定义

ConfigMap

明文配置

1
2
3
4
5
6
7
8
$ k create cm info --from-literal=name=zhongmingmao --dry-run=client -oyaml
apiVersion: v1
data:
  name: zhongmingmao
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: info

ConfigMap 没有 spec,因为 ConfigMap 存储的是配置数据,并不是容器,因此没有运行时规格

ConfigMap 里的数据都是 Key-Value 结构

cm.yml
1
2
3
4
5
6
7
8
9
10
apiVersion: v1
kind: ConfigMap
metadata:
  name: info

data:
  name: zhongmingmao
  city: guangzhou
  greeting: |
    hello kubernetes!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ k apply -f cm.yml
configmap/info created

$ k get cm
NAME               DATA   AGE
info               3      81s

$ k describe cm info
Name:         info
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
city:
----
guangzhou
greeting:
----
hello kubernetes!

name:
----
zhongmingmao

BinaryData
====

Events:  <none>

Secret

机密配置,有多种分类

  1. 访问私有镜像仓库的认证信息
  2. 身份识别的凭证信息
  3. HTTPS 通信的证书和私钥
  4. 一般的机密信息

Base64 编码

1
2
3
4
5
6
7
8
9
10
11
$ k create secret generic user --from-literal=password=1234 --dry-run=client -oyaml
apiVersion: v1
data:
  password: MTIzNA==
kind: Secret
metadata:
  creationTimestamp: null
  name: user

$ echo -n 'MTIzNA==' | base64 -d
1234
secret.yml
1
2
3
4
5
6
7
8
apiVersion: v1
kind: Secret
metadata:
  name: user

data:
  city: Z3Vhbmd6aG91
  password: MTIzNA==

通过 describe 无法直接查看内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
$ k apply -f secret.yml
secret/user created

$ k get secrets
NAME                  TYPE                                  DATA   AGE
user                  Opaque                                2      3m52s

$ k describe secrets user
Name:         user
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
city:      9 bytes
password:  4 bytes

$ k get secrets user -oyaml
apiVersion: v1
data:
  city: Z3Vhbmd6aG91
  password: MTIzNA==
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"city":"Z3Vhbmd6aG91","password":"MTIzNA=="},"kind":"Secret","metadata":{"annotations":{},"name":"user","namespace":"default"}}
  creationTimestamp: "2022-06-16T14:19:36Z"
  name: user
  namespace: default
  resourceVersion: "7418"
  uid: 42accd15-acbd-4041-9270-3344726277a9
type: Opaque

使用

ConfigMap 和 Secret 只是存储在 etcd 中的字符串,需要注入到 Pod

Environment variable

valueFrom - 指定了环境变量值的来源

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$ k explain pod.spec.containers.env.valueFrom
KIND:     Pod
VERSION:  v1

RESOURCE: valueFrom <Object>

DESCRIPTION:
     Source for the environment variable's value. Cannot be used if value is not
     empty.

     EnvVarSource represents a source for the value of an EnvVar.

FIELDS:
   configMapKeyRef    <Object>
     Selects a key of a ConfigMap.

   fieldRef    <Object>
     Selects a field of the pod: supports metadata.name, metadata.namespace,
     `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, spec.nodeName,
     spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

   resourceFieldRef    <Object>
     Selects a resource of the container: only resources limits and requests
     (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu,
     requests.memory and requests.ephemeral-storage) are currently supported.

   secretKeyRef    <Object>
     Selects a key of a secret in the pod's namespace
env-pod.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
apiVersion: v1
kind: Pod
metadata:
  name: env-pod

spec:
  containers:
  - name: busy
    image: busybox
    imagePullPolicy: IfNotPresent
    command: ["/bin/sleep", "300"]
    env:
     - name: NAME
       valueFrom:
         configMapKeyRef:
           name: info
           key: name
     - name: CITY
       valueFrom:
         configMapKeyRef:
           name: info
           key: city
     - name: GREETING
       valueFrom:
         configMapKeyRef:
           name: info
           key: greeting
     - name: USER_CITY
       valueFrom:
         secretKeyRef:
           name: user
           key: city
     - name: PASSWORD
       valueFrom:
         secretKeyRef:
           name: user
           key: password
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ k apply -f pod.yml
pod/env-pod created

$  k get pod
NAME      READY   STATUS    RESTARTS   AGE
env-pod   1/1     Running   0          19s

$ k exec -it env-pod -- env
...
NAME=zhongmingmao
CITY=guangzhou
GREETING=hello kubernetes!

USER_CITY=guangzhou
PASSWORD=1234
...

解耦

image-20230616225220865

Volume

Volume 属于 Pod,不属于某个容器,因此 volumes 与 containers 同级

使用 Volume 统一抽象了所有存储(临时卷、持久卷、动态卷、快照卷等),扩展性非常好

volume-pod.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
apiVersion: v1
kind: Pod
metadata:
  name: volume-pod

spec:
  containers:
  - name: busy
    image: busybox
    imagePullPolicy: IfNotPresent
    command: ["/bin/sleep", "300"]
    volumeMounts:
    - mountPath: /tmp/cm-items
      name: cm-vol
    - mountPath: /tmp/secret-items
      name: secret-vol
  volumes:
  - name: cm-vol
    configMap:
      name: info
  - name: secret-vol
    secret:
      secretName: user

ConfigMap 和 Secret 都成了目录的形式,Key-Value 变成了文件,Key 为文件名

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
$ k apply -f volume-pod.yml
pod/volume-pod created

$ k get pod
NAME         READY   STATUS    RESTARTS   AGE
volume-pod   1/1     Running   0          14s

$ k exec -it volume-pod -- sh
/ # ls /tmp/cm-items
city      greeting  name
/ #
/ # cat /tmp/cm-items/greeting
hello kubernetes!
/ #
/ # ls /tmp/secret-items/
city      password
/ #
/ # cat /tmp/secret-items/password
1234/ #
/ #
/ # df -h | grep /tmp/
                         10.2G      6.7G      3.0G  69% /tmp/cm-items
tmpfs                     3.8G      8.0K      3.8G   0% /tmp/secret-items
/ #
/ # exit

image-20230616231352227