http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
server_tokens off;
access_log /usr/share/nginx/html/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}# kubectl create configmap nginxconfig --from-file nginx.conf
# kubectl get configmap
# kubectl get configmap -o yaml
在rc配置文件中使用configmap
# cat nginx-rc-configmap.yaml
apiVersion: v1
kind: ReplicationController
metadata:
name: nginx
labels:
name: nginx
spec:
replicas: 2
selector:
name: nginx
template:
metadata:
labels:
name: nginx
spec:
containers:
- name: nginx
image: docker.io/nginx
volumeMounts:
- name: nginx-etc
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
ports:
- containerPort: 80
volumes:
- name: nginx-etc
configMap:
name: nginxconfig
items:
- key: nginx.conf
path: nginx.conf# kubectl create -f nginx-rc-configmap.yaml
configmap的信息实际是存储在etcd中的,可以使用kubectl edit configmap xxx 来对configmap进行修改
# etcdctl ls /registry/configmaps/default
# etcdctl get /registry/configmaps/default/nginxconfig
4、Secret
Kubemetes提供了Secret来处理敏感数据,比如密码、Token和密钥,相比于直接将敏感数据配置在Pod的定义或者镜像中,Secret提供了更加安全的机制(Base64加密),防止数据泄露。Secret的创建是独立于Pod的,以数据卷的形式挂载到Pod中,Secret的数据将以文件的形式保存,容器通过读取文件可以获取需要的数据。
目前Secret的类型有3种:
Opaque(default): 任意字符串
kubernetes.io/service-account-token: 作用于ServiceAccount
kubernetes.io/dockercfg: 作用于Docker registry,用户下载docker镜像认证使用
secert的具体配置在前文serviceaccount中已经介绍过了,本文不再赘述。