ConfigMap:k8s标准资源,将配置文件做成k8s资源,使其它资源可加载其中配置
Secret:实现加密功能的安全配置文件。由多个key:val中组成
创建configmap资源,可直接使用kubectl创建并且传值
kubectl create configmap filebeat-cfg -n config --from-literal=redis_host="redis.default.svc.cluster.local" --from-literal=log_level="Info"
--from-literal=log_level="Info" 此字段表示为创建一个key为log_level并且为这个可以赋值为info
而后创建pod,并引用configmap资源中的key
apiVersion: v1
kind: Pod
metadata:
name: pod-cfg-demo
namespace : config
spec:
containers:
name: filebeat
image: ikubernetes/filebeat:5.6.5-alp ine
env:#引用环境变量值
- name: REDIS_ HOST #名称,REDIS_HOST为容器内部的变量名称
valueFrom:#引用其他资源传递变量,
configMapKeyRef :#表示引用configmap资源
name: filebeat-cfg #configmap名称,为刚才创建的configmap资源
key: redis_host#key名称
- name: LOG_LEUEL #同上也为容器内的变量名称
valueFrom:
configMapKeyRef :
name: filebeat-cfg
key: log_level
连接至容器内部查看环境变量传递成功了,但是我们修改configmap中key 的值不会生效,除非重建pod
基于存储卷引用configmap
创建2个配置文件为存储卷提供配置
定义好configmap
kubectl create configmap nginx-cfg --from-file=./server1.conf --from-file=server-2./server2.conf -n config
--from-file=./server1.conf #利用文件来传递参数,没有给key名称默认为文件名称为key,文件内容为value
--from-file=server-2./server2.conf -n config#也可以手动添加key名。并指定文件内容为value,且目录为相对路径不能为绝对路径
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
namespace: config
spec:
containers:
- name: myapp
image: ikubernetes/ myapp:v1
volumeMounts : #定义容器使用存储卷挂载
- name: config#使用存储卷的名称
mountPath: /etc/nginx/conf.d/
volumes:#定义存储卷
- name: config#存储卷名称
configMap:#存储卷类型:这里为configmap而不是nfs其他的文件系统,可以指定configmap资源为存储卷
name: nginx-cfg#configmap名称,这里为我们刚才创建的cm名称
items :#使用cm中的key
- key: server1.conf #key名称
path: server-first.conf #表示映射为文件时文件名是什么
- key: server-2
path: server-second.conf
kubectl edit cm nginx-cfg -n config#在线修改时会自动同步至容器内部
secret资源。经过base64编码后的配置中心,用于传递敏感信息的值
secret类型:
tls类型:专用ssl。tls格式的证书和私钥打包进secret中。不管原来文件叫什么,通通进行统一,证书一定会映射为叫tls.crt。私钥为tls.key
generic:非证书认证时使用的普通的敏感信息类型
docker-registry:用于连接dockerhub中时使用的账户认证信息类型
kubectl create secret generic mysql-root-password -n config --from-literal=password=centos #创建通用型secret资源
创建pod使用secret中的key传递给容器
apiVersion: v1
kind: Pod
metadata:
name: mysql
namespace: config
spec:
containers:
- name: mysql
image: mysql:5.6
env: #容器内部定义的变量
- name: MYSQL_ROOT_PASSWORD#此名称为容器内部定义的变量名,不是随便给的。需要传递参数才能启动mysql容器
valueFrom: #定义值
secretKeyRef: #值类型为secret
key: password #key名称
name: mysql-root-password #secret的名称
交互式连接mysql可直接使用传递的参数登陆mysql
kubectl create secret tls mysql-cert --cert=./myapp.crt --key=./myapp.key -n config#创证书类型secret配置,是其他pod能将此secret当作证书认证
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod-tls
namespace: config
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
volumeMounts:
- name: config
mountPath: /etc/nginx/conf.d/
- name: tls
mountPath: /etc/nginx/certs/#容器内部的挂载路径
volumes:#定义存储卷类型
- name: config 存储卷名称
configMap: #存储卷类型configmap
name: nginx-cfg
items:
- key: server1.conf
path: server-first.conf
- key: server-2
path: server-second.conf
- name: tls
secret: #此存储卷类型为secret
secretName: mysql-cert #secret的名称,刚才我创建为mysql-cert
items: #定义key
- key: tls.crt #注意原key和crt为什么名称。在secret中定义都为tls.key,tls,crt
path: myapp.crt #在容器中名称相对路径为mountPath: /etc/nginx/conf.d/
- key: tls.key
path: myapp.key
mode: 0600 #定义权限
StatefulSet:管理有状态应用,但对于扩缩容需要自己写代码操作,statefulset只负责提供给pod一个单一的标识,存储设备。
operator:使用不同应用程序,对不同的应用程序有程序的所有运维管理操作,不同的应用程序有不同的operator,operator运行为k8s集群中的pod,用于控制有状态的集群应用
定义statefulset:
先创建好几个pv,使用静态创建
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-nfs-v0
labels:
storage: nfs
spec:
accessModes: ["ReadWriteOnce ","ReadwriteMany","ReadOnlyMany"]
capacity:
storage: 1Gi
volumeMode: Filesystem
persistentvolumeReclaimPolicy: Retain
nfs:
server: 192 .168.1.199
path: /vols/v0
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-nfs-v1
labels:
storage: nfs
spec:
accessModes: ["ReadWriteOnce ","ReadwriteMany","ReadOnlyMany"]
capacity:
storage: 5Gi
volumeMode: Filesystem
persistentvolumeReclaimPolicy: Retain
nfs:
server: 192 .168.1.199
path: /vols/v1
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-nfs-v2
labels:
storage: nfs
spec:
accessModes: ["ReadWriteOnce ","ReadwriteMany","ReadOnlyMany"]
capacity:
storage: 5Gi
volumeMode: Filesystem
persistentvolumeReclaimPolicy: Retain
nfs:
server: 192 .168.1.199
path: /vols/v2
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-nfs-v3
labels:
storage: nfs
spec:
accessModes: ["ReadWriteOnce ","ReadwriteMany","ReadOnlyMany"]
capacity:
storage: 5Gi
volumeMode: Filesystem
persistentvolumeReclaimPolicy: Retain
nfs:
server: 192 .168.1.199
path: /vols/v3
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-nfs-v4
labels:
storage: nfs
spec:
accessModes: ["ReadWriteOnce ","ReadwriteMany","ReadOnlyMany"]
capacity:
storage: 5Gi
volumeMode: Filesystem
persistentvolumeReclaimPolicy: Retain
nfs:
server: 192 .168.1.199
path: /vols/v4
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-nfs-v5
labels:
storage: nfs
spec:
accessModes: ["ReadWriteOnce ","ReadwriteMany","ReadOnlyMany"]
capacity:
storage: 5Gi
volumeMode: Filesystem
persistentvolumeReclaimPolicy: Retain
nfs:
server: 192 .168.1.199
path: /vols/v5
#而后创建statefulset资源,绑定使用pv
定义好statefulset
apiVersion: v1
kind: Service #定义好前端service
metadata:
name: myapp-sts-svc
namespace: sts
labels:
app: myapp
spec:
ports:
- port: 80
name: web
clusterIP: None
selector:
app: myapp-pod
containers: sts
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: statefulset-demo
namespace: sts
spec:
selector:
matchLabels:
app: myapp-pod
containers: sts
serviceName: "myapp-sts-svc"
replicas: 2 #pod副本数量
template:#pod模板
metadata:
labels:
app: myapp-pod
containers: sts
spec:
terminationGracePeriodSeconds: 10#删除pod时长
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- containerPort: 80
name: web
volumeMounts:
- name: myapp-pvc
mountPath: /usr/share/nginx/html
volumeClaimTemplates:#定义好pvc资源模板
- metadata:
name: myapp-pvc #pvc名称
namespace: sts #所属名称空间
spec:
accessModes: [ "ReadWriteOnce" ] #访问模型为单路读写
resources: #请求占用多少资源
requests:
storage: 2Gi