configMap
bash
复制代码
configmap概述:
数据会存储在etcd数据库,其应用场景主要在应用程序的配置
configmap支持的类型
(1)键值对
(2)多行数据
pod使用configmap资源有两种常见的方式
(1)变量注入
(2)数据卷挂载
推荐阅读
https://kubernetes.io/docs/concepts/storage/volumes/#configmap
https://kubernetes.io/docs/concepts/configuration/configmap/
声明式创建cm资源
[root@master231 configmaps]# cat 01-cm-demo.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: game-demo
# 指定cm资源的数据
data:
# 类属性键;每一个键都映射到一个简单的值,对应的键值对。
player_initial_lives: "3"
ui_properties_file_name: "user-interface.properties"
school: oldboyedu
class: linux94
# 类文件键,对应的是多行数据,注意缩进格式
game.properties: | # |表示换行,一行写不下
enemy.types=aliens,monsters
player.maximum-lives=5
user-interface.properties: |
color.good=purple
color.bad=yellow
allow.textmode=true
my.cnf: |
[mysqld]
datadir=/var/lib/mysql
basedir=/usr/local/mysql
socket=/tpm/mysql.sock
skip-name-resolve=1
port=3306
[client]
username=admin
password=oldboyedu
创建
root@ubuntu0:~/manifests/configmap# kubectl apply -f 01-cm-demo.yaml
configmap/game-demo created
查看
root@ubuntu0:~/manifests/configmap# kubectl get cm
NAME DATA AGE
game-demo 7 29s
kube-root-ca.crt 1 23d
root@ubuntu0:~/manifests/configmap# kubectl get cm game-demo
NAME DATA AGE
game-demo 7 33s #7代表有七个键值对
删除
root@ubuntu0:~/manifests/configmap# kubectl delete -f 01-cm-demo.yaml
configmap "game-demo" deleted
响应式创建
root@ubuntu0:~/manifests/configmap# kubectl create configmap xp --from-literal=school=oldboyedu --from-literal=class=linux94
configmap/xp created
root@ubuntu0:~/manifests/configmap# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 23d
xp 2 6s
root@ubuntu0:~/manifests/configmap# kubectl get cm xp
NAME DATA AGE
xp 2 8s
root@ubuntu0:~/manifests/configmap# kubectl describe cm xp
Name: xp
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
class:
----
linux94
school:
----
oldboyedu
BinaryData
====
Events: <none>
基于配置文件创建cm
[root@master231 configmaps]# ll /root/kube-flannel.yml
-rw-r--r-- 1 root root 4406 Nov 15 17:40 /root/kube-flannel.yml
[root@master231 configmaps]#
[root@master231 configmaps]# kubectl create configmap oldboyedu-cni --from-file=cni.yml=/root/kube-flannel.yml
configmap/oldboyedu-cni created
3.3 查看cm资源
[root@master231 configmaps]# kubectl get cm oldboyedu-cni
NAME DATA AGE
oldboyedu-cni 1 8s
[root@master231 configmaps]#
[root@master231 configmaps]# kubectl describe cm oldboyedu-cni
[root@master231 configmaps]#
[root@master231 configmaps]# kubectl get cm oldboyedu-cni -o yaml
[root@master231 configmaps]#
[root@master231 configmaps]# kubectl get cm oldboyedu-cni -o json
3.3 删除cm资源
[root@master231 configmaps]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 4d16h
oldboyedu-cni 1 2m27s
oldboyedu-linux94 2 4m38s
[root@master231 configmaps]#
[root@master231 configmaps]# kubectl delete cm oldboyedu-cni
configmap "oldboyedu-cni" deleted
[root@master231 configmaps]#
[root@master231 configmaps]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 4d16h
oldboyedu-linux94 2 5m9s
[root@master231 configmaps]#
root@ubuntu0:~/manifests/configmap# kubectl get cm xp -o yaml
apiVersion: v1
data:
class: linux94
school: oldboyedu
kind: ConfigMap
metadata:
creationTimestamp: "2025-05-02T10:49:39Z"
name: xp
namespace: default
resourceVersion: "670826"
uid: b129e625-7733-4b80-9d9f-55227b473f51
那如何在声明式中引用这个key:vlaue呢
root@ubuntu0:~/manifests/configmap# cat 01-cm-demo.yaml
apiVersion: v1
kind: ReplicationController
metadata:
name: xp-configmap
spec:
replicas: 1
selector:
apps: v1
template:
metadata:
labels:
apps: v1
spec:
nodeName: ubuntu1
containers:
- name: xiuxian-v1
image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
env:
- name: SCHOOL
# 指定值从哪里来,一点定义了valueFrom字段,则不能定义value字段。
# 换句话说,定义了valueFrom字段,则value字段必须为空,省略不写!
valueFrom:
# 表示数据从一个cm资源引用
configMapKeyRef:
# 指定cm的名称
name: "xp"
# 指定引用cm的KEY
key: "school"
- name: CLass
valueFrom:
configMapKeyRef:
name: "xp"
key: "class"
root@ubuntu0:~/manifests/configmap# kubectl apply -f 01-cm-demo.yaml
replicationcontroller/xp-configmap created
root@ubuntu0:~/manifests/configmap# kubectl exec -it xp-configmap-vvtch -- env|grep -Ei 'school|class'
SCHOOL=oldboyedu
CLass=linux94
Pod基于存储卷引用cm资源
bash
复制代码
root@ubuntu0:~/manifests/configmap# cat 02-rc-configmaps-volumes.yaml
apiVersion: v1
kind: ReplicationController
metadata:
name: xpxp
spec:
replicas: 1
selector:
apps: xpxp-v1
template:
metadata:
labels:
apps: xpxp-v1
spec:
nodeName: ubuntu1
volumes:
- name: data
# 指定存储卷类型是cm资源
configMap:
# 指定cm的名称
name: "xp"
# 定义需要引用具体的KEY,若不定义,则默认引用所有的KEY
items:
# 表示引用指定的KEY
- key: school
# 可以暂时理解为将来的文件名称
path: school.txt
containers:
- name: nginx
image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
volumeMounts:
- name: data
mountPath: /oldboyedu
root@ubuntu0:~/manifests/configmap# kubectl apply -f 02-rc-configmaps-volumes.yaml
replicationcontroller/xpxp created
root@ubuntu0:~/manifests/configmap# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
xpxp-25pwf 1/1 Running 0 25m 10.100.2.19 ubuntu1 <none> <none>
root@ubuntu0:~/manifests/configmap# kubectl exec xpxp-25pwf -- ls /oldboyedu
school.txt
root@ubuntu0:~/manifests/configmap# kubectl exec xpxp-25pwf -- more /oldboyedu/school.txt
oldboyeduroot@ubuntu0:~/manifests/configmap#
将"registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1"镜像的80端口修改为81端口,要求在不重新打镜像的情况下,使用cm存储卷的方式挂载。
1.找到nginx的配置文件
root@ubuntu0:~/manifests/configmap# kubectl exec -it xp-configmap-pgc6z -- sh
/ # vi /etc/nginx/nginx.conf
/ # ls /etc/nginx/conf.d/default.conf
/etc/nginx/conf.d/default.conf
/ # vi /etc/nginx/conf.d/default.conf
server {
listen 80;
listen [::]:80;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
2.编写资源清单
root@ubuntu0:~/manifests/configmap# cat 02-rc-configmaps-volumes.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: game-cm
data:
port.conf: |
server {
listen 81;
listen [::]:81;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
---
apiVersion: v1
kind: ReplicationController
metadata:
name: xiuxian-cm
spec:
replicas: 1
selector:
apps: xpxp-v1
template:
metadata:
labels:
apps: xpxp-v1
spec:
nodeName: ubuntu1
volumes:
- name: data
# 指定存储卷类型是cm资源
configMap:
# 指定cm的名称
name: "game-cm"
# 定义需要引用具体的KEY,若不定义,则默认引用所有的KEY
items:
# 表示引用指定的KEY
- key: port.conf
# 可以暂时理解为将来的文件名称
path: default.conf
containers:
- name: nginx
image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
volumeMounts:
- name: data
mountPath: /etc/nginx/conf.d/
---
apiVersion: v1
kind: Service
metadata:
name: svc-mysql
spec:
type: NodePort
selector:
apps: xpxp-v1
ports:
- port: 80
targetPort: 81
nodePort: 30081
root@ubuntu0:~/manifests/configmap# kubectl apply -f 02-rc-configmaps-volumes.yaml
configmap/game-cm created
replicationcontroller/xiuxian-cm created
service/svc-mysql created
root@ubuntu0:~/manifests/configmap# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
xiuxian-cm-b52m2 1/1 Running 0 7s 10.100.2.21 ubuntu1 <none> <none>
root@ubuntu0:~/manifests/configmap# kubectl describe svc
kubernetes svc-mysql
root@ubuntu0:~/manifests/configmap# kubectl describe svc svc-mysql
Name: svc-mysql
Namespace: default
Labels: <none>
Annotations: <none>
Selector: apps=xpxp-v1
Type: NodePort
IP Family Policy: SingleStack
IP Families: IPv4
IP: 192.168.116.228
IPs: 192.168.116.228
Port: <unset> 80/TCP
TargetPort: 81/TCP
NodePort: <unset> 30081/TCP
Endpoints: 10.100.2.21:81
Session Affinity: None
External Traffic Policy: Cluster
Events: <none>
root@ubuntu0:~/manifests/configmap# curl 10.100.2.21:81
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>yinzhengjie apps v1</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: green">凡人修仙传 v1 </h1>
<div>
<img src="1.jpg">
<div>
</body>
</html>
在进入容器内,已经发生改变了
root@ubuntu0:~/manifests/configmap# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
xiuxian-cm-b52m2 1/1 Running 0 2m38s 10.100.2.21 ubuntu1 <none> <none>
root@ubuntu0:~/manifests/configmap# kubectl exec -it xiuxian-cm-b52m2 -- sh
/ # cat /etc/nginx/conf.d/default.conf
server {
listen 81;
listen [::]:81;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
kubectl logs查看Pod日志
bash
复制代码
1.实时查看日志
[root@master231 ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
oldboyedu-xiuxian-cm-844zl 1/1 Running 0 4m47s 10.100.1.55 worker232 <none> <none>
[root@master231 ~]#
[root@master231 ~]# kubectl logs -f oldboyedu-xiuxian-cm-844zl
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2024/11/20 03:10:00 [notice] 1#1: using the "epoll" event method
2024/11/20 03:10:00 [notice] 1#1: nginx/1.20.1
2024/11/20 03:10:00 [notice] 1#1: built by gcc 10.2.1 20201203 (Alpine 10.2.1_pre1)
2024/11/20 03:10:00 [notice] 1#1: OS: Linux 5.15.0-119-generic
2024/11/20 03:10:00 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 524288:524288
2024/11/20 03:10:00 [notice] 1#1: start worker processes
2024/11/20 03:10:00 [notice] 1#1: start worker process 23
2024/11/20 03:10:00 [notice] 1#1: start worker process 24
10.100.0.0 - - [20/Nov/2024:03:10:08 +0000] "GET / HTTP/1.1" 200 357 "-" "curl/7.81.0" "-"
10.100.0.0 - - [20/Nov/2024:03:10:13 +0000] "GET / HTTP/1.1" 200 357 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "-"
10.100.0.0 - - [20/Nov/2024:03:10:13 +0000] "GET /1.jpg HTTP/1.1" 200 233472 "http://10.0.0.231:30080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "-"
2024/11/20 03:10:13 [error] 24#24: *2 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 10.100.0.0, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "10.0.0.231:30080", referrer: "http://10.0.0.231:30080/"
10.100.0.0 - - [20/Nov/2024:03:10:13 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://10.0.0.231:30080/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "-"
2.查看最近5min的日志
[root@master231 ~]# kubectl logs -f --since=5m oldboyedu-xiuxian-cm-844zl
2024/11/20 03:16:22 [error] 24#24: *4 open() "/usr/share/nginx/html/oldboyedu.html" failed (2: No such file or directory), client: 10.100.0.0, server: localhost, request: "GET /oldboyedu.html HTTP/1.1", host: "10.100.1.55:81"
10.100.0.0 - - [20/Nov/2024:03:16:22 +0000] "GET /oldboyedu.html HTTP/1.1" 404 153 "-" "curl/7.81.0" "-"
3.查看指定容器的日志(一般情况下是一个Pod有多个容器时才会使用)
[root@master231 ~]# kubectl logs -c c1 -f --since=5m oldboyedu-xiuxian-cm-844zl
2024/11/20 03:16:22 [error] 24#24: *4 open() "/usr/share/nginx/html/oldboyedu.html" failed (2: No such file or directory), client: 10.100.0.0, server: localhost, request: "GET /oldboyedu.html HTTP/1.1", host: "10.100.1.55:81"
10.100.0.0 - - [20/Nov/2024:03:16:22 +0000] "GET /oldboyedu.html HTTP/1.1" 404 153 "-" "curl/7.81.0" "-"
cm资源存储nginx主配置文件值subPath案例
bash
复制代码
root@ubuntu0:~/manifests/configmap# cat 02-rc-configmaps-volumes.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: game-cm
data:
main.conf: |
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format oldboyedu_nginx_json '{"@timestamp":"$time_iso8601",'
'"host":"$server_addr",'
'"clientip":"$remote_addr",'
'"SendBytes":$body_bytes_sent,'
'"responsetime":$request_time,'
'"upstreamtime":"$upstream_response_time",'
'"upstreamhost":"$upstream_addr",'
'"http_host":"$host",'
'"uri":"$uri",'
'"domain":"$host",'
'"xff":"$http_x_forwarded_for",'
'"referer":"$http_referer",'
'"tcp_xff":"$proxy_protocol_addr",'
'"http_user_agent":"$http_user_agent",'
'"status":"$status"}';
access_log /var/log/nginx/access.log oldboyedu_nginx_json;
sendfile on;
keepalive_timeout 65;
include /etc/nginx/conf.d/*.conf;
}
port.conf: |
server {
listen 81;
listen [::]:81;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
---
apiVersion: v1
kind: ReplicationController
metadata:
name: xiuxian-cm
spec:
replicas: 1
selector:
apps: xpxp-v1
template:
metadata:
labels:
apps: xpxp-v1
spec:
nodeName: ubuntu1
volumes:
- name: data
# 指定存储卷类型是cm资源
configMap:
# 指定cm的名称
name: "game-cm"
# 定义需要引用具体的KEY,若不定义,则默认引用所有的KEY
items:
# 表示引用指定的KEY
- key: port.conf
# 可以暂时理解为将来的文件名称
path: default.conf
- name: data1
configMap:
name: "game-cm"
items:
- key: main.conf
path: nginx.conf
containers:
- name: nginx
image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
volumeMounts:
- name: data
mountPath: /etc/nginx/conf.d/
- name: data1
mountPath: /etc/nginx/nginx.conf
# 当subPath的值和cm的items的path值相同时,则mountPath表示的是文件而不是目录
subPath: nginx.conf
---
apiVersion: v1
kind: Service
metadata:
name: svc-mysql
spec:
type: NodePort
selector:
apps: xpxp-v1
ports:
- port: 80
targetPort: 81
nodePort: 30081
root@ubuntu0:~/manifests/configmap# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
xiuxian-cm-8q45n 1/1 Running 0 7s 10.100.2.22 ubuntu1 <none> <none>
root@ubuntu0:~/manifests/configmap# curl 10.100.2.22:81
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>yinzhengjie apps v1</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: green">凡人修仙传 v1 </h1>
<div>
<img src="1.jpg">
<div>
</body>
</html>
k8s部署mysql主从
bash
复制代码
root@ubuntu0:~/manifests/ReplicationController# cat 05-nfs-mysql.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: game-demo
# 指定cm资源的数据
data:
master.cnf: |
[mysqld]
# 二进制日志
log-bin=mysqllog-bin
server_id=111
skip-host-cache
skip-name-resolve
datadir=/var/lib/mysql
socket=/var/run/mysqld/mysqld.sock
secure-file-priv=/var/lib/mysql-files
user=mysql
pid-file=/var/run/mysqld/mysqld.pid
[client]
socket=/var/run/mysqld/mysqld.sock
!includedir /etc/mysql/conf.d/
slave.cnf: |
[mysqld]
log-bin=mysqllog-bin
server_id=222
skip-host-cache
skip-name-resolve
datadir=/var/lib/mysql
socket=/var/run/mysqld/mysqld.sock
secure-file-priv=/var/lib/mysql-files
user=mysql
pid-file=/var/run/mysqld/mysqld.pid
[client]
socket=/var/run/mysqld/mysqld.sock
!includedir /etc/mysql/conf.d/
---
apiVersion: v1
kind: ReplicationController
metadata:
name: mysql-master
spec:
replicas: 1
selector:
apps: v1
template:
spec:
nodeName: ubuntu1
volumes:
- name: data
nfs:
server: ubuntu0
path: /oldboyedu/data/nfs-server/master-lib
- name: data1
configMap:
name: "game-demo"
items:
- key: master.cnf
path: my.cnf
containers:
- name: mysql-v1
image: mysql:5.7.29
ports:
- containerPort: 3306
name: mysqlport
env:
- name: MYSQL_ALLOW_EMPTY_PASSWORD
value: "yes"
- name: MYSQL_USER
value: linux94
- name: MYSQL_PASSWORD
value: 'oldboyedu'
volumeMounts:
- name: data
mountPath: /var/lib/mysql
- name: data1
mountPath: /etc/my.cnf
subPath: my.cnf
args:
- --character-set-server=utf8
- --collation-server=utf8_bin
- --default-authentication-plugin=mysql_native_password
metadata:
labels:
apps: v1
---
apiVersion: v1
kind: Service
metadata:
name: svc-mysql
spec:
selector:
apps: v1
ports:
- port: 3306
name: mysqlport
---
apiVersion: v1
kind: ReplicationController
metadata:
name: mysql-slave
spec:
replicas: 1
selector:
apps: v2
template:
spec:
nodeName: ubuntu1
volumes:
- name: data
nfs:
server: ubuntu0
path: /oldboyedu/data/nfs-server/slave-lib
- name: data1
configMap:
name: "game-demo"
items:
- key: slave.cnf
path: my.cnf
containers:
- name: mysql-v2
image: mysql:5.7.29
env:
- name: MYSQL_ALLOW_EMPTY_PASSWORD
value: "yes"
- name: MYSQL_MASTER_HOST
value: 'svc-mysql'
ports:
- containerPort: 3306
volumeMounts:
- name: data
mountPath: /var/lib/mysql
- name: data1
mountPath: /etc/my.cnf
subPath: my.cnf
metadata:
labels:
apps: v2
---
apiVersion: v1
kind: Service
metadata:
name: svc-slave
spec:
selector:
apps: v2
ports:
- port: 3306
进入主数据库查看
root@ubuntu0:~/manifests/ReplicationController# kubectl exec -it mysql-master-4zxp6 -- mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.29-log MySQL Community Server (GPL)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
授权用户访问
mysql> GRANT Replication slave ON *.* TO linux94;
Query OK, 0 rows affected (0.00 sec)
mysql> SHOW MASTER STATUS\G
*************************** 1. row ***************************
File: mysqllog-bin.000004
Position: 353
Binlog_Do_DB:
Binlog_Ignore_DB:
Executed_Gtid_Set:
1 row in set (0.00 sec)
mysql> SHOW GRANTS FOR linux94;
+-------------------------------------------------+
| Grants for linux94@% |
+-------------------------------------------------+
| GRANT REPLICATION SLAVE ON *.* TO 'linux94'@'%' |
+-------------------------------------------------+
从库配置
mysql> CHANGE MASTER TO MASTER_HOST='svc-mysql',MASTER_USER='linux94',MASTER_PASSWORD='oldboyedu',MASTER_PORT=3306,MASTER_LOG_FILE='mysqllog-bin.000004',MASTER_LOG_POS=353,MASTER_CONNECT_RETRY=3;
Query OK, 0 rows affected, 2 warnings (0.04 sec)
mysql> STOP SLAVE;
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> START SLAVE;
Query OK, 0 rows affected (0.00 sec)
mysql> SHOW SLAVE STATUS\G
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: svc-mysql
Master_User: linux94
Master_Port: 3306
Connect_Retry: 3
Master_Log_File: mysqllog-bin.000004
Read_Master_Log_Pos: 353
Relay_Log_File: mysql-slave-2pgsd-relay-bin.000002
Relay_Log_Pos: 323
Relay_Master_Log_File: mysqllog-bin.000004
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
secret概述
bash
复制代码
与ConfigMap类似,区别在于secret存储敏感数据,所有的数据都需要经过base64进行编码。
使用secret主要存储的是凭据信息。
参考链接:
https://kubernetes.io/zh/docs/concepts/configuration/secret/#secret-types
secret资源声明式两种创建方式
2.1 方式一: 基于stringData方式(推荐)
root@ubuntu0:~/manifests/secret# cat 01-secrets-stringData.yaml
apiVersion: v1
kind: Secret
metadata:
name: user-info
stringData:
username: admin
password: "1"
my.cnf: |
[mysqld]
basedir=/oldboyedu/softwares/mysql80
port=3306
datadir=/oldboyedu/data/mysql80
socket=/tmp/mysql80.sock
root@ubuntu0:~/manifests/secret# kubectl apply -f 01-secrets-stringData.yaml
secret/user-info created
root@ubuntu0:~/manifests/secret# kubectl get secrets -o wide
NAME TYPE DATA AGE
default-token-hszqs kubernetes.io/service-account-token 3 26d
user-info Opaque 3 7s
root@ubuntu0:~/manifests/secret# kubectl get secrets -o wide user-info
NAME TYPE DATA AGE
user-info Opaque 3 46s
root@ubuntu0:~/manifests/secret# kubectl describe secrets user-info
Name: user-info
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
my.cnf: 113 bytes
password: 1 bytes
username: 5 bytes
root@ubuntu0:~/manifests/secret# kubectl get secrets user-info -o yaml
apiVersion: v1
data:
my.cnf: W215c3FsZF0KYmFzZWRpcj0vb2xkYm95ZWR1L3NvZnR3YXJlcy9teXNxbDgwCnBvcnQ9MzMwNgpkYXRhZGlyPS9vbGRib3llZHUvZGF0YS9teXNxbDgwCnNvY2tldD0vdG1wL215c3FsODAuc29jawo=
password: MQ==
username: YWRtaW4=
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"user-info","namespace":"default"},"stringData":{"my.cnf":"[mysqld]\nbasedir=/oldboyedu/softwares/mysql80\nport=3306\ndatadir=/oldboyedu/data/mysql80\nsocket=/tmp/mysql80.sock\n","password":"1","username":"admin"}}
creationTimestamp: "2025-05-05T02:16:24Z"
name: user-info
namespace: default
resourceVersion: "815355"
uid: 90653274-1030-4208-a555-032c6484029f
type: Opaque
解密:
root@ubuntu0:~/manifests/secret# echo 'W215c3FsZF0KYmFzZWRpcj0vb2xkYm95ZWR1L3NvZnR3YXJlcy9teXNxbDgwCnBvcnQ9MzMwNgpkYXRhZGlyPS9vbGRib3llZHUvZGF0YS9teXNxbDgwCnNvY2tldD0vdG1wL215c3FsO
DAuc29jawo='|base64 -d
[mysqld]
basedir=/oldboyedu/softwares/mysql80
port=3306
datadir=/oldboyedu/data/mysql80
socket=/tmp/mysql80.sock
root@ubuntu0:~/manifests/secret# echo 'MQ=='|base64 -d
1root@ubuntu0:~/manifests/secret# echo 'MQ=='|base64 -d|more
1
方式二: 基于方式(不推荐,编写时容易出错)
root@ubuntu0:~/manifests/secret# echo linux94 | base64
bGludXg5NAo=
root@ubuntu0:~/manifests/secret# echo oldboyedu | base64
b2xkYm95ZWR1Cg==
root@ubuntu0:~/manifests/secret# cat 02-secrets-data.yaml
apiVersion: v1
kind: Secret
metadata:
name: admin
data:
# KEY无需做任何操作,VALUE进行BASE64手动编码
username: bGludXg5NAo=
password: b2xkYm95ZWR1Cg==
root@ubuntu0:~/manifests/secret# echo linux94 | base64
bGludXg5NAo=
root@ubuntu0:~/manifests/secret# echo oldboyedu | base64
b2xkYm95ZWR1Cg==
root@ubuntu0:~/manifests/secret# cat 02-secrets-data.yaml
apiVersion: v1
kind: Secret
metadata:
name: admin
data:
# KEY无需做任何操作,VALUE进行BASE64手动编码
username: bGludXg5NAo=
password: b2xkYm95ZWR1Cg==
root@ubuntu0:~/manifests/secret# kubectl apply -f 02-secrets-data.yaml
secret/admin created
root@ubuntu0:~/manifests/secret# kubectl get secrets admin
NAME TYPE DATA AGE
admin Opaque 2 6s
root@ubuntu0:~/manifests/secret# kubectl get secrets admin -o yaml
apiVersion: v1
data:
password: b2xkYm95ZWR1Cg==
username: bGludXg5NAo=
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"password":"b2xkYm95ZWR1Cg==","username":"bGludXg5NAo="},"kind":"Secret","metadata":{"annotations":{},"name":"admin","namespace":"default"}}
creationTimestamp: "2025-05-05T02:21:09Z"
name: admin
namespace: default
resourceVersion: "815756"
uid: 4e62f0f6-1940-43f7-b81c-16278cda898d
type: Opaque
响应式创建secrets常用选项
bash
复制代码
root@ubuntu0:~/manifests/secret# kubectl create secret generic test01 --from-literal=SCHOOL=oldboyedu --from-literal=class=linux94
secret/test01 created
root@ubuntu0:~/manifests/secret# kubectl create secret generic test02 --from-file=stringData=01-secrets-stringData.yaml --from-file=Data=02-secrets-data.yaml
secret/test02 created
root@ubuntu0:~/manifests/secret# kubectl get secrets test01 test02
NAME TYPE DATA AGE
test01 Opaque 2 20s
test02 Opaque 2 9s
root@ubuntu0:~/manifests/secret# kubectl get secrets test01 test02 -o yaml
apiVersion: v1
items:
- apiVersion: v1
data:
SCHOOL: b2xkYm95ZWR1
class: bGludXg5NA==
kind: Secret
metadata:
creationTimestamp: "2025-05-05T02:39:39Z"
name: test01
namespace: default
resourceVersion: "817317"
uid: 9255edec-24db-4490-a8b3-d0951b21c470
type: Opaque
- apiVersion: v1
data:
Data: YXBpVmVyc2lvbjogdjEKa2luZDogU2VjcmV0Cm1ldGFkYXRhOgogIG5hbWU6IGFkbWluCmRhdGE6CiAgIyBLRVnml6DpnIDlgZrku7vkvZXmk43kvZzvvIxWQUxVRei/m+ihjEJBU0U2NOaJi+WKqOe8lueggQogIHVzZXJuYW1lOiBiR2x1ZFhnNU5Bbz0KICBwYXNzd29yZDogYjJ4a1ltOTVaV1IxQ2c9PQo=
stringData: YXBpVmVyc2lvbjogdjEKa2luZDogU2VjcmV0Cm1ldGFkYXRhOgogIG5hbWU6IHVzZXItaW5mbwpzdHJpbmdEYXRhOgogIHVzZXJuYW1lOiBhZG1pbgogIHBhc3N3b3JkOiAiMSIKCiAgbXkuY25mOiB8CiAgICBbbXlzcWxkXQogICAgYmFzZWRpcj0vb2xkYm95ZWR1L3NvZnR3YXJlcy9teXNxbDgwCiAgICBwb3J0PTMzMDYKICAgIGRhdGFkaXI9L29sZGJveWVkdS9kYXRhL215c3FsODAKICAgIHNvY2tldD0vdG1wL215c3FsODAuc29jawo=
kind: Secret
metadata:
creationTimestamp: "2025-05-05T02:39:50Z"
name: test02
namespace: default
resourceVersion: "817332"
uid: b1476fdd-5182-426d-a784-7ee5b16342c1
type: Opaque
kind: List
metadata:
resourceVersion: ""
selfLink: ""
root@ubuntu0:~/manifests/secret# kubectl delete secrets test01 test02
secret "test01" deleted
secret "test02" deleted
Pod引用secrets的两种方式
bash
复制代码
基于环境变量引入
1.先查看一下user-info的变量
root@ubuntu0:~/manifests/secret# kubectl get secrets user-info
NAME TYPE DATA AGE
user-info Opaque 3 4d21h
root@ubuntu0:~/manifests/secret# kubectl get secrets user-info -o yaml
apiVersion: v1
data:
my.cnf: W215c3FsZF0KYmFzZWRpcj0vb2xkYm95ZWR1L3NvZnR3YXJlcy9teXNxbDgwCnBvcnQ9MzMwNgpkYXRhZGlyPS9vbGRib3llZHUvZGF0YS9teXNxbDgwCnNvY2tldD0vdG1wL215c3FsODAuc29jawo=
password: MQ==
username: YWRtaW4=
kind: Secret
2.基于环境变量引入
root@ubuntu0:~/manifests/secret# cat 04-secret-env.yaml
apiVersion: v1
kind: ReplicationController
metadata:
name: secret-env
spec:
replicas: 1
selector:
apps: v1
template:
metadata:
labels:
apps: v1
spec:
nodeName: ubuntu1
containers:
- name: xp
image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
env:
- name: env_username
valueFrom:
#表示值从一个secrets资源中引用
secretKeyRef:
# 指定secrets资源的名称
name: user-info
# 引用secrets的key
key: username
- name: env_mycnf
valueFrom:
#表示值从一个secrets资源中引用
secretKeyRef:
# 指定secrets资源的名称
name: user-info
# 引用secrets的key
key: my.cnf
root@ubuntu0:~/manifests/secret# kubectl apply -f 04-secret-env.yaml
replicationcontroller/secret-env created
root@ubuntu0:~/manifests/secret# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql-master-4zxp6 1/1 Running 0 5d 10.100.2.30 ubuntu1 <none> <none>
mysql-slave-2pgsd 1/1 Running 0 5d 10.100.2.29 ubuntu1 <none> <none>
secret-env-78xjs 1/1 Running 0 29s 10.100.2.32 ubuntu1 <none> <none>
查看环境变量,他会自动的解密
root@ubuntu0:~/manifests/secret# kubectl exec -it secret-env-78xjs -- env
env_username=admin
env_mycnf=[mysqld]
basedir=/oldboyedu/softwares/mysql80
port=3306
datadir=/oldboyedu/data/mysql80
socket=/tmp/mysql80.sock
基于存储卷的方式引用
root@ubuntu0:~/manifests/secret# cat 03-secret.yaml
apiVersion: v1
kind: ReplicationController
metadata:
name: oldboyedu-rc-nfs-v1
spec:
replicas: 1
selector:
apps: v1
template:
metadata:
labels:
apps: v1
spec:
nodeName: ubuntu1
volumes:
- name: data
#表示存储卷的类型是secret
secret:
# 指定secret的名称
secretName: user-info
# 指定要引用的键值对
items:
# 指定secrets的KEY
- key: username
# 暂时理解为将来在Pod容器挂载时的文件名称
path: username.txt
- key: password
path: password.txt
- key: my.cnf
path: my.cnf
containers:
- name: nginx
image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
volumeMounts:
- name: data
mountPath: /oldboyedu
root@ubuntu0:~/manifests/secret# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql-master-4zxp6 1/1 Running 0 5d 10.100.2.30 ubuntu1 <none> <none>
mysql-slave-2pgsd 1/1 Running 0 5d 10.100.2.29 ubuntu1 <none> <none>
oldboyedu-rc-nfs-v1-5cx5d 1/1 Running 0 8s 10.100.2.33 ubuntu1 <none> <none>
root@ubuntu0:~/manifests/secret# kubectl exec -it oldboyedu-rc-nfs-v1-5cx5d -- sh
/ # ls -l /oldboyedu/
total 0
lrwxrwxrwx 1 root root 13 May 10 00:42 my.cnf -> ..data/my.cnf
lrwxrwxrwx 1 root root 19 May 10 00:42 password.txt -> ..data/password.txt
lrwxrwxrwx 1 root root 19 May 10 00:42 username.txt -> ..data/username.txt
/ # cat /oldboyedu/my.cnf
[mysqld]
basedir=/oldboyedu/softwares/mysql80
port=3306
datadir=/oldboyedu/data/mysql80
socket=/tmp/mysql80.sock
基于响应式secret实现harbor登录认证案例
bash
复制代码
1.响应式创建harbor的认证信息
[root@master231 case-demo]# kubectl create secret docker-registry oldboyedu-harbor --docker-username=admin --docker-password=1 [email protected] --docker-server=harbor.oldboyedu.com
secret/oldboyedu-harbor created
[root@master231 case-demo]# kubectl get secrets oldboyedu-harbor
NAME TYPE DATA AGE
oldboyedu-harbor kubernetes.io/dockerconfigjson 1 9s
2.创建测试
[root@master231 case-demo]# cat 16-rc-secrets-private-harbor-registry.yaml
apiVersion: v1
kind: ReplicationController
metadata:
name: oldboyedu-private-harbor
spec:
replicas: 3
selector:
apps: linux
template:
spec:
# 镜像拉取的认证凭据
imagePullSecrets:
# 指定访问harbor的认证信息
- name: oldboyedu-harbor
containers:
- name: c1
image: harbor.oldboyedu.com/oldboyedu-linux/alpine:latest
imagePullPolicy: Always
stdin: true
metadata:
labels:
apps: linux
[root@master231 case-demo]#
[root@master231 case-demo]# kubectl apply -f 16-rc-secrets-private-harbor-registry.yaml
replicationcontroller/oldboyedu-private-harbor created
[root@master231 case-demo]#
[root@master231 case-demo]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
oldboyedu-private-harbor-f7hmj 1/1 Running 0 4s 10.100.1.64 worker232 <none> <none>
oldboyedu-private-harbor-gkmtm 1/1 Running 0 4s 10.100.2.120 worker233 <none> <none>
oldboyedu-private-harbor-pmf5q 1/1 Running 0 4s 10.100.2.119 worker233 <none> <none>
[root@master231 case-demo]#
基于声明式secret实现harbor登录认证案例
bash
复制代码
1.harbor创建用户名和密码
用户名称: linux94
密码: Linux@2024
邮箱: [email protected]
2.对认证信息进行base64编码
[root@master231 case-demo]# echo -n linux94:Linux@2024 | base64
bGludXg5NDpMaW51eEAyMDI0
[root@master231 case-demo]#
3.得到最终的认证信息:
{"auths":{"harbor.oldboyedu.com":{"username":"linux94","password":"Linux@2024","email":"[email protected]","auth":"bGludXg5NDpMaW51eEAyMDI0"}}}
4.编写资源清单
[root@master231 case-demo]# cat 16-rc-secrets-private-harbor-registry.yaml
apiVersion: v1
kind: Secret
metadata:
name: linux94-harbor
stringData:
.dockerconfigjson: '{"auths":{"harbor.oldboyedu.com":{"username":"linux94","password":"Linux@2024","email":"[email protected]","auth":"bGludXg5NDpMaW51eEAyMDI0"}}}'
type: kubernetes.io/dockerconfigjson
---
apiVersion: v1
kind: ReplicationController
metadata:
name: oldboyedu-private-harbor
spec:
replicas: 3
selector:
apps: linux
template:
spec:
# 镜像拉取的认证凭据
imagePullSecrets:
# 指定访问harbor的认证信息
- name: linux94-harbor
containers:
- name: c1
image: harbor.oldboyedu.com/oldboyedu-linux/alpine:latest
imagePullPolicy: Always
stdin: true
metadata:
labels:
apps: linux
[root@master231 case-demo]#
[root@master231 case-demo]# kubectl apply -f 16-rc-secrets-private-harbor-registry.yaml
secret/linux94-harbor created
replicationcontroller/oldboyedu-private-harbor created
[root@master231 case-demo]#
[root@master231 case-demo]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
oldboyedu-private-harbor-6kf6t 1/1 Running 0 3s 10.100.2.124 worker233 <none> <none>
oldboyedu-private-harbor-prqnv 1/1 Running 0 3s 10.100.2.125 worker233 <none> <none>
oldboyedu-private-harbor-tcp27 1/1 Running 0 3s 10.100.1.68 worker232 <none> <none>
[root@master231 case-demo]#
基于serviceaccounts绑定secret实现harbor认证
bash
复制代码
root@ubuntu0:/oldboyedu/softwares/harbor# kubectl api-resources |grep -w sa
serviceaccounts sa v1 true ServiceAccount
1.响应式创建账号
root@ubuntu0:/oldboyedu/softwares/harbor# kubectl create sa xixi
serviceaccount/xixi created
root@ubuntu0:/oldboyedu/softwares/harbor# kubectl get sa xixi
NAME SECRETS AGE
xixi 1 61s
root@ubuntu0:/oldboyedu/softwares/harbor# kubectl get sa xixi -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: "2025-05-18T12:03:44Z"
name: xixi
namespace: default
resourceVersion: "1617334"
uid: 8597121b-be87-4e33-a25b-d7f84a2fc43d
secrets:
- name: xixi-token-f4d9p
2.查看账号后端的Image pull secrets
root@ubuntu0:/oldboyedu/softwares/harbor# kubectl describe sa xixi
Name: xixi
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: xixi-token-f4d9p
Tokens: xixi-token-f4d9p
Events: <none>
由于上面的镜像拉去策略为空,所以更新账号绑定的信息
[root@master231 serviceaccounts]# kubectl patch sa xixi -p '{"imagePullSecrets":[{"name":"oldboyedu-harbor"}]}'
serviceaccount/xixi patched
[root@master231 serviceaccounts]#
[root@master231 serviceaccounts]# kubectl describe sa xixi
Name: xixi
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: oldboyedu-harbor
Mountable secrets: xixi-token-nk9z4
Tokens: xixi-token-nk9z4
Events: <none>
4.响应式更新账号的信息
[root@master231 serviceaccounts]# kubectl get secrets oldboyedu-harbor
NAME TYPE DATA AGE
oldboyedu-harbor kubernetes.io/dockerconfigjson 1 66m
[root@master231 serviceaccounts]#
[root@master231 serviceaccounts]# kubectl describe sa xixi
Name: xixi
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: xixi-token-nk9z4
Tokens: xixi-token-nk9z4
Events: <none>
[root@master231 serviceaccounts]#
[root@master231 serviceaccounts]# kubectl patch sa xixi -p '{"imagePullSecrets":[{"name":"oldboyedu-harbor"}]}'
serviceaccount/xixi patched
[root@master231 serviceaccounts]#
[root@master231 serviceaccounts]# kubectl describe sa xixi
Name: xixi
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: oldboyedu-harbor
Mountable secrets: xixi-token-nk9z4
Tokens: xixi-token-nk9z4
Events: <none>
[root@master231 serviceaccounts]#
5.Pod使用sa账号拉取镜像
[root@master231 case-demo]# cat 17-rc-secrets-sa-harbor.yaml
apiVersion: v1
kind: Secret
metadata:
name: linux94-harbor
stringData:
.dockerconfigjson: '{"auths":{"harbor.oldboyedu.com":{"username":"linux94","password":"Linux@2024","email":"[email protected]","auth":"bGludXg5NDpMaW51eEAyMDI0"}}}'
type: kubernetes.io/dockerconfigjson
---
apiVersion: v1
# 将sa账号绑定secret的拉取镜像认证信息
imagePullSecrets:
- name: linux94-harbor
kind: ServiceAccount
metadata:
name: linux94
namespace: default
---
apiVersion: v1
kind: ReplicationController
metadata:
name: oldboyedu-private-harbor
spec:
replicas: 3
selector:
apps: linux
template:
spec:
# 指定服务账号,基于该账号拉取镜像
serviceAccount: linux94
containers:
- name: c1
image: harbor.oldboyedu.com/oldboyedu-linux/alpine:latest
imagePullPolicy: Always
stdin: true
metadata:
labels:
apps: linux
[root@master231 case-demo]#
pod创建流程
bash
复制代码
- Pod创建流程:
Pod的创建,删除,修改流程:
1.执行kubectl命令时会加载"~/.kube/config",从而识别到apiserver的地址,端口及认证证书;
2.apiserver进行证书认证,鉴权,语法检查,若成功则可以进行数据的读取或者写入;
3.若用户是写入操作(创建,修改,删除)则需要修改etcd数据库的信息;
4.如果创建Pod,此时scheduler负责Pod调度,将Pod调度到合适的worker节点,并将结果返回给ApiServer存储到etcd中;
5.kubelet组件会周期性上报给apiServer节点,包括Pod内的容器资源(cpu,memory,disk,gpu,...)及worker宿主机节点状态,apiServer并将结果存储到etcd中,若有该节点的任务也会直接返回给该节点进行调度;
6.kubelet开始调用CRI接口创建容器(依次创建pause,initContainers,containers);
7.在运行过程中,若Pod容器,正常或者异常退出时,kubelet会根据重启策略是否重启容器(Never,Always,OnFailure);
8.若一个节点怪掉,则需要controller manager介入维护,比如Pod副本数量缺失,则需要创建watch事件,要求控制器的副本数要达到标准,从而要创建新的Pod,此过程重复步骤4-6。
k8s部署jenkins
bash
复制代码
apiVersion: v1
kind: Namespace
metadata:
name: devops
---
apiVersion: v1
kind: ReplicationController
metadata:
name: oldboyedu-jenkins
namespace: devops
spec:
replicas: 1
selector:
apps: jenkins
template:
spec:
nodeName: worker233
volumes:
- name: data
nfs:
server: 10.0.0.231
path: /oldboyedu/data/nfs-server/volumes/devops/jenkins
containers:
- name: c1
# image: jenkins/jenkins:2.479.1-alpine-jdk21
image: harbor.oldboyedu.com/oldboyedu-devops/jenkins:2.479.1-alpine-jdk21
#command:
#- tail
#- -f
#- /etc/hosts
ports:
- containerPort: 8080
volumeMounts:
- name: data
mountPath: /var/jenkins_home/
metadata:
labels:
apps: jenkins
---
apiVersion: v1
kind: Service
metadata:
name: svc-jenkins
namespace: devops
spec:
type: NodePort
selector:
apps: jenkins
ports:
- port: 8080
nodePort: 30083
[root@master231 case-demo]#
3.温馨提示:
- 在使用资源清单之前,应该先将Jenkins运行起来,安装常用的插件;
- 再将/var/jenkins_home/数据拷贝到"/oldboyedu/data/nfs-server/volumes/devops/jenkins"中。