1.configmapphp
configmap和secret是两种特殊的存储卷,它们不是给pod提供存储空间用的,而是给管理员或者用户提供了从外部向pod内部注入信息的方式.html
configmap:把配置文件放在配置中心上,而后多个pod读取配置中心的配置文件,不过,configmap中的配置信息都是明文的,因此不安全;mysql
secret:功能和configmap同样,只不过配置中心存储的配置文件不是明文的.configmap和secret也是专属于某个名称空间的.nginx
# 用命令行建立configmap kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.lixiang.com kubectl describe cm nginx-config # 用清单方式建立configmap mkdir configmap && cd configmap cat www.conf server { server_name myapp.lixiang.com; listen 80; root /data/web/html; } kubectl create configmap nginx-www --from-file=www.conf # 用ENV方式把configmap的配置信息注入到pod中 cat pod-configmap.yaml apiVersion: v1 kind: Pod metadata: name: pod-cm-1 namespace: default labels: app: myapp tier: frontend spec: containers: - name: myapp image: ikubernetes/myapp:v1 ports: - name: http containerPort: 80 env: - name: NGINX_SERVER_PORT valueFrom: # kubectl explain pods.spec.containers.env.valueFrom configMapKeyRef: # 表示要引用一个configmap来获取数据 name: nginx-config # configmap的名字 key: nginx_port # 经过kubectl describe cm nginx-config的键 - name: NGINX_SERVER_NAME valueFrom: configMapKeyRef: name: nginx-config key: server_name kubectl apply -f pod-configmap.yaml kubectl exec -it pod-cm-1 -- /bin/sh # printenv NGINX_SERVER_PORT=80 NGINX_SERVER_NAME=myapp.lixiang.com # 经过edit方式修改configmap的配置文件,在Pod里面不会当即生效,须要重启pod才能生效 kubectl edit cm nginx-config # 用存储卷的方法把configmap注入到pod中 cat pod-configmap2.ymal apiVersion: v1 kind: Pod metadata: name: pod-cm-2 namespace: default labels: app: myapp spec: containers: - name: myapp image: ikubernetes/myapp:v1 ports: - name: http containerPort: 80 volumeMounts: - name: nginxconf mountPath: /etc/nginx/conf.d/ readOnly: true volumes: - name: nginxconf configMap: name: nginx-config kubectl apply -f pod-configmap2.ymal # 进入pod,能够看到configmap中的键值对,在/etc/nginx/conf.d/下以文件形式存在 # 把www.conf文件注入到pod中 cat pod-configmap3.yaml apiVersion: v1 kind: Pod metadata: name: pod-cm-3 namespace: default labels: app: myapp spec: containers: - name: myapp image: ikubernetes/myapp:v1 ports: - name: http containerPort: 80 volumeMounts: - name: nginxconf mountPath: /etc/nginx/conf.d/ readOnly: true volumes: - name: nginxconf configMap: name: nginx-www kubectl apply -f pod-configmap3.yaml kubectl exec -it pod-cm-3 -- /bin/sh / # cd /etc/nginx/conf.d/ /etc/nginx/conf.d # ls www.conf /etc/nginx/conf.d # cat www.conf server { server_name myapp.lixiang.com; listen 80; root /data/web/html; } # 修改端口,pod中的配置文件一样会发生变化 kubectl edit cm nginx-www
2.secretweb
secret功能和configmap同样,只不过secret配置中心存储的配置文件不是明文的,通常将链接数据库的密码、私钥等写在secret中.sql
kubectl create secret --helpdocker
generic:保存密码;数据库
tls:保存私钥、证书;json
docker-registry:保存docker认证信息,好比从私有docker仓库拉镜像时,就用这个类型,k8s拖镜像的进程是kublet.api
# 若是从私有仓库拉镜像,就用imagePullSecrets存登陆验证的信息 kubectl explain pods.spec.imagePullSecrets kubectl create secret docker-registry LXregsecret --docker-server=registry.cn-hangzhou.aliyuncs.com \ --docker-username=xx --docker-password=xxxxxx --docker-email=xx LXregsecret:指定secret的名字,可自行定义;--docker-email:邮件地址(选填) 该密钥只能在对应namespace使用,也就是这里的default,若是须要在其余namespace中用到,须要在建立时指定名称空间 containers: - name: channel image: registry-internal.cn-hangzhou.aliyuncs.com/yin32167/channel:dev-1.0 ports: - containerPort: 8114 imagePullSecrets: - name: LXregsecret # # 好像也能够这么建立,bash64 -wo 表明以64位转码展现而且不换行 cat .docker/config.json |base64 -w0 cat docker-secret.yaml apiVersion: v1 kind: Secret metadata: name: registrypullsecret data: .dockerconfigjson: 加密串 type: kubernetes.io/dockerconfigjson # password的内容会以base64的形式加密 kubectl create secret generic mysql-root-password --from-literal=password=123456 kubectl describe secret mysql-root-password kubectl get secret mysql-root-password -o yaml # 用base64进行解码 echo MTIzNDU2 |base64 -d # 把secret经过env的方式注入到pod里面 cat pod-secret-1.yaml apiVersion: v1 kind: Pod metadata: name: pod-secret-1 namespace: default labels: app: myapp spec: containers: - name: myapp image: ikubernetes/myapp:v1 ports: - name: http containerPort: 80 env: - name: MYSQL_ROOT_PASSWORD valueFrom: secretKeyRef: name: mysql-root-password key: password kubectl apply -f pod-secret-1.yaml kubectl exec -it pod-secret-1 -- /bin/sh # printenv MYSQL_ROOT_PASSWORD=123456 secret还能够用mount的方式注入pod中
参考博客:http://blog.itpub.net/28916011/viewspace-2214804/
在kubernetes集群中部署nginx+mysql+php应用:https://blog.csdn.net/bbwangj/article/details/82954187
kubernetes小课堂:https://k.i4t.com/