Kubernetes notes (V) configuration management
2022-07-03 05:59:00 【Ashley shot the sun】
1. ConfigMap
A ConfigMap is an API object used to store non-confidential data as key-value pairs. Pods consume it as environment variables, command-line arguments, or configuration files in a volume. Because the configuration lives outside the container image, changing application configuration only requires updating the ConfigMap and, where the application does not reload on its own, restarting its Pods; there is no need to rebuild and repackage the image as there would be for a code change.
Kubernetes supports creating a ConfigMap from literals, files, or whole directories. The following example uses literals:
$ kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=charm
$ kubectl get configmaps special-config -o yaml
apiVersion: v1
kind: ConfigMap
metadata:
  creationTimestamp: 2016-02-18T19:14:38Z
  name: special-config
  namespace: default
  resourceVersion: "651"
  selfLink: /api/v1/namespaces/default/configmaps/special-config
  uid: dadce046-d673-11e5-8cd0-68f728db1985
data:
  special.how: very
  special.type: charm
Once created, a ConfigMap can be mounted into a Pod as a volume, or used to populate environment variables.
Use as environment variables
A single key can be exposed as a named environment variable (env with configMapKeyRef), or every key in the ConfigMap can be exposed at once (envFrom with configMapRef). The page's fragment does both for the same ConfigMap:
apiVersion: v1
kind: Pod
metadata:
  name: configmap-env-pod   # apiVersion/kind/metadata added so the fragment is a complete Pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "env" ]
      env:
        - name: SPECIAL_LEVEL_KEY
          valueFrom:
            configMapKeyRef:
              name: special-config
              key: special.how
      envFrom:
        - configMapRef:
            name: special-config
  restartPolicy: Never
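What the container above actually sees is decided by two rules the page does not spell out: envFrom sources are applied in order with later ones overriding earlier ones, explicit env entries override anything that came from envFrom, and envFrom keys that are not valid environment variable names are skipped (the kubelet records an event rather than failing the Pod). The following is an added example, not code from the original post or from Kubernetes itself; it models those documented rules in Python over constructed copies of the page's ConfigMap and container spec, and the name rule it uses is the one from k8s.io/apimachinery (letters, digits, '_', '-', '.', not starting with a digit).

```python
import re
from typing import Dict

# Constructed sample: the ConfigMap this page creates with
# `kubectl create configmap special-config --from-literal=...`.
SPECIAL_CONFIG = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "special-config", "namespace": "default"},
    "data": {"special.how": "very", "special.type": "charm"},
}

# Constructed sample: the page's container, one explicit env entry plus
# envFrom of the whole ConfigMap.
PAGE_CONTAINER = {
    "name": "test-container",
    "image": "k8s.gcr.io/busybox",
    "env": [
        {"name": "SPECIAL_LEVEL_KEY",
         "valueFrom": {"configMapKeyRef": {"name": "special-config", "key": "special.how"}}},
    ],
    "envFrom": [{"configMapRef": {"name": "special-config"}}],
}

# Environment variable name rule applied by Kubernetes (IsEnvVarName in
# k8s.io/apimachinery): letters, digits, '_', '-', '.', no leading digit,
# and not '.' or anything starting with '..'.
_ENV_NAME = re.compile(r"^[-._a-zA-Z][-._a-zA-Z0-9]*$")


def _valid_env_name(name: str) -> bool:
    return bool(_ENV_NAME.match(name)) and name != "." and not name.startswith("..")


def resolve_env(container: dict, configmaps: Dict[str, dict]) -> Dict[str, str]:
    """Return the environment the container will see.

    Precedence, as documented for PodSpec.containers[].envFrom: sources are
    applied in order, a later source overrides an earlier one, and explicit
    `env` entries override anything that came from envFrom.
    """
    env: Dict[str, str] = {}
    for source in container.get("envFrom", []):
        ref = source.get("configMapRef")
        if ref is None:
            continue  # secretRef behaves the same way; not modelled here
        cm = configmaps.get(ref["name"])
        if cm is None:
            if ref.get("optional"):
                continue
            # A real Pod would sit in CreateContainerConfigError instead.
            raise KeyError(f"ConfigMap {ref['name']!r} not found")
        prefix = source.get("prefix", "")
        for key, value in cm.get("data", {}).items():
            name = prefix + key
            if not _valid_env_name(name):
                continue  # skipped, not fatal: the kubelet emits an event
            env[name] = value
    for entry in container.get("env", []):
        if "value" in entry:
            env[entry["name"]] = entry["value"]
            continue
        ref = entry["valueFrom"]["configMapKeyRef"]
        cm = configmaps.get(ref["name"])
        if cm is None or ref["key"] not in cm.get("data", {}):
            if ref.get("optional"):
                continue
            raise KeyError(f"{ref['name']}/{ref['key']} not found")
        env[entry["name"]] = cm["data"][ref["key"]]
    return env


if __name__ == "__main__":
    for k, v in sorted(resolve_env(PAGE_CONTAINER, {"special-config": SPECIAL_CONFIG}).items()):
        print(f"{k}={v}")
```

Run as-is it prints the three variables the page's `env` command would show: SPECIAL_LEVEL_KEY from the explicit entry, plus special.how and special.type from envFrom, since dotted keys are legal variable names in Kubernetes even though a POSIX shell cannot reference them directly.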
Mount as a volume
Each key becomes a file under the mount path, with the value as the file content:
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "ls /etc/config/" ]
      volumeMounts:
        - name: config-volume
          mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: special-config
  restartPolicy: Never
2. Secret
A ConfigMap is normally used for ordinary configuration, while a Secret is used to hold sensitive information such as passwords, OAuth tokens, or SSH keys. Keeping this information in a Secret is safer and more flexible than writing it verbatim into the Pod definition or into a ConfigMap.
Like a ConfigMap, a Secret can be created from literals, files, and so on, and then mounted into a Pod.
When creating a Secret, Kubernetes offers several types:
$ kubectl create secret
Create a secret using specified subcommand.
Available Commands:
docker-registry Create a secret for use with a Docker registry
generic Create a secret from a local file, directory, or literal value
tls Create a TLS secret
generic: the general-purpose type, created from files, literals, or directories.
tls: creates a Secret holding a TLS private key and certificate; both must be supplied. See the earlier note on enabling TLS for an Ingress for an example.
docker-registry: creates a Secret holding the credentials for a private image registry. A Pod that pulls an image from that registry references the Secret through imagePullSecrets:
$ kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
    - name: private-reg-container
      image: <your-private-image>
  imagePullSecrets:
    - name: regcred
An ordinary (Opaque) Secret is consumed in a Pod the same way as a ConfigMap, as environment variables or as a volume. The manifest below mounts one as a volume and sets defaultMode to 0400 so the files are readable only by their owner inside the container (the API default is 0644):
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
  volumes:
    - name: foo
      secret:
        secretName: mysecret
        defaultMode: 0400
The values stored in a Secret are only base64-encoded:
$ kubectl create secret generic prod-db-secret \
    --from-literal=username=produser \
    --from-literal=password=Y4nys7f11
secret/prod-db-secret created
$ kubectl get secrets prod-db-secret -o yaml
apiVersion: v1
data:
  password: WTRueXM3ZjEx
  username: cHJvZHVzZXI=
kind: Secret
metadata:
  name: prod-db-secret
  namespace: default
type: Opaque
$ echo "WTRueXM3ZjEx" | base64 -d
Y4nys7f11%
$ echo "cHJvZHVzZXI=" | base64 -d
produser%
(The trailing % is zsh marking that the decoded value ends without a newline, which is exactly what --from-literal stores; when hand-building a manifest, encode with echo -n, otherwise the newline becomes part of the password.)
So anyone who can read the Secret object, whether with kubectl or through a ServiceAccount whose RBAC grants get or list on secrets, recovers the plaintext with a base64 decode: base64 is an encoding, not encryption. The protection a Secret provides by itself is therefore limited, and what matters is the practice around it. The first practice is to keep sensitive values out of the code repository, which is the reason for extracting them into a Secret in the first place. A Secret is only sent to a node when a Pod scheduled there uses it, and the kubelet keeps the mounted copy in a tmpfs (memory-backed) volume rather than on the node's disk, so it is gone once the Pod is removed. Two further points worth checking: by default the API server stores Secrets in etcd unencrypted unless encryption at rest is configured, and a value exposed as an environment variable is inherited by child processes and tends to surface in crash dumps and logs, so a volume mount is usually the better choice.
Communication between Kubernetes components and the API server is protected by TLS, so a Secret is also safe in transit. A Secret mounted into one Pod is not visible to other Pods, and within a Pod only the containers that mount it (or reference it in env) see it, so access can be partitioned at the container level to exactly the containers that need it.
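To make the two practical consequences concrete, base64 being reversible and the mount mode mattering, here is an added Python example that is not part of the original post and not Kubernetes code. It builds the same manifest kubectl create secret generic --from-literal produces for the page's prod-db-secret, decodes it back, and adds two small checks a reviewer would run over manifests before they are committed: one that flags Secret objects carrying a payload, and one that flags secret volumes whose defaultMode leaves the files group- or world-readable. The manifests are constructed inline from the page's examples; the helper names are this example's own.

```python
import base64
from typing import Dict, List

# Constructed sample: the literals the page passes to
# `kubectl create secret generic prod-db-secret --from-literal=...`.
PROD_DB_LITERALS = {"username": "produser", "password": "Y4nys7f11"}

# Constructed sample: the page's Pod that mounts `mysecret` with defaultMode 0400.
PAGE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mypod"},
    "spec": {
        "containers": [{"name": "mypod", "image": "redis",
                        "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo"}]}],
        "volumes": [{"name": "foo", "secret": {"secretName": "mysecret", "defaultMode": 0o400}}],
    },
}


def build_secret(name: str, literals: Dict[str, str], namespace: str = "default") -> dict:
    """Produce the Opaque Secret manifest that --from-literal generates.

    Each value is base64 of its exact bytes, with no trailing newline; that is
    the encoding `kubectl get -o yaml` shows and what `echo -n | base64` gives.
    """
    data = {k: base64.b64encode(v.encode("utf-8")).decode("ascii") for k, v in literals.items()}
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace}, "data": data}


def read_secret(secret: dict) -> Dict[str, str]:
    """Recover the plaintext: this is all a reader with `get secrets` needs to do."""
    plain = {k: base64.b64decode(v).decode("utf-8") for k, v in secret.get("data", {}).items()}
    plain.update(secret.get("stringData", {}))  # stringData is written in the clear already
    return plain


def committed_secrets(manifests: List[dict]) -> List[str]:
    """Names of Secret objects that carry a payload, i.e. what must stay out of a git repo."""
    return [m["metadata"]["name"] for m in manifests
            if m.get("kind") == "Secret" and (m.get("data") or m.get("stringData"))]


def loose_secret_volumes(pod: dict) -> List[str]:
    """Secret volumes whose files would be readable by group or other in the container.

    The API default for secret.defaultMode is 0644; the page's manifest tightens it to 0400.
    """
    loose = []
    for vol in pod["spec"].get("volumes", []):
        src = vol.get("secret")
        if src is None:
            continue
        if src.get("defaultMode", 0o644) & 0o077:
            loose.append(vol["name"])
    return loose


if __name__ == "__main__":
    s = build_secret("prod-db-secret", PROD_DB_LITERALS)
    print(s["data"])            # the same base64 strings the page shows
    print(read_secret(s))       # and the plaintext straight back
    print(committed_secrets([s, PAGE_POD]), loose_secret_volumes(PAGE_POD))
```

Run the two check functions over the rendered manifests of a repository (for example the output of a Helm or Kustomize build) as a pre-commit or CI step; a non-empty result from either is a finding.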