Configuration resource management in k8s

1. Secret

A Secret is a Kubernetes resource for storing sensitive data such as passwords, tokens and keys. Such data could also be placed directly in a Pod spec or a container image, but keeping it in a Secret makes it easier to control how the data is used and reduces the risk of exposure.

There are three types:

1. kubernetes.io/service-account-token: created automatically by Kubernetes; this is the Secret used to access the API server. By default a Pod uses this Secret to communicate with the API server, and it is mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount;

2. Opaque: a Secret whose values are base64-encoded, used to store user-defined passwords, keys, etc.; this is the default Secret type;

3. kubernetes.io/dockerconfigjson: stores the credentials for a private Docker registry.

A Pod must reference a Secret before it can use it. A Pod can use a Secret in three ways:

●As files in a volume mounted into one or more containers.
●As environment variables of a container.
●Used by the kubelet when pulling images for the Pod.

For details, see Secrets | Kubernetes.

2. Create Secret

1. Create from files

echo -n 'zhangsan' > username.txt
echo -n 'abc1234' > password.txt

kubectl create secret generic mysecret --from-file=username.txt --from-file=password.txt

kubectl get secrets
NAME TYPE DATA AGE
default-token-8pqp6 kubernetes.io/service-account-token 3 3d1h
mysecret Opaque 2 51s

kubectl describe secret mysecret
Name: mysecret
Namespace: default
Labels: <none>
Annotations: <none>

Type: Opaque

Data
====
password.txt: 7 bytes
username.txt: 8 bytes
//get and describe do not print the actual content of the Secret; this is done to protect the data.

2. Base64-encode the values and create the Secret from a manifest

echo -n zhangsan | base64
emhhbmdzYW4=

echo -n abc1234 | base64
YWJjMTIzNA==

vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret1
type: Opaque
data:
  username: emhhbmdzYW4=
  password: YWJjMTIzNA==

kubectl create -f secret.yaml

kubectl get secrets
NAME TYPE DATA AGE
default-token-8pqp6 kubernetes.io/service-account-token 3 3d1h
mysecret Opaque 2 43m
mysecret1 Opaque 2 6s

kubectl get secret mysecret1 -o yaml
apiVersion: v1
data:
  password: YWJjMTIzNA==
  username: emhhbmdzYW4=
kind: Secret
metadata:
  creationTimestamp: 2021-05-24T09:11:18Z
  name: mysecret1
  namespace: default
  resourceVersion: "45641"
  selfLink: /api/v1/namespaces/default/secrets/mysecret1
  uid: ffffb7902-bc6f-11eb-acba-000c29d88bba
type: Opaque
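The values in the data section are only base64-encoded, so anyone permitted to read the Secret object can recover them, and a value produced with echo instead of echo -n carries a trailing newline into the plaintext. The following script is an added example rather than code from the original post: it decodes and sanity-checks the data section of such a manifest, and assumes GNU coreutils base64 (base64 -d).

```shell
# Added example, not part of the original post: checks the data values of a
# Secret manifest such as secret.yaml. Shows that base64 is reversible encoding,
# not encryption, and catches two common mistakes: values that are not valid
# base64 (the API server rejects the manifest) and values encoded with a
# trailing newline ("echo" instead of "echo -n"). Assumes GNU coreutils base64.

# check_secret_value KEY BASE64
# returns 0 = clean, 1 = not valid base64, 2 = plaintext ends with a newline
check_secret_value() {
    key=$1
    b64=$2
    # base64 -d exits non-zero on bad padding or characters outside the alphabet
    if ! printf '%s' "$b64" | base64 -d >/dev/null 2>&1; then
        echo "$key: INVALID base64 value '$b64'"
        return 1
    fi
    # $(...) strips trailing newlines, so a smaller "stripped" count means the
    # plaintext ended in "\n", i.e. it was produced by echo without -n
    total=$(printf '%s' "$b64" | base64 -d | wc -c | tr -d ' ')
    stripped=$(printf '%s' "$(printf '%s' "$b64" | base64 -d)" | wc -c | tr -d ' ')
    if [ "$total" -ne "$stripped" ]; then
        echo "$key: plaintext has a TRAILING NEWLINE (use echo -n or printf '%s')"
        return 2
    fi
    # anyone allowed to 'get secrets' can recover the plaintext exactly like this
    echo "$key: ok, $total bytes, decodes to '$(printf '%s' "$b64" | base64 -d)'"
}

# check_secret_data < MANIFEST: runs the check on every key under "data:",
# returns the number of bad entries
check_secret_data() {
    bad=0
    for pair in $(awk '/^data:/{f=1;next} /^[^ ]/{f=0} f&&NF==2{sub(":","",$1);print $1"="$2}'); do
        check_secret_value "${pair%%=*}" "${pair#*=}" || bad=$((bad+1))
    done
    return "$bad"
}

# Constructed sample: correct encodings of zhangsan and abc1234, plus one value
# encoded with a trailing newline and one with broken padding
SAMPLE_SECRET='apiVersion: v1
kind: Secret
data:
  username: emhhbmdzYW4=
  password: YWJjMTIzNA==
  token: emhhbmdzYW4K
  broken: YWJjMTIzNAo=='
printf '%s\n' "$SAMPLE_SECRET" | check_secret_data || echo "$? bad value(s) found"
```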

//How to use a Secret

1. Mount the Secret as a Volume into a directory of the Pod

vim secret-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-test
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret

kubectl create -f secret-test.yaml

kubectl get pods
NAME READY STATUS RESTARTS AGE
secret-test 1/1 Running 0 16s

kubectl exec -it secret-test -- bash
 # cd /etc/secrets/
 # ls
password.txt username.txt
 # cat password.txt
 # cat username.txt

2. Inject the Secret as environment variables

vim secret-test1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod1
spec:
  containers:
  - name: nginx
    image: nginx
    env:
      - name: TEST_USER
        valueFrom:
          secretKeyRef:
            name: mysecret1
            key: username
      - name: TEST_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret1
            key: password

kubectl apply -f secret-test1.yaml

kubectl get pods
NAME READY STATUS RESTARTS AGE
mypod1 1/1 Running 0 77s

kubectl exec -it mypod1 -- bash
 # echo $TEST_USER
zhangsan
 # echo $TEST_PASSWORD
abc1234

//ConfigMap

Similar to Secret; the difference is that a ConfigMap holds configuration data that does not need to be encrypted.
The ConfigMap feature was introduced in Kubernetes 1.2. Many applications read their configuration from files, command-line arguments or environment variables, and the ConfigMap API gives us a mechanism to inject such configuration into containers. A ConfigMap can hold a single property, an entire configuration file, or a JSON blob.
Application scenario: application configuration

//Create ConfigMap
1. Create from a directory

mkdir /opt/configmap/
 
vim /opt/configmap/game.properties
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
 
vim /opt/configmap/ui.properties
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice

ls /opt/configmap/
game.properties
ui.properties

kubectl create configmap game-config --from-file=/opt/configmap/
//--from-file with a directory creates one key-value pair in the ConfigMap for each file in it: the key is the file name and the value is the file's content.

kubectl get cm
NAME DATA AGE
game-config 2 10s

kubectl get cm game-config -o yaml
apiVersion: v1
data:
  game.properties: |
    enemies=aliens
    lives=3
    enemies.cheat=true
    enemies.cheat.level=noGoodRotten
    secret.code.passphrase=UUDDLRLRBABAS
    secret.code.allowed=true
    secret.code.lives=30
  ui.properties: |
    color.good=purple
    color.bad=yellow
    allow.textmode=true
    how.nice.to.look=fairlyNice
kind: ConfigMap
metadata:
  creationTimestamp: 2021-05-25T06:49:18Z
  name: game-config
  namespace: default
  resourceVersion: "87803"
  selfLink: /api/v1/namespaces/default/configmaps/game-config
  uid: 541b5302-bd25-11eb-acba-000c29d88bba

2. Create from files
A ConfigMap can also be created from a single file by passing it to --from-file.
The --from-file parameter can be repeated, so passing the two configuration files from the previous example has the same effect as passing the whole directory.

kubectl create configmap game-config-2 --from-file=/opt/configmap/game.properties --from-file=/opt/configmap/ui.properties

kubectl get configmaps game-config-2 -o yaml

kubectl describe cm game-config-2

3. Create from literal values
Use the --from-literal parameter to pass configuration values on the command line. It can be given multiple times. The format is as follows:
kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=good

kubectl get configmaps special-config -o yaml
apiVersion: v1
data:
  special.how: very #key-value structure
  special.type: good
kind: ConfigMap
metadata:
  creationTimestamp: 2021-05-25T06:59:37Z
  name: special-config
  namespace: default
  resourceVersion: "88610"
  selfLink: /api/v1/namespaces/default/configmaps/special-config
  uid: c4f45936-bd26-11eb-acba-000c29d88bba


kubectl delete cm --all
kubectl delete pod --all

//Use ConfigMap in a Pod

1. Use ConfigMap to set environment variables

vim env.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: special-config
  namespace: default
data:
  special.how: very
  special.type: good
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: env-config
  namespace: default
data:
  log_level: INFO


kubectl create -f env.yaml

kubectl get cm
NAME DATA AGE
env-config 1 6s
special-config 2 6s

//Create the Pod
vim test-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-test
spec:
  containers:
  - name: busybox
    image: busybox:1.28.4
    command: [ "/bin/sh", "-c", "env" ]
    env:
      - name: SPECIAL_HOW_KEY
        valueFrom:
          configMapKeyRef:
            name: special-config
            key: special.how
      - name: SPECIAL_TYPE_KEY
        valueFrom:
          configMapKeyRef:
            name: special-config
            key: special.type
    envFrom:
      - configMapRef:
          name: env-config
  restartPolicy: Never


kubectl create -f test-pod.yaml

kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-test 0/1 Completed 0 33s

kubectl logs pod-test
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.0.0.1:443
HOSTNAME=pod-test
SHLVL=1
SPECIAL_HOW_KEY=very #The value of the assigned variable SPECIAL_HOW_KEY is special-config's special.how: very
HOME=/root
SPECIAL_TYPE_KEY=good #The value of the assigned variable SPECIAL_TYPE_KEY is special-config's special.type: good
KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
log_level=INFO #Introduce env-config variables log_level: INFO
KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_HOST=10.0.0.1
PWD=/

2. Use ConfigMap to set command-line arguments

vim test-pod2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod2
spec:
  containers:
  - name: busybox
    image: busybox:1.28.4
    command:
    - /bin/sh
    - -c
    - echo "$(SPECIAL_HOW_KEY) $(SPECIAL_TYPE_KEY)"
    env:
      - name: SPECIAL_HOW_KEY
        valueFrom:
          configMapKeyRef:
            name: special-config
            key: special.how
      - name: SPECIAL_TYPE_KEY
        valueFrom:
          configMapKeyRef:
            name: special-config
            key: special.type
    envFrom:
      - configMapRef:
          name: env-config
  restartPolicy: Never


kubectl create -f test-pod2.yaml

kubectl get pods
NAME READY STATUS RESTARTS AGE
test-pod2 0/1 Completed 0 34s

kubectl logs test-pod2
very good

3. Use ConfigMap through a data volume
Using a ConfigMap in a data volume means populating the volume with files: each key becomes a file name and the key's value becomes that file's content.

vim test-pod3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod3
spec:
  containers:
  - name: busybox
    image: busybox:1.28.4
    command: [ "/bin/sh", "-c", "sleep 36000" ]
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: special-config
  restartPolicy: Never


kubectl create -f test-pod3.yaml

kubectl get pods
NAME READY STATUS RESTARTS AGE
test-pod3 1/1 Running 0 5s

kubectl exec -it test-pod3 -- sh
 # cd /etc/config/
 # ls
special.how special.type
 # cat special.how
 # cat special.type


//Hot update of ConfigMap
vim test-pod4.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: log-config
  namespace: default
data:
  log_level: INFO
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      run: my-nginx
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx
        ports:
        - containerPort: 80
        volumeMounts:
        - name: config-volume
          mountPath: /etc/config
      volumes:
        - name: config-volume
          configMap:
            name: log-config


kubectl apply -f test-pod4.yaml

kubectl get pods
NAME READY STATUS RESTARTS AGE
my-nginx-76b6489f44-6dwxh 1/1 Running 0 46s

kubectl exec -it my-nginx-76b6489f44-6dwxh -- cat /etc/config/log_level
INFO

kubectl edit configmap log-config
apiVersion: v1
data:
  log_level: DEBUG #INFO modified to DEBUG
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"log_level":"DEBUG"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"log-config","namespace":"default"}} #INFO changed to DEBUG
  creationTimestamp: 2021-05-25T07:59:18Z
  name: log-config
  namespace: default
  resourceVersion: "93616"
  selfLink: /api/v1/namespaces/default/configmaps/log-config
  uid: 1b8115de-bd2f-11eb-acba-000c29d88bba
  
//Wait about 10 seconds for the data in the Volume mounted using this ConfigMap to be updated synchronously
kubectl exec -it my-nginx-76b6489f44-6dwxh -- cat /etc/config/log_level
DEBUG

//Rolling update of Pods after a ConfigMap update
Updating a ConfigMap currently does not trigger a rolling update of the Pods that use it. You can add a version/config annotation under .spec.template.metadata.annotations and change its value each time to trigger a rolling update.

kubectl patch deployment my-nginx --patch '{"spec": {"template": {"metadata": {"annotations": {"version/config": "20210525" }}}}}'

kubectl get pods
NAME READY STATUS RESTARTS AGE
my-nginx-665dd4dc8c-j4k9t 0/1 ContainerCreating 0 4s
my-nginx-76b6489f44-6dwxh 0/1 Terminating 0 10m

kubectl get pods
NAME READY STATUS RESTARTS AGE
my-nginx-665dd4dc8c-j4k9t 1/1 Running 0 74s
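Rather than typing a new version/config value by hand each time, the annotation can be derived from a checksum of the ConfigMap manifest, so the Deployment rolls exactly when the configuration content changes. This is an added example, not code from the original post; it assumes sha256sum (or shasum) is installed, and the kubectl commands against a live cluster appear in a comment only.

```shell
# Added example, not part of the original post: drive the version/config
# annotation from the post with a content checksum instead of a hand-typed
# value. Assumes sha256sum or shasum locally; kubectl is only shown, not run.

# config_checksum FILE -> sha256 of the file content as 64 hex characters
config_checksum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# render_patch CHECKSUM -> strategic-merge patch for the same path the post
# patches by hand (.spec.template.metadata.annotations). Any change to the Pod
# template is what makes the Deployment roll, so a new checksum means a rollout.
render_patch() {
    printf '{"spec":{"template":{"metadata":{"annotations":{"version/config":"%s"}}}}}' "$1"
}

# Constructed sample: the log-config ConfigMap from test-pod4.yaml before and
# after the INFO -> DEBUG edit
tmpdir=$(mktemp -d)
printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: log-config\ndata:\n  log_level: INFO\n' > "$tmpdir/before.yaml"
printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: log-config\ndata:\n  log_level: DEBUG\n' > "$tmpdir/after.yaml"

BEFORE=$(config_checksum "$tmpdir/before.yaml")
AFTER=$(config_checksum "$tmpdir/after.yaml")
echo "before: $BEFORE"
echo "after:  $AFTER"
[ "$BEFORE" != "$AFTER" ] && echo "content changed, rollout needed"
echo "patch: $(render_patch "$AFTER")"

# Against a live cluster the two steps would be (not executed here):
#   kubectl apply -f log-config.yaml
#   kubectl patch deployment my-nginx --patch "$(render_patch "$(config_checksum log-config.yaml)")"
rm -rf "$tmpdir"
```

Because the checksum changes only when the file content changes, re-running the pair of commands after an unrelated apply leaves the Deployment untouched.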


PS: After a ConfigMap is updated:
●Environment variables populated from this ConfigMap are not updated.
●Data in a Volume mounted from this ConfigMap is updated after some time (approximately 10 seconds as measured).