This is the 8th day of my participation in Gwen Challenge
ConfigMap
Introduction
A ConfigMap holds unencrypted key-value pairs in etcd. A Pod, or the Pod template of a controller object such as a Deployment, can consume them as environment variables, as command-line arguments, or as files in a mounted volume.
Uses
- Decouple configuration data from the application so the two do not have to ship in the same package (image)
- Hot-update configuration: a ConfigMap mounted as a volume is refreshed inside the Pod when the object changes (environment variables and subPath mounts are not)
- Serve as a configuration center for unified management
- Centralize environment variables
- Mark a ConfigMap as immutable (immutable: true) so it cannot be changed after creation, which protects running workloads from accidental edits
Because the values are stored and served in plaintext, a ConfigMap is not a place for account passwords, tokens or other secrets: anyone who can read ConfigMaps in the namespace, and anyone with access to etcd or its backups, can read the values.
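A practical way to enforce that rule is to audit what is already in the cluster. The script below is an added example, not code from the original post: it takes the JSON that `kubectl get cm -A -o json` prints, and flags entries whose key name or value looks like a credential. The sample ConfigMap list embedded in it is constructed for the example (the `app-config` object, its keys and its values are made up); the regexes are a heuristic, not a complete secret detector.

```python
import json
import re

# Constructed sample shaped like the output of `kubectl get cm -A -o json`.
# Names and values are made up for this example, not taken from a real cluster.
SAMPLE_CONFIGMAP_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "v1",
            "kind": "ConfigMap",
            "metadata": {"name": "cm-demo", "namespace": "default"},
            "data": {"db.host": "localhost", "db.port": "3306"},
        },
        {
            "apiVersion": "v1",
            "kind": "ConfigMap",
            "metadata": {"name": "app-config", "namespace": "shop"},
            "data": {
                "DB_PASSWORD": "Sup3rSecret!",
                "application.properties": (
                    "spring.datasource.url=jdbc:mysql://db:3306/shop\n"
                    "spring.datasource.password=hunter2\n"
                ),
                "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
            },
        },
    ],
})

# Key names that usually carry a credential.
SUSPICIOUS_KEY = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|access[_-]?key", re.I
)
# Value contents that usually are a credential: a "password=..." line inside an
# embedded config file, an AWS access key ID, or a PEM private key.
SUSPICIOUS_VALUE = re.compile(
    r"(?i:passw(or)?d\s*[=:]\s*\S+)|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----"
)


def _objects(cm_json):
    """Return the ConfigMap objects from either a single object or a List."""
    obj = json.loads(cm_json)
    items = obj.get("items", []) if obj.get("kind") == "List" else [obj]
    return [o for o in items if o.get("kind") == "ConfigMap"]


def scan_configmaps(cm_json):
    """Return (namespace, name, key, reason) for each ConfigMap entry that
    looks like a credential. Heuristic: it finds the obvious cases and will
    not catch every leak."""
    findings = []
    for cm in _objects(cm_json):
        ns = cm["metadata"].get("namespace", "default")
        name = cm["metadata"]["name"]
        data = cm.get("data", {})
        # binaryData values are base64 blobs; they are judged by key name only.
        entries = {**data, **cm.get("binaryData", {})}
        for key, value in entries.items():
            if SUSPICIOUS_KEY.search(key):
                findings.append((ns, name, key, "key name"))
            elif key in data and SUSPICIOUS_VALUE.search(value):
                findings.append((ns, name, key, "value pattern"))
    return findings


if __name__ == "__main__":
    # In practice: kubectl get cm -A -o json | python3 scan_configmaps.py
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIGMAP_LIST
    for ns, name, key, reason in scan_configmaps(source):
        print(f"{ns}/{name}: key {key!r} flagged by {reason}; move it to a Secret")
```

Run it as `kubectl get cm -A -o json | python3 scan_configmaps.py` (the file name is this example's choice). Anything it reports belongs in a Secret, and even then only with RBAC that limits who can read Secrets and with encryption at rest configured for etcd.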
Creating a ConfigMap
Create and inspect one directly from the command line:
kubectl create configmap test1 --from-literal=hello=world
kubectl get cm
kubectl describe cm/test1
In the describe output each key appears under the Data field, followed by a line of ---- and then its value.
Creating from a YAML manifest
kind: ConfigMap
apiVersion: v1
metadata:
  name: example-config
  namespace: default
data:
  example.property.1: hello
  example.property.2: world
  example.property.file: |-
    property.1=value-1
    property.2=value-2
    property.3=value-3
(creationTimestamp is set by the API server and belongs in the output of kubectl get, not in a manifest you apply, so it is left out here.)
Create it:
kubectl apply -f example-cm.yaml
Check the example-config ConfigMap:
kubectl get cm/example-config -o yaml
Creating from files
kubectl create configmap database --from-file=redis=./conf/redis.conf --from-file=mysql=./conf/mysql.conf
kubectl describe cm/database
Each --from-file entry becomes one key (redis, mysql) whose value is the whole file content.
With the ConfigMap created in any of these three ways, how do you use it in a Pod?
Using a ConfigMap in a Pod
Create the configuration first:
kubectl create configmap cm-demo --from-literal=db.host=localhost --from-literal=db.port=3306
Inject it as environment variables, either key by key (env with configMapKeyRef) or all keys at once (envFrom with configMapRef):
apiVersion: v1
kind: Pod
metadata:
  name: testcm1-pod
spec:
  # The command exits as soon as it has printed the environment; without this
  # the default restartPolicy (Always) would restart the container in a loop.
  restartPolicy: Never
  containers:
    - name: testcm1
      image: busybox
      command: [ "/bin/sh", "-c", "env" ]
      env:
        - name: DB_HOST
          valueFrom:
            configMapKeyRef:
              name: cm-demo
              key: db.host
        - name: DB_PORT
          valueFrom:
            configMapKeyRef:
              name: cm-demo
              key: db.port
      envFrom:
        - configMapRef:
            name: cm-demo
The container's command prints its environment, so the injected values can be read from the container log with kubectl logs testcm1-pod (or in the Rancher UI). Environment variables are fixed when the container starts; editing the ConfigMap later does not change them until the Pod is recreated.
Secret
Sensitive data such as passwords, OAuth tokens and SSH keys should not sit in a ConfigMap or be baked into an image. A Secret keeps such data in its own object that Pods consume in the same ways, so access to it can be scoped separately with RBAC. The values are only base64-encoded, however; protecting them at rest needs encryption of Secret resources in etcd to be configured on the API server.
Three common types
- Opaque: arbitrary user-defined data such as passwords and keys. The values are base64-encoded, and base64 -d turns them straight back into the original data, so this is encoding rather than encryption.
- kubernetes.io/dockerconfigjson: authentication information for a private Docker registry.
- kubernetes.io/service-account-token: used by a ServiceAccount. Up to Kubernetes 1.23 a Secret of this type was created automatically for every ServiceAccount; when a Pod uses that ServiceAccount the token is mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount. Since 1.24 the token mounted there is a short-lived projected token requested from the API server, and no Secret is created unless you create one yourself.
Opaque Secret type
Base64-encode the values first; the output is what goes into the data field of the manifest (it is encoded, not encrypted):
echo -n "root" | base64
echo -n "root123" | base64
apiVersion: v1
kind: Secret
metadata:
  name: secret-demo
type: Opaque
data:
  username: cm9vdA==
  password: cm9vdDEyMw==
kubectl create -f secret-demo.yaml
kubectl describe secret/secret-demo
kubectl describe only prints the byte length of each value, so the values look hidden; kubectl get secret/secret-demo -o yaml prints the base64 text, and anyone allowed to get the Secret can decode it. The -n on echo matters: without it the trailing newline is encoded too and the stored password ends in a newline.
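To make the "encoded, not encrypted" point concrete, here is an added example (not code from the original post) that does with the standard library exactly what an auditor or an attacker with get-secrets permission would do: decode the data field of a Secret fetched with kubectl get -o json, build a correct Opaque manifest from plaintext values without the manual echo -n | base64 step, and summarise a whole Secret listing by type and key without printing the values. The SECRET_DEMO_JSON object is constructed to mirror the secret-demo Secret above; the function names are this example's own.

```python
import base64
import json


def decode_secret_data(secret_json):
    """Decode the .data map of a Secret as printed by `kubectl get secret <name> -o json`.
    This is base64 decoding, not decryption: anyone allowed to `get` the Secret
    recovers the original values exactly like this. Values that are not valid
    UTF-8 (a keystore, a binary certificate) are returned as bytes."""
    obj = json.loads(secret_json)
    out = {}
    for key, encoded in obj.get("data", {}).items():
        raw = base64.b64decode(encoded, validate=True)
        try:
            out[key] = raw.decode("utf-8")
        except UnicodeDecodeError:
            out[key] = raw
    return out


def opaque_secret_manifest(name, values, namespace="default"):
    """Build an Opaque Secret manifest (as a dict, ready for json.dumps or a YAML
    emitter) from plaintext values, encoding each one the way the
    `echo -n ... | base64` step on this page does. Encoding the exact string
    avoids the trailing-newline mistake that `echo` without -n makes."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {
            key: base64.b64encode(value.encode("utf-8")).decode("ascii")
            for key, value in values.items()
        },
    }


def summarize_secrets(secret_list_json):
    """Summarise `kubectl get secrets -A -o json` as (namespace, name, type, keys).
    Useful for an audit of which namespaces hold which kinds of credentials;
    the values themselves are deliberately not included."""
    obj = json.loads(secret_list_json)
    rows = []
    for s in obj.get("items", []):
        if s.get("kind") != "Secret":
            continue
        rows.append((
            s["metadata"].get("namespace", "default"),
            s["metadata"]["name"],
            s.get("type", "Opaque"),
            sorted(s.get("data", {})),
        ))
    return rows


# Constructed sample mirroring the secret-demo object from this page
# (root / root123), as the API server would return it.
SECRET_DEMO_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "secret-demo", "namespace": "default"},
    "type": "Opaque",
    "data": {"username": "cm9vdA==", "password": "cm9vdDEyMw=="},
})


if __name__ == "__main__":
    # Real-world equivalent: kubectl get secret secret-demo -o json | python3 -c '...'
    print(decode_secret_data(SECRET_DEMO_JSON))
    manifest = opaque_secret_manifest("secret-demo", {"username": "root", "password": "root123"})
    print(json.dumps(manifest, indent=2))
```

Because decoding is this easy, the controls that actually protect a Secret are outside the object: RBAC rules that keep get/list on secrets away from ordinary users and ServiceAccounts, and an EncryptionConfiguration on the API server so the bytes in etcd are not plaintext.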
Service-account-token type
When a ServiceAccount is created (on clusters before 1.24) Kubernetes creates a matching Secret; when a Pod uses that ServiceAccount the token is mounted automatically at /run/secrets/kubernetes.io/serviceaccount in the Pod (on 1.24 and later the same path holds a projected token instead).
Example:
kubectl run secret-pod3 --image=nginx:1.18
kubectl exec secret-pod3 -- ls /run/secrets/kubernetes.io/serviceaccount
kubectl exec secret-pod3 -- cat /run/secrets/kubernetes.io/serviceaccount/token
The directory holds ca.crt, namespace and token. The token file is a bearer token for the API server, so any process in the container, and anyone who can exec into it, can use it with whatever permissions the ServiceAccount has. Pods that do not need to talk to the API server should set automountServiceAccountToken: false.
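The token printed by that cat is a JWT, and its payload can be read without any key. The following added example (not code from the original post) decodes the header and claims of such a token and reports which ServiceAccount it identifies and whether it is a legacy Secret-backed token, which never expires, or a bound projected token with an exp claim. The tokens it decodes are constructed in the block with a placeholder signature: LEGACY_CLAIMS has the shape of the token stored in a kubernetes.io/service-account-token Secret, BOUND_CLAIMS the shape of the projected token newer clusters mount at the same path. It does not verify signatures, so it tells you what a token claims, not whether the token is genuine.

```python
import base64
import json


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def token_claims(token):
    """Return (header, payload) of a JWT. The signature is NOT verified: this
    shows what the token claims, it does not prove the token is genuine."""
    header_b64, payload_b64, _signature = token.strip().split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def describe_service_account_token(token):
    """Say which ServiceAccount a mounted token identifies and whether it is a
    legacy Secret-backed token (never expires) or a bound projected token."""
    _, claims = token_claims(token)
    if "kubernetes.io" in claims:  # bound token, the default mount since Kubernetes 1.24
        k = claims["kubernetes.io"]
        return {
            "namespace": k["namespace"],
            "serviceaccount": k["serviceaccount"]["name"],
            "pod": k.get("pod", {}).get("name"),
            "bound": True,
            "expires": claims.get("exp"),
        }
    # legacy token stored in a kubernetes.io/service-account-token Secret
    return {
        "namespace": claims["kubernetes.io/serviceaccount/namespace"],
        "serviceaccount": claims["kubernetes.io/serviceaccount/service-account.name"],
        "pod": None,
        "bound": False,
        "expires": None,
    }


def make_unsigned_demo_token(claims):
    """Build a token for this example only. The signature segment is a
    placeholder; a real token is signed by the API server's private key."""
    return f"{_b64url_encode({'alg': 'RS256', 'kid': 'demo'})}.{_b64url_encode(claims)}.placeholder"


# Constructed claims; the values (namespace, names, exp) are made up.
LEGACY_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "sub": "system:serviceaccount:default:default",
}
BOUND_CLAIMS = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "exp": 1735689600,
    "sub": "system:serviceaccount:default:default",
    "kubernetes.io": {
        "namespace": "default",
        "pod": {"name": "secret-pod3"},
        "serviceaccount": {"name": "default"},
    },
}


if __name__ == "__main__":
    # On a real Pod: cat /run/secrets/kubernetes.io/serviceaccount/token | python3 this_script.py
    for claims in (LEGACY_CLAIMS, BOUND_CLAIMS):
        print(describe_service_account_token(make_unsigned_demo_token(claims)))
```

If a token you find on a host or in a log is of the legacy kind (no exp, bound: False), treat it as a permanent credential: deleting the Secret it came from is the only way to revoke it. A bound token is still a live credential until its exp, and is only as harmless as the RBAC bound to the ServiceAccount it names.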
Secret compared with ConfigMap
Similarities:
- Both hold key/value pairs
- Both belong to a specific namespace
- Both can be exported as environment variables
- Both can be mounted as a directory/file
- Both are hot-updated when mounted through a volume (not through subPath mounts or environment variables)
Differences:
- A Secret can be associated with a ServiceAccount
- A Secret can store Docker registry credentials for use in imagePullSecrets when pulling images from a private repository
- Secret values are base64-encoded in the data field (encoding, not encryption); ConfigMap values are stored as-is
- Secrets have types such as kubernetes.io/service-account-token, kubernetes.io/dockerconfigjson and Opaque, while a ConfigMap has no type