Ch13 ConfigMaps and Secrets

The focus is on letting a single image be reused across different stages, and even different applications, without rebuilding the image.

It is a good practice to make container images as reusable as possible. The same image should be able to be used for development, staging, and production. It is even better if the same image is general-purpose enough to be used across applications and services.



ConfigMaps



The ConfigMap is combined with the Pod right before it runs.

The key thing is that the ConfigMap is combined with the Pod right before it is run. This means that the container image and the Pod definition itself can be reused across many apps by just changing the ConfigMap that is used.



Creating a ConfigMap



It just creates key-value pairs.

Using a ConfigMap


  • Filesystem
    Mounted into the Pod as a directory; each key becomes a file name and the file's contents are the value.
  • Environment variables
    Environment variables set dynamically from the ConfigMap.
  • Command-line arguments
    Values passed dynamically as command-line arguments.

  • Secrets




    Note

    Anyone with k8s admin rights can read every secret. Newer versions of K8s support encrypted storage backed by a cloud key store, which improves security.

    By default, Kubernetes secrets are stored in plain text in the etcd storage for the cluster. Depending on your requirements, this may not be sufficient security for you. In particular, anyone who has cluster administration rights in your cluster will be able to read all of the secrets in the cluster. In recent versions of Kubernetes, support has been added for encrypting the secrets with a user-supplied key, generally integrated into a cloud key store. Additionally, most cloud key stores have integration with Kubernetes flexible volumes, enabling you to skip Kubernetes secrets entirely and rely exclusively on the cloud provider's key store. All of these options should provide you with sufficient tools to craft a security profile that suits your needs.




    Creating Secrets




    $ kubectl create secret generic kuard-tls \
    --from-file=kuard.crt \
    --from-file=kuard.key
    



    $ kubectl describe secrets kuard-tls
    Name:         kuard-tls
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    
    Type:         Opaque
    
    Data
    ====
    kuard.crt:    1050 bytes
    kuard.key:    1679 bytes
    


    Consuming Secrets



    Secrets Volumes

    Secrets volumes are managed by the kubelet and created when the Pod is created; the secrets live on tmpfs volumes and are never written to the node's disk.

    Secret data can be exposed to Pods using the secrets volume type. Secrets volumes are managed by the kubelet and are created at Pod creation time. Secrets are stored on tmpfs volumes (aka RAM disks), and as such are not written to disk on nodes.



    Private Docker Registries



    K8s provides an additional way to handle the credentials needed for docker pull.

    $ k create secret --help
    Create a secret using specified subcommand.
    
    Available Commands:
      docker-registry Create a secret for use with a Docker registry
      generic         Create a secret from a local file, directory or literal value
      tls             Create a TLS secret
    
    Usage:
      kubectl create secret [flags] [options]
    
    



    kubectl create secret docker-registry my-image-pull-secret \
    --docker-username=<username> \
    --docker-password=<password> \
    --docker-email=<email-address>
    


    Naming Constraints



    ConfigMaps are stored as UTF-8; as of K8s 1.6, a ConfigMap cannot store binary data.

    Secrets are base64-encoded and therefore support binary data.

    A ConfigMap or Secret must not exceed 1MB.

    ConfigMap data values are simple UTF-8 text specified directly in the manifest. As of Kubernetes 1.6, ConfigMaps are unable to store binary data. Secret data values hold arbitrary data encoded using base64. The use of base64 encoding makes it possible to store binary data. This does, however, make it more difficult to manage secrets that are stored in YAML files as the base64-encoded value must be put in the YAML. Note that the maximum size for a ConfigMap or secret is 1 MB.



    Managing ConfigMaps and Secrets



    When a ConfigMap/secret is updated, it is pushed directly and automatically to the volumes that are currently using it. But at present there is no built-in feature that sends a signal to notify the application; it is entirely up to how the program is implemented to decide when to apply the new settings.

    Once a ConfigMap or secret is updated using the API, it’ll be automatically pushed to all volumes that use that ConfigMap or secret. It may take a few seconds, but the file listing and contents of the files, as seen by kuard, will be updated with these new values. Using this live update feature you can update the configuration of applications without restarting them.

    Currently there is no built-in way to signal an application when a new version of a ConfigMap is deployed. It is up to the application (or some helper script) to look for the config files to change and reload them.
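    The helper-script approach mentioned above, as an added example that is not from the book or this post: a Python poller that hashes the key files of a mounted ConfigMap or secret volume and calls a reload callback when any key changes, without ever logging the secret values themselves. It assumes the volume is mounted at a directory such as /etc/config (hypothetical path) and that the kubelet's bookkeeping entries there start with '..'; demo() simulates an update in a temporary directory with constructed data.

```python
import hashlib
import os
import tempfile
from typing import Callable, Dict, List, Set

def snapshot(mount_dir: str) -> Dict[str, str]:
    """Return {key: sha256(value)} for each key file in the mount. Entries
    starting with '.' (the kubelet's '..data' symlink bookkeeping, assumed
    layout) are skipped; only digests are kept so secret values never leak."""
    digests = {}
    for name in sorted(os.listdir(mount_dir)):
        path = os.path.join(mount_dir, name)
        if name.startswith(".") or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:  # key files may be symlinks; isfile follows them
            digests[name] = hashlib.sha256(fh.read()).hexdigest()
    return digests

class ConfigReloader:
    """Polls a mounted ConfigMap/Secret and calls on_reload(changed_keys)."""

    def __init__(self, mount_dir: str, on_reload: Callable[[Set[str]], None]):
        self.mount_dir = mount_dir
        self.on_reload = on_reload
        self.current = snapshot(mount_dir)

    def check(self) -> Set[str]:
        """Diff against the last snapshot; fire on_reload if any key changed."""
        latest = snapshot(self.mount_dir)
        changed = {k for k in set(latest) | set(self.current)
                   if latest.get(k) != self.current.get(k)}
        if changed:
            self.current = latest
            self.on_reload(changed)
        return changed

def demo() -> List[Set[str]]:
    """Simulate one kubelet push into a temporary 'mount' using constructed
    data (not a real Pod) and return the reload events observed."""
    mount = tempfile.mkdtemp()
    with open(os.path.join(mount, "kuard.crt"), "w") as fh:
        fh.write("-----BEGIN CERTIFICATE----- v1\n")
    events: List[Set[str]] = []
    reloader = ConfigReloader(mount, events.append)
    reloader.check()  # nothing changed yet: no event
    with open(os.path.join(mount, "kuard.crt"), "w") as fh:
        fh.write("-----BEGIN CERTIFICATE----- v2\n")  # rotated certificate
    reloader.check()  # fires on_reload({'kuard.crt'})
    return events
```

    In a real Pod, call check() from a periodic loop or a thread and have on_reload re-read the affected files, since the kubelet replaces the whole directory atomically rather than signalling the process.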
