「Kubernetes」- Volumes and Configuration Data

  CREATED BY JENKINSBOT

Mounting Secret data

mount point – kubernetes secret items not mounted as file path – Stack Overflow

Once a Secret has been created, it can be mounted into a Pod, where its entries appear as files.

Create the Secret used in the experiments that follow:

# kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: pp-secret
stringData:
  data-01: "whatever 01"
  data-02: "whatever 02"
  data-03: "whatever 03"
EOF

Example: mounting a Secret into a directory

To access the secret inside the container, simply read the corresponding file under /tmp/access:

# kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: pp-consumer
spec:

  volumes:
    - name: pp-passphrase
      secret:
        secretName: pp-secret
        # set the file mode of the mounted files
        # note that kubectl describe shows 0600 in its decimal form (https://stackoverflow.com/questions/61728030/kubernetes-volume-mount-permissions-incorrect-for-secret)
        defaultMode: 0600

  containers:
    - name: shell
      image: busybox
      command: ["sleep", "infinity"]
      volumeMounts:
      - name: pp-passphrase
        mountPath: /tmp/access
        readOnly: true
EOF

# kubectl exec pp-consumer -- ls /tmp/access
data-01
data-02
data-03

# kubectl exec pp-consumer -- cat /tmp/access/data-01
whatever 01

# kubectl exec pp-consumer -- cat /tmp/access/data-02
whatever 02

Example: mounting part of a Secret into a directory

Now we want to expose only data-01 and data-03 in the directory, without exposing data-02:

# kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: pp-consumer
spec:

  volumes:
    - name: pp-passphrase
      secret:
        secretName: pp-secret
        items:
        - key: data-01
          path: data-01
        - key: data-03
          path: data-03-in-container

  containers:
    - name: shell
      image: busybox
      command: ["sleep", "infinity"]
      volumeMounts:
      - name: pp-passphrase
        mountPath: /tmp/access
        readOnly: true
EOF

# kubectl exec pp-consumer -- ls /tmp/access
data-01
data-03-in-container

# kubectl exec pp-consumer -- cat /tmp/access/data-01
whatever 01

# kubectl exec pp-consumer -- cat /tmp/access/data-03-in-container
whatever 03

Example: mounting a single Secret entry

The two approaches above share a drawback: mounting the volume hides whatever already exists in the /tmp/access directory.

Now we want to mount only data-02 into the container, without hiding the contents of /tmp/access:

# kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: pp-consumer
spec:

  volumes:
    - name: pp-passphrase
      secret:
        secretName: pp-secret
        defaultMode: 0600

  containers:
    - name: shell
      image: busybox
      command: ["sleep", "infinity"]
      volumeMounts:
      - name: pp-passphrase
        subPath: data-02
        mountPath: /tmp/access/data-02-only
        readOnly: true
EOF

# kubectl exec pp-consumer -- ls /tmp/access
data-02-only

# kubectl exec pp-consumer -- cat /tmp/access/data-02-only
whatever 02
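
As an added example (not code from the page or from Kubernetes itself), a small Python check that reviews Pod specs for the settings covered in the three Secret cases above: defaultMode, the items list, readOnly and subPath. The Pod specs are constructed dicts mirroring the page's three Pods; YAML reads the literal 0600 as octal, which is why the API stores it, and kubectl describe shows it, as decimal 384.

```python
# Added example: a pre-apply check over Pod specs for the Secret-volume
# settings this page walks through (defaultMode, items, readOnly, subPath).
# The Pod specs are constructed Python dicts mirroring the page's three Pods,
# so it runs without a cluster or PyYAML.

DEFAULT_SECRET_MODE = 0o644  # kubelet default when defaultMode is omitted

def parse_mode(value):
    """Return the decimal mode for an int (already decimal, e.g. 384) or a
    string such as "0600" (leading zero means octal, as in YAML 1.1)."""
    if value is None:
        return DEFAULT_SECRET_MODE
    if isinstance(value, int):
        return value
    text = str(value).strip()
    return int(text, 8) if text.startswith("0") else int(text, 10)

def check_secret_volumes(pod):
    """Return findings as 'CODE: detail' strings; an empty list means clean."""
    spec = pod["spec"]
    findings = []
    secrets = {v["name"]: v["secret"] for v in spec.get("volumes", []) if "secret" in v}
    for name, sec in secrets.items():
        mode = parse_mode(sec.get("defaultMode"))
        if mode & 0o077:  # any group/other permission bit set
            findings.append(f"MODE: volume {name} defaultMode {mode:04o} (decimal {mode}) is not owner-only")
        if "items" not in sec:
            findings.append(f"ALL_KEYS: volume {name} exposes every key of Secret {sec['secretName']}")
    for c in spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] not in secrets:
                continue  # not a Secret-backed volume
            if not m.get("readOnly", False):
                findings.append(f"RW: container {c['name']} mounts {m['mountPath']} without readOnly")
            if "subPath" in m:
                findings.append(f"SUBPATH: container {c['name']} mount {m['mountPath']} gets no Secret updates")
    return findings

def make_pod(secret, mount):
    """Constructed Pod dict: one Secret volume plus one container mounting it."""
    return {"spec": {"volumes": [{"name": "pp-passphrase", "secret": {"secretName": "pp-secret", **secret}}],
                     "containers": [{"name": "shell", "volumeMounts": [{"name": "pp-passphrase", **mount}]}]}}

# The page's three Pods: whole Secret at 0600, selected items at the default mode, one key via subPath.
POD_FULL = make_pod({"defaultMode": 0o600}, {"mountPath": "/tmp/access", "readOnly": True})
POD_ITEMS = make_pod({"items": [{"key": "data-01", "path": "data-01"}]}, {"mountPath": "/tmp/access", "readOnly": True})
POD_SUBPATH = make_pod({"defaultMode": 0o600}, {"mountPath": "/tmp/access/data-02-only", "subPath": "data-02", "readOnly": True})
```

The subPath finding records a known Kubernetes behaviour: a container that mounts a Secret key via subPath keeps the file contents from Pod start and is not updated when the Secret changes.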

Mounting ConfigMap data

How to supply configuration data to an application: ConfigMap

A ConfigMap lets configuration be supplied to a Pod either as environment variables or as configuration files.

kubectl create configmap "cm-name" --from-literal=siseversion=0.9

The ConfigMap can now be consumed as an environment variable:

kind: Deployment
apiVersion: apps/v1   # extensions/v1beta1 in the original; no longer served by current clusters
metadata:
  name: cmapp
spec:
  replicas: 1
  selector:           # required by apps/v1; must match the Pod template labels
    matchLabels:
      app: cmapp
  template:
    metadata:
      labels:
        app: cmapp
    spec:
      containers:
        - name: sise
          image: whatever
          ports:
            - containerPort: 9876
          env:
            - name: SIMPLE_SVC_VERSION
              valueFrom:
                configMapKeyRef:
                  name: cm-name   # the ConfigMap created above
                  key: siseversion

A ConfigMap can also be created from a configuration file: kubectl create configmap "cm-name" --from-file=example.cfg

Next, mount the configuration file:

kind: Pod
apiVersion: v1
metadata:
  name: oreilly
spec:
  containers:
    - image: busybox
      command:
        - "sh"
        - "-c"
        - "whatever"
      volumeMounts:
        - mountPath: /oreilly
          name: oreilly
      name: busybox
  volumes:
    - name: oreilly
      configMap:
        name: "cm-name"

The file is then available inside the container under /oreilly.