함께 배우는 ConfigMap 및 Secret
ConfigMap 및 Secret
환경
192.168.48.101 master01
192.168.48.201 node01
192.168.48.202 node02
ConfigMap
많은 애플리케이션은 설정 파일, 명령행 인자, 환경 변수에서 설정 정보를 읽는다. ConfigMap은 매우 중요한 리소스 오브젝트이다.
명령으로 생성
Examples:
# Create a new configmap named my-config based on folder bar
kubectl create configmap my-config --from-file=path/to/bar
# Create a new configmap named my-config with specified keys instead of file basenames on disk
kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt
# Create a new configmap named my-config with key1=config1 and key2=config2
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
키 값 형식
[root@master ~]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.magedu.com
configmap/nginx-config created
[root@master ~]# kubectl get cm
NAME DATA AGE
demo-config 3 13d
nginx-config 2 7s
[root@master ~]# kubectl describe cm nginx-config
Name: nginx-config
Namespace: default
Labels:
Annotations:
Data
====
nginx_port:
----
80
server_name:
----
myapp.magedu.com
Events:
파일 형식
[root@master ~]# vim www.conf
server {
server_name myapp.magedu.com;
listen 80;
root /usr/share/nginx/html;
}
[root@master ~]# kubectl create configmap nginx-www --from-file=www.conf
configmap/nginx-www created
[root@master ~]# kubectl get cm
NAME DATA AGE
demo-config 3 13d
nginx-config 2 3m38s
nginx-www 1 5s
[root@master ~]# kubectl describe cm nginx-www
Name: nginx-www
Namespace: default
Labels:
Annotations:
Data
====
www.conf:
----
server {
server_name myapp.magedu.com;
listen 80;
root /usr/share/nginx/html;
}
Events:
yaml 파일 생성
# ConfigMap "cm-demo" in the default namespace: two single-line entries
# (data.1, data.2) and one multi-line entry (config) written as a block scalar.
# ConfigMap values are stored and displayed as plain text (see the
# `kubectl describe cm` output on this page), so nothing sensitive belongs here.
# NOTE(review): this listing lost its indentation when the page was extracted;
# in a real manifest name/namespace nest under metadata, the keys nest under
# data, and the three property lines are indented under `config: |`.
kind: ConfigMap
apiVersion: v1
metadata:
name: cm-demo
namespace: default
data:
data.1: hello
data.2: world
config: |
property.1=value-1
property.2=value-2
property.3=value-3
env 방식으로 ConfigMap 마운트
vim myapp-pod-cm.yaml
# Pod "myapp-pod-cm": one container whose environment is filled from the
# ConfigMap "nginx-config".
# NOTE(review): indentation was lost in extraction; re-indent before applying.
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod-cm
namespace: default
labels:
app: myapp
type: pod
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- name: http
containerPort: 80
env:
# NGINX_SERVER_PORT takes the value of key "nginx_port" in nginx-config.
- name: NGINX_SERVER_PORT
valueFrom:
configMapKeyRef:
name: nginx-config
key: nginx_port
# NGINX_SERVER_NAME takes the value of key "server_name" in nginx-config.
- name: NGINX_SERVER_NAME
valueFrom:
configMapKeyRef:
name: nginx-config
key: server_name
테스트[root@master pod_yaml]# kubectl apply -f myapp-pod-cm.yaml
pod/myapp-pod-cm created
[root@master pod_yaml]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
demo-deploy-8675c97685-vhncn 1/1 Running 0 13d 10.244.2.5 node02
demo-deploy-8675c97685-w7md2 1/1 Running 0 13d 10.244.1.5 node01
demo-pod 1/2 Running 9 13d 10.244.2.4 node02
myapp-nfs-pvc 1/1 Running 0 7h7m 10.244.1.11 node01
myapp-pod-cm 1/1 Running 0 15s 10.244.1.14 node01
nfs-client-provisioner-7fbb54945f-8rbcb 1/1 Running 0 5h17m 10.244.2.7 node02
nfs-web-0 1/1 Running 0 4h58m 10.244.1.13 node01
nfs-web-1 1/1 Running 0 4h58m 10.244.2.8 node02
nfs-web-2 1/1 Running 0 4h57m 10.244.2.9 node02
test-pod 1/1 Running 0 5h10m 10.244.1.12 node01
[root@master pod_yaml]# kubectl exec myapp-pod-cm -it -- /bin/sh
/ # printenv
MYAPP_SVC_NODEPORT_SERVICE_HOST=10.106.106.242
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
MYAPP_SVC_CLUSTERIP_SERVICE_HOST=10.98.148.121
MYAPP_SVC_PORT_80_TCP_PORT=80
HOSTNAME=myapp-pod-cm
SHLVL=1
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
HOME=/root
MYAPP_SVC_NODEPORT_PORT=tcp://10.106.106.242:80
MYAPP_SVC_NODEPORT_SERVICE_PORT=80
MYAPP_SVC_CLUSTERIP_SERVICE_PORT=80
MYAPP_SVC_CLUSTERIP_PORT=tcp://10.98.148.121:80
NGINX_SERVER_PORT=80
NGINX_SERVER_NAME=myapp.magedu.com
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_NODEPORT_PORT_80_TCP_ADDR=10.106.106.242
MYAPP_SVC_CLUSTERIP_PORT_80_TCP_ADDR=10.98.148.121
MYAPP_SVC_NODEPORT_PORT_80_TCP_PORT=80
MYAPP_SVC_NODEPORT_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_CLUSTERIP_PORT_80_TCP_PORT=80
TERM=xterm
NGINX_VERSION=1.12.2
MYAPP_SVC_CLUSTERIP_PORT_80_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
MYAPP_SVC_NODEPORT_PORT_80_TCP=tcp://10.106.106.242:80
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_CLUSTERIP_PORT_80_TCP=tcp://10.98.148.121:80
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
PWD=/
KUBERNETES_SERVICE_HOST=10.96.0.1
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT=tcp://10.98.57.156:80
configmap을 저장소 볼륨으로 마운트
vim myapp-pod-cm-volume.yaml
# Pod "myapp-pod-cm-volume": mounts the ConfigMap "nginx-config" as a volume.
# Each ConfigMap key becomes a file in the mount directory; the `ls` output on
# this page shows nginx_port and server_name under /etc/nginx/config.d.
# NOTE(review): indentation was lost in extraction; re-indent before applying.
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod-cm-volume
namespace: default
labels:
app: myapp
type: pod
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- name: http
containerPort: 80
volumeMounts:
- name: nginxconf
mountPath: /etc/nginx/config.d
# Mounted read-only, so the container cannot modify the projected files.
readOnly: true
volumes:
# Volume "nginxconf" is backed by the ConfigMap named below.
- name: nginxconf
configMap:
name: nginx-config
[root@master pod_yaml]# kubectl apply -f myapp-pod-cm-volume.yaml
pod/myapp-pod-cm-volume created
[root@master pod_yaml]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
demo-deploy-8675c97685-vhncn 1/1 Running 0 13d 10.244.2.5 node02
demo-deploy-8675c97685-w7md2 1/1 Running 0 13d 10.244.1.5 node01
demo-pod 1/2 Running 9 13d 10.244.2.4 node02
myapp-nfs-pvc 1/1 Running 0 7h16m 10.244.1.11 node01
myapp-pod-cm 1/1 Running 0 8m41s 10.244.1.14 node01
myapp-pod-cm-volume 1/1 Running 0 7s 10.244.1.15 node01
nfs-client-provisioner-7fbb54945f-8rbcb 1/1 Running 0 5h26m 10.244.2.7 node02
nfs-web-0 1/1 Running 0 5h6m 10.244.1.13 node01
nfs-web-1 1/1 Running 0 5h6m 10.244.2.8 node02
nfs-web-2 1/1 Running 0 5h6m 10.244.2.9 node02
test-pod 1/1 Running 0 5h18m 10.244.1.12 node01
[root@master pod_yaml]# kubectl exec myapp-pod-cm-volume -it -- /bin/sh
/ # cd /etc/nginx/config.d/
/etc/nginx/config.d # ls
nginx_port server_name
/etc/nginx/config.d # cat nginx_port
80
/etc/nginx/config.d # cat server_name
myapp.magedu.com
Secret
일반적으로 ConfigMap은 민감하지 않은 설정 정보를 저장하는 데 쓰인다. 보안과 관련된 데이터라면 ConfigMap을 사용하는 것은 매우 부적절하다. ConfigMap은 값을 평문으로 저장하기 때문이다. 이때는 다른 리소스 오브젝트인 Secret을 사용해야 한다. Secret은 민감한 정보를 저장하는 데 사용한다. 예를 들어 비밀번호, OAuth 토큰, ssh 키 등이다. 이 정보를 Pod의 정의나 docker 이미지에 넣는 것보다 Secret에 넣는 것이 더 안전하고 유연하다.
Secret에는 세 가지 유형이 있습니다.
192.168.48.101 master01
192.168.48.201 node01
192.168.48.202 node02
많은 애플리케이션은 설정 파일, 명령행 인자, 환경 변수에서 설정 정보를 읽는다. ConfigMap은 매우 중요한 리소스 오브젝트이다.
명령으로 생성
Examples:
# Create a new configmap named my-config based on folder bar
kubectl create configmap my-config --from-file=path/to/bar
# Create a new configmap named my-config with specified keys instead of file basenames on disk
kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt
# Create a new configmap named my-config with key1=config1 and key2=config2
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
키 값 형식
[root@master ~]# kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.magedu.com
configmap/nginx-config created
[root@master ~]# kubectl get cm
NAME DATA AGE
demo-config 3 13d
nginx-config 2 7s
[root@master ~]# kubectl describe cm nginx-config
Name: nginx-config
Namespace: default
Labels:
Annotations:
Data
====
nginx_port:
----
80
server_name:
----
myapp.magedu.com
Events:
파일 형식
[root@master ~]# vim www.conf
server {
server_name myapp.magedu.com;
listen 80;
root /usr/share/nginx/html;
}
[root@master ~]# kubectl create configmap nginx-www --from-file=www.conf
configmap/nginx-www created
[root@master ~]# kubectl get cm
NAME DATA AGE
demo-config 3 13d
nginx-config 2 3m38s
nginx-www 1 5s
[root@master ~]# kubectl describe cm nginx-www
Name: nginx-www
Namespace: default
Labels:
Annotations:
Data
====
www.conf:
----
server {
server_name myapp.magedu.com;
listen 80;
root /usr/share/nginx/html;
}
Events:
yaml 파일 생성
# ConfigMap "cm-demo" in the default namespace: two single-line entries
# (data.1, data.2) and one multi-line entry (config) written as a block scalar.
# ConfigMap values are stored and displayed as plain text (see the
# `kubectl describe cm` output on this page), so nothing sensitive belongs here.
# NOTE(review): this listing lost its indentation when the page was extracted;
# in a real manifest name/namespace nest under metadata, the keys nest under
# data, and the three property lines are indented under `config: |`.
kind: ConfigMap
apiVersion: v1
metadata:
name: cm-demo
namespace: default
data:
data.1: hello
data.2: world
config: |
property.1=value-1
property.2=value-2
property.3=value-3
env 방식으로 ConfigMap 마운트
vim myapp-pod-cm.yaml
# Pod "myapp-pod-cm": one container whose environment is filled from the
# ConfigMap "nginx-config".
# NOTE(review): indentation was lost in extraction; re-indent before applying.
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod-cm
namespace: default
labels:
app: myapp
type: pod
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- name: http
containerPort: 80
env:
# NGINX_SERVER_PORT takes the value of key "nginx_port" in nginx-config.
- name: NGINX_SERVER_PORT
valueFrom:
configMapKeyRef:
name: nginx-config
key: nginx_port
# NGINX_SERVER_NAME takes the value of key "server_name" in nginx-config.
- name: NGINX_SERVER_NAME
valueFrom:
configMapKeyRef:
name: nginx-config
key: server_name
테스트
[root@master pod_yaml]# kubectl apply -f myapp-pod-cm.yaml
pod/myapp-pod-cm created
[root@master pod_yaml]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
demo-deploy-8675c97685-vhncn 1/1 Running 0 13d 10.244.2.5 node02
demo-deploy-8675c97685-w7md2 1/1 Running 0 13d 10.244.1.5 node01
demo-pod 1/2 Running 9 13d 10.244.2.4 node02
myapp-nfs-pvc 1/1 Running 0 7h7m 10.244.1.11 node01
myapp-pod-cm 1/1 Running 0 15s 10.244.1.14 node01
nfs-client-provisioner-7fbb54945f-8rbcb 1/1 Running 0 5h17m 10.244.2.7 node02
nfs-web-0 1/1 Running 0 4h58m 10.244.1.13 node01
nfs-web-1 1/1 Running 0 4h58m 10.244.2.8 node02
nfs-web-2 1/1 Running 0 4h57m 10.244.2.9 node02
test-pod 1/1 Running 0 5h10m 10.244.1.12 node01
[root@master pod_yaml]# kubectl exec myapp-pod-cm -it -- /bin/sh
/ # printenv
MYAPP_SVC_NODEPORT_SERVICE_HOST=10.106.106.242
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
MYAPP_SVC_CLUSTERIP_SERVICE_HOST=10.98.148.121
MYAPP_SVC_PORT_80_TCP_PORT=80
HOSTNAME=myapp-pod-cm
SHLVL=1
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
HOME=/root
MYAPP_SVC_NODEPORT_PORT=tcp://10.106.106.242:80
MYAPP_SVC_NODEPORT_SERVICE_PORT=80
MYAPP_SVC_CLUSTERIP_SERVICE_PORT=80
MYAPP_SVC_CLUSTERIP_PORT=tcp://10.98.148.121:80
NGINX_SERVER_PORT=80
NGINX_SERVER_NAME=myapp.magedu.com
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_NODEPORT_PORT_80_TCP_ADDR=10.106.106.242
MYAPP_SVC_CLUSTERIP_PORT_80_TCP_ADDR=10.98.148.121
MYAPP_SVC_NODEPORT_PORT_80_TCP_PORT=80
MYAPP_SVC_NODEPORT_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_CLUSTERIP_PORT_80_TCP_PORT=80
TERM=xterm
NGINX_VERSION=1.12.2
MYAPP_SVC_CLUSTERIP_PORT_80_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
MYAPP_SVC_NODEPORT_PORT_80_TCP=tcp://10.106.106.242:80
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_CLUSTERIP_PORT_80_TCP=tcp://10.98.148.121:80
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
PWD=/
KUBERNETES_SERVICE_HOST=10.96.0.1
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT=tcp://10.98.57.156:80
configmap을 저장소 볼륨으로 마운트
vim myapp-pod-cm-volume.yaml
# Pod "myapp-pod-cm-volume": mounts the ConfigMap "nginx-config" as a volume.
# Each ConfigMap key becomes a file in the mount directory; the `ls` output on
# this page shows nginx_port and server_name under /etc/nginx/config.d.
# NOTE(review): indentation was lost in extraction; re-indent before applying.
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod-cm-volume
namespace: default
labels:
app: myapp
type: pod
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- name: http
containerPort: 80
volumeMounts:
- name: nginxconf
mountPath: /etc/nginx/config.d
# Mounted read-only, so the container cannot modify the projected files.
readOnly: true
volumes:
# Volume "nginxconf" is backed by the ConfigMap named below.
- name: nginxconf
configMap:
name: nginx-config
[root@master pod_yaml]# kubectl apply -f myapp-pod-cm-volume.yaml
pod/myapp-pod-cm-volume created
[root@master pod_yaml]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
demo-deploy-8675c97685-vhncn 1/1 Running 0 13d 10.244.2.5 node02
demo-deploy-8675c97685-w7md2 1/1 Running 0 13d 10.244.1.5 node01
demo-pod 1/2 Running 9 13d 10.244.2.4 node02
myapp-nfs-pvc 1/1 Running 0 7h16m 10.244.1.11 node01
myapp-pod-cm 1/1 Running 0 8m41s 10.244.1.14 node01
myapp-pod-cm-volume 1/1 Running 0 7s 10.244.1.15 node01
nfs-client-provisioner-7fbb54945f-8rbcb 1/1 Running 0 5h26m 10.244.2.7 node02
nfs-web-0 1/1 Running 0 5h6m 10.244.1.13 node01
nfs-web-1 1/1 Running 0 5h6m 10.244.2.8 node02
nfs-web-2 1/1 Running 0 5h6m 10.244.2.9 node02
test-pod 1/1 Running 0 5h18m 10.244.1.12 node01
[root@master pod_yaml]# kubectl exec myapp-pod-cm-volume -it -- /bin/sh
/ # cd /etc/nginx/config.d/
/etc/nginx/config.d # ls
nginx_port server_name
/etc/nginx/config.d # cat nginx_port
80
/etc/nginx/config.d # cat server_name
myapp.magedu.com
Secret
일반적으로 ConfigMap은 민감하지 않은 설정 정보를 저장하는 데 쓰인다. 보안과 관련된 데이터라면 ConfigMap을 사용하는 것은 매우 부적절하다. ConfigMap은 값을 평문으로 저장하기 때문이다. 이때는 다른 리소스 오브젝트인 Secret을 사용해야 한다. Secret은 민감한 정보를 저장하는 데 사용한다. 예를 들어 비밀번호, OAuth 토큰, ssh 키 등이다. 이 정보를 Pod의 정의나 docker 이미지에 넣는 것보다 Secret에 넣는 것이 더 안전하고 유연하다.
Secret에는 세 가지 유형이 있습니다.
serviceaccount가 참조하는 데 사용되며, 서비스 계정(serviceaccount)이 생성될 때 Kubernetes는 기본적으로 대응하는 Secret을 생성합니다. Pod에서 서비스 계정을 사용하면 해당 Secret이 Pod의 /run/secrets/kubernetes.io/serviceaccount 디렉터리에 자동으로 마운트됩니다.
Opaque Secret
Opaque 유형의 데이터는 map 형식이며, value는 base64 인코딩 형식이어야 합니다. base64는 인코딩일 뿐 암호화가 아니므로, Secret을 읽을 수 있는 사람은 아래의 `base64 -d` 예시처럼 원래 값을 그대로 복원할 수 있습니다. 예를 들어 사용자 이름은 admin이고 비밀번호는 admin321인 Secret 오브젝트를 만듭니다. 우선 이 사용자 이름과 비밀번호를 base64로 인코딩합니다.
명령으로 생성
[root@master ~]# kubectl create secret generic mysql-root --from-literal=username=admin --from-literal=password=admin321
secret/mysql-root created
[root@master ~]# kubectl get secret
NAME TYPE DATA AGE
default-token-f9699 kubernetes.io/service-account-token 3 13d
demo-secret Opaque 1 13d
mysql-root Opaque 2 14s
nfs-client-provisioner-token-q5h6t kubernetes.io/service-account-token 3 5h51m
[root@master ~]# kubectl describe secrets mysql-root
Name: mysql-root
Namespace: default
Labels:
Annotations:
Type: Opaque
Data
====
password: 8 bytes
username: 5 bytes
yaml 파일 생성
[root@master ~]# echo -n "admin321" | base64
YWRtaW4zMjE=
[root@master ~]# echo -n "admin" | base64
YWRtaW4=
[root@master ~]# vim mysql-root-secret.yaml
# Opaque Secret named "mysecret" with two keys, username and password.
# The values under `data` are the base64 strings produced by the
# `echo -n ... | base64` commands shown just above on this page.
# base64 is a reversible encoding, not encryption: the same page decodes both
# values with `base64 -d`. Treat this file as a plaintext credential and keep
# it out of version control and shared storage.
# NOTE(review): the file is saved as mysql-root-secret.yaml but the object is
# named "mysecret"; it is a separate object from the "mysql-root" Secret
# created with `kubectl create secret generic` earlier on the page.
# NOTE(review): indentation was lost in extraction; re-indent before applying.
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4=
password: YWRtaW4zMjE=
[root@master ~]# kubectl get secrets
NAME TYPE DATA AGE
default-token-f9699 kubernetes.io/service-account-token 3 13d
demo-secret Opaque 1 13d
mysecret Opaque 2 4m46s
mysql-root Opaque 2 9m51s
nfs-client-provisioner-token-q5h6t kubernetes.io/service-account-token 3 6h
[root@master ~]# kubectl describe secrets mysecret
Name: mysecret
Namespace: default
Labels:
Annotations:
Type: Opaque
Data
====
password: 8 bytes
username: 5 bytes
[root@master ~]# kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
password: YWRtaW4zMjE=
username: YWRtaW4=
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"password":"YWRtaW4zMjE=","username":"YWRtaW4="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"type":"Opaque"}
creationTimestamp: "2019-04-13T14:36:50Z"
name: mysecret
namespace: default
resourceVersion: "93037"
selfLink: /api/v1/namespaces/default/secrets/mysecret
uid: 92c96158-5df9-11e9-8bc6-000c296cdc6e
type: Opaque
[root@master ~]# echo "YWRtaW4zMjE=" | base64 -d
admin321[root@master ~]# echo "YWRtaW4=" | base64 -d
admin[root@master ~]#
env 마운트
vim secret1-pod.yaml
# Pod "secret1-pod": exposes the two keys of Secret "mysecret" to the
# container as the environment variables USERNAME and PASSWORD.
# NOTE(review): indentation was lost in extraction; re-indent before applying.
apiVersion: v1
kind: Pod
metadata:
name: secret1-pod
spec:
containers:
- name: secret1
image: busybox:latest
imagePullPolicy: IfNotPresent
# Demo only: `env` prints the whole environment to stdout, so the decoded
# secret values end up in the container log. The `kubectl logs secret1-pod`
# output on this page shows USERNAME=admin and PASSWORD=admin321 in clear text,
# readable by anyone allowed to read this pod's logs.
# The command exits immediately; the page later shows the pod going from
# Completed to CrashLoopBackOff (presumably the default restart policy — confirm).
command: [ "/bin/sh", "-c", "env" ]
env:
# USERNAME <- key "username" of Secret "mysecret".
- name: USERNAME
valueFrom:
secretKeyRef:
name: mysecret
key: username
# PASSWORD <- key "password" of Secret "mysecret".
- name: PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password
[root@master ~]# kubectl apply -f secret1-pod.yaml
[root@master ~]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
demo-deploy-8675c97685-vhncn 1/1 Running 0 13d 10.244.2.5 node02
demo-deploy-8675c97685-w7md2 1/1 Running 0 13d 10.244.1.5 node01
demo-pod 1/2 Running 9 13d 10.244.2.4 node02
myapp-nfs-pvc 1/1 Running 0 7h58m 10.244.1.11 node01
myapp-pod-cm 1/1 Running 0 51m 10.244.1.14 node01
myapp-pod-cm-volume 1/1 Running 0 42m 10.244.1.15 node01
nfs-client-provisioner-7fbb54945f-8rbcb 1/1 Running 0 6h8m 10.244.2.7 node02
nfs-web-0 1/1 Running 0 5h49m 10.244.1.13 node01
nfs-web-1 1/1 Running 0 5h49m 10.244.2.8 node02
nfs-web-2 1/1 Running 0 5h48m 10.244.2.9 node02
secret1-pod 0/1 Completed 2 26s 10.244.2.10 node02
test-pod 1/1 Running 0 6h1m 10.244.1.12 node01
[root@master ~]# kubectl logs secret1-pod
MYAPP_SVC_NODEPORT_SERVICE_HOST=10.106.106.242
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
MYAPP_SVC_CLUSTERIP_SERVICE_HOST=10.98.148.121
HOSTNAME=secret1-pod
SHLVL=1
HOME=/root
MYAPP_SVC_NODEPORT_PORT=tcp://10.106.106.242:80
MYAPP_SVC_NODEPORT_SERVICE_PORT=80
MYAPP_SVC_CLUSTERIP_PORT=tcp://10.98.148.121:80
MYAPP_SVC_CLUSTERIP_SERVICE_PORT=80
MYAPP_SVC_NODEPORT_PORT_80_TCP_ADDR=10.106.106.242
MYAPP_SVC_CLUSTERIP_PORT_80_TCP_ADDR=10.98.148.121
MYAPP_SVC_NODEPORT_PORT_80_TCP_PORT=80
MYAPP_SVC_NODEPORT_PORT_80_TCP_PROTO=tcp
USERNAME=admin
MYAPP_SVC_CLUSTERIP_PORT_80_TCP_PORT=80
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
MYAPP_SVC_CLUSTERIP_PORT_80_TCP_PROTO=tcp
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
MYAPP_SVC_NODEPORT_PORT_80_TCP=tcp://10.106.106.242:80
MYAPP_SVC_CLUSTERIP_PORT_80_TCP=tcp://10.98.148.121:80
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
PASSWORD=admin321
Volume 마운트
vim secret2-pod.yaml
# Pod "secret2-pod": mounts Secret "mysecret" as a volume at /etc/secrets.
# Each key of the Secret appears as a file there; the `kubectl logs` output on
# this page lists "password" and "username".
# NOTE(review): indentation was lost in extraction; re-indent before applying.
apiVersion: v1
kind: Pod
metadata:
name: secret2-pod
spec:
containers:
- name: secret2
image: busybox:latest
imagePullPolicy: IfNotPresent
# Lists only the file names, so the secret values do not reach the log here
# (unlike the env-based example on this page, which prints them).
command: ["/bin/sh", "-c", "ls /etc/secrets"]
volumeMounts:
# NOTE(review): no readOnly flag is set on this mount, unlike the ConfigMap
# volume example on this page; consider adding `readOnly: true`.
- name: secrets
mountPath: /etc/secrets
volumes:
# Volume "secrets" is backed by the Secret named below.
- name: secrets
secret:
secretName: mysecret
[root@master01 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
demo-deploy-8675c97685-vhncn 1/1 Running 0 13d
demo-deploy-8675c97685-w7md2 1/1 Running 0 13d
demo-pod 1/2 Running 9 13d
myapp-nfs-pvc 1/1 Running 0 8h
myapp-pod-cm 1/1 Running 0 56m
myapp-pod-cm-volume 1/1 Running 0 47m
nfs-client-provisioner-7fbb54945f-8rbcb 1/1 Running 0 6h13m
nfs-web-0 1/1 Running 0 5h54m
nfs-web-1 1/1 Running 0 5h54m
nfs-web-2 1/1 Running 0 5h53m
secret1-pod 0/1 CrashLoopBackOff 5 5m22s
secret2-pod 0/1 Completed 2 18s
test-pod 1/1 Running 0 6h6m
[root@master01 ~]# kubectl logs secret2-pod
password
username
kubernetes.io/service-account-token
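또 다른 유형의 Secret은 kubernetes.io/service-account-token으로, serviceaccount가 참조하는 데 사용된다. 서비스 계정을 만들 때 Kubernetes는 기본적으로 대응하는 Secret을 만듭니다. Pod에서 서비스 계정을 사용하면 해당 Secret은 자동으로 Pod의 /var/run/secrets/kubernetes.io/serviceaccount 디렉터리에 마운트됩니다. 이 디렉터리의 token 파일은 API 서버에 인증하는 데 쓰이는 자격 증명이므로 비밀번호와 똑같이 취급해야 하며, API 접근이 필요 없는 Pod는 automountServiceAccountToken: false로 자동 마운트를 끌 수 있습니다.
[root@master01 ~]# kubectl get pod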
NAME READY STATUS RESTARTS AGE
demo-deploy-8675c97685-vhncn 1/1 Running 0 13d
demo-deploy-8675c97685-w7md2 1/1 Running 0 13d
demo-pod 1/2 Running 9 13d
myapp-nfs-pvc 1/1 Running 0 8h
myapp-pod-cm 1/1 Running 0 60m
myapp-pod-cm-volume 1/1 Running 0 52m
nfs-client-provisioner-7fbb54945f-8rbcb 1/1 Running 0 6h18m
nfs-web-0 1/1 Running 0 5h58m
nfs-web-1 1/1 Running 0 5h58m
nfs-web-2 1/1 Running 0 5h58m
secret1-pod 0/1 CrashLoopBackOff 6 9m47s
secret2-pod 0/1 CrashLoopBackOff 5 4m43s
test-pod 1/1 Running 0 6h10m
[root@master01 ~]# kubectl describe pod demo-pod
Name: demo-pod
Namespace: default
Priority: 0
PriorityClassName:
Node: node02/192.168.48.202
Start Time: Sun, 31 Mar 2019 12:53:32 +0800
Labels: app=myapp
type=pod
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"app":"myapp","type":"pod"},"name":"demo-pod","namespace":"default"...
Status: Running
IP: 10.244.2.4
Containers:
myapp:
Container ID: docker://83ae7929a8c83e907a8d445a44d4bc254942b83332cdc63044b2793f85a6658d
Image: ikubernetes/myapp:v1
Image ID: docker-pullable://ikubernetes/myapp@sha256:9c3dc30b5219788b2b8a4b065f548b922a34479577befb54b03330999d30d513
Port: 80/TCP
Host Port: 0/TCP
State: Running
Started: Sun, 31 Mar 2019 12:53:33 +0800
Ready: True
Restart Count: 0
Environment:
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-f9699 (ro)
busybox:
Container ID: docker://75a994741b6583346519394a01701f9a444cfe5283ff78da2b818cf22c54cab3
Image: busybox:latest
Image ID: docker-pullable://busybox@sha256:954e1f01e80ce09d0887ff6ea10b13a812cb01932a0781d6b0cc23f743a874fd
Port:
Host Port:
Command:
/bin/sh
-c
mkdir -p /usr/share/nginx/html; echo $(date) >> /usr/share/nginx/html/test.html;sleep 3600
State: Terminated
Reason: Completed
Exit Code: 0
Started: Sat, 13 Apr 2019 18:54:24 +0800
Finished: Sat, 13 Apr 2019 19:54:24 +0800
Last State: Terminated
Reason: Completed
Exit Code: 0
Started: Sat, 13 Apr 2019 17:54:02 +0800
Finished: Sat, 13 Apr 2019 18:54:02 +0800
Ready: False
Restart Count: 9
Environment:
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-f9699 (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
default-token-f9699:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-f9699
Optional: false
QoS Class: BestEffort
Node-Selectors:
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
[root@master01 ~]# kubectl exec demo-pod ls /var/run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
[root@master01 ~]# kubectl exec demo-pod cat /var/run/secrets/kubernetes.io/serviceaccount/token
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tZjk2OTkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjhkN2RhOWMwLTUzMWQtMTFlOS04NmVhLTAwMGMyOTZjZGM2ZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.VwxzFq7N1UHBDaPxkrELrnnUYsMvFbQIaz18XdYlryYWGIMAvQ3NzSKqrNka2Ydk1joh9RLA-XIyCa1I2jREpkcKZqeVjE5KQ9wURbjRQEhVTfUG3tw8NQomO_f41M5c1TGq5OrD7AvBfeS96OQnArEdzJwNQCK1guhp2jhoyiHQBdRCoYvjlOnHkUznZ2VT8_IQ7D7cVbkSNvneHqXcCYhpdtGa
kubernetes.io/dockerconfigjson
위의 Opaque 유형 외에, docker registry 인증에 사용하는 Secret도 만들 수 있다. kubectl create 명령으로 직접 만들면 다음과 같다.
$ kubectl create secret docker-registry myregistry --docker-server=DOCKER_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret "myregistry" created
그런 다음 Secret 목록을 확인합니다.
$ kubectl get secret
NAME TYPE DATA AGE
default-token-n9w2d kubernetes.io/service-account-token 3 33d
myregistry kubernetes.io/dockerconfigjson 1 15s
mysecret Opaque 2 34m
위의 TYPE 열을 보면 myregistry의 유형이 kubernetes.io/dockerconfigjson인 것을 확인할 수 있습니다. 마찬가지로 describe 명령을 사용하여 상세한 정보를 볼 수 있습니다.
$ kubectl describe secret myregistry
Name: myregistry
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 152 bytes
마찬가지로 Data 영역의 값은 직접 표시되지 않습니다. 보고 싶으면 -o yaml로 출력할 수 있습니다.
$ kubectl get secret myregistry -o yaml
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyJET0NLRVJfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0=
kind: Secret
metadata:
creationTimestamp: 2018-06-19T16:01:05Z
name: myregistry
namespace: default
resourceVersion: "3696966"
selfLink: /api/v1/namespaces/default/secrets/myregistry
uid: f91db707-73d9-11e8-a101-525400db4df7
type: kubernetes.io/dockerconfigjson
위의 data.dockerconfigjson 아래 데이터를 base64로
디코딩해서 안에 있는 데이터가 어떤지 볼 수 있을까요?$ echo eyJhdXRocyI6eyJET0NLRVJfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0= | base64 -d
{"auths":{"DOCKER_SERVER":{"username":"DOCKER_USER","password":"DOCKER_PASSWORD","email":"DOCKER_EMAIL","auth":"RE9DS0VSX1VTRVI6RE9DS0VSX1BBU1NXT1JE"}}}
만약 프라이빗 레지스트리의 docker 이미지를 pull하려면 위의 myregistry Secret을 사용해야 한다.
apiVersion: v1
# Pod "foo": pulls its image from the private registry at 192.168.1.100:5000
# and names a registry-credential Secret under imagePullSecrets.
# NOTE(review): the Secret created earlier on this page is named "myregistry",
# but this manifest references "myregistrykey". The name here must match an
# existing kubernetes.io/dockerconfigjson Secret in the pod's namespace,
# otherwise the pull has no credentials to use.
# NOTE(review): indentation was lost in extraction; re-indent before applying.
kind: Pod
metadata:
name: foo
spec:
containers:
- name: foo
image: 192.168.1.100:5000/test:v1
imagePullSecrets:
- name: myregistrykey
프라이빗 레지스트리의 이미지 192.168.1.100:5000/test:v1를 pull하려면, 이 프라이빗 레지스트리를 대상으로 위와 같은 Secret을 만들어야 한다. 그리고 Pod의 YAML 파일에서 imagePullSecrets를 지정해야 한다. 우리는 뒤의 프라이빗 레지스트리를 구축하는 과정에서 여러분에게 상세하게 설명할 것이다.
Secret과 ConfigMap 비교
마지막으로 Secret과 ConfigMap 두 리소스 오브젝트의 공통점과 차이점을 비교해 보겠습니다.
공통점:
텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
CC BY-SA 2.5, CC BY-SA 3.0 및 CC BY-SA 4.0에 따라 라이센스가 부여됩니다.