In Kubernetes (K8s), ConfigMap and Secret are the two resource types used to store application configuration and sensitive data. They let you separate configuration and secret management from application deployment, which improves both security and flexibility.

Definitions

ConfigMap

A ConfigMap stores non-sensitive configuration data, such as environment variables or configuration files. It can be injected into a Pod in several ways: as environment variables, as command-line arguments, or mounted as files.

// ConfigMap holds configuration data for pods to consume.
type ConfigMap struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: <https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata>
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Immutable, if set to true, ensures that data stored in the ConfigMap cannot
	// be updated (only object metadata can be modified).
	// If not set to true, the field can be modified at any time.
	// Defaulted to nil.
	// +optional
	Immutable *bool `json:"immutable,omitempty" protobuf:"varint,4,opt,name=immutable"`

	// Data contains the configuration data.
	// Each key must consist of alphanumeric characters, '-', '_' or '.'.
	// Values with non-UTF-8 byte sequences must use the BinaryData field.
	// The keys stored in Data must not overlap with the keys in
	// the BinaryData field, this is enforced during validation process.
	// +optional
	Data map[string]string `json:"data,omitempty" protobuf:"bytes,2,rep,name=data"`

	// BinaryData contains the binary data.
	// Each key must consist of alphanumeric characters, '-', '_' or '.'.
	// BinaryData can contain byte sequences that are not in the UTF-8 range.
	// The keys stored in BinaryData must not overlap with the ones in
	// the Data field, this is enforced during validation process.
	// Using this field will require 1.10+ apiserver and
	// kubelet.
	// +optional
	BinaryData map[string][]byte `json:"binaryData,omitempty" protobuf:"bytes,3,rep,name=binaryData"`
}
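The key, UTF-8 and non-overlap rules stated in the struct comments above, implemented as a stand-alone check (an example added here, not code from the Kubernetes project; ValidateConfigMap and keyRE are names chosen for this example):

```go
package main

import (
	"fmt"
	"regexp"
	"unicode/utf8"
)

// keyRE encodes the key rule from the type comments above:
// alphanumeric characters, '-', '_' or '.'.
var keyRE = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

// ValidateConfigMap applies the three rules the ConfigMap comments state:
// keys match keyRE, values in data are valid UTF-8, and no key appears in
// both data and binaryData. It returns one message per violation (nil if clean).
func ValidateConfigMap(data map[string]string, binary map[string][]byte) []string {
	var errs []string
	for k, v := range data {
		switch {
		case !keyRE.MatchString(k):
			errs = append(errs, "data: invalid key "+k)
		case !utf8.ValidString(v):
			errs = append(errs, "data: non-UTF-8 value for "+k+", use binaryData")
		}
	}
	for k := range binary {
		if !keyRE.MatchString(k) {
			errs = append(errs, "binaryData: invalid key "+k)
		} else if _, dup := data[k]; dup {
			errs = append(errs, "key "+k+" present in both data and binaryData")
		}
	}
	return errs
}

func main() {
	// Constructed input: one bad key, one overlapping key, one non-UTF-8 value.
	errs := ValidateConfigMap(
		map[string]string{"bad key": "v", "shared": "v", "raw": "\xff"},
		map[string][]byte{"shared": {0x01}, "logo.png": {0x89, 0x50}},
	)
	for _, e := range errs {
		fmt.Println(e)
	}
}
```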

Secret

A Secret stores sensitive data, such as passwords and API keys. The data in a Secret is stored Base64-encoded; note that this is not encryption, only an encoding.

type Secret struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: <https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata>
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Immutable, if set to true, ensures that data stored in the Secret cannot
	// be updated (only object metadata can be modified).
	// If not set to true, the field can be modified at any time.
	// Defaulted to nil.
	// +optional
	Immutable *bool `json:"immutable,omitempty" protobuf:"varint,5,opt,name=immutable"`

	// Data contains the secret data. Each key must consist of alphanumeric
	// characters, '-', '_' or '.'. The serialized form of the secret data is a
	// base64 encoded string, representing the arbitrary (possibly non-string)
	// data value here. Described in <https://tools.ietf.org/html/rfc4648#section-4>
	// +optional
	Data map[string][]byte `json:"data,omitempty" protobuf:"bytes,2,rep,name=data"`

	// stringData allows specifying non-binary secret data in string form.
	// It is provided as a write-only input field for convenience.
	// All keys and values are merged into the data field on write, overwriting any existing values.
	// The stringData field is never output when reading from the API.
	// +k8s:conversion-gen=false
	// +optional
	StringData map[string]string `json:"stringData,omitempty" protobuf:"bytes,4,rep,name=stringData"`

	// Used to facilitate programmatic handling of secret data.
	// More info: <https://kubernetes.io/docs/concepts/configuration/secret/#secret-types>
	// +optional
	Type SecretType `json:"type,omitempty" protobuf:"bytes,3,opt,name=type,casttype=SecretType"`
}

Comparison

Resource  | Similarities                                                                                  | Differences
ConfigMap | Injected into the Pod as environment variables or mounted as files; both are key:value (map type) | Content is plaintext; suited to configuration such as file paths
Secret    | Injected into the Pod as environment variables or mounted as files; both are key:value (map type) | Content is Base64-encoded (passwords and the like); the Type field can constrain the content

Usage

Creating a ConfigMap

You can create a ConfigMap from the command line or from a YAML file. Here is an example YAML file that creates a ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-config-map
data:
  key1: config-value-1
  key2: config-value-2

Using a ConfigMap in a Pod

You can reference the ConfigMap from the Pod definition.

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mycontainer
      image: ljtian/http-server-gen:v0.2
      env:
        - name: KEY1
          valueFrom:
            configMapKeyRef:
              name: my-config-map
              key: key1
      volumeMounts:
        - name: config-volume
          mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: my-config-map

Creating a Secret

You can create a Secret from the command line or from a YAML file. Here is an example YAML file that creates a Secret:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: dXNlcm5hbWU=  # Base64-encoded username
  password: cGFzc3dvcmQ=  # Base64-encoded password
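To make concrete both that Base64 is not encryption and the stringData merge rule from the Secret struct comments above, here is an added example (not Kubernetes project code; MergeStringData and DecodeSecretData are names chosen for this example) that decodes the two values from the manifest above and shows stringData overwriting data:

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// MergeStringData mirrors the Secret.stringData write path described in the
// type comments: every stringData entry is copied into data, overwriting an
// existing value under the same key. It also returns the keys it overwrote.
func MergeStringData(data map[string][]byte, stringData map[string]string) (map[string][]byte, []string) {
	out := make(map[string][]byte, len(data)+len(stringData))
	var overwritten []string
	for k, v := range data {
		out[k] = v
	}
	for k, v := range stringData {
		if _, exists := out[k]; exists {
			overwritten = append(overwritten, k)
		}
		out[k] = []byte(v)
	}
	return out, overwritten
}

// DecodeSecretData recovers the plaintext behind the base64 values of a Secret
// manifest. No key is involved: base64 is encoding, not encryption, so anyone
// who can read the object can read the values.
func DecodeSecretData(encoded map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(encoded))
	for k, v := range encoded {
		raw, err := base64.StdEncoding.DecodeString(v)
		if err != nil {
			return nil, fmt.Errorf("key %s: %w", k, err)
		}
		out[k] = string(raw)
	}
	return out, nil
}

func main() {
	// The two values from the my-secret manifest above.
	plain, err := DecodeSecretData(map[string]string{"username": "dXNlcm5hbWU=", "password": "cGFzc3dvcmQ="})
	fmt.Println(plain, err)
}
```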

Using a Secret in a Pod

You can reference the Secret from the Pod definition.

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mycontainer
      image: ljtian/http-server-gen:v0.2
      env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: password
      volumeMounts:
        - name: secret-volume
          readOnly: true
          mountPath: "/etc/secret-volume"
  volumes:
    - name: secret-volume
      secret:
        secretName: my-secret

Demo

Demo using uccps

ConfigMap demo

Create from the YAML file

(screenshot)

View the result

(screenshot)

(screenshot)

Secret demo

Create from the YAML file

(screenshot)

Result

(screenshot)

(screenshot)

Summary

A ConfigMap stores non-sensitive configuration data, while a Secret stores sensitive data. Both let you separate configuration and sensitive data from application deployment, improving security and flexibility.

Sources