Data Storage in K8s: Configuration Storage
Configuration storage
In Kubernetes, ConfigMap and Secret are the two core resources for storing and managing application configuration data and sensitive information. Understanding how they work and their best practices is essential for improving the security of Kubernetes applications and the efficiency of configuration management.
ConfigMap
A ConfigMap is an API object that lets you store non-sensitive configuration data such as environment variables and database URLs. It stores the data as key-value pairs so that applications can easily read the configuration they need. A ConfigMap can be mounted directly into a container as a volume or injected into it as environment variables, giving the application access to the stored configuration without any change to the application code.
[root@k8s-master ~]# vim configmap.yaml
[root@k8s-master ~]# kubectl apply -f configmap.yaml
configmap/configmap created
[root@k8s-master ~]# kubectl get configmaps configmap -n test
NAME DATA AGE
configmap 1 8s
[root@k8s-master ~]# vim pod-configmap.yaml
[root@k8s-master ~]# kubectl apply -f pod-configmap.yaml
pod/pod-configmap created
[root@k8s-master ~]# kubectl get pod -n test -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod-configmap 0/1 ContainerCreating 0 6s <none> k8s-node1 <none> <none>
pod1 1/1 Running 0 22m 10.244.169.129 k8s-node2 <none> <none>
pod2 1/1 Running 0 22m 10.244.36.74 k8s-node1 <none> <none>
[root@k8s-master ~]# kubectl get pod -n test -w
NAME READY STATUS RESTARTS AGE
pod-configmap 0/1 ContainerCreating 0 11s
pod1 1/1 Running 0 22m
pod2 1/1 Running 0 22m
^C[root@k8s-master ~]# kubectl get pod -n test -w
NAME READY STATUS RESTARTS AGE
pod-configmap 0/1 ContainerCreating 0 14s
pod1 1/1 Running 0 23m
pod2 1/1 Running 0 23m
pod-configmap 1/1 Running 0 25s
^C[root@k8s-master ~]# kubectl exec -it pod-configmap -n test /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@pod-configmap:/#
root@pod-configmap:/#
root@pod-configmap:/# cd /configmap/config/
root@pod-configmap:/configmap/config# ll
bash: ll: command not found
root@pod-configmap:/configmap/config# ls
msg
root@pod-configmap:/configmap/config# cat msg
username: root
address: meiguo
root@pod-configmap:/configmap/config# ex
bash: ex: command not found
root@pod-configmap:/configmap/config#
root@pod-configmap:/configmap/config#
root@pod-configmap:/configmap/config#
root@pod-configmap:/configmap/config# exit
exit
command terminated with exit code 127
[root@k8s-master ~]# cat pod-configmap.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-configmap
  namespace: test
spec:
  containers:
  - name: nginx
    image: nginx:1.17.1
    volumeMounts:
    - name: config
      mountPath: /configmap/config
  volumes:
  - name: config
    configMap:
      name: configmap
Secret
In Kubernetes, a Secret object is the resource used to store sensitive information such as passwords, keys and certificates. It is similar to a ConfigMap, but it is designed for a different purpose.
- Opaque:
  - This type of Secret is used to store small amounts of sensitive data such as passwords, tokens or keys.
  - The data is stored in base64-encoded form. Base64 is an encoding, not encryption: the stored value can be decoded back to the original data by anyone who can read it, so on its own it offers relatively little protection.
[root@k8s-master ~]# echo -n "root" | base64
cm9vdA==
[root@k8s-master ~]# echo -n "123456" | base64
MTIzNDU2
[root@k8s-master ~]# vim secret.yaml
[root@k8s-master ~]# kubectl apply -f secret.yaml
secret/mysecret created
[root@k8s-master ~]# kubetcl describe secret mysecret
-bash: kubetcl: command not found
[root@k8s-master ~]# kubectl describe secret mysecret
Name: mysecret
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
pass: 6 bytes
user: 4 bytes
[root@k8s-master ~]# kubectl get secret | grep Opaque
mysecret Opaque 2 40s
[root@k8s-master ~]# cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  user: cm9vdA== # base64-encoded "root"
  pass: MTIzNDU2 # base64-encoded "123456"
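To make the point about Opaque Secrets concrete, here is a small audit helper, added as an example and not part of the original post, that reads a Secret manifest and prints every entry as plaintext. The manifest it reads is a constructed copy of the secret.yaml above, extended with a stringData: key (a real Secret field that holds values unencoded) to show that both forms are readable to anyone who can read the object.

```shell
#!/bin/sh
# Added example, not from the original post: decode the data: entries of a
# Secret manifest to show that base64 is an encoding, not encryption.
# SECRET_MANIFEST is a constructed copy of the page's secret.yaml with an
# extra stringData: key added to show the plaintext form as well.
SECRET_MANIFEST='apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  user: cm9vdA==
  pass: MTIzNDU2
stringData:
  note: plaintext-in-manifest'

# Read a manifest on stdin and print one "key=plaintext" line per entry:
# data: values are base64-decoded, stringData: values are already plain.
# Handles the flat, two-space-indented key: value layout of kubectl manifests.
decode_secret_data() {
    awk '
        /^kind:[ \t]*Secret/ { is_secret = 1 }
        /^data:/             { section = "data"; next }
        /^stringData:/       { section = "stringData"; next }
        /^[^ \t]/            { section = "" }
        is_secret && section != "" && NF >= 2 {
            sub(/:$/, "", $1)        # strip the trailing colon from the key
            print section, $1, $2    # any inline comment after the value is ignored
        }
    ' | while read -r section key value; do
        if [ "$section" = "data" ]; then
            value="$(printf '%s' "$value" | base64 -d)"
        fi
        printf '%s=%s\n' "$key" "$value"
    done
}

# Stand-alone run: prints user=root, pass=123456, note=plaintext-in-manifest
printf '%s\n' "$SECRET_MANIFEST" | decode_secret_data
```

The same decoding works on the output of `kubectl get secret mysecret -o yaml`, which is why Secret manifests must not be committed to source control and why RBAC on the secrets resource and encryption at rest for etcd are the controls that actually protect these values.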