodePort
  selector:
    app: myserver-myapp-frontend
[root@k8s-master1 case11-secret]#kubectl apply -f 5-secret-imagePull.yaml