Kubernetes Study Notes (6): Configuring Applications with ConfigMap and Secret (2)

containers.args cannot reference a ConfigMap directly, but it can reference environment variables with the $(ENV_VAR_NAME) syntax, and through them reference a ConfigMap indirectly.

```yaml
# config-cli-cm.yaml
apiVersion: v1
kind: Pod
metadata:
  name: config-cli-cm
spec:
  containers:
  - name: config-cli-cm
    image: registry.cn-hangzhou.aliyuncs.com/orzi/loopechodate
    env:
    - name: INTERVAL
      valueFrom:
        configMapKeyRef:
          name: mycm
          key: interval
    args: ["$(INTERVAL)"]
```
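The `$(INTERVAL)` in `args` above is expanded by the kubelet when it builds the container's command line, not by a shell, and the rules are fixed: a reference to a variable declared in the container's `env` is replaced by its value, `$$(VAR)` is an escape that yields the literal text `$(VAR)`, an unresolvable reference is left unchanged, and `env` entries are resolved in list order, so a value can only refer to variables declared before it. The Python model below is an added example, not code from this post or from Kubernetes; the `mycm` contents and the extra `MSG`, `EARLY`, `LATE` and `GONE` variables are constructed inputs.

```python
"""Model of the $(VAR) expansion Kubernetes applies to containers.args,
containers.command and env[].value. Added illustration; not the kubelet's
source. Rules: $(VAR) -> value of VAR if declared earlier in env;
$$ -> a literal $ (so $$(VAR) survives as $(VAR)); an unresolvable $(VAR)
is copied unchanged; a dangling "$(" is copied as-is."""


def expand(template: str, env: dict) -> str:
    """Expand $(VAR) references in `template` against `env`."""
    out = []
    i, n = 0, len(template)
    while i < n:
        ch = template[i]
        if ch != "$" or i + 1 >= n:          # ordinary char, or a trailing "$"
            out.append(ch)
            i += 1
            continue
        nxt = template[i + 1]
        if nxt == "$":                        # "$$" is the escape for "$"
            out.append("$")
            i += 2
        elif nxt == "(":
            close = template.find(")", i + 2)
            if close == -1:                   # unterminated reference: keep verbatim
                out.append("$(")
                i += 2
            else:
                name = template[i + 2:close]
                out.append(env.get(name, f"$({name})"))  # unknown -> unchanged
                i = close + 1
        else:                                 # "$" not opening a reference
            out.append("$" + nxt)
            i += 2
    return "".join(out)


def resolve_env(env_list: list, configmaps: dict) -> dict:
    """Resolve a container's env list in order, the way the kubelet does:
    configMapKeyRef entries are looked up (a missing key is fatal unless the
    ref is marked optional), literal values are expanded against variables
    declared earlier in the list."""
    resolved = {}
    for entry in env_list:
        name = entry["name"]
        ref = entry.get("valueFrom", {}).get("configMapKeyRef")
        if ref is not None:
            cm = configmaps.get(ref["name"], {})
            if ref["key"] not in cm:
                if ref.get("optional"):
                    continue                  # optional ref: variable simply unset
                raise KeyError(f"configmap {ref['name']!r} has no key {ref['key']!r}")
            resolved[name] = cm[ref["key"]]
        else:
            resolved[name] = expand(entry.get("value", ""), resolved)
    return resolved


def container_args(container: dict, configmaps: dict) -> list:
    """Final argv the container receives after env resolution and expansion."""
    env = resolve_env(container.get("env", []), configmaps)
    return [expand(a, env) for a in container.get("args", [])]


# Constructed inputs: the post's `mycm` ConfigMap with interval=3, and a
# container modelled on config-cli-cm.yaml plus a few extra probes.
CONFIGMAPS = {"mycm": {"interval": "3"}}
CONTAINER = {
    "env": [
        {"name": "INTERVAL",
         "valueFrom": {"configMapKeyRef": {"name": "mycm", "key": "interval"}}},
        {"name": "MSG", "value": "interval is : $(INTERVAL)"},   # refers backwards: resolved
        {"name": "EARLY", "value": "$(LATE)"},                   # refers forwards: stays literal
        {"name": "LATE", "value": "x"},
        {"name": "GONE", "valueFrom": {"configMapKeyRef": {
            "name": "mycm", "key": "nope", "optional": True}}},  # optional missing key: unset
    ],
    "args": ["$(INTERVAL)", "$$(INTERVAL)", "$(MISSING)", "${INTERVAL}"],
}

if __name__ == "__main__":
    print(resolve_env(CONTAINER["env"], CONFIGMAPS))
    print(container_args(CONTAINER, CONFIGMAPS))
```

Running the file prints the resolved environment and the final argv; the `EARLY` entry shows why a forward reference silently ends up as literal text, and `${INTERVAL}` shows that shell-style braces are not a reference at all.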

Create and inspect

```console
-> [root@kube0.vm] [~] k create -f config-cli-cm.yaml
pod/config-cli-cm created
-> [root@kube0.vm] [~] k logs config-cli-cm
interval is : 3
-> [root@kube0.vm] [~] k exec config-cli-cm cat /tmp/a.txt
Mon May 25 05:11:14 UTC 2020
Mon May 25 05:11:17 UTC 2020
Mon May 25 05:11:20 UTC 2020
```

Exposing ConfigMap entries as a volume

Environment variables and command-line arguments are usually suitable only for configuration values that are short. To expose a configuration file stored in a ConfigMap, mount the ConfigMap, or individual entries of it, into the container as a volume.

```yaml
# config-volume-cm.yaml
apiVersion: v1
kind: Pod
metadata:
  name: config-volume-cm
spec:
  containers:
  - name: config-volume-cm
    image: nginx:alpine
    volumeMounts:
    - name: config
      mountPath: /tmp/mycm
      readOnly: true
  volumes:
  - name: config
    configMap:
      name: mycm
```

Create and inspect

```console
-> [root@kube0.vm] [~] k create -f config-volume-cm.yaml
pod/config-volume-cm created
-> [root@kube0.vm] [~] k exec config-volume-cm ls /tmp/mycm
Dockerfile
a.txt
b.txt
interval
```

To expose only specific entries, set volumes.configMap.items.

```yaml
volumes:
- name: config
  configMap:
    name: mycm
    items:
    - key: interval
      path: interval2
```

The output is:

```console
-> [root@kube0.vm] [~] k exec config-volume-cm ls /tmp/mycm
interval2
```

configMap.defaultMode sets the access permissions of the mounted entries.

Mounting a volume over a directory hides the files that already exist in that directory; mounting a single ConfigMap entry does not hide the other files.

Secret

Like a ConfigMap, a Secret is a set of key-value pairs; it can likewise be passed to containers as environment variables, and its entries can be exposed as files in a volume. For safety, however, always expose a Secret through a Secret volume: on the node, a Secret volume is held in memory only and is never written to physical storage. The contents of Secret entries are Base64-encoded.
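Two points above are easy to get wrong in practice: what `items`/`path` and `defaultMode` actually produce in the mounted directory, and what "Base64-encoded" means for a Secret. The Python below is an added example (not code from this post, from kubectl or from the kubelet) that builds the same kind of manifest `kubectl create secret generic --from-file` produces, decodes it back, and models the file projection of a configMap or secret volume; the `mycm` and `mysecret` contents are constructed stand-ins.

```python
"""Added illustration (not the post's code): what a ConfigMap or Secret volume
projects into the container, and why a Secret's Base64 `data` is encoding,
not protection."""
import base64


def build_secret(name: str, files: dict) -> dict:
    """Manifest equivalent to `kubectl create secret generic NAME --from-file=...`:
    each file becomes one Base64-encoded entry under `data`; the resulting
    type is Opaque (what the post calls the generic type)."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {k: base64.b64encode(v).decode("ascii") for k, v in files.items()},
    }


def decode_secret(manifest: dict) -> dict:
    """Recover the plaintext: anyone allowed to `get` the Secret object can do this."""
    return {k: base64.b64decode(v) for k, v in manifest.get("data", {}).items()}


def project_volume(entries: dict, items=None, default_mode: int = 0o644) -> dict:
    """Files a configMap/secret volume would contain, as {path: (content, mode)}.
    items=None projects every key under its own name; items=[{key, path, mode?}]
    projects only the listed keys under `path` (the interval -> interval2 case);
    default_mode is the volume's defaultMode, which a per-item `mode` overrides."""
    if items is None:
        items = [{"key": k, "path": k} for k in entries]
    out = {}
    for it in items:
        if it["key"] not in entries:
            # a non-optional reference to a missing key keeps the pod from starting
            raise KeyError(f"no entry {it['key']!r} to project")
        out[it["path"]] = (entries[it["key"]], it.get("mode", default_mode))
    return out


def group_or_world_readable(projected: dict) -> list:
    """Paths whose mode lets group or other read them: with the 0644 default,
    a projected Secret is readable by every uid in the container."""
    return sorted(p for p, (_, mode) in projected.items() if mode & 0o044)


# Constructed samples standing in for the post's `mycm` ConfigMap and `mysecret`.
MYCM = {"Dockerfile": b"FROM alpine\n", "a.txt": b"a\n", "b.txt": b"b\n", "interval": b"3"}
MYSECRET_FILES = {"foo": b"bar\n", "https.key": b"<constructed placeholder, not a real key>"}

if __name__ == "__main__":
    manifest = build_secret("mysecret", MYSECRET_FILES)
    print(manifest["data"])                      # Base64 text, trivially reversible
    print(decode_secret(manifest) == MYSECRET_FILES)
    print(sorted(project_volume(MYCM)))          # all four entries, like `ls /tmp/mycm`
    print(project_volume(MYCM, [{"key": "interval", "path": "interval2"}]))
    print(group_or_world_readable(project_volume(MYSECRET_FILES)))
    print(group_or_world_readable(project_volume(MYSECRET_FILES, default_mode=0o400)))
```

Base64 is reversible by design, so any principal allowed to read the Secret object, and anything that logs or backs up the manifest, has the plaintext; the protection comes from RBAC and, where configured, encryption at rest, not from the encoding. The last two calls show that the 0644 default leaves a projected Secret readable by every uid in the container, and that `defaultMode` (or a per-item `mode`) is what restricts it.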

The default token

Every pod mounts a Secret by default. It contains ca.crt, namespace and token, which together are everything needed to securely access the Kubernetes API server from inside the pod.
Pick any pod and look at it first.

```console
-> [root@kube0.vm] [~] k describe pod config-volume-cm
Name:         config-volume-cm
Namespace:    default
......
    Mounts:
      /tmp/mycm from config (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-5g447 (ro)
......
Volumes:
  ......
  default-token-5g447:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-5g447
    Optional:    false
......
```

Then look at the Secret's details

```console
-> [root@kube0.vm] [~] k describe secrets default-token-5g447
Name:         default-token-5g447
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: bd92a729-ed0a-491d-b600-0f86824ad588

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1....
```

Enabling HTTPS in nginx

Create the private key and certificate

```console
-> [root@kube0.vm] [~/cert] openssl genrsa -out https.key 2048
-> [root@kube0.vm] [~/cert] openssl req -new -x509 -key https.key -out https.cert -days 3650 -subj /CN=www.mysecret.com
```

Create the Secret

Create a Secret of type generic; the other two types are docker-registry and tls.

```console
-> [root@kube0.vm] [~/cert] echo bar > foo    # used later
-> [root@kube0.vm] [~/cert] k create secret generic mysecret --from-file=./
secret/mysecret created
```

Put ssl.conf into a ConfigMap

```nginx
# ssl.conf
server {
    listen 80;
    listen 443 ssl;
    server_name ;
    ssl_certificate     certs/https.cert;
    ssl_certificate_key certs/https.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}
```

```console
-> [root@kube0.vm] [~] k create configmap sslcm --from-file=ssl.conf
configmap/sslcm created
```

Create and inspect

First, the manifest:

```yaml
# https-nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: https-nginx
spec:
  containers:
  - name: https-nginx
    image: nginx:alpine
    env:
    - name: FOO
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: foo
    volumeMounts:
    - name: sslcm
      mountPath: /etc/nginx/conf.d/
      readOnly: true
    - name: mysecret
      mountPath: /etc/nginx/certs/
      readOnly: true
    ports:
    - containerPort: 80
    - containerPort: 443
  volumes:
  - name: sslcm
    configMap:
      name: sslcm
      items:
      - key: ssl.conf
        path: https.conf
  - name: mysecret
    secret:
      secretName: mysecret
```

Create the pod and set up port forwarding

```console
-> [root@kube0.vm] [~] k create -f https-nginx.yaml
pod/https-nginx created
-> [root@kube0.vm] [~] k port-forward https-nginx 443:443
Forwarding from 127.0.0.1:443 -> 443
```

In a new window, send a request

```console
-> [root@kube0.vm] [~] curl -k https://localhost
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
.....
```
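The `ssl.conf` stored in the `sslcm` ConfigMap above enables TLSv1 and TLSv1.1, both deprecated by RFC 8996, and the final `curl -k` disables certificate verification, which is only appropriate for a self-signed test certificate like the one generated here. As an added example (not from this post or from nginx), the Python below audits the `ssl_protocols` directive of such a server block and rewrites it to TLS 1.2/1.3; `SSL_CONF` is a constructed copy of the post's file.

```python
"""Added check, not from the post: audit the TLS protocol setting of an nginx
server block such as ssl.conf above and produce a hardened copy. Only the
ssl_protocols directive is judged here."""
import re

# Constructed copy of the post's ssl.conf (server_name left out).
SSL_CONF = """server {
    listen 80;
    listen 443 ssl;
    ssl_certificate     certs/https.cert;
    ssl_certificate_key certs/https.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}
"""

# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2/SSLv3 long before that.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
RECOMMENDED = "TLSv1.2 TLSv1.3"

# one match per ssl_protocols line: (indentation, protocol list)
PROTOCOLS = re.compile(r"^([ \t]*)ssl_protocols[ \t]+([^;]+);", re.M)


def audit(conf: str) -> list:
    """Return one finding per problem; an empty list means the check passed."""
    findings = []
    matches = PROTOCOLS.findall(conf)
    if not matches:
        findings.append("no ssl_protocols directive: the nginx version's default set applies")
    for _, value in matches:
        bad = [p for p in value.split() if p in DEPRECATED]
        if bad:
            findings.append("ssl_protocols enables deprecated " + ", ".join(bad))
    return findings


def harden(conf: str) -> str:
    """Rewrite every ssl_protocols line to the recommended set, keeping indentation."""
    return PROTOCOLS.sub(lambda m: f"{m.group(1)}ssl_protocols {RECOMMENDED};", conf)


if __name__ == "__main__":
    for finding in audit(SSL_CONF):
        print("finding:", finding)
    print(harden(SSL_CONF))
```

The hardened text can be written back into the ConfigMap the same way the original was created; because the pod reads it from a volume, the change reaches the container without rebuilding the image.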

Copyright notice: unless otherwise stated, all articles are original to this site.

When reproducing, cite the source: https://www.heiqu.com/wpyfyx.html