15. Kubernetes in Practice - Using Secrets
I. Introduction
The previous article covered the two ways of creating Secret objects;
this one covers how those Secrets are consumed by Pods.
II. Using Secrets
1. Volume mount
Mount the Secret into the container as a volume.
Update the configuration
Look at the existing deployment-user-v1.yaml:
[root@k8s-master deployment]# vi deployment-user-v1.yaml
apiVersion: apps/v1            # API version
kind: Deployment               # resource type: Deployment
metadata:
  name: user-v1                # resource name
spec:
  minReadySeconds: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: user-v1             # the Deployment manages the Pods whose labels match matchLabels
  replicas: 3                  # number of Pod replicas
  template:
    metadata:
      labels:
        app: user-v1           # Pod label
    spec:                      # the containers inside the Pod
      containers:
      - name: nginx            # container name
        image: nginx:user-v3   # image
        ports:
        - containerPort: 80    # port exposed inside the container
Make the following changes:
1. set replicas to 1;
2. in the spec under template, add a volumes declaration that uses the secret-opaque Secret (see the listing below)
[root@k8s-master deployment]# kubectl get secret
NAME TYPE DATA AGE
default-token-q4qxd kubernetes.io/service-account-token 3 8d
registry-auth kubernetes.io/dockerconfigjson 1 25m
registry-auth-file kubernetes.io/dockerconfigjson 1 19m
secret-opaque Opaque 2 40m
secret-opaque-flie Opaque 2 32m
Updated deployment-user-v1.yaml (lines marked + are the additions):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: user-v1
spec:
  minReadySeconds: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: user-v1
+ replicas: 1                         # number of Pod replicas
  template:
    metadata:
      labels:
        app: user-v1
    spec:
+     volumes:
+     - name: secret-opaque           # declare the volume
+       secret:
+         secretName: secret-opaque   # the Secret that backs it
      containers:
      - name: nginx
        image: nginx:user-v3
+       volumeMounts:                 # where the volume is mounted inside the container
+       - name: secret-opaque         # volume name
+         mountPath: /secret-opaque   # mount path
+         readOnly: true              # read-only
        ports:
        - containerPort: 80
Apply the configuration
[root@k8s-master deployment]# kubectl apply -f deployment-user-v1.yaml
deployment.apps/user-v1 configured
List the Pods
[root@k8s-master deployment]# kubectl get pods
NAME READY STATUS RESTARTS AGE
http-probe 1/1 Running 78 4h18m
user-v1-64c948c799-66m9w 1/1 Running 0 58s
Exec into the Pod
kubectl exec -it user-v1-64c948c799-66m9w -- bash
// actual run
[root@k8s-master deployment]# kubectl exec -it user-v1-64c948c799-66m9w -- bash
root@user-v1-64c948c799-66m9w:/# cd secret-opaque/
root@user-v1-64c948c799-66m9w:/secret-opaque# ls
password username
root@user-v1-64c948c799-66m9w:/secret-opaque# cat username
admin
root@user-v1-64c948c799-66m9w:/secret-opaque# cat password
123456
This is the first approach: the Secret is used as a volume, and each of its keys appears as a file at the mount path inside the container's filesystem.
2. Environment variable injection
- The second approach injects the Secret's values into the container's environment variables.
Modify deployment-user-v1.yaml (lines marked + are the additions):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: user-v1
spec:
  minReadySeconds: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: user-v1
  replicas: 1
  template:
    metadata:
      labels:
        app: user-v1
    spec:
      volumes:
      - name: secret-opaque
        secret:
          secretName: secret-opaque
      containers:
      - name: nginx
+       env:                              # environment variables
+       - name: USERNAME
+         valueFrom:                      # where the value is taken from
+           secretKeyRef:                 # one key of a Secret object
+             name: secret-opaque-flie    # the Secret object
+             key: username               # the key within that Secret (here: username)
+       - name: PASSWORD
+         valueFrom:
+           secretKeyRef:
+             name: secret-opaque-flie
+             key: password
        image: nginx:user-v3
        volumeMounts:
        - name: secret-opaque
          mountPath: /secret-opaque
          readOnly: true
        ports:
        - containerPort: 80
Apply the configuration
[root@k8s-master deployment]# kubectl apply -f deployment-user-v1.yaml
deployment.apps/user-v1 configured
[root@k8s-master deployment]# kubectl get pods
NAME READY STATUS RESTARTS AGE
http-probe 0/1 CrashLoopBackOff 83 4h35m
user-v1-84bdcc465b-vxvl2 1/1 Running 0 31s
Print all environment variables
// exec into the container
kubectl exec -it user-v1-84bdcc465b-vxvl2 -- env
kubectl exec -it user-v1-84bdcc465b-vxvl2 -- env | grep USERNAME
// actual run
[root@k8s-master deployment]# kubectl exec -it user-v1-84bdcc465b-vxvl2 -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=user-v1-84bdcc465b-vxvl2
TERM=xterm
USERNAME=root
PASSWORD=root
KUBERNETES_PORT_443_TCP_PORT=443
SERVICE_USER_V1_PORT=tcp://10.104.13.40:80
SERVICE_USER_V1_PORT_80_TCP=tcp://10.104.13.40:80
SERVICE_USER_V1_PORT_80_TCP_ADDR=10.104.13.40
SERVICE_USER_V1_PORT_80_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
SERVICE_USER_V1_SERVICE_HOST=10.104.13.40
KUBERNETES_SERVICE_PORT_HTTPS=443
SERVICE_USER_V1_PORT_80_TCP_PORT=80
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
SERVICE_USER_V1_SERVICE_PORT=80
NGINX_VERSION=1.19.6
NJS_VERSION=0.5.0
PKG_RELEASE=1~buster
HOME=/root
[root@k8s-master deployment]# kubectl exec -it user-v1-84bdcc465b-vxvl2 -- env | grep USERNAME
USERNAME=root
Notes:
Once the configuration takes effect, the variables are available inside the container;
Node.js, for example, reads USERNAME via process.env.USERNAME.
A variable set this way is inherited by every child process and tends to surface in env output, crash reports and debug logs, so for credentials the volume mount from the previous section is the more contained choice.
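As an added example that ties the two approaches above together (not code from the original article): the functions below work on constructed copies of the page's two Secrets and of the env-injection Pod spec, and resolve what the container actually sees, the files under /secret-opaque taken from secret-opaque and the USERNAME/PASSWORD variables taken from secret-opaque-flie, which is why the mounted files read admin/123456 while the variables read root/root. They also model the failure modes the manifests imply: a missing Secret or key blocks container creation unless the reference carries `optional: true`.

```python
import base64

# Constructed inputs mirroring the page: the two Opaque Secrets (values base64-encoded,
# as in a Secret's `data` field) and the env-injection Pod spec from the manifest above.
SECRETS = {
    "secret-opaque": {"username": "YWRtaW4=", "password": "MTIzNDU2"},       # admin / 123456
    "secret-opaque-flie": {"username": "cm9vdA==", "password": "cm9vdA=="},  # root / root
}
POD_SPEC = {
    "volumes": [{"name": "secret-opaque", "secret": {"secretName": "secret-opaque"}}],
    "containers": [{
        "name": "nginx",
        "env": [{"name": n, "valueFrom": {"secretKeyRef": {"name": "secret-opaque-flie", "key": k}}}
                for n, k in (("USERNAME", "username"), ("PASSWORD", "password"))],
        "volumeMounts": [{"name": "secret-opaque", "mountPath": "/secret-opaque", "readOnly": True}],
    }],
}

def plain(value):
    """Decode one base64 `data` value back to the text the container will see."""
    return base64.b64decode(value).decode()

def volume_files(pod_spec, container, secrets=SECRETS):
    """Files the container sees from its secret volumes, as {mountPath/key: content}.
    A missing Secret keeps the Pod in ContainerCreating unless the volume is optional."""
    vols = {v["name"]: v["secret"] for v in pod_spec.get("volumes", []) if "secret" in v}
    files = {}
    for mount in container.get("volumeMounts", []):
        src = vols[mount["name"]]
        if src["secretName"] not in secrets:
            if src.get("optional"):
                continue  # optional: true gives an empty mount instead of a stuck Pod
            raise LookupError(f"secret {src['secretName']!r} not found")
        for key, value in secrets[src["secretName"]].items():
            files[f"{mount['mountPath'].rstrip('/')}/{key}"] = plain(value)
    return files

def env_values(container, secrets=SECRETS):
    """Environment variables resolved from secretKeyRef entries. A missing Secret or key
    is what shows up as CreateContainerConfigError on a node, unless the ref is optional."""
    env = {}
    for entry in container.get("env", []):
        ref = entry.get("valueFrom", {}).get("secretKeyRef")
        if ref is None:
            env[entry["name"]] = entry.get("value", "")
        elif ref["name"] in secrets and ref["key"] in secrets[ref["name"]]:
            env[entry["name"]] = plain(secrets[ref["name"]][ref["key"]])
        elif not ref.get("optional"):
            raise LookupError(f"secretKeyRef {ref['name']}/{ref['key']} not found")
    return env
```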
3. Private Docker registry authentication
- The third type is the Docker registry Secret (kubernetes.io/dockerconfigjson in the listing above); it is used only to authenticate to a private image registry.
Create a new manifest by copying deployment-user-v1.yaml to deployment-v4.yaml:
[root@k8s-master deployment]# cp deployment-user-v1.yaml deployment-v4.yaml
deployment-v4.yaml before the change:
[root@k8s-master deployment]# vi deployment-v4.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: user-v1
spec:
  minReadySeconds: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: user-v1
  replicas: 1
  template:
    metadata:
      labels:
        app: user-v1
    spec:
      volumes:
      - name: secret-opaque
        secret:
          secretName: secret-opaque
      containers:
      - name: nginx
        env:                              # environment variables
        - name: USERNAME
          valueFrom:                      # where the value is taken from
            secretKeyRef:                 # one key of a Secret object
              name: secret-opaque-flie    # the Secret object
              key: username               # the key within that Secret (here: username)
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: secret-opaque-flie
              key: password
        image: nginx:user-v3
        volumeMounts:
        - name: secret-opaque
          mountPath: /secret-opaque
          readOnly: true
        ports:
        - containerPort: 80
deployment-v4.yaml after the change (pulling from the private registry):
[root@k8s-master deployment]# vi deployment-v4.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: v4                    # changed
spec:
  selector:
    matchLabels:
      app: v4                 # changed
  replicas: 1
  template:
    metadata:
      labels:
        app: v4               # changed
    spec:
      containers:
      - name: vue-project
        image: 39.105.212.14:8082/vue-project:2021123011191640834385   # changed
        ports:
        - containerPort: 80
List the local images (note the prompt: this is the build host, not k8s-master):
[root@iZ2ze7rkgit9zoa18pxu73Z ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
39.105.212.14:8082/vue-project 2021123011191640834385 cf09bb54e87e 4 hours ago 110MB
39.105.212.14:8082/vue-project 2021123011461640835990 cf09bb54e87e 4 hours ago 110MB
cicdproject latest 2e9269d7c724 10 days ago 110MB
node latest 058747996654 3 weeks ago 992MB
nginx 1.15 53f3fd8007f7 2 years ago 109MB
Image selected: 39.105.212.14:8082/vue-project:2021123011191640834385
// image reference format
image: [registry address]/[image name]:[image tag]
Apply the configuration
// apply the configuration
[root@k8s-master deployment]# kubectl apply -f deployment-v4.yaml
deployment.apps/v4 created
// list the Pods: v4 reports ErrImagePull
[root@k8s-master deployment]# kubectl get pods
NAME READY STATUS RESTARTS AGE
http-probe 0/1 CrashLoopBackOff 87 4h48m
user-v1-84bdcc465b-vxvl2 1/1 Running 0 13m
v4-6dcd997cdf-fw8pr 0/1 ErrImagePull 0 7s
// describe the Pod: the image pull failed, no permission
// the Pod was scheduled; the image pull started; the pull failed: no permission
// note that the event message itself reads "server gave HTTP response to HTTPS client": the registry at 39.105.212.14:8082 answers over plain HTTP, and the node's container runtime must either be configured to trust it as an insecure registry or the registry must serve TLS; this is independent of registry credentials
[root@k8s-master deployment]# kubectl describe pods v4-6dcd997cdf-fw8pr
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 38s default-scheduler Successfully assigned default/v4-6dcd997cdf-fw8pr to k8s-node
Normal Pulling 22s (x2 over 38s) kubelet Pulling image "39.105.212.14:8082/vue-project:2021123011191640834385"
Warning Failed 22s (x2 over 38s) kubelet Failed to pull image "39.105.212.14:8082/vue-project:2021123011191640834385": rpc error: code = Unknown desc = Error response from daemon: Get "https://39.105.212.14:8082/v2/": http: server gave HTTP response to HTTPS client
Warning Failed 22s (x2 over 38s) kubelet Error: ErrImagePull
Normal BackOff 7s (x2 over 37s) kubelet Back-off pulling image "39.105.212.14:8082/vue-project:2021123011191640834385"
Warning Failed 7s (x2 over 37s) kubelet Error: ImagePullBackOff
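The article ends at this failure, so here is the credential side of the fix as an added example (not the article's own code): the kubernetes.io/dockerconfigjson Secret type listed earlier (registry-auth) carries a `.dockerconfigjson` document, and the Pod must name that Secret under `imagePullSecrets` for the kubelet to use it. The functions below build that document for one registry, extract the registry host from an image reference using the [registry]/[name]:[tag] rule above, and report which container images a Pod's imagePullSecrets fail to cover; the user name and password are constructed placeholders. The HTTP-versus-HTTPS error in the events above is a separate runtime trust setting that credentials alone do not resolve.

```python
import base64
import json

def docker_config_json(registry, username, password):
    """Return the `.dockerconfigjson` document for one registry, the form that a
    kubernetes.io/dockerconfigjson Secret stores base64-encoded under `data`."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return json.dumps({"auths": {registry: {"username": username, "password": password, "auth": auth}}})

def registry_of(image):
    """Registry host of an image reference, following the [registry]/[name]:[tag] rule:
    the first path component is a registry only if it contains '.' or ':' or is 'localhost';
    otherwise the image lives on Docker Hub (as nginx:user-v3 above does)."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def uncovered_images(pod_spec, pull_secrets):
    """Container images whose registry none of the Pod's imagePullSecrets can log in to.
    pull_secrets maps Secret name -> decoded .dockerconfigjson string."""
    hosts = set()
    for ref in pod_spec.get("imagePullSecrets", []):
        cfg = pull_secrets.get(ref["name"])
        if cfg is None:
            continue  # a referenced Secret that does not exist grants nothing
        for key in json.loads(cfg)["auths"]:
            hosts.add(key.split("://", 1)[-1].rstrip("/"))  # tolerate https:// prefixed keys
    return [c["image"] for c in pod_spec["containers"] if registry_of(c["image"]) not in hosts]

# Constructed Pod spec matching the page's deployment-v4.yaml, first without and then
# with a reference to the registry-auth Secret; the credentials are placeholders.
V4_POD = {"containers": [{"name": "vue-project",
                          "image": "39.105.212.14:8082/vue-project:2021123011191640834385"}]}
V4_POD_WITH_SECRET = dict(V4_POD, imagePullSecrets=[{"name": "registry-auth"}])
PULL_SECRETS = {"registry-auth": docker_config_json("39.105.212.14:8082", "ci-user", "ci-pass")}

if __name__ == "__main__":
    print("uncovered without imagePullSecrets:", uncovered_images(V4_POD, PULL_SECRETS))
    print("uncovered with registry-auth:", uncovered_images(V4_POD_WITH_SECRET, PULL_SECRETS))
```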
III. Conclusion
This article covered two ways of using Secret objects;
next: Part 17 - ECS service shutdown and environment repair;