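1. ConfigMap
Almost every application has configuration to manage; a ConfigMap exists to make application configuration easier to manage.
A ConfigMap can be created from a directory, from files, or from literal strings. Format: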
kubectl create configmap
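Create a ConfigMap from a directory: game-config
Each file in the directory becomes one key:value pair in the ConfigMap, with the file name as the key and the file content as the value.
Create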
mkdir configmap
wget https://k8s.io/docs/tasks/configure-pod-container/configmap/kubectl/game.properties -O configmap/game.properties
wget https://k8s.io/docs/tasks/configure-pod-container/configmap/kubectl/ui.properties -O configmap/ui.properties
kubectl create configmap game-config --from-file=configmap/
View
kubectl describe configmaps game-config
kubectl get configmaps game-config -o yaml
apiVersion: v1
data:
  game.properties: |
    enemies=aliens
    lives=3
    enemies.cheat=true
    enemies.cheat.level=noGoodRotten
    secret.code.passphrase=UUDDLRLRBABAS
    secret.code.allowed=true
    secret.code.lives=30
  ui.properties: |
    color.good=purple
    color.bad=yellow
    allow.textmode=true
    how.nice.to.look=fairlyNice
kind: ConfigMap
metadata:
  creationTimestamp: 2016-02-18T18:52:05Z
  name: game-config
  namespace: default
  resourceVersion: "516"
  selfLink: /api/v1/namespaces/default/configmaps/game-config
  uid: b4952dc3-d670-11e5-8cd0-68f728db1985
Create a ConfigMap from files
Create a ConfigMap with --from-file: several files can be passed in a single create command
kubectl create configmap game-config-2 --from-file=configmap/game.properties --from-file=configmap/ui.properties
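Create a ConfigMap with --from-env-file: each line of the file is stored in the ConfigMap as one key:value pair, for example lives=3. When several files are given, only the last file takes effect.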
kubectl create configmap game-config-env-file --from-env-file=configmap/game-env-file.properties
Create a ConfigMap with --from-file and a custom key:
kubectl create configmap game-config-3 --from-file=game-special-key=configmap/game.properties
Create a ConfigMap from command-line strings:
Create a ConfigMap with --from-literal: the key:value pairs are passed as strings on the command line
kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=charm
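Using a ConfigMap inside a container
1. Use it as environment variables in the pod. The "- name" entry can be repeated to bring in environment variables from several ConfigMaps.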
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "env" ]
      env:
        # Define the environment variable
        - name: SPECIAL_LEVEL_KEY
          valueFrom:
            configMapKeyRef:
              # The ConfigMap containing the value you want to assign to SPECIAL_LEVEL_KEY
              name: special-config
              # Specify the key associated with the value
              key: special.how
  restartPolicy: Never
2. Mount it as a data volume at a specified path in the pod:
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "cat /etc/config/keys" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: special-config
        items:
        # The key must exist in the ConfigMap; the special-config created
        # above defines special.how and special.type, not special.level
        - key: special.level
          path: keys
  restartPolicy: Never
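2. Secret
A Secret object stores sensitive information such as passwords, OAuth tokens, SSH keys and other tokens. A Secret can be used as environment variables or mounted as a data volume inside a container. The kubelet periodically checks whether the Secret is up to date. The size of a Secret is limited to 1MB.
1. Create a Secret automatically
# Create the files needed for the rest of the example.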
$ echo -n 'admin' > ./username.txt
$ echo -n '1f2d1e2e67df' > ./password.txt
$ kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret "db-user-pass" created
View the result
$ kubectl get secrets
NAME TYPE DATA AGE
db-user-pass Opaque 2 51s
$ kubectl describe secrets/db-user-pass
Name: db-user-pass
Namespace: default
Labels:
Annotations:
Type: Opaque
Data
password.txt: 12 bytes
username.txt: 5 bytes
2. Create a Secret manually
$ echo -n 'admin' | base64
YWRtaW4=
$ echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
$ vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
$ kubectl create -f ./secret.yaml
secret "mysecret" created
$ kubectl get secret mysecret -o yaml
apiVersion: v1
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
kind: Secret
metadata:
  creationTimestamp: 2016-01-22T18:41:56Z
  name: mysecret
  namespace: default
  resourceVersion: "164619"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: cfee02d6-c137-11e5-8d73-42010af00002
type: Opaque
Decode (the values are only base64-encoded, not encrypted):
$ echo 'MWYyZDFlMmU2N2Rm' | base64 --decode
1f2d1e2e67df
3. An example of a pod that mounts a Secret in a volume:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
Map a Secret key to a specific path:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username
Secret file permissions:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      # decimal 256 = octal 0400 (read-only for the owner)
      defaultMode: 256
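The value 256 in the last manifest is the decimal form of octal 0400, which is easy to misread when reviewing manifests. The Python sketch below is an added example, not part of the original page: it lists the effective file mode of each Secret volume in a pod manifest and flags modes that grant access beyond the owner. It assumes 0644 as the mode Kubernetes applies when defaultMode is unset; the function names are hypothetical and the sample manifests are constructed from the pod examples above.

```python
"""Audit file modes of Secret volumes in a Pod manifest (added example)."""
import json

K8S_DEFAULT_MODE = 0o644  # assumption: mode applied when defaultMode is unset


def secret_file_modes(pod):
    """Yield (volume, path, mode) for every file a Secret volume projects.

    JSON has no octal literals, so modes arrive as decimal ints (256 == 0o400).
    A per-item "mode" overrides the volume's "defaultMode".
    """
    for vol in pod["spec"].get("volumes", []):
        secret = vol.get("secret")
        if secret is None:
            continue  # not a Secret volume (for example a configMap volume)
        default = secret.get("defaultMode", K8S_DEFAULT_MODE)
        items = secret.get("items")
        if not items:
            # No items: every key of the Secret becomes a file named after it.
            yield vol["name"], "*", default
            continue
        for item in items:
            yield vol["name"], item["path"], item.get("mode", default)


def audit(pod):
    """Return one finding per file whose mode has any group/other bit set."""
    return [
        f"{vol}/{path}: mode {mode:04o} grants access beyond the owner"
        for vol, path, mode in secret_file_modes(pod)
        if mode & 0o077
    ]


def pod_with_secret(secret):
    """Build a minimal pod dict with one Secret volume named foo."""
    return {"spec": {"volumes": [{"name": "foo", "secret": secret}]}}


# Constructed sample input: JSON forms of the page's three Secret-volume pods.
NO_MODE = pod_with_secret({"secretName": "mysecret"})
MAPPED = pod_with_secret({"secretName": "mysecret", "items": [
    {"key": "username", "path": "my-group/my-username"}]})
MODE_256 = json.loads('{"spec": {"volumes": [{"name": "foo", "secret": '
                      '{"secretName": "mysecret", "defaultMode": 256}}]}}')

if __name__ == "__main__":
    for label, pod in [("no defaultMode", NO_MODE), ("items", MAPPED),
                       ("defaultMode: 256", MODE_256)]:
        print(label, "->", audit(pod) or "owner-only")
```

Only the manifest with defaultMode: 256 passes; the other two fall back to the assumed 0644 default and are flagged.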