1. Secret
A Secret is a Kubernetes resource for storing sensitive data such as passwords, tokens and keys. This kind of data could also be baked into a Pod spec or a container image, but keeping it in a Secret gives finer control over how it is consumed and reduces the risk of exposure: image layers and Pod specs are far more widely readable than a Secret protected by properly scoped RBAC.
Three commonly used types:
1. kubernetes.io/service-account-token: created by Kubernetes for a ServiceAccount and used to authenticate to the API server. By default a Pod gets its ServiceAccount's token mounted at /var/run/secrets/kubernetes.io/serviceaccount and uses it to talk to the API server. Workloads that never call the API should set automountServiceAccountToken: false, since that token is the first thing an attacker in a compromised container reaches for. (From Kubernetes 1.24 the token is normally a short-lived projected token rather than a long-lived Secret.)
2. Opaque: the default type, for arbitrary user-defined data such as passwords and keys. Values are stored base64-encoded in the object; that is an encoding, not encryption, and anyone allowed to read the Secret can decode them.
3. kubernetes.io/dockerconfigjson: credentials for a private container registry, referenced through imagePullSecrets.
A Pod must reference a Secret before it can use it. There are three ways:
● as files in a volume mounted into one or more containers;
● as environment variables of a container;
● by the kubelet, when pulling images for the Pod (imagePullSecrets).
Of the first two, a volume mount is the safer choice: environment variables are inherited by every child process and can be read from /proc/<pid>/environ by any process in the container, while a mounted file can be made read-only and restricted with defaultMode.
See Secrets | Kubernetes for details.
2. Create Secret
1. Create a Secret from files
echo -n 'zhangsan' > username.txt
echo -n 'abc1234' > password.txt
kubectl create secret generic mysecret --from-file=username.txt --from-file=password.txt

kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-8pqp6   kubernetes.io/service-account-token   3      3d1h
mysecret              Opaque                                2      51s

kubectl describe secret mysecret
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  <none>
Type:         Opaque

Data
====
password.txt:  7 bytes
username.txt:  8 bytes
//The -n on echo matters: without it each file, and therefore each value, gains a trailing newline that will later break authentication. get and describe show only key names and sizes, not the contents; this keeps the values out of terminals and logs, but it is not a security boundary. Anyone with get on the Secret can read the base64 values with -o yaml, as shown with mysecret1 below, so RBAC on the secrets resource is the real control.
2. Encode the values with base64 and create the Secret from a manifest
echo -n zhangsan | base64
emhhbmdzYW4=
echo -n abc1234 | base64
YWJjMTIzNA==

vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret1
type: Opaque
data:
  username: emhhbmdzYW4=
  password: YWJjMTIzNA==

kubectl create -f secret.yaml
kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-8pqp6   kubernetes.io/service-account-token   3      3d1h
mysecret              Opaque                                2      43m
mysecret1             Opaque                                2      6s

kubectl get secret mysecret1 -o yaml
apiVersion: v1
data:
  password: YWJjMTIzNA==
  username: emhhbmdzYW4=
kind: Secret
metadata:
  creationTimestamp: "2021-05-24T09:11:18Z"
  name: mysecret1
  namespace: default
  resourceVersion: "45641"
  selfLink: /api/v1/namespaces/default/secrets/mysecret1
  uid: ffffb7902-bc6f-11eb-acba-000c29d88bba
type: Opaque
//The values come back exactly as stored, and base64 is reversible by anyone who can read the object. To protect Secrets at rest, enable encryption at rest on the API server (EncryptionConfiguration), and restrict get, list and watch on secrets through RBAC; list and watch matter because they return every Secret in the namespace at once.
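The two points above, that base64 is reversible by anyone who can read the object and that a missing -n silently corrupts the value, are easy to check client-side. The following script is an added example, not part of the original tutorial; it uses only the Python standard library, builds the same Opaque Secret manifest as secret.yaml, decodes it the way any reader of the object could, and flags values that carry a stray newline. The sample username/password are constructed to match the tutorial.

```python
import base64
import json

# Constructed sample values (the tutorial's username/password), not real credentials.
SAMPLE_VALUES = {"username": "zhangsan", "password": "abc1234"}


def b64(value: str) -> str:
    """Base64-encode exactly the given characters.

    Nothing appends a newline here, so the result matches `echo -n value | base64`
    rather than `echo value | base64`.
    """
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def build_opaque_secret(name: str, values: dict, namespace: str = "default") -> dict:
    """Return an Opaque Secret manifest; json.dumps() it and pipe to `kubectl apply -f -`."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: b64(value) for key, value in values.items()},
    }


def decode_secret(manifest: dict) -> dict:
    """Recover the plaintext of every key under .data.

    This is all that anyone with `get` on the Secret needs to do with the
    output of `kubectl get secret <name> -o yaml`: base64 is an encoding,
    not encryption.
    """
    return {
        key: base64.b64decode(value).decode("utf-8")
        for key, value in manifest.get("data", {}).items()
    }


def find_stray_whitespace(manifest: dict) -> list:
    """Return the keys whose decoded value ends in a newline or other whitespace.

    `echo zhangsan | base64` (without -n) encodes "zhangsan\n"; an application
    reading that key then authenticates with a password that has a trailing
    newline, and the failure is invisible when you look at the manifest.
    """
    return [
        key
        for key, plain in decode_secret(manifest).items()
        if plain != plain.rstrip(" \t\r\n")
    ]


if __name__ == "__main__":
    secret = build_opaque_secret("mysecret1", SAMPLE_VALUES)
    print(json.dumps(secret, indent=2))   # what goes into the API
    print(decode_secret(secret))          # what anyone allowed to read it gets back
    broken = build_opaque_secret("mysecret1", {"password": "abc1234\n"})
    print("keys with stray whitespace:", find_stray_whitespace(broken))
```

Run find_stray_whitespace over a manifest produced by hand before applying it; a non-empty result almost always means a value was encoded with echo instead of echo -n or printf.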
//How to use
1. Mount the Secret as a volume into a directory of the Pod
vim secret-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret

kubectl create -f secret-test.yaml
kubectl get pods
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          16s

kubectl exec -it mypod -- bash
# cd /etc/secrets/
# ls
password.txt  username.txt
# cat username.txt
zhangsan
# cat password.txt
abc1234
//Each key becomes a file holding the decoded value. The files are created with mode 0644 unless defaultMode is set on the volume; for a Secret, set defaultMode: 0400 (or 0440 together with securityContext.fsGroup when the container runs as a non-root user) so that only the intended user can read them.

2. Expose the Secret as environment variables of the container
vim secret-test1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod1
spec:
  containers:
  - name: nginx
    image: nginx
    env:
    - name: TEST_USER
      valueFrom:
        secretKeyRef:
          name: mysecret1
          key: username
    - name: TEST_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret1
          key: password

kubectl apply -f secret-test1.yaml
kubectl get pods
NAME     READY   STATUS    RESTARTS   AGE
mypod1   1/1     Running   0          77s

kubectl exec -it mypod1 -- bash
# echo $TEST_USER
zhangsan
# echo $TEST_PASSWORD
abc1234
//The values are now part of the container's environment: every process the container starts inherits them, and any process in the container can read them from /proc/<pid>/environ. Prefer the volume mount above for anything that does not strictly require an environment variable.
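The difference between the two Pods above (mypod mounts the Secret as a volume, mypod1 injects it into the environment) is the kind of thing worth checking mechanically before a manifest reaches a cluster. The following linter is an added example, not part of the original tutorial; it runs offline on Python-dict copies of the tutorial's two Pod specs (constructed here, not loaded from the page's YAML), flags Secrets exposed through env or envFrom, flags Secret volumes that keep the kubelet's default 0644 file mode or lack an explicit readOnly, and returns a hardened copy of a Pod. The 0400/0440 recommendation is the one from the note above, not a Kubernetes default.

```python
import copy

# Constructed copies of the tutorial's two Pods (not the page's own YAML).
# mypod mounts the Secret as a volume; mypod1 injects it as environment variables.
MYPOD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mypod"},
    "spec": {
        "containers": [{
            "name": "nginx",
            "image": "nginx",
            "volumeMounts": [{"name": "secrets", "mountPath": "/etc/secrets", "readOnly": True}],
        }],
        "volumes": [{"name": "secrets", "secret": {"secretName": "mysecret"}}],
    },
}

MYPOD1 = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mypod1"},
    "spec": {
        "containers": [{
            "name": "nginx",
            "image": "nginx",
            "env": [
                {"name": "TEST_USER",
                 "valueFrom": {"secretKeyRef": {"name": "mysecret1", "key": "username"}}},
                {"name": "TEST_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "mysecret1", "key": "password"}}},
            ],
        }],
    },
}

KUBELET_DEFAULT_MODE = 0o644   # file mode the kubelet applies when defaultMode is omitted


def lint_pod_secrets(pod: dict) -> list:
    """Return findings about how the Pod exposes Secrets to its containers."""
    findings = []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})

    secret_volumes = {}
    for vol in spec.get("volumes", []):
        src = vol.get("secret")
        if src is None:
            continue
        secret_volumes[vol["name"]] = src
        mode = src.get("defaultMode", KUBELET_DEFAULT_MODE)   # JSON may carry it as decimal, e.g. 256
        if mode & 0o077:   # group or other permission bits set
            findings.append(
                f"{pod_name}: volume {vol['name']} (Secret {src.get('secretName')}) uses "
                f"defaultMode {mode:#o}; set defaultMode: 0400 (0440 with fsGroup) so only "
                f"the container user can read it"
            )

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(
                    f"{pod_name}/{cname}: env {env['name']} is Secret {ref['name']}/{ref['key']}; "
                    f"environment variables are inherited by child processes and readable from "
                    f"/proc/<pid>/environ, prefer a read-only volume mount"
                )
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                findings.append(
                    f"{pod_name}/{cname}: envFrom imports every key of Secret "
                    f"{src['secretRef']['name']} into the environment"
                )
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_volumes and not m.get("readOnly", False):
                findings.append(
                    f"{pod_name}/{cname}: Secret volume {m['name']} lacks an explicit readOnly: true"
                )
    return findings


def harden_secret_volumes(pod: dict) -> dict:
    """Return a copy with defaultMode 0400 on every Secret volume and readOnly on its mounts."""
    hardened = copy.deepcopy(pod)
    spec = hardened.get("spec", {})
    names = set()
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            vol["secret"]["defaultMode"] = 0o400
            names.add(vol["name"])
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in names:
                m["readOnly"] = True
    return hardened


if __name__ == "__main__":
    for pod in (MYPOD, MYPOD1, harden_secret_volumes(MYPOD)):
        print(pod["metadata"]["name"], "->", lint_pod_secrets(pod) or ["no findings"])
```

The env findings cannot be auto-fixed because the application has to change how it reads the credential; the volume findings can, which is what harden_secret_volumes does. Feed real manifests in with json.load on the output of kubectl get pod -o json.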
//ConfigMap
A ConfigMap is similar to a Secret but is meant for non-confidential configuration. It gets none of the handling reserved for Secrets (RBAC rules scoped to the secrets resource, encryption at rest, tooling that avoids printing values), so anything sensitive belongs in a Secret, not a ConfigMap.
The ConfigMap API was introduced in Kubernetes 1.2. Many applications read configuration from files, command-line arguments or environment variables, and the ConfigMap API provides a mechanism to inject such configuration into containers. A ConfigMap can hold a single property, an entire configuration file, or a JSON blob.
Application scenario: application configuration.
//Create ConfigMap
1. Create from a directory
mkdir /opt/configmap/
vim /opt/configmap/game.properties
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30

vim /opt/configmap/ui.properties
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice

ls /opt/configmap/
game.properties  ui.properties

kubectl create configmap game-config --from-file=/opt/configmap/
//--from-file with a directory turns every file in it into one key/value pair: the key is the file name and the value is the file's content.
kubectl get cm
NAME          DATA   AGE
game-config   2      10s

kubectl get cm game-config -o yaml
apiVersion: v1
data:
  game.properties: |
    enemies=aliens
    lives=3
    enemies.cheat=true
    enemies.cheat.level=noGoodRotten
    secret.code.passphrase=UUDDLRLRBABAS
    secret.code.allowed=true
    secret.code.lives=30
  ui.properties: |
    color.good=purple
    color.bad=yellow
    allow.textmode=true
    how.nice.to.look=fairlyNice
kind: ConfigMap
metadata:
  creationTimestamp: "2021-05-25T06:49:18Z"
  name: game-config
  namespace: default
  resourceVersion: "87803"
  selfLink: /api/v1/namespaces/default/configmaps/game-config
  uid: 541b5302-bd25-11eb-acba-000c29d88bba
//Note that secret.code.passphrase is now readable in clear text by anyone with get on configmaps in this namespace. The sample data is fine for a tutorial; in a real deployment a value like that goes into a Secret.
2. Create from files
A ConfigMap can be created from a single file by pointing --from-file at the file instead of a directory.
--from-file can be given multiple times; using it twice to name the two files from the previous example has the same effect as specifying the whole directory.
kubectl create configmap game-config-2 --from-file=/opt/configmap/game.properties --from-file=/opt/configmap/ui.properties
kubectl get configmaps game-config-2 -o yaml
kubectl describe cm game-config-2
3. Create from literal values
Pass the configuration with --from-literal, which can also be repeated:
kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=good

kubectl get configmaps special-config -o yaml
apiVersion: v1
data:
  special.how: very    #key/value pairs
  special.type: good
kind: ConfigMap
metadata:
  creationTimestamp: "2021-05-25T06:59:37Z"
  name: special-config
  namespace: default
  resourceVersion: "88610"
  selfLink: /api/v1/namespaces/default/configmaps/special-config
  uid: c4f45936-bd26-11eb-acba-000c29d88bba

kubectl delete cm --all
kubectl delete pod --all

//Using a ConfigMap in a Pod
1. Use a ConfigMap to set environment variables
vim env.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: special-config
  namespace: default
data:
  special.how: very
  special.type: good
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: env-config
  namespace: default
data:
  log_level: INFO

kubectl create -f env.yaml
kubectl get cm
NAME             DATA   AGE
env-config       1      6s
special-config   2      6s

//Create the Pod
vim test-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: busybox
    image: busybox:1.28.4
    command: [ "/bin/sh", "-c", "env" ]
    env:
    - name: SPECIAL_HOW_KEY
      valueFrom:
        configMapKeyRef:
          name: special-config
          key: special.how
    - name: SPECIAL_TYPE_KEY
      valueFrom:
        configMapKeyRef:
          name: special-config
          key: special.type
    envFrom:
    - configMapRef:
        name: env-config
  restartPolicy: Never

kubectl create -f test-pod.yaml
kubectl get pods
NAME       READY   STATUS      RESTARTS   AGE
test-pod   0/1     Completed   0          33s

kubectl logs test-pod
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.0.0.1:443
HOSTNAME=test-pod
SHLVL=1
SPECIAL_HOW_KEY=very          #from special-config's special.how
HOME=/root
SPECIAL_TYPE_KEY=good         #from special-config's special.type
KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
log_level=INFO                #imported wholesale from env-config by envFrom
KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_HOST=10.0.0.1
PWD=/
//This container's command dumps its whole environment into the Pod log, which anyone with pods/log can read. That is harmless for ConfigMap values; it is exactly why Secrets should not be injected as environment variables into containers that might log or crash-dump their environment.
2. Use a ConfigMap to set command-line arguments
vim test-pod2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod2
spec:
  containers:
  - name: busybox
    image: busybox:1.28.4
    command:
    - /bin/sh
    - -c
    - echo "$(SPECIAL_HOW_KEY) $(SPECIAL_TYPE_KEY)"
    env:
    - name: SPECIAL_HOW_KEY
      valueFrom:
        configMapKeyRef:
          name: special-config
          key: special.how
    - name: SPECIAL_TYPE_KEY
      valueFrom:
        configMapKeyRef:
          name: special-config
          key: special.type
    envFrom:
    - configMapRef:
        name: env-config
  restartPolicy: Never

kubectl create -f test-pod2.yaml
kubectl get pods
NAME        READY   STATUS      RESTARTS   AGE
test-pod2   0/1     Completed   0          34s

kubectl logs test-pod2
very good
//The $(VAR) form is expanded by Kubernetes from the container's env entries, so the values must be declared under env for the substitution to work.
3. Use a ConfigMap through a volume
Using a ConfigMap as a volume populates files into it: each key becomes a file name and the key's value becomes that file's content.
vim test-pod3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod3
spec:
  containers:
  - name: busybox
    image: busybox:1.28.4
    command: [ "/bin/sh", "-c", "sleep 36000" ]
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: special-config
  restartPolicy: Never

kubectl create -f test-pod3.yaml
kubectl get pods
NAME        READY   STATUS    RESTARTS   AGE
test-pod3   1/1     Running   0          5s

kubectl exec -it test-pod3 -- sh
# cd /etc/config/
# ls
special.how  special.type
# cat special.how
very
# cat special.type
good

//Hot update of a ConfigMap
vim test-pod4.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: log-config
  namespace: default
data:
  log_level: INFO
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      run: my-nginx
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx
        ports:
        - containerPort: 80
        volumeMounts:
        - name: config-volume
          mountPath: /etc/config
      volumes:
      - name: config-volume
        configMap:
          name: log-config

kubectl apply -f test-pod4.yaml
kubectl get pods
NAME                        READY   STATUS    RESTARTS   AGE
my-nginx-76b6489f44-6dwxh   1/1     Running   0          46s

kubectl exec -it my-nginx-76b6489f44-6dwxh -- cat /etc/config/log_level
INFO

kubectl edit configmap log-config
apiVersion: v1
data:
  log_level: DEBUG    #INFO changed to DEBUG
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"log_level":"DEBUG"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"log-config","namespace":"default"}}
  creationTimestamp: "2021-05-25T07:59:18Z"
  name: log-config
  namespace: default
  resourceVersion: "93616"
  selfLink: /api/v1/namespaces/default/configmaps/log-config
  uid: 1b8115de-bd2f-11eb-acba-000c29d88bba

//Wait a short while (about 10 seconds in this test) for the data in the volume mounted from this ConfigMap to be refreshed. The delay is set by the kubelet's sync period plus its ConfigMap cache TTL, so on a default configuration it can be up to a minute or more, and files mounted with subPath are never refreshed.
kubectl exec -it my-nginx-76b6489f44-6dwxh -- cat /etc/config/log_level
DEBUG

//Rolling update of Pods after a ConfigMap update
Updating a ConfigMap does not by itself trigger a rolling update of the Pods that use it. To force one, add an annotation such as version/config under .spec.template.metadata.annotations and change its value on every configuration change:
kubectl patch deployment my-nginx --patch '{"spec": {"template": {"metadata": {"annotations": {"version/config": "20210525"}}}}}'
kubectl get pods
NAME                        READY   STATUS              RESTARTS   AGE
my-nginx-665dd4dc8c-j4k9t   0/1     ContainerCreating   0          4s
my-nginx-76b6489f44-6dwxh   0/1     Terminating         0          10m
kubectl get pods
NAME                        READY   STATUS    RESTARTS   AGE
my-nginx-665dd4dc8c-j4k9t   1/1     Running   0          74s

PS: After a ConfigMap is updated:
● environment variables populated from it are never updated; the container must be restarted to pick up new values.
● data in a volume mounted from it is refreshed after a delay (about 10 seconds as measured here; bounded by the kubelet sync period plus cache TTL), except for subPath mounts, which are not refreshed.
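A hand-maintained version/config value like the one patched above is easy to forget or to reuse, which leaves Pods running stale configuration. The usual fix is to derive the annotation from the ConfigMap's content, so the Pod template changes exactly when the data does. The following script is an added example, not part of the original tutorial; it works offline on Python-dict copies of the tutorial's log-config ConfigMap and my-nginx Deployment (constructed here, not loaded from the page), computes a content checksum, emits the same kind of strategic-merge patch the tutorial applies by hand, and tells you whether the running template is out of date. The annotation name checksum/config and the local merge helper are this example's choices, not anything Kubernetes defines.

```python
import copy
import hashlib
import json
import sys

ANNOTATION = "checksum/config"   # name chosen for this example; any annotation key works

# Constructed copies of the tutorial's log-config ConfigMap and my-nginx Deployment
# (not the page's own manifests).
LOG_CONFIG = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "log-config", "namespace": "default"},
    "data": {"log_level": "INFO"},
}

MY_NGINX = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "my-nginx"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"run": "my-nginx"}},
        "template": {
            "metadata": {"labels": {"run": "my-nginx"}},
            "spec": {
                "containers": [{
                    "name": "my-nginx",
                    "image": "nginx",
                    "volumeMounts": [{"name": "config-volume", "mountPath": "/etc/config"}],
                }],
                "volumes": [{"name": "config-volume", "configMap": {"name": "log-config"}}],
            },
        },
    },
}


def configmap_checksum(cm: dict) -> str:
    """SHA-256 over the canonical JSON of .data and .binaryData.

    Sorting keys and dropping whitespace makes the hash depend only on content,
    not on manifest formatting, key order, or metadata such as resourceVersion.
    """
    payload = json.dumps(
        {"data": cm.get("data", {}), "binaryData": cm.get("binaryData", {})},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def checksum_patch(cm: dict) -> dict:
    """Strategic-merge patch body for `kubectl patch deployment <name> --patch '<json>'`."""
    return {"spec": {"template": {"metadata": {"annotations": {ANNOTATION: configmap_checksum(cm)}}}}}


def merge_patch(base: dict, patch: dict) -> dict:
    """Apply a nested-map patch locally (enough of strategic merge for annotations).

    The API server performs the real merge; this only lets the script predict
    the resulting Pod template without talking to a cluster.
    """
    out = copy.deepcopy(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge_patch(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def needs_rollout(deployment: dict, cm: dict) -> bool:
    """True when the Pod template's recorded checksum differs from the ConfigMap's current content."""
    annotations = deployment["spec"]["template"].get("metadata", {}).get("annotations", {})
    return annotations.get(ANNOTATION) != configmap_checksum(cm)


if __name__ == "__main__":
    patch = checksum_patch(LOG_CONFIG)
    updated = merge_patch(MY_NGINX, patch)
    debug = merge_patch(LOG_CONFIG, {"data": {"log_level": "DEBUG"}})
    print("rollout needed before patch:", needs_rollout(MY_NGINX, LOG_CONFIG), file=sys.stderr)
    print("rollout needed after patch:", needs_rollout(updated, LOG_CONFIG), file=sys.stderr)
    print("rollout needed after INFO->DEBUG:", needs_rollout(updated, debug), file=sys.stderr)
    print(json.dumps(patch))   # only the patch goes to stdout, so it can be fed to kubectl
```

Because only the patch is printed on stdout, the script can be wired in as kubectl patch deployment my-nginx --patch "$(python3 rollout.py)" (file name assumed); when the ConfigMap has not changed, the checksum is identical, the template is unchanged, and the Deployment does not roll, which is the property the hand-edited date annotation lacks.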