Pod 配置管理
Key |
Value |
独立资源 |
ConfigMap |
|
Secret |
|
ServiceAccount |
Pod.spec |
Resources |
|
SecurityContext |
|
InitContainers |
ConfigMap
用途
- 管理容器运行时所需要的配置文件、环境变量、命令行参数等可变配置
- 用于解耦容器镜像和可变配置,从而保证工作负载(Pod)的可移植性
创建
指定键值对
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
| $ kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=charm configmap/special-config created
$ kubectl get configmaps special-config -o yaml apiVersion: v1 data: special.how: very special.type: charm kind: ConfigMap metadata: creationTimestamp: "2021-07-12T07:37:10Z" name: special-config namespace: default resourceVersion: "15441" selfLink: /api/v1/namespaces/default/configmaps/special-config uid: 03b63c92-9103-4eac-8d93-5cf69adfd594
|
指定文件
info.json1 2 3 4 5 6
| { "name": "zhongmingmao", "other": { "location": "Guang Zhou" } }
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
| $ kubectl create configmap info-config --from-file=info.json configmap/info-config created
$ kubectl get configmaps info-config -o yaml apiVersion: v1 data: info.json: |- { "name": "zhongmingmao", "other": { "location": "Guang Zhou" } } kind: ConfigMap metadata: creationTimestamp: "2021-07-12T07:40:54Z" name: info-config namespace: default resourceVersion: "15602" selfLink: /api/v1/namespaces/default/configmaps/info-config uid: 5d0ac44b-69fb-4dbf-9c61-d26024f3c12b
|
使用
环境变量
cm-env-test.yml1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
| apiVersion: v1 kind: Pod metadata: name: cm-env-test spec: containers: - name: test-container image: busybox command: - /bin/sh - '-c' - env env: - name: SPECIAL_LEVEL_KEY valueFrom: configMapKeyRef: name: special-config key: special.how restartPolicy: Never
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
| $ kubectl apply -f cm-env-test.yaml pod/cm-env-test created
$ kubectl get pods NAME READY STATUS RESTARTS AGE cm-env-test 0/1 Completed 0 16s
$ kubectl logs cm-env-test KUBERNETES_SERVICE_PORT=443 KUBERNETES_PORT=tcp://10.96.0.1:443 HOSTNAME=cm-env-test SHLVL=1 HOME=/root KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin KUBERNETES_PORT_443_TCP_PORT=443 KUBERNETES_PORT_443_TCP_PROTO=tcp SPECIAL_LEVEL_KEY=very KUBERNETES_SERVICE_PORT_HTTPS=443 KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443 KUBERNETES_SERVICE_HOST=10.96.0.1 PWD=/
|
命令行参数
cm-cmd-test.yaml1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
| apiVersion: v1 kind: Pod metadata: name: cm-cmd-test spec: containers: - name: test-container image: busybox command: - /bin/sh - '-c' - echo $(SPECIAL_LEVEL_KEY) env: - name: SPECIAL_LEVEL_KEY valueFrom: configMapKeyRef: name: special-config key: special.how restartPolicy: Never
|
1 2 3 4 5 6 7 8 9
| $ kubectl apply -f cm-cmd-test.yaml pod/cm-cmd-test created
$ kubectl get pods NAME READY STATUS RESTARTS AGE cm-cmd-test 0/1 Completed 0 6s
$ kubectl logs cm-cmd-test very
|
挂载 Volume
cm-volume-test.yaml1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
| apiVersion: v1 kind: Pod metadata: name: cm-volume-test spec: containers: - name: test-container image: busybox command: - /bin/sh - '-c' - ls /etc/config volumeMounts: - name: config-volume mountPath: /etc/config volumes: - name: config-volume configMap: name: special-config restartPolicy: Never
|
ConfigMap中指定的内容以文件的形式挂载到容器中
1 2 3 4 5 6 7 8 9 10
| $ kubectl apply -f cm-volume-test.yaml pod/cm-volume-test created
$ kubectl get pods NAME READY STATUS RESTARTS AGE cm-volume-test 0/1 Completed 0 6s
$ kubectl logs cm-volume-test special.how special.type
|
注意事项
- ConfigMap 文件大小的限制:1MB(Etcd)
- Pod 只能引用相同 Namespce 中的 ConfigMap
- Pod 引用的 ConfigMap 不存在时,Pod 无法创建成功
- 使用 valueFrom 从 ConfigMap 来配置环境变量时
- ConfigMap 中某些 Key 被认为无效,该环境变量不会被注入容器,但 Pod 可以正常创建
- 只有通过 Kubernetes API 创建的 Pod 才能使用 ConfigMap
Secret
用途
- 在集群中,用于存储密码、Token 等敏感信息
- 敏感数据采用 Base64 编码(编码 != 加密)
- 类型
- Opaque:普通的 Secret 文件
- service-account-token:用于 Service Account 身份认证的 Secret
- dockerconfigjson:用于拉取私有仓库镜像的 Secret
- bootstrap.token:用于节点接入集群校验用的 Secret
创建
Secret 可以用户自己创建,或者系统自动创建
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
| $ kubectl create secret generic my-secret --from-literal=username=zhongmingmao --from-literal=password=123 secret/my-secret created
$ kubectl get secrets NAME TYPE DATA AGE default-token-c9smw kubernetes.io/service-account-token 3 16h my-secret Opaque 2 12s
$ kubectl get secrets my-secret -o yaml apiVersion: v1 data: password: MTIz username: emhvbmdtaW5nbWFv kind: Secret metadata: creationTimestamp: "2021-07-12T08:27:51Z" name: my-secret namespace: default resourceVersion: "17716" selfLink: /api/v1/namespaces/default/secrets/my-secret uid: b99400ef-5375-4ca2-9e73-183afb7e732b type: Opaque
|
使用
Secret 主要被 Pod 使用,一般是通过挂载 Volume 的方式
用户定义 Secret
my-pod.yaml1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
| apiVersion: v1 kind: Pod metadata: name: my-pod spec: containers: - name: my-pod image: busybox command: - /bin/sh - '-c' - ls /etc/secret/ && cat /etc/secret/* volumeMounts: - name: secret-volume mountPath: /etc/secret readOnly: true volumes: - name: secret-volume secret: secretName: my-secret restartPolicy: Never
|
1 2 3 4 5 6 7 8 9 10 11
| $ kubectl apply -f my-pod.yaml pod/my-pod created
$ kubectl get pods NAME READY STATUS RESTARTS AGE my-pod 0/1 Completed 0 31s
$ kubectl logs my-pod password username 123zhongmingmao
|
系统定义 Secret
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
| $ kubectl get secrets NAME TYPE DATA AGE default-token-c9smw kubernetes.io/service-account-token 3 16h my-secret Opaque 2 25m
$ kubectl describe secrets default-token-c9smw Name: default-token-c9smw Namespace: default Labels: <none> Annotations: kubernetes.io/service-account.name: default kubernetes.io/service-account.uid: 17de15bb-32c1-48be-9daf-0277d1a1fc05
Type: kubernetes.io/service-account-token
Data ==== ca.crt: 1111 bytes namespace: 7 bytes token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tYzlzbXciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjE3ZGUxNWJiLTMyYzEtNDhiZS05ZGFmLTAyNzdkMWExZmMwNSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.fw6HUYI6GAjd7P_uuSQZxa3cAOsxoAtdjExMOM_OWtXZu7sFqDd2jUsEJdY41eFhA19Zl9ASlsby_pE-3brVV-TceMknZhriF1XgWDVLozyJSoOO_ias04ed8XFNYB5MsxpcyKEmkgeOAXlJwSE73sPF-YNUKvMfhK55qDMzIylDD0KIH2LGaIpuH5TdbcHwDlMZmUCe0JtSUlYurltcb5ZJSZ-36Vuquy9oc_5xivdpi8505uXRb7Y00ieBiYgQ0O18aIOM8w-WV7ppS83vjo5GciOsGSssEzvix9Fh2W5BOZGXsq1I1zoHxtUefJ3B8aUq9wTRmy1BLRIKVYPTwg
$ kubectl get serviceaccounts NAME SECRETS AGE default 1 16h
$ kubectl get serviceaccounts default -o yaml apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: "2021-07-11T16:02:40Z" name: default namespace: default resourceVersion: "359" selfLink: /api/v1/namespaces/default/serviceaccounts/default uid: 17de15bb-32c1-48be-9daf-0277d1a1fc05 secrets: - name: default-token-c9smw
|
my-pod-for-service-account-token.yaml1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
| apiVersion: v1 kind: Pod metadata: name: my-pod-for-service-account-token spec: containers: - name: my-pod-for-service-account-token image: busybox command: - /bin/sh - '-c' - ls /etc/secret/ volumeMounts: - name: default-token-c9smw mountPath: /etc/secret readOnly: true volumes: - name: default-token-c9smw secret: secretName: default-token-c9smw restartPolicy: Never
|
1 2 3 4 5 6 7
| $ kubectl apply -f my-pod-for-service-account-token.yaml pod/my-pod-for-service-account-token created
$ kubectl logs my-pod-for-service-account-token ca.crt namespace token
|
注意事项
- Secret 文件大小限制:1MB
- Secret 采用 Base64 编码(编码 != 加密,可选方案:Kubernetes + Vault)
- 由于 List/Watch 会获取 Namespace 下所有的 Secret,建议使用 Get
ServiceAccount
用途
- 用于解决 Pod 在集群中的身份认证问题
- 认证使用的授权信息,通过Secret(kubernetes.io/service-account-token)进行管理
实践
- ServiceAccount.secrets:指定 ServiceAccount 使用哪个 Secret,由 Kubernetes 自动添加
- ca.crt:用于校验服务端的证书信息
- token:用于 Pod 的身份认证
- service-account.uid:Secret 关联的 ServiceAccount
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
| $ kubectl get serviceaccounts NAME SECRETS AGE default 1 16h
$ kubectl get serviceaccounts default -o yaml apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: "2021-07-11T16:02:40Z" name: default namespace: default resourceVersion: "359" selfLink: /api/v1/namespaces/default/serviceaccounts/default uid: 17de15bb-32c1-48be-9daf-0277d1a1fc05 secrets: - name: default-token-c9smw
$ kubectl get secrets default-token-c9smw -o yaml apiVersion: v1 data: ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCakNDQWU2Z0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwdGFXNXAKYTNWaVpVTkJNQjRYRFRJeE1EY3dOakUwTWpnd05Wb1hEVE14TURjd05URTBNamd3TlZvd0ZURVRNQkVHQTFVRQpBeE1LYldsdWFXdDFZbVZEUVRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBUHpDCjR1eWpiV3FLa2UyaDVuQVZlYlV0cjFLT2Frd1ZPamRDS3NUeFlwemduYWpXT3JNaVhOdkZWakVzT2pDa0pLeHMKSGkveHlicURvMEFaK0NZTW9LTFN2Nkk1amF0NnlPUTU1OW9MUEpKcVlobThySUtnVndVK1d0WHNSM0lMeU13Vgp4bDdjaVFqMFRIV01NSGNLS3lLZlI0SDltTzdsY2hNS3FkRUhNelBUOExZUkllTlpuaTN1RHYvSlVrVmdtSnlSClNRYllhUFdodWNkbkpVWW53UVR6d1Rtamd0ZEtQd2JkV05hOXFkY2t1blEzV0NJeHRPMHhuM3Jld3RLMkNqekwKaXc0dWhLWmg3TWJCSGhXNzJDdU1MbEkwYlVEaHRLd1pHdTRUN0ttWDc1L0hVVmNnUUM4dWp4WnBpa0JYdXJBRwpUNGw4a0VGVXpjQlJzYkZaajdjQ0F3RUFBYU5oTUY4d0RnWURWUjBQQVFIL0JBUURBZ0trTUIwR0ExVWRKUVFXCk1CUUdDQ3NHQVFVRkJ3TUNCZ2dyQmdFRkJRY0RBVEFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQjBHQTFVZERnUVcKQkJSQm9RdytFVWNxc3l6VXFVbXRvZENpTnBHOUFEQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFqR2E5R2xDQwpWRVFpc2lpajdicHY1VmxCb2Z2QW00U0lTNXlPOFVlTENJTDN2MVg4cHdKWDN6S1hNY2hYSTNiMTlrOExHdStiCjUwWWR3cEhjNUg5VmplTkhWcTVOdGZRZzlNcE5zclB6OC9Cb1BOV08wRE1yTXhUN1JmVXBQMDViZWFjOVZZRDAKTzA3TnowRDRWK0t1cUdXaXdjam53Qld6b0I1cmE5VS9Cb2g4L1FHdEplb3BxdjJWb1pQYmlXM3RBTGdwb0hKawpoL1NrYXo2OU9ERS9iZmRNeWlTc0xYUDZpSlZoOFdTdHlxelZXMFhWVlVBRjdGR2p0ek11SlZZQ2t0RVhxNURPCkIra3Y0N0V1VmFHZHpnQ2VPRG5xNkF3WFlMUTYwQ2J4NjBDRW9EeE40TmRTWjRuYmpxV0xWL1d0cG9sc2ZlQ0EKWXNLRFJmWWd1TDhnd1E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== namespace: ZGVmYXVsdA== token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmtaV1poZFd4MElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkltUmxabUYxYkhRdGRHOXJaVzR0WXpsemJYY2lMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzV1WVcxbElqb2laR1ZtWVhWc2RDSXNJbXQxWW1WeWJtVjBaWE11YVc4dmMyVnlkbWxqWldGalkyOTFiblF2YzJWeWRtbGpaUzFoWTJOdmRXNTBMblZwWkNJNklqRTNaR1V4TldKaUxUTXlZekV0TkRoaVpTMDVaR0ZtTFRBeU56ZGtNV0V4Wm1Nd05TSXNJbk4xWWlJNkluTjVjM1JsYlRwelpYSjJhV05sWVdOamIzVnVkRHBrWldaaGRXeDBPbVJsWm1GMWJIUWlmUS5mdzZIVVlJNkdBamQ3UF91dVNRWnhhM2NBT3N4b0F0ZGpFeE1PTV9PV3RYWnU3c0ZxRGQyalVzRUpkWTQxZUZoQTE5Wmw5QVNsc2J5X3BFLTNiclZWLVRjZU1rblpocmlGMVhnV0RWTG96eUpTb09PX2lhczA0ZWQ4WEZOWUI1TXN4cGN5S0Vta2dlT0FYbEp3U0U3M3NQRi1ZTlVLdk1maEs1NXFETXpJeWxERDBLSUgyTEdhSXB1SDVUZGJjSHdEbE1abVVDZTBKdFNVbFl1cmx0Y2I1WkpTWi0zNlZ1cXV5OW9jXzV4aXZkcGk4NTA1dVhSYjdZMDBpZUJpWWdRME8xOGFJT004dy1XVjdwcFM4M3ZqbzVHY2lPc0dTc3NFenZpeDlGaDJXNUJPWkdYc3ExSTF6b0h4dFVlZkozQjhhVXE5d1RSbXkxQkxSSUtWWVBUd2c= kind: Secret metadata: annotations: kubernetes.io/service-account.name: default kubernetes.io/service-account.uid: 17de15bb-32c1-48be-9daf-0277d1a1fc05 creationTimestamp: "2021-07-11T16:02:40Z" name: default-token-c9smw namespace: default resourceVersion: "355" selfLink: /api/v1/namespaces/default/secrets/default-token-c9smw uid: a467ae46-fa55-405e-b836-e383f98e103b type: kubernetes.io/service-account-token
|
Pod 访问 Kubernetes 集群
- Pod 创建时 Admission Controller 会根据指定的 ServiceAccount(默认是 default) 把对应的 Secret 挂载到容器中的固定目录(**/var/run/secrets/kubernetes.io/serviceaccount**)
- 当 Pod 访问集群时,默认利用 Secret 中的 token 来认证 Pod 身份(ca.art 用于校验服务端)
- Pod 通过身份认证后,其权限需要通过 RBAC 来配置,默认是 GET 权限
Resource
spec.containers[].resources
- 内部支持的资源类型(配置时,指定的数量必须是整数)
- CPU:单位 millicore(1 core = 1000 millicore)
- 内存:单位 Byte
- 临时存储:单位 Byte
- requests:申明需要的资源
- limits: 申明需要资源的边界
Qos
- 分类
- Guaranteed
- Pod 里的每个容器都必须有内存和 CPU 的 requests 和 limits,且必须一样
- Burstable(可爆)
- Pod 里至少有一个容器有内存或 CPU 的 requests
- BestEffort
- !Guaranteed && !BestEffort
- 当节点上资源不足时,驱逐 Pod 的优先级顺序:BestEffort、Burstable、Guaranteed
SecurityContext
- 主要用于限制容器行为,从而保障系统和其他容器的安全
- 不是 Kubernetes 或者 Container Runtime 本身的能力,而是依赖于内核机制
- 级别
- 容器级别的SecurityContext:仅对指定容器生效
- Pod 级别的SecurityContext:对指定 Pod 中的所有容器生效
- Pod Security Policies:对集群内所有 Pod 生效
InitContainer
- InitContainer vs 普通 Container
- InitContainer 会先于普通 Container 启动执行,直到所有 InitContainer 执行成功后,普通 Container 才会被启动
- Pod 中多个 InitContainer 之间按顺序启动,而 Pod 中多个普通 Container 是并行启动
- InitContainer 执行成功后就结束退出,而普通 Container 会一直执行或者重启(restartPolicy != Never)
- 用途
- 一般用于普通 Container启动前的初始化或者前置条件检验
参考资料
- CNCF × Alibaba 云原生技术公开课