configMap
configmap概述:
数据会存储在etcd数据库,其应用场景主要在应用程序的配置
configmap支持的类型
(1)键值对
(2)多行数据
pod使用configmap资源有两种常见的方式
(1)变量注入
(2)数据卷挂载
推荐阅读
https://kubernetes.io/docs/concepts/storage/volumes/
https://kubernetes.io/docs/concepts/configuration/configmap/
声明式创建cm资源
[ root@master231 configmaps]
apiVersion: v1
kind: ConfigMap
metadata:
name: game-demo
data:
player_initial_lives: "3"
ui_properties_file_name: "user-interface.properties"
school: oldboyedu
class: linux94
game.properties: |
enemy.types = aliens,monsters
player.maximum-lives= 5
user-interface.properties: |
color.good = purple
color.bad = yellow
allow.textmode = true
my.cnf: |
[ mysqld]
datadir = /var/lib/mysql
basedir = /usr/local/mysql
socket = /tpm/mysql.sock
skip-name-resolve= 1
port = 3306
[ client]
username = admin
password = oldboyedu
创建
root@ubuntu0:~/manifests/configmap
configmap/game-demo created
查看
root@ubuntu0:~/manifests/configmap
NAME DATA AGE
game-demo 7 29s
kube-root-ca.crt 1 23d
root@ubuntu0:~/manifests/configmap
NAME DATA AGE
game-demo 7 33s
删除
root@ubuntu0:~/manifests/configmap
configmap "game-demo" deleted
响应式创建
root@ubuntu0:~/manifests/configmap
configmap/xp created
root@ubuntu0:~/manifests/configmap
NAME DATA AGE
kube-root-ca.crt 1 23d
xp 2 6s
root@ubuntu0:~/manifests/configmap
NAME DATA AGE
xp 2 8s
root@ubuntu0:~/manifests/configmap
Name: xp
Namespace: default
Labels: < none>
Annotations: < none>
Data
== ==
class:
----
linux94
school:
----
oldboyedu
BinaryData
== ==
Events: < none>
基于配置文件创建cm
[ root@master231 configmaps]
-rw-r--r-- 1 root root 4406 Nov 15 17 :40 /root/kube-flannel.yml
[ root@master231 configmaps]
[ root@master231 configmaps]
configmap/oldboyedu-cni created
3.3 查看cm资源
[ root@master231 configmaps]
NAME DATA AGE
oldboyedu-cni 1 8s
[ root@master231 configmaps]
[ root@master231 configmaps]
[ root@master231 configmaps]
[ root@master231 configmaps]
[ root@master231 configmaps]
[ root@master231 configmaps]
3.3 删除cm资源
[ root@master231 configmaps]
NAME DATA AGE
kube-root-ca.crt 1 4d16h
oldboyedu-cni 1 2m27s
oldboyedu-linux94 2 4m38s
[ root@master231 configmaps]
[ root@master231 configmaps]
configmap "oldboyedu-cni" deleted
[ root@master231 configmaps]
[ root@master231 configmaps]
NAME DATA AGE
kube-root-ca.crt 1 4d16h
oldboyedu-linux94 2 5m9s
[ root@master231 configmaps]
root@ubuntu0:~/manifests/configmap
apiVersion: v1
data:
class: linux94
school: oldboyedu
kind: ConfigMap
metadata:
creationTimestamp: "2025-05-02T10:49:39Z"
name: xp
namespace: default
resourceVersion: "670826"
uid: b129e625-7733-4b80-9d9f-55227b473f51
那如何在声明式中引用这个key:vlaue呢
root@ubuntu0:~/manifests/configmap
apiVersion: v1
kind: ReplicationController
metadata:
name: xp-configmap
spec:
replicas: 1
selector:
apps: v1
template:
metadata:
labels:
apps: v1
spec:
nodeName: ubuntu1
containers:
- name: xiuxian-v1
image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
env:
- name: SCHOOL
valueFrom:
configMapKeyRef:
name: "xp"
key: "school"
- name: CLass
valueFrom:
configMapKeyRef:
name: "xp"
key: "class"
root@ubuntu0:~/manifests/configmap
replicationcontroller/xp-configmap created
root@ubuntu0:~/manifests/configmap
SCHOOL = oldboyedu
CLass = linux94
Pod基于存储卷引用cm资源
root@ubuntu0:~/manifests/configmap
apiVersion: v1
kind: ReplicationController
metadata:
name: xpxp
spec:
replicas: 1
selector:
apps: xpxp-v1
template:
metadata:
labels:
apps: xpxp-v1
spec:
nodeName: ubuntu1
volumes:
- name: data
configMap:
name: "xp"
items:
- key: school
path: school.txt
containers:
- name: nginx
image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
volumeMounts:
- name: data
mountPath: /oldboyedu
root@ubuntu0:~/manifests/configmap
replicationcontroller/xpxp created
root@ubuntu0:~/manifests/configmap
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
xpxp-25pwf 1 /1 Running 0 25m 10.100 .2.19 ubuntu1 < none> < none>
root@ubuntu0:~/manifests/configmap
school.txt
root@ubuntu0:~/manifests/configmap
oldboyeduroot@ubuntu0:~/manifests/configmap
将"registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1" 镜像的80端口修改为81端口,要求在不重新打镜像的情况下,使用cm存储卷的方式挂载。
1 .找到nginx的配置文件
root@ubuntu0:~/manifests/configmap
/
/
/etc/nginx/conf.d/default.conf
/
server {
listen 80 ;
listen [ ::] :80;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
2 .编写资源清单
root@ubuntu0:~/manifests/configmap
apiVersion: v1
kind: ConfigMap
metadata:
name: game-cm
data:
port.conf: |
server {
listen 81 ;
listen [ ::] :81;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
---
apiVersion: v1
kind: ReplicationController
metadata:
name: xiuxian-cm
spec:
replicas: 1
selector:
apps: xpxp-v1
template:
metadata:
labels:
apps: xpxp-v1
spec:
nodeName: ubuntu1
volumes:
- name: data
configMap:
name: "game-cm"
items:
- key: port.conf
path: default.conf
containers:
- name: nginx
image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
volumeMounts:
- name: data
mountPath: /etc/nginx/conf.d/
---
apiVersion: v1
kind: Service
metadata:
name: svc-mysql
spec:
type: NodePort
selector:
apps: xpxp-v1
ports:
- port: 80
targetPort: 81
nodePort: 30081
root@ubuntu0:~/manifests/configmap
configmap/game-cm created
replicationcontroller/xiuxian-cm created
service/svc-mysql created
root@ubuntu0:~/manifests/configmap
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
xiuxian-cm-b52m2 1 /1 Running 0 7s 10.100 .2.21 ubuntu1 < none> < none>
root@ubuntu0:~/manifests/configmap
kubernetes svc-mysql
root@ubuntu0:~/manifests/configmap
Name: svc-mysql
Namespace: default
Labels: < none>
Annotations: < none>
Selector: apps = xpxp-v1
Type: NodePort
IP Family Policy: SingleStack
IP Families: IPv4
IP: 192.168 .116.228
IPs: 192.168 .116.228
Port: < unset> 80 /TCP
TargetPort: 81 /TCP
NodePort: < unset> 30081 /TCP
Endpoints: 10.100 .2.21:81
Session Affinity: None
External Traffic Policy: Cluster
Events: < none>
root@ubuntu0:~/manifests/configmap
< ! DOCTYPE html>
< html>
< head>
< meta charset = "utf-8" />
< title> yinzhengjie apps v1 < /title>
< style>
div img {
width: 900px;
height: 600px;
margin: 0 ;
}
< /style>
< /head>
< body>
< h1 style = "color: green" > 凡人修仙传 v1 < /h1 >
< div>
< img src = "1.jpg" >
< div>
< /body>
< /html>
在进入容器内,已经发生改变了
root@ubuntu0:~/manifests/configmap
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
xiuxian-cm-b52m2 1 /1 Running 0 2m38s 10.100 .2.21 ubuntu1 < none> < none>
root@ubuntu0:~/manifests/configmap
/
server {
listen 81 ;
listen [ ::] :81;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
kubectl logs查看Pod日志
1 .实时查看日志
[ root@master231 ~]
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
oldboyedu-xiuxian-cm-844zl 1 /1 Running 0 4m47s 10.100 .1.55 worker232 < none> < none>
[ root@master231 ~]
[ root@master231 ~]
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10 -listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf ( read-only file system?)
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2024 /11/20 03:10:00 [ notice] 1
2024 /11/20 03:10:00 [ notice] 1
2024 /11/20 03:10:00 [ notice] 1
2024 /11/20 03:10:00 [ notice] 1
2024 /11/20 03:10:00 [ notice] 1
2024 /11/20 03:10:00 [ notice] 1
2024 /11/20 03:10:00 [ notice] 1
2024 /11/20 03:10:00 [ notice] 1
10.100 .0.0 - - [ 20 /Nov/2024:03:10:08 +0000] "GET / HTTP/1.1" 200 357 "-" "curl/7.81.0" "-"
10.100 .0.0 - - [ 20 /Nov/2024:03:10:13 +0000] "GET / HTTP/1.1" 200 357 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "-"
10.100 .0.0 - - [ 20 /Nov/2024:03:10:13 +0000] "GET /1.jpg HTTP/1.1" 200 233472 "http://10.0.0.231:30080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "-"
2024 /11/20 03:10:13 [ error] 24
10.100 .0.0 - - [ 20 /Nov/2024:03:10:13 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://10.0.0.231:30080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "-"
2 .查看最近5min的日志
[ root@master231 ~]
2024 /11/20 03:16:22 [ error] 24
10.100 .0.0 - - [ 20 /Nov/2024:03:16:22 +0000] "GET /oldboyedu.html HTTP/1.1" 404 153 "-" "curl/7.81.0" "-"
3 .查看指定容器的日志(一般情况下是一个Pod有多个容器时才会使用)
[ root@master231 ~]
2024 /11/20 03:16:22 [ error] 24
10.100 .0.0 - - [ 20 /Nov/2024:03:16:22 +0000] "GET /oldboyedu.html HTTP/1.1" 404 153 "-" "curl/7.81.0" "-"
cm资源存储nginx主配置文件值subPath案例
root@ubuntu0:~/manifests/configmap
apiVersion: v1
kind: ConfigMap
metadata:
name: game-cm
data:
main.conf: |
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024 ;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format oldboyedu_nginx_json '{"@timestamp":"$time_iso8601",'
'"host":"$server_addr",'
'"clientip":"$remote_addr",'
'"SendBytes":$body_bytes_sent,'
'"responsetime":$request_time,'
'"upstreamtime":"$upstream_response_time",'
'"upstreamhost":"$upstream_addr",'
'"http_host":"$host",'
'"uri":"$uri",'
'"domain":"$host",'
'"xff":"$http_x_forwarded_for",'
'"referer":"$http_referer",'
'"tcp_xff":"$proxy_protocol_addr",'
'"http_user_agent":"$http_user_agent",'
'"status":"$status"}' ;
access_log /var/log/nginx/access.log oldboyedu_nginx_json;
sendfile on;
keepalive_timeout 65 ;
include /etc/nginx/conf.d/*.conf;
}
port.conf: |
server {
listen 81 ;
listen [ ::] :81;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
---
apiVersion: v1
kind: ReplicationController
metadata:
name: xiuxian-cm
spec:
replicas: 1
selector:
apps: xpxp-v1
template:
metadata:
labels:
apps: xpxp-v1
spec:
nodeName: ubuntu1
volumes:
- name: data
configMap:
name: "game-cm"
items:
- key: port.conf
path: default.conf
- name: data1
configMap:
name: "game-cm"
items:
- key: main.conf
path: nginx.conf
containers:
- name: nginx
image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
volumeMounts:
- name: data
mountPath: /etc/nginx/conf.d/
- name: data1
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
---
apiVersion: v1
kind: Service
metadata:
name: svc-mysql
spec:
type: NodePort
selector:
apps: xpxp-v1
ports:
- port: 80
targetPort: 81
nodePort: 30081
root@ubuntu0:~/manifests/configmap
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
xiuxian-cm-8q45n 1 /1 Running 0 7s 10.100 .2.22 ubuntu1 < none> < none>
root@ubuntu0:~/manifests/configmap
< ! DOCTYPE html>
< html>
< head>
< meta charset = "utf-8" />
< title> yinzhengjie apps v1 < /title>
< style>
div img {
width: 900px;
height: 600px;
margin: 0 ;
}
< /style>
< /head>
< body>
< h1 style = "color: green" > 凡人修仙传 v1 < /h1 >
< div>
< img src = "1.jpg" >
< div>
< /body>
< /html>
k8s部署mysql主从
root@ubuntu0:~/manifests/ReplicationController
apiVersion: v1
kind: ConfigMap
metadata:
name: game-demo
data:
master.cnf: |
[ mysqld]
log-bin= mysqllog-bin
server_id = 111
skip-host-cache
skip-name-resolve
datadir = /var/lib/mysql
socket = /var/run/mysqld/mysqld.sock
secure-file-priv= /var/lib/mysql-files
user = mysql
pid-file= /var/run/mysqld/mysqld.pid
[ client]
socket = /var/run/mysqld/mysqld.sock
! includedir /etc/mysql/conf.d/
slave.cnf: |
[ mysqld]
log-bin= mysqllog-bin
server_id = 222
skip-host-cache
skip-name-resolve
datadir = /var/lib/mysql
socket = /var/run/mysqld/mysqld.sock
secure-file-priv= /var/lib/mysql-files
user = mysql
pid-file= /var/run/mysqld/mysqld.pid
[ client]
socket = /var/run/mysqld/mysqld.sock
! includedir /etc/mysql/conf.d/
---
apiVersion: v1
kind: ReplicationController
metadata:
name: mysql-master
spec:
replicas: 1
selector:
apps: v1
template:
spec:
nodeName: ubuntu1
volumes:
- name: data
nfs:
server: ubuntu0
path: /oldboyedu/data/nfs-server/master-lib
- name: data1
configMap:
name: "game-demo"
items:
- key: master.cnf
path: my.cnf
containers:
- name: mysql-v1
image: mysql:5.7.29
ports:
- containerPort: 3306
name: mysqlport
env:
- name: MYSQL_ALLOW_EMPTY_PASSWORD
value: "yes"
- name: MYSQL_USER
value: linux94
- name: MYSQL_PASSWORD
value: 'oldboyedu'
volumeMounts:
- name: data
mountPath: /var/lib/mysql
- name: data1
mountPath: /etc/my.cnf
subPath: my.cnf
args:
- --character-set-server= utf8
- --collation-server= utf8_bin
- --default-authentication-plugin= mysql_native_password
metadata:
labels:
apps: v1
---
apiVersion: v1
kind: Service
metadata:
name: svc-mysql
spec:
selector:
apps: v1
ports:
- port: 3306
name: mysqlport
---
apiVersion: v1
kind: ReplicationController
metadata:
name: mysql-slave
spec:
replicas: 1
selector:
apps: v2
template:
spec:
nodeName: ubuntu1
volumes:
- name: data
nfs:
server: ubuntu0
path: /oldboyedu/data/nfs-server/slave-lib
- name: data1
configMap:
name: "game-demo"
items:
- key: slave.cnf
path: my.cnf
containers:
- name: mysql-v2
image: mysql:5.7.29
env:
- name: MYSQL_ALLOW_EMPTY_PASSWORD
value: "yes"
- name: MYSQL_MASTER_HOST
value: 'svc-mysql'
ports:
- containerPort: 3306
volumeMounts:
- name: data
mountPath: /var/lib/mysql
- name: data1
mountPath: /etc/my.cnf
subPath: my.cnf
metadata:
labels:
apps: v2
---
apiVersion: v1
kind: Service
metadata:
name: svc-slave
spec:
selector:
apps: v2
ports:
- port: 3306
进入主数据库查看
root@ubuntu0:~/manifests/ReplicationController
Welcome to the MySQL monitor. Commands end with ; or \ g.
Your MySQL connection id is 2
Server version: 5.7 .29-log MySQL Community Server ( GPL)
Copyright ( c) 2000 , 2020 , Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
授权用户访问
mysql> GRANT Replication slave ON *.* TO linux94;
Query OK, 0 rows affected ( 0.00 sec)
mysql> SHOW MASTER STATUS\ G
*************************** 1 . row ***************************
File: mysqllog-bin.000004
Position: 353
Binlog_Do_DB:
Binlog_Ignore_DB:
Executed_Gtid_Set:
1 row in set ( 0.00 sec)
mysql> SHOW GRANTS FOR linux94;
+-------------------------------------------------+
| Grants for linux94@% |
+-------------------------------------------------+
| GRANT REPLICATION SLAVE ON *.* TO 'linux94' @'%' |
+-------------------------------------------------+
从库配置
mysql> CHANGE MASTER TO MASTER_HOST = 'svc-mysql' ,MASTER_USER= 'linux94' ,MASTER_PASSWORD= 'oldboyedu' ,MASTER_PORT= 3306 ,MASTER_LOG_FILE= 'mysqllog-bin.000004' ,MASTER_LOG_POS= 353 ,MASTER_CONNECT_RETRY= 3 ;
Query OK, 0 rows affected, 2 warnings ( 0.04 sec)
mysql> STOP SLAVE;
Query OK, 0 rows affected, 1 warning ( 0.00 sec)
mysql> START SLAVE;
Query OK, 0 rows affected ( 0.00 sec)
mysql> SHOW SLAVE STATUS\ G
*************************** 1 . row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: svc-mysql
Master_User: linux94
Master_Port: 3306
Connect_Retry: 3
Master_Log_File: mysqllog-bin.000004
Read_Master_Log_Pos: 353
Relay_Log_File: mysql-slave-2pgsd-relay-bin.000002
Relay_Log_Pos: 323
Relay_Master_Log_File: mysqllog-bin.000004
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
secret概述
与ConfigMap类似,区别在于secret存储敏感数据,所有的数据都需要经过base64进行编码。
使用secret主要存储的是凭据信息。
参考链接:
https://kubernetes.io/zh/docs/concepts/configuration/secret/
secret资源声明式两种创建方式
2.1 方式一: 基于stringData方式(推荐)
root@ubuntu0:~/manifests/secret
apiVersion: v1
kind: Secret
metadata:
name: user-info
stringData:
username: admin
password: "1"
my.cnf: |
[ mysqld]
basedir = /oldboyedu/softwares/mysql80
port = 3306
datadir = /oldboyedu/data/mysql80
socket = /tmp/mysql80.sock
root@ubuntu0:~/manifests/secret
secret/user-info created
root@ubuntu0:~/manifests/secret
NAME TYPE DATA AGE
default-token-hszqs kubernetes.io/service-account-token 3 26d
user-info Opaque 3 7s
root@ubuntu0:~/manifests/secret
NAME TYPE DATA AGE
user-info Opaque 3 46s
root@ubuntu0:~/manifests/secret
Name: user-info
Namespace: default
Labels: < none>
Annotations: < none>
Type: Opaque
Data
== ==
my.cnf: 113 bytes
password: 1 bytes
username: 5 bytes
root@ubuntu0:~/manifests/secret
apiVersion: v1
data:
my.cnf: W215c3FsZF0KYmFzZWRpcj0vb2xkYm95ZWR1L3NvZnR3YXJlcy9teXNxbDgwCnBvcnQ9MzMwNgpkYXRhZGlyPS9vbGRib3llZHUvZGF0YS9teXNxbDgwCnNvY2tldD0vdG1wL215c3FsODAuc29jawo =
password: MQ ==
username: YWRtaW4 =
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{ "apiVersion" : "v1" ,"kind" : "Secret" ,"metadata" :{ "annotations" :{ } ,"name" : "user-info" ,"namespace" : "default" } ,"stringData" :{ "my.cnf" : "[mysqld]\n basedir=/oldboyedu/softwares/mysql80\n port=3306\n datadir=/oldboyedu/data/mysql80\n socket=/tmp/mysql80.sock\n " ,"password" : "1" ,"username" : "admin" } }
creationTimestamp: "2025-05-05T02:16:24Z"
name: user-info
namespace: default
resourceVersion: "815355"
uid: 90653274 -1030-4208-a555-032c6484029f
type: Opaque
解密:
root@ubuntu0:~/manifests/secret
DAuc29jawo = '|base64 -d
[mysqld]
basedir=/oldboyedu/softwares/mysql80
port=3306
datadir=/oldboyedu/data/mysql80
socket=/tmp/mysql80.sock
root@ubuntu0:~/manifests/secret# echo ' MQ == '|base64 -d
1root@ubuntu0:~/manifests/secret# echo ' MQ == '| base64 -d| more
1
方式二: 基于方式(不推荐,编写时容易出错)
root@ubuntu0:~/manifests/secret
bGludXg5NAo =
root@ubuntu0:~/manifests/secret
b2xkYm95ZWR1Cg ==
root@ubuntu0:~/manifests/secret
apiVersion: v1
kind: Secret
metadata:
name: admin
data:
username: bGludXg5NAo =
password: b2xkYm95ZWR1Cg ==
root@ubuntu0:~/manifests/secret
bGludXg5NAo =
root@ubuntu0:~/manifests/secret
b2xkYm95ZWR1Cg ==
root@ubuntu0:~/manifests/secret
apiVersion: v1
kind: Secret
metadata:
name: admin
data:
username: bGludXg5NAo =
password: b2xkYm95ZWR1Cg ==
root@ubuntu0:~/manifests/secret
secret/admin created
root@ubuntu0:~/manifests/secret
NAME TYPE DATA AGE
admin Opaque 2 6s
root@ubuntu0:~/manifests/secret
apiVersion: v1
data:
password: b2xkYm95ZWR1Cg ==
username: bGludXg5NAo =
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{ "apiVersion" : "v1" ,"data" :{ "password" : "b2xkYm95ZWR1Cg==" ,"username" : "bGludXg5NAo=" } ,"kind" : "Secret" ,"metadata" :{ "annotations" :{ } ,"name" : "admin" ,"namespace" : "default" } }
creationTimestamp: "2025-05-05T02:21:09Z"
name: admin
namespace: default
resourceVersion: "815756"
uid: 4e62f0f6-1940-43f7-b81c-16278cda898d
type: Opaque
响应式创建secrets常用选项
root@ubuntu0:~/manifests/secret
secret/test01 created
root@ubuntu0:~/manifests/secret
secret/test02 created
root@ubuntu0:~/manifests/secret
NAME TYPE DATA AGE
test01 Opaque 2 20s
test02 Opaque 2 9s
root@ubuntu0:~/manifests/secret
apiVersion: v1
items:
- apiVersion: v1
data:
SCHOOL: b2xkYm95ZWR1
class: bGludXg5NA ==
kind: Secret
metadata:
creationTimestamp: "2025-05-05T02:39:39Z"
name: test01
namespace: default
resourceVersion: "817317"
uid: 9255edec-24db-4490-a8b3-d0951b21c470
type: Opaque
- apiVersion: v1
data:
Data: YXBpVmVyc2lvbjogdjEKa2luZDogU2VjcmV0Cm1ldGFkYXRhOgogIG5hbWU6IGFkbWluCmRhdGE6CiAgIyBLRVnml6DpnIDlgZrku7vkvZXmk43kvZzvvIxWQUxVRei/m+ihjEJBU0U2NOaJi+WKqOe8lueggQogIHVzZXJuYW1lOiBiR2x1ZFhnNU5Bbz0KICBwYXNzd29yZDogYjJ4a1ltOTVaV1IxQ2c9PQo=
stringData: YXBpVmVyc2lvbjogdjEKa2luZDogU2VjcmV0Cm1ldGFkYXRhOgogIG5hbWU6IHVzZXItaW5mbwpzdHJpbmdEYXRhOgogIHVzZXJuYW1lOiBhZG1pbgogIHBhc3N3b3JkOiAiMSIKCiAgbXkuY25mOiB8CiAgICBbbXlzcWxkXQogICAgYmFzZWRpcj0vb2xkYm95ZWR1L3NvZnR3YXJlcy9teXNxbDgwCiAgICBwb3J0PTMzMDYKICAgIGRhdGFkaXI9L29sZGJveWVkdS9kYXRhL215c3FsODAKICAgIHNvY2tldD0vdG1wL215c3FsODAuc29jawo =
kind: Secret
metadata:
creationTimestamp: "2025-05-05T02:39:50Z"
name: test02
namespace: default
resourceVersion: "817332"
uid: b1476fdd-5182-426d-a784-7ee5b16342c1
type: Opaque
kind: List
metadata:
resourceVersion: ""
selfLink: ""
root@ubuntu0:~/manifests/secret
secret "test01" deleted
secret "test02" deleted
Pod引用secrets的两种方式
基于环境变量引入
1 .先查看一下user-info的变量
root@ubuntu0:~/manifests/secret
NAME TYPE DATA AGE
user-info Opaque 3 4d21h
root@ubuntu0:~/manifests/secret
apiVersion: v1
data:
my.cnf: W215c3FsZF0KYmFzZWRpcj0vb2xkYm95ZWR1L3NvZnR3YXJlcy9teXNxbDgwCnBvcnQ9MzMwNgpkYXRhZGlyPS9vbGRib3llZHUvZGF0YS9teXNxbDgwCnNvY2tldD0vdG1wL215c3FsODAuc29jawo =
password: MQ ==
username: YWRtaW4 =
kind: Secret
2 .基于环境变量引入
root@ubuntu0:~/manifests/secret
apiVersion: v1
kind: ReplicationController
metadata:
name: secret-env
spec:
replicas: 1
selector:
apps: v1
template:
metadata:
labels:
apps: v1
spec:
nodeName: ubuntu1
containers:
- name: xp
image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
env:
- name: env_username
valueFrom:
secretKeyRef:
name: user-info
key: username
- name: env_mycnf
valueFrom:
secretKeyRef:
name: user-info
key: my.cnf
root@ubuntu0:~/manifests/secret
replicationcontroller/secret-env created
root@ubuntu0:~/manifests/secret
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql-master-4zxp6 1 /1 Running 0 5d 10.100 .2.30 ubuntu1 < none> < none>
mysql-slave-2pgsd 1 /1 Running 0 5d 10.100 .2.29 ubuntu1 < none> < none>
secret-env-78xjs 1 /1 Running 0 29s 10.100 .2.32 ubuntu1 < none> < none>
查看环境变量,他会自动的解密
root@ubuntu0:~/manifests/secret
env_username = admin
env_mycnf = [ mysqld]
basedir = /oldboyedu/softwares/mysql80
port = 3306
datadir = /oldboyedu/data/mysql80
socket = /tmp/mysql80.sock
基于存储卷的方式引用
root@ubuntu0:~/manifests/secret
apiVersion: v1
kind: ReplicationController
metadata:
name: oldboyedu-rc-nfs-v1
spec:
replicas: 1
selector:
apps: v1
template:
metadata:
labels:
apps: v1
spec:
nodeName: ubuntu1
volumes:
- name: data
secret:
secretName: user-info
items:
- key: username
path: username.txt
- key: password
path: password.txt
- key: my.cnf
path: my.cnf
containers:
- name: nginx
image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
volumeMounts:
- name: data
mountPath: /oldboyedu
root@ubuntu0:~/manifests/secret
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql-master-4zxp6 1 /1 Running 0 5d 10.100 .2.30 ubuntu1 < none> < none>
mysql-slave-2pgsd 1 /1 Running 0 5d 10.100 .2.29 ubuntu1 < none> < none>
oldboyedu-rc-nfs-v1-5cx5d 1 /1 Running 0 8s 10.100 .2.33 ubuntu1 < none> < none>
root@ubuntu0:~/manifests/secret
/
total 0
lrwxrwxrwx 1 root root 13 May 10 00:42 my.cnf -> .. data/my.cnf
lrwxrwxrwx 1 root root 19 May 10 00:42 password.txt -> .. data/password.txt
lrwxrwxrwx 1 root root 19 May 10 00:42 username.txt -> .. data/username.txt
/
[ mysqld]
basedir = /oldboyedu/softwares/mysql80
port = 3306
datadir = /oldboyedu/data/mysql80
socket = /tmp/mysql80.sock
基于响应式secret实现harbor登录认证案例
1 .响应式创建harbor的认证信息
[ root@master231 case-demo]
secret/oldboyedu-harbor created
[ root@master231 case-demo]
NAME TYPE DATA AGE
oldboyedu-harbor kubernetes.io/dockerconfigjson 1 9s
2 .创建测试
[ root@master231 case-demo]
apiVersion: v1
kind: ReplicationController
metadata:
name: oldboyedu-private-harbor
spec:
replicas: 3
selector:
apps: linux
template:
spec:
imagePullSecrets:
- name: oldboyedu-harbor
containers:
- name: c1
image: harbor.oldboyedu.com/oldboyedu-linux/alpine:latest
imagePullPolicy: Always
stdin: true
metadata:
labels:
apps: linux
[ root@master231 case-demo]
[ root@master231 case-demo]
replicationcontroller/oldboyedu-private-harbor created
[ root@master231 case-demo]
[ root@master231 case-demo]
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
oldboyedu-private-harbor-f7hmj 1 /1 Running 0 4s 10.100 .1.64 worker232 < none> < none>
oldboyedu-private-harbor-gkmtm 1 /1 Running 0 4s 10.100 .2.120 worker233 < none> < none>
oldboyedu-private-harbor-pmf5q 1 /1 Running 0 4s 10.100 .2.119 worker233 < none> < none>
[ root@master231 case-demo]
基于声明式secret实现harbor登录认证案例
1 .harbor创建用户名和密码
用户名称: linux94
密码: Linux@2024
邮箱: linux94@oldboyedu.com
2 .对认证信息进行base64编码
[ root@master231 case-demo]
bGludXg5NDpMaW51eEAyMDI0
[ root@master231 case-demo]
3 .得到最终的认证信息:
{ "auths" :{ "harbor.oldboyedu.com" :{ "username" : "linux94" ,"password" : "Linux@2024" ,"email" : "linux94@oldboyedu.com" ,"auth" : "bGludXg5NDpMaW51eEAyMDI0" } } }
4 .编写资源清单
[ root@master231 case-demo]
apiVersion: v1
kind: Secret
metadata:
name: linux94-harbor
stringData:
.dockerconfigjson: '{"auths":{"harbor.oldboyedu.com":{"username":"linux94","password":"Linux@2024","email":"linux94@oldboyedu.com","auth":"bGludXg5NDpMaW51eEAyMDI0"}}}'
type: kubernetes.io/dockerconfigjson
---
apiVersion: v1
kind: ReplicationController
metadata:
name: oldboyedu-private-harbor
spec:
replicas: 3
selector:
apps: linux
template:
spec:
imagePullSecrets:
- name: linux94-harbor
containers:
- name: c1
image: harbor.oldboyedu.com/oldboyedu-linux/alpine:latest
imagePullPolicy: Always
stdin: true
metadata:
labels:
apps: linux
[ root@master231 case-demo]
[ root@master231 case-demo]
secret/linux94-harbor created
replicationcontroller/oldboyedu-private-harbor created
[ root@master231 case-demo]
[ root@master231 case-demo]
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
oldboyedu-private-harbor-6kf6t 1 /1 Running 0 3s 10.100 .2.124 worker233 < none> < none>
oldboyedu-private-harbor-prqnv 1 /1 Running 0 3s 10.100 .2.125 worker233 < none> < none>
oldboyedu-private-harbor-tcp27 1 /1 Running 0 3s 10.100 .1.68 worker232 < none> < none>
[ root@master231 case-demo]
基于serviceaccounts绑定secret实现harbor认证
root@ubuntu0:/oldboyedu/softwares/harbor
serviceaccounts sa v1 true ServiceAccount
1 .响应式创建账号
root@ubuntu0:/oldboyedu/softwares/harbor
serviceaccount/xixi created
root@ubuntu0:/oldboyedu/softwares/harbor
NAME SECRETS AGE
xixi 1 61s
root@ubuntu0:/oldboyedu/softwares/harbor
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: "2025-05-18T12:03:44Z"
name: xixi
namespace: default
resourceVersion: "1617334"
uid: 8597121b-be87-4e33-a25b-d7f84a2fc43d
secrets:
- name: xixi-token-f4d9p
2 .查看账号后端的Image pull secrets
root@ubuntu0:/oldboyedu/softwares/harbor
Name: xixi
Namespace: default
Labels: < none>
Annotations: < none>
Image pull secrets: < none>
Mountable secrets: xixi-token-f4d9p
Tokens: xixi-token-f4d9p
Events: < none>
由于上面的镜像拉去策略为空,所以更新账号绑定的信息
[ root@master231 serviceaccounts]
serviceaccount/xixi patched
[ root@master231 serviceaccounts]
[ root@master231 serviceaccounts]
Name: xixi
Namespace: default
Labels: < none>
Annotations: < none>
Image pull secrets: oldboyedu-harbor
Mountable secrets: xixi-token-nk9z4
Tokens: xixi-token-nk9z4
Events: < none>
4 .响应式更新账号的信息
[ root@master231 serviceaccounts]
NAME TYPE DATA AGE
oldboyedu-harbor kubernetes.io/dockerconfigjson 1 66m
[ root@master231 serviceaccounts]
[ root@master231 serviceaccounts]
Name: xixi
Namespace: default
Labels: < none>
Annotations: < none>
Image pull secrets: < none>
Mountable secrets: xixi-token-nk9z4
Tokens: xixi-token-nk9z4
Events: < none>
[ root@master231 serviceaccounts]
[ root@master231 serviceaccounts]
serviceaccount/xixi patched
[ root@master231 serviceaccounts]
[ root@master231 serviceaccounts]
Name: xixi
Namespace: default
Labels: < none>
Annotations: < none>
Image pull secrets: oldboyedu-harbor
Mountable secrets: xixi-token-nk9z4
Tokens: xixi-token-nk9z4
Events: < none>
[ root@master231 serviceaccounts]
5 .Pod使用sa账号拉取镜像
[ root@master231 case-demo]
apiVersion: v1
kind: Secret
metadata:
name: linux94-harbor
stringData:
.dockerconfigjson: '{"auths":{"harbor.oldboyedu.com":{"username":"linux94","password":"Linux@2024","email":"linux94@oldboyedu.com","auth":"bGludXg5NDpMaW51eEAyMDI0"}}}'
type: kubernetes.io/dockerconfigjson
---
apiVersion: v1
imagePullSecrets:
- name: linux94-harbor
kind: ServiceAccount
metadata:
name: linux94
namespace: default
---
apiVersion: v1
kind: ReplicationController
metadata:
name: oldboyedu-private-harbor
spec:
replicas: 3
selector:
apps: linux
template:
spec:
serviceAccount: linux94
containers:
- name: c1
image: harbor.oldboyedu.com/oldboyedu-linux/alpine:latest
imagePullPolicy: Always
stdin: true
metadata:
labels:
apps: linux
[ root@master231 case-demo]
pod创建流程
- Pod创建流程:
Pod的创建,删除,修改流程:
1 .执行kubectl命令时会加载"~/.kube/config" ,从而识别到apiserver的地址,端口及认证证书;
2 .apiserver进行证书认证,鉴权,语法检查,若成功则可以进行数据的读取或者写入;
3 .若用户是写入操作( 创建,修改,删除) 则需要修改etcd数据库的信息;
4 .如果创建Pod,此时scheduler负责Pod调度,将Pod调度到合适的worker节点,并将结果返回给ApiServer存储到etcd中;
5 .kubelet组件会周期性上报给apiServer节点,包括Pod内的容器资源( cpu,memory,disk,gpu,.. .) 及worker宿主机节点状态,apiServer并将结果存储到etcd中,若有该节点的任务也会直接返回给该节点进行调度;
6 .kubelet开始调用CRI接口创建容器( 依次创建pause,initContainers,containers) ;
7 .在运行过程中,若Pod容器,正常或者异常退出时,kubelet会根据重启策略是否重启容器( Never,Always,OnFailure) ;
8 .若一个节点怪掉,则需要controller manager介入维护,比如Pod副本数量缺失,则需要创建watch事件,要求控制器的副本数要达到标准,从而要创建新的Pod,此过程重复步骤4-6。
k8s部署jenkins
apiVersion: v1
kind: Namespace
metadata:
name: devops
---
apiVersion: v1
kind: ReplicationController
metadata:
name: oldboyedu-jenkins
namespace: devops
spec:
replicas: 1
selector:
apps: jenkins
template:
spec:
nodeName: worker233
volumes:
- name: data
nfs:
server: 10.0 .0.231
path: /oldboyedu/data/nfs-server/volumes/devops/jenkins
containers:
- name: c1
image: harbor.oldboyedu.com/oldboyedu-devops/jenkins:2.479.1-alpine-jdk21
ports:
- containerPort: 8080
volumeMounts:
- name: data
mountPath: /var/jenkins_home/
metadata:
labels:
apps: jenkins
---
apiVersion: v1
kind: Service
metadata:
name: svc-jenkins
namespace: devops
spec:
type: NodePort
selector:
apps: jenkins
ports:
- port: 8080
nodePort: 30083
[ root@master231 case-demo]
3 .温馨提示:
- 在使用资源清单之前,应该先将Jenkins运行起来,安装常用的插件;
- 再将/var/jenkins_home/数据拷贝到"/oldboyedu/data/nfs-server/volumes/devops/jenkins" 中。