ConfigMap:方便将配置文件与镜像(image)分离,以保障容器化应用程序的可移植性。
mysql:username:张三 username:李四
Secret:对象允许存储和管理敏感信息,比如密码,OAuth令牌和ssh秘钥。将此数据放入在secret里面。然后通过pod读取这样会更加安全灵活。
配置configMap
apiVersionv1
kindConfigMap
metadata
name:test-config
data
usernamezhangsan
passwordyuanke
usernamelisi
[root@master demo]# vi configMap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: test-config
data:
username: zhangsan
password: yuanke
username: lisi
[root@master demo]# kubectl create -f configMap.yaml
configmap/test-config created
[root@master demo]# vi configMap.yaml
[root@master demo]# kubectl get configMaps
NAME DATA AGE
test-config 2 45s
[root@master demo]# kubectl describe configmaps test-config
Name: test-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
password:
----
yuanke
username:
----
lisi
Events: <none>
使用configMap
vi test-configMap-env-pod
apiVersionv1
kindPod
metadata
nametest-configmap-env-pod
spec
containers
nametest-container
imageradial/busyboxplus
imagePullPolicyIfNotPresent
command"/bin/sh""-c""sleep 1000000"
envFrom
configMapRef
nametest-config
[root@master demo]# kubectl create -f test-configMap-env-pod
pod/test-configmap-env-pod created
[root@master demo]# kubectl get pod
NAME READY STATUS RESTARTS AGE
test-configmap-env-pod 1/1 Running 0 42s
[root@master demo]# kubectl exec -it test-configmap-env-pod -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=test-configmap-env-pod
TERM=xterm
username=lisi
password=yuanke
环境变量的另一种方式
apiVersionv1
kindPod
metadata
nametest-configmap-env-pod
spec
containers
nametest-container
imageradial/busyboxplus
imagePullPolicyIfNotPresent
command"/bin/sh""-c""echo ${MYSQLUSER} ${MYSQLPASSWD};sleep 1000000"
env
nameMYSQLUSER
valueFrom
configMapKeyRef
nametest-config
keyusername
nameMYSQLPASSWD
valueFrom
configMapKeyRef
nametest-config
keypassword
[root@master demo]# kubectl delete -f test-configMap-env-pod
pod "test-configmap-env-pod" deleted
[root@master demo]# kubectl create -f test-configMap-env-pod
pod/test-configmap-env-pod created
[root@master demo]# kubectl get pod
NAME READY STATUS RESTARTS AGE
pc-job-xtn4s 0/1 Completed 0 13d
test-configmap-env-pod 1/1 Running 0 5s
[root@master demo]# kubectl exec -it test-configmap-env-pod -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=test-configmap-env-pod
TERM=xterm
MYSQLUSER=lisi
MYSQLPASSWD=yuanke
手动创建SECRET
可以先以 json 或 yaml 格式在文件中创建一个 secret 对象,然后创建该对象。
每一项必须是 base64 编码:
$ echo -n "admin" | base64
YWRtaW4=
$ echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm
解密
echo 'YWRtaW4=' | base64 --decode
返回admin
vi secret-env.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret-env
type: Opaque
data:
username: YWRtaW4=
password: MWYyZDFlMmU2N2Rm
kubectl get secrets
[root@master demo]# kubectl create -f secret-env.yaml
secret/mysecret-env created
[root@master demo]# kubectl get secrets
NAME TYPE DATA AGE
default-token-mp2h9 kubernetes.io/service-account-token 3 21d
mysecret-env Opaque 2 10s
tls-secret kubernetes.io/tls 2 23h
vi secret-pod-env1.yaml
apiVersionv1
kindPod
metadata
nameenvfrom-secret
spec
containers
nametest-nginx
imagenginx
envFrom
secretRef
namemysecret-env
kubectl create -f secret-pod-env1.yaml
kubectl exec -it envfrom-secret -- env
另一种引入方式
apiVersionv1
kindPod
metadata
nametest-configmap-env-pod
spec
containers
nametest-container
imageradial/busyboxplus
imagePullPolicyIfNotPresent
command"/bin/sh""-c""echo ${MYSQLUSER} ${MYSQLPASSWD};sleep 1000000"
env
nameMYSQLUSER
valueFrom
secretKeyRef
namemysecret-env
keyusername
nameMYSQLPASSWD
valueFrom
secretKeyRef
namemysecret-env
keypassword
root@master demo# kubectl create -f test-secret-env-pod
pod/test-configmap-env-pod created
root@master demo# kubectl get pod
NAME READY STATUS RESTARTS AGE
deployment-example-868795bc5b-g2x7n 1/1 Running 0 5h29m
test-configmap-env-pod 1/1 Running 0 4s
root@master demo# kubectl exec -it test-configmap-env-pod -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=test-configmap-env-pod
TERM=xterm
MYSQLPASSWD=1f2d1e2e67df
MYSQLUSER=admin
