关于 Kubernetes中secret、configmap实操的一些笔记
写在前面
- 学习K8s涉及到这些,整理笔记加以记忆
- 博客内容涉及
pod中的配置文件/密码的管理,包括: secret,configmap资源对象创建方式secret,configmap使用方式(变量/卷)- 博文为一些Demo,理论很少,相关理论小伙伴可以到官网看
- https://kubernetes.io/zh/docs/concepts/configuration/secret/
- https://kubernetes.io/zh/docs/concepts/configuration/configmap/
我不再装模作样地拥有很多朋友,而是回到了孤单之中,以真正的我开始了独自的生活。有时我也会因为寂寞而难以忍受空虚的折磨,但我宁愿以这样的方式来维护自己的自尊,也不愿以耻辱为代价去换取那种表面的朋友。 ——余华《在细雨中呼喊》
应用部署的一个最佳实践是 将应用所需的配置信息与程序进行分离,这样可以使得应用程序被更好地复用,通过不同的配置也能实现更灵活的功能。
将应用打包为容器镜像后,可以通过环境变量或者外挂文件的方式在创建容器时进行配置注入,但在大规模容器集群的环境中,对多个容器进行不同的配置将变得非常复杂。从Kubernetes v1.2开始提供了一种统一的应用配置管理方案ConfgMap,ConfigMap 是一种 API 对象,用来将非机密性的数据保存到键值对中。使用时, Pods 可以将其用作环境变量、命令行参数或者存储卷中的配置文件。
Secret 是一种包含少量敏感信息例如密码、令牌或密钥的对象。 这样的信息可能会被放在 Pod 规约中或者镜像中。 使用 Secret 意味着你不需要在应用程序代码中包含机密数据。
由于创建 Secret 可以独立于使用它们的 Pod, 因此在创建、查看和编辑 Pod 的工作流程中暴露 Secret(及其数据)的风险较小。 Kubernetes 和在集群中运行的应用程序也可以对 Secret 采取额外的预防措施, 例如避免将机密数据写入非易失性存储。
secret和configmap供容器使用的典型用法如下。 |
|---|
| 生成为容器内的环境变量。 |
| 设置容器启动命令的启动参数(需设置为环境变量)。 |
| 以Volume的形式挂载为容器内部的文件或目录。 |
config和secret的区别主要是secret加密了,而config没有加密
环境准备
相关镜像拉取
┌──[root@vms81.liruilongs.github.io]-[~/ansible]└─$ansible node -m ping192.168.26.83 | SUCCESS => { "ansible_facts": { "discovered_interpreter_python": "/usr/bin/python" }, "changed": false, "ping": "pong"}192.168.26.82 | SUCCESS => { "ansible_facts": { "discovered_interpreter_python": "/usr/bin/python" }, "changed": false, "ping": "pong"}┌──[root@vms81.liruilongs.github.io]-[~/ansible]└─$ansible node -m shell -a "docker pull hub.c.163.com/library/mysql:latest"┌──[root@vms81.liruilongs.github.io]-[~/ansible]└─$ansible node -m shell -a "docker pull hub.c.163.com/library/wordpress:latest"学习环境准备,新建一个命名空间
┌──[root@vms81.liruilongs.github.io]-[~/ansible]└─$dir=k8s-secret-create;mkdir $dir;cd $dir┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get nsNAME STATUS AGEdefault Active 66dkube-node-lease Active 66dkube-public Active 66dkube-system Active 66dliruilong Active 65dliruilong-pod-create Active 58dliruilong-volume-create Active 16d┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl create ns liruilong-secret-createnamespace/liruilong-secret-create created┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl config set-context $(kubectl config current-context) --namespace=liruilong-secret-createContext "context1" modified.┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl config view | grep namespace namespace: default namespace: liruilong-secret-create namespace: kube-system┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl config get-contextsCURRENT NAMECLUSTER AUTHINFO NAMESPACE cluster1 default* context1 cluster1 kubernetes-admin1 liruilong-secret-create context2 kube-system┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$secret密码配置管理
secret用于多个镜像的密码管理
mysqlpod创建一个mysql镜像
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl run mysqlpod --image=hub.c.163.com/library/mysql:latest --image-pull-policy=IfNotPresent --dry-run=client -o yaml >mysqlpod.yaml┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$vim mysqlpod.yaml┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$cat mysqlpod.yamlapiVersion: v1kind: Podmetadata: creationTimestamp: null labels: run: mysqlpod name: mysqlpodspec: containers: - image: hub.c.163.com/library/mysql:latest imagePullPolicy: IfNotPresent name: mysqlpod resources: {} env: - name: MYSQL_ROOT_PASSWORD value: liruilong dnsPolicy: ClusterFirst restartPolicy: Alwaysstatus: {}┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl apply -f mysqlpod.yamlpod/mysqlpod created┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get pods -o wideNAMEREADY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATESmysqlpod 1/1 Running 0 19s 10.244.171.190 vms82.liruilongs.github.io <none> <none>┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$客户端测试
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$yum -y install mariadb┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$mysql -uroot -pliruilong -h10.244.171.190Welcome to the MariaDB monitor. Commands end with ; or \g.Your MySQL connection id is 3Server version: 5.7.18 MySQL Community Server (GPL)Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.MySQL [(none)]> quitBye┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$创建 secret
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl describe pod mysqlpod | grep -A 2 Env Environment: MYSQL_ROOT_PASSWORD: liruilong Mounts:┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$上面的密码我们使用的是明文,但是在实际的生产环境使用明文是很危险的一件事,所以我们需要加密处理
secret主要用于密码的保存
通过键值对的方式创建。直接指定键值对,或者存放中secret中
命令行创建secret
查看secret
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get saNAME SECRETS AGEdefault 1 46m┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get secretsNAME TYPE DATA AGEdefault-token-7q2qj kubernetes.io/service-account-token 3 46m┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$创建secret
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl create secret generic mysecl --from-literal=mysqlpassword=liruilong --from-literal=rqpassword=rqsecret/mysecl created┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get secretsNAME TYPE DATA AGEdefault-token-7q2qj kubernetes.io/service-account-token 3 49mmysecl Opaque 2 9s┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$Secret有三种类型:
| Secret有三种类型 |
|---|
| Opaque |
| kubernetes.io/dockerconfigjson |
| kubernetes.io/service-account-token |
查看详细信息
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl describe secrets myseclName: myseclNamespace: liruilong-secret-createLabels:<none>Annotations: <none>Type: OpaqueData====mysqlpassword: 9 bytesrqpassword: 2 bytes┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get secrets mysecl -o yamlapiVersion: v1data: mysqlpassword: bGlydWlsb25n rqpassword: cnE=kind: Secretmetadata: creationTimestamp: "2021-12-12T02:45:20Z" name: mysecl namespace: liruilong-secret-create resourceVersion: "1594980" selfLink: /api/v1/namespaces/liruilong-secret-create/secrets/mysecl uid: 05a99a7c-c7f0-48ac-9f67-32eb52ed1558type: Opaque也可以通过解密得到想要的密码
┌──[root@vms81.liruilongs.github.io]-[~]└─$echo bGlydWlsb25n | base64 -dliruilong┌──[root@vms81.liruilongs.github.io]-[~]┌──[root@vms81.liruilongs.github.io]-[~]└─$echo cnE= | base64 -drq┌──[root@vms81.liruilongs.github.io]-[~]直接解密
┌──[root@vms81.liruilongs.github.io]-[~]└─$kubectl get secrets mysecl -o jsonpath='{.data.mysqlpassword}' | base64 -dliruilong┌──[root@vms81.liruilongs.github.io]-[~]└─$文件方式创建secret
一般使用命令行的方式创建,很少使用文件的方式创建
帐密信息文件
liruilong┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$tee cat env.txt <<-'EOF'> user=liruilong> password1=redhat> password2=redhat> EOFuser=liruilongpassword1=redhatpassword2=redhat┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$lsenv.txt mysqlpod.yaml通过--from-env-file文件创建
文件中的键值对
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl create secret generic mysecret1 --from-env-file=env.txtsecret/mysecret1 created查看创建信息
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get secretsNAME TYPE DATA AGEdefault-token-7q2qj kubernetes.io/service-account-token 3 6h34mmysecl Opaque 2 5h45mmysecret1 Opaque 3 32s┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl describe secrets mysecret1Name: mysecret1Namespace: liruilong-secret-createLabels:Annotations: Type: OpaqueData====password1: 6 bytespassword2: 6 bytesuser:9 bytes┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$也可以通过--from-file来创建,文件名是键,文件内容为值
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl create secret generic mysecret2 --from-file=/etc/hostssecret/mysecret2 created┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get secrets mysecret2 -o jsonpath='{.data.hosts}'| base64 -d127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4::1 localhost localhost.localdomain localhost6 localhost6.localdomain6192.168.26.81 vms81.liruilongs.github.io vms81192.168.26.82 vms82.liruilongs.github.io vms82192.168.26.83 vms83.liruilongs.github.io vms83┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$使用 secret
secret可以通过卷的方式使用,也可以通过变量的方式使用
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl create secret generic mysecl --from-literal=mysqlpassword=liruilong --from-literal=rqpassword=rqsecret/mysecl created这里我们使用前面的创建的这个secret
变量的方式使用secret
yaml文件中变量设置密码通过secret的方式:mysqlpodargs.yaml
apiVersion: v1kind: Podmetadata: creationTimestamp: null labels: run: mysqlpod name: mysqlpodspec: containers: - image: hub.c.163.com/library/mysql:latest imagePullPolicy: IfNotPresent name: mysqlpod resources: {} env: - name: MYSQL_ROOT_PASSWORD valueFrom: secretKeyRef: name: mysecl key: mysqlpassword dnsPolicy: ClusterFirst restartPolicy: Alwaysstatus: {}创建pod
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl apply -f mysqlpodargs.yamlpod/mysqlpod created┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get pods -o wideNAMEREADY STATUSRESTARTS AGE IPNODE NOMINATED NODE READINESS GATESmysqlpod 0/1 ContainerCreating 0 15s <none> vms83.liruilongs.github.io <none> <none>┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get pods -o wideNAMEREADY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATESmysqlpod 1/1 Running 0 21s 10.244.70.19 vms83.liruilongs.github.io <none> <none>测试登录
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$mysql -uroot -h10.244.70.19 -pliruilongWelcome to the MariaDB monitor. Commands end with ; or \g.Your MySQL connection id is 3Server version: 5.7.18 MySQL Community Server (GPL)Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.MySQL [(none)]>以卷的方式使用secret
pod文件nginxsecret.yaml,一般不这样使用
apiVersion: v1kind: Podmetadata: creationTimestamp: null labels: run: nginxsecret name: nginxsecretspec: volumes: - name: v1 secret: secretName: mysecl containers: - image: nginx imagePullPolicy: IfNotPresent name: nginxsecret resources: {} volumeMounts: - name: v1 mountPath: /data dnsPolicy: ClusterFirst restartPolicy: Alwaysstatus: {}创建pod会把加密的文件信息写在pod里的/data目录下
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl apply -f nginxsecret.yamlpod/nginxsecret created┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get podsNAME READY STATUS RESTARTS AGEnginxsecret 1/1 Running 0 41s┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl exec -it nginxsecret -- bashroot@nginxsecret:/# lsbin data docker-entrypoint.d etc lib media opt root sbin sys usrboot dev docker-entrypoint.sh home lib64 mnt proc run srv tmp varroot@nginxsecret:/# cd data/;lsmysqlpassword rqpasswordroot@nginxsecret:/data# exitexit如过添加了subPath,会把指定的信息写入文件:nginxsecretsubPth.yaml
apiVersion: v1kind: Podmetadata: creationTimestamp: null labels: run: nginxsecret name: nginxsecretspec: volumes: - name: v1 secret: secretName: mysecl containers: - image: nginx imagePullPolicy: IfNotPresent name: nginxsecret resources: {} volumeMounts: - name: v1 mountPath: /data/mysql subPath: mysqlpassword dnsPolicy: ClusterFirst restartPolicy: Alwaysstatus: {}创建pod测试
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl apply -f nginxsecretsubPth.yamlpod/nginxsecret created┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get podsNAME READY STATUS RESTARTS AGEnginxsecret 1/1 Running 0 16s┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl exec -it nginxsecret -- bashroot@nginxsecret:/# cat data/mysqlliruilongroot@nginxsecret:/# exitexitconfigmap(cm)服务配置管理
也是以键值对的方式使用,一般通过命名行的方式创建,也可以通过卷和变量的方式使用
config和secret的区别主要是secret加密了,而config没有加密
configmap(cm)的创建
通过命令行的方式创建
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl create configmap myconfig1 --from-literal=user=liruilong --from-literal=password=liruilongconfigmap/myconfig1 created查看创建信息
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get cmNAME DATA AGEkube-root-ca.crt 1 7h32mmyconfig1 2 81s┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl describe configmaps myconfig1Name: myconfig1Namespace: liruilong-secret-createLabels:<none>Annotations: <none>Data====password:----liruilonguser:----liruilongBinaryData====Events: <none>┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get cm myconfig1 -o jsonpath='{.data.password}'liruilong┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get cm myconfig1 -o jsonpath='{.data.user}'liruilong┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$通过文件的方式创建
微服务中常用的配置文件信息
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$cat application.properties##配置了Web容器的端口号。server.port=8081##配置了当项目出错时跳转去的页面。#server.error.path=/error##配置了session失效时间, 30m表示30分钟,如果不写单位,默认单位是秒。由于Tomcat中配置session过期时间以分 钟为单位,因此这里单位如果是秒的话,该时间会被转换为一个不超过所配置秒数的最大分钟数,例如这里配置了119, 默认单位为秒,则实际session过期时间为1分钟。server.servlet.session.timeout=30m##表示项目名称,不配置时默认为/,如果配置了,就要在访问路径中加上配置的路径。server.servlet.context-path=/##表示配置Tomcat请求编码。server.tomcat.uri-encoding=utf-8##表示Tomcat最大线程数。server.tomcat.threads.max=500##是一个存放Tomcat运行日志和临时文件的目录,若不配置,则默认使用系统的临时目录。server.tomcat.basedir=/home/sang/tmp#HttpServletRequest的属性是否可以覆盖controller中model的同名项spring.freemarker.allow-request-override=false#HttpSession的属性是否可以覆盖controller中model的同名项spring.freemarker.allow-session-override=true#是否开启缓存spring.freemarker.cache=false#模板文件编码spring.freemarker.charset=UTF-8#是否检查模板位置spring.freemarker.check-template-location=true#Content-Type的值spring.freemarker.content-type=text/html#是否将HttpServletRequest中的属性添加到Model中spring.freemarker.expose-request-attributes=false#是否将HttpSession中的属性添加到Model中spring.freemarker.expose-session-attributes=true#模板文件后缀spring.freemarker.suffix=.ftl#模板文件位置spring.freemarker.template-loader-path=classpath:/templates/#是否开启缓存,开发时可设置为false,默认为truespring.thymeleaf.cache=true#是否检查模板是否存在,默认为truespring.thymeleaf.check-template=true#是否检查模板位置是否存在,默认为truespring.thymeleaf.check-template-location=true#模板文件编码spring.thymeleaf.encoding=UTF-8#模板文件位置spring.thymeleaf.prefix=classpath:/templates/#Content-Type配置spring.thymeleaf.servlet.content-type=text/html#模板文件后缀spring.thymeleaf.suffix=.html#spring.mvc.view.prefix=/WEB-INF/jsp/##spring.mvc.view.suffix=.jspspring.redis.database=0spring.redis.host=192.168.66.130spring.redis.port=6379spring.redis.password=123@456spring.redis.lettuce.pool.max-active=spring.redis.lettuce.pool.max-idle=spring.redis.lettuce.pool.max-wait=spring.redis.lettuce.pool.min-idle=spring.redis.lettuce.shutdown-timeout=#连接池最大连接数spring.redis.jedis.pool.max-active=8#连接池中的最大空闲连接spring.redis.jedis.pool.max-idle=8#连接池最大阻塞等待时间(使用负值表示没有限制)spring.redis.jedis.pool.max-wait=-1ms#连接池中的最小空闲连接spring.redis.jedis.pool.min-idle=0┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl create configmap myconfig2 --from-file=./application.propertiesconfigmap/myconfig2 created┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$cat env.txtuser=liruilongpassword1=redhatpassword2=redhat┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl create configmap myconfig3 --from-env-file=./env.txtconfigmap/myconfig3 created查看创建的全部configMap
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get cmNAME DATA AGEkube-root-ca.crt 1 8hmyconfig1 2 37mmyconfig2 1 9m16smyconfig3 3 18s┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$configmap(cm)的使用
用卷的方式使用configmap
configmap通常使用卷的方式使用,一般可以在微服务中抽离配置文件: ngingconfig.yaml
apiVersion: v1kind: Podmetadata: creationTimestamp: null labels: run: nginxsecret name: nginxsecretspec: volumes: - name: config configMap: name: myconfig2 containers: - image: nginx imagePullPolicy: IfNotPresent name: nginxsecret resources: {} volumeMounts: - name: config mountPath: /app/java readOnly: true dnsPolicy: ClusterFirst restartPolicy: Alwaysstatus: {}测试,查看配置文件
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl apply -f ngingconfig.yamlpod/nginxsecret created┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get podsNAME READY STATUS RESTARTS AGEnginxsecret 1/1 Running 0 40s┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl exec -it nginxsecret -- bashroot@nginxsecret:/# cd /app/java/;lsapplication.propertiesroot@nginxsecret:/app/java# cat application.properties##配置了Web容器的端口号。server.port=8081##配置了当项目出错时跳转去的页面。#server.error.path=/error##配置了session失效时间, 30m表示30分钟,如果不写单位,默认单位是秒。由于Tomcat中配置session过期时间以分 钟为单位,因此这里单位如果是秒的话,该时间会被转换为一个不超过所配置秒数的最大分钟数,例如这里配置了119, 默认单位为秒,则实际session过期时间为1分钟。server.servlet.session.timeout=30m##表示项目名称,不配置时默认为/,如果配置了,就要在访问路径中加上配置的路径。server.servlet.context-path=/##表示配置Tomcat请求编码。server.tomcat.uri-encoding=utf-8.........修改kube-prosy的负载策略,修改其中的 mode: " iptables/ipvs",修改之后需要重启对应的pod
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get cm -n kube-systemNAME DATA AGEcalico-config 4 66dcoredns 1 66dextension-apiserver-authentication 6 66dkube-proxy 2 66dkube-root-ca.crt1 66dkubeadm-config 2 66dkubelet-config-1.21 1 66dkubelet-config-1.22 1 54d┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl edit cm kube-proxy -n kube-system变量的方式使用configMap
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get configmaps myconfig3 -o yamlapiVersion: v1data: password1: redhat password2: redhat user: liruilongkind: ConfigMapmetadata: creationTimestamp: "2021-12-12T10:04:42Z" name: myconfig3 namespace: liruilong-secret-create resourceVersion: "1645816" selfLink: /api/v1/namespaces/liruilong-secret-create/configmaps/myconfig3 uid: b75bef31-05a8-4d67-8d5c-dea42aedea67编写pod资源文件
apiVersion: v1kind: Podmetadata: creationTimestamp: null labels: run: mysqlpod name: mysqlpodspec: containers: - image: hub.c.163.com/library/mysql:latest imagePullPolicy: IfNotPresent name: mysqlpod resources: {} env: - name: MYSQL_ROOT_PASSWORD valueFrom: configMapKeyRef: name: myconfig3 key: user dnsPolicy: ClusterFirst restartPolicy: Alwaysstatus: {}创建pod
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl apply -f mysqlpodconfig.yamlpod/mysqlpod created┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$kubectl get pods -o wideNAMEREADY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATESmysqlpod 1/1 Running 0 3m19s 10.244.171.130 vms82.liruilongs.github.io <none> <none>┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$测试使用
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-secret-create]└─$mysql -uroot -h10.244.171.130 -pliruilongWelcome to the MariaDB monitor. Commands end with ; or \g.Your MySQL connection id is 3Server version: 5.7.18 MySQL Community Server (GPL)Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.MySQL [(none)]>