(1). Secret
K8S提供Secret来提供对敏感数据的配置.
(2). test-secret.yml
apiVersion: v1
kind: Secret
metadata:
name: env-secret-config
type: Opaque
# data类型要预先base64(echo -n "root" | base64)
# data:
# DATA_SOURCE_USER_NAME: cm9vdAo=
# DATA_SOURCE_USER_PWD: cm9vdAo=
stringData:
DATA_SOURCE_USER_NAME: root
DATA_SOURCE_USER_PWD: "111111"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: env-config
data:
DATA_SOURCE_URL: jdbc:mysql://mysql-0.mysql:3306/test
---
apiVersion: v1
kind: Pod
metadata:
name: test-configmap-pod
spec:
containers:
- name: test-configmap
image: busybox:latest
command: [ "/bin/tail", "-f", "/etc/hostname" ]
envFrom:
- configMapRef:
name: env-config # 引用另外一个configmap的名称
- secretRef:
name: env-secret-config # 引用另一个secret的名称
(3). 发布配置
# 应用配置
lixin-macbook:k8s-test lixin$ kubectl apply -f test-secret.yml
secret/env-secret-config created
configmap/env-config created
pod/test-configmap-pod created
# 查看secret/configmap
lixin-macbook:k8s-test lixin$ kubectl get secret,configmap
NAME TYPE DATA AGE
secret/default-token-n29nk kubernetes.io/service-account-token 3 47h
secret/env-secret-config Opaque 2 32s
NAME DATA AGE
configmap/env-config 1 32s
configmap/kube-root-ca.crt 1 47h
# 查看secret内容(数据是隐藏了的)
lixin-macbook:k8s-test lixin$ kubectl describe secret env-secret-config
Name: env-secret-config
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
DATA_SOURCE_USER_NAME: 4 bytes
DATA_SOURCE_USER_PWD: 6 bytes
# 通过kubectl get secret还是可以看到隐藏的内容的
lixin-macbook:k8s-test lixin$ kubectl get secret env-secret-config -o yaml
apiVersion: v1
data:
DATA_SOURCE_USER_NAME: cm9vdA==
DATA_SOURCE_USER_PWD: MTExMTEx
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"env-secret-config","namespace":"default"},"stringData":{"DATA_SOURCE_USER_NAME":"root","DATA_SOURCE_USER_PWD":"111111"},"type":"Opaque"}
creationTimestamp: "2021-01-18T06:39:41Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:DATA_SOURCE_USER_NAME: {}
f:DATA_SOURCE_USER_PWD: {}
f:metadata:
f:annotations:
.: {}
f:kubectl.kubernetes.io/last-applied-configuration: {}
f:type: {}
manager: kubectl-client-side-apply
operation: Update
time: "2021-01-18T06:39:41Z"
name: env-secret-config
namespace: default
resourceVersion: "21128"
uid: 088b0c5b-d496-4a1e-b30d-e25ffb123848
type: Opaque
(4). 进入容器查看环境变量
# 查看pods,svc
lixin-macbook:k8s-test lixin$ kubectl get pods,svc
NAME READY STATUS RESTARTS AGE
pod/test-configmap-pod 0/1 ContainerCreating 0 9s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 47h
# 进入容器内部
lixin-macbook:k8s-test lixin$ kubectl exec test-configmap-pod -it -- /bin/sh
# 打印环境变量
/ # printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=test-configmap-pod
SHLVL=1
DATA_SOURCE_URL=jdbc:mysql://mysql-0.mysql:3306/test
HOME=/root
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DATA_SOURCE_USER_PWD=111111
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
DATA_SOURCE_USER_NAME=root