Author: 景天科技苑
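Contents
- ConfigMap
- 1. ConfigMap overview
- 1.1 What is a ConfigMap?
- 1.2 What problems does a ConfigMap solve?
- 1.3 ConfigMap use cases
- 1.4 Limitations
- 2. Ways to create a ConfigMap
- 2.1 Creating directly on the command line
- 2.2 Creating from a file
- 2.3 Creating from a directory
- 2.4 Writing a ConfigMap manifest in YAML
- 3. Using a ConfigMap
- 3.1 Injecting through environment variables with configMapKeyRef
- 3.2 Injecting through environment variables with envFrom
- 3.3 Mounting a ConfigMap into a pod as a volume
- 4. ConfigMap hot updates
- 4.1 Notes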
ConfigMap
1. ConfigMap overview
1.1 What is a ConfigMap?
A ConfigMap is a Kubernetes resource object for storing non-confidential configuration. Data can be stored as key/value pairs or as files.
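1.2 What problems does a ConfigMap solve?
When we deploy services, each service has its own configuration file.
If several services (nginx, tomcat, apache and so on) run on one server, all of their configuration lives on that node.
When one server can no longer handle production's high concurrency, it has to be scaled out, and the added servers still run several services: nginx, tomcat, apache.
The configuration of those services has to be managed on the new servers as well. If one service has a problem and its configuration file needs changing, the configuration on every physical node has to be changed.
This approach cannot keep up with large-scale configuration changes in production.
Kubernetes therefore introduced the ConfigMap resource object, which can be mounted into a pod as a volume so that configuration is managed in one place.
1. A ConfigMap is a Kubernetes resource that plays the role of a configuration file; there can be one or many ConfigMaps.
2. A ConfigMap can be turned into a volume; after the pod starts, it is mapped through the volume into a specified directory inside the container.
3. The application in the container reads the configuration files from that directory the way it always has.
4. From the container's point of view, the configuration files look as if they were packaged into that directory of the container; the whole process is non-intrusive to the application.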
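1.3 ConfigMap use cases
1. When you deploy an application on Kubernetes with its configuration written into the code, every configuration change also means rebuilding the image.
A ConfigMap decouples configuration from the Docker image, which makes images portable and reusable,
because a ConfigMap is simply a collection of configuration data that can be injected directly into a pod for its containers to use.
There are two ways to inject a ConfigMap:
one is to use the ConfigMap as a storage volume;
the other is to inject the ConfigMap into the container through configMapKeyRef under env.
2. In a microservice architecture, several services often share configuration. If each service kept its own copy,
updating configuration would be tedious; a ConfigMap makes sharing configuration easy.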
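1.4 Limitations
A ConfigMap is not designed to hold large amounts of data. The data stored in a ConfigMap cannot exceed 1 MiB.
If you need to store data beyond this size limit, consider mounting a storage volume or using a separate database or file service.
Configuration files rarely exceed 1M, so use ConfigMaps freely; even a few thousand lines will not exceed 1M.
2. Ways to create a ConfigMap
2.1 Creating directly on the command line
Create the ConfigMap by passing its values directly on the command line with --from-literal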
[root@master01 configmap ]#kubectl create configmap tomcat-config --from-literal=tomcat_port=8080 --from-literal=server_name=myapp.tomcat.com
configmap/tomcat-config created
The help command shows the usage rules for creating a ConfigMap on the command line:
[root@master01 configmap ]#kubectl create configmap --help
Create a config map based on a file, directory, or specified literal value.
A single config map may package one or more key/value pairs.
When creating a config map based on a file, the key will default to the basename of the file, and the value will
default to the file content. If the basename is an invalid key, you may specify an alternate key.
When creating a config map based on a directory, each file whose basename is a valid key in the directory will be
packaged into the config map. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks,
devices, pipes, etc).
Aliases:
configmap, cm
Examples:
# Create a new config map named my-config based on folder bar
kubectl create configmap my-config --from-file=path/to/bar
# Create a new config map named my-config with specified keys instead of file basenames on disk
kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt
# Create a new config map named my-config with key1=config1 and key2=config2
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
# Create a new config map named my-config from the key=value pairs in the file
kubectl create configmap my-config --from-file=path/to/bar
# Create a new config map named my-config from an env file
kubectl create configmap my-config --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env
Options:
--allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in
the template. Only applies to golang and jsonpath output formats.
--append-hash=false: Append a hash of the configmap to its name.
--dry-run='none': Must be "none", "server", or "client". If client strategy, only print the object that would be
sent, without sending it. If server strategy, submit server-side request without persisting the resource.
--field-manager='kubectl-create': Name of the manager used to track field ownership.
--from-env-file=[]: Specify the path to a file to read lines of key=val pairs to create a configmap (i.e. a Docker
.env file).
--from-file=[]: Key file can be specified using its file path, in which case file basename will be used as
configmap key, or optionally with a key and file path, in which case the given key will be used. Specifying a directory
will iterate each named file in the directory whose basename is a valid configmap key.
--from-literal=[]: Specify a key and literal value to insert in configmap (i.e. mykey=somevalue)
-o, --output='': Output format. One of:
json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.
--save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the
annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
--show-managed-fields=false: If true, keep the managedFields when printing objects in JSON or YAML format.
--template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The
template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
--validate=true: If true, use a schema to validate the input before sending it
Usage:
kubectl create configmap NAME [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none]
[options]
Use "kubectl options" for a list of global command-line options (applies to all commands).
[root@master01 configmap ]#kubectl describe configmap tomcat-config
Name: tomcat-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
server_name:
----
myapp.tomcat.com
tomcat_port:
----
8080
BinaryData
====
Events: <none>
2.2 Creating from a file
Define a key named www whose value is the content of nginx.conf
[root@master01 configmap ]#cat nginx.conf
server {
server_name www.nginx.com;
listen 80;
root /home/nginx/www/
}
[root@master01 configmap ]#kubectl create configmap www-nginx --from-file=www=./nginx.conf
configmap/www-nginx created
If you do not specify the key name www here, the key of the created ConfigMap is the file name and the value is the file content
[root@master01 configmap ]#kubectl describe configmap www-nginx
Name: www-nginx
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
www:
----
server {
server_name www.nginx.com;
listen 80;
root /home/nginx/www/
}
BinaryData
====
Events: <none>
configmap can be abbreviated as cm
2.3 Creating from a directory
[root@master01 configmap ]#mkdir test-a
[root@master01 configmap ]#cd test-a/
[root@master01 test-a ]#cat my-server.cnf
server-id=1
[root@master01 test-a ]#cat my-slave.cnf
server-id=2
Create the ConfigMap from the directory
[root@master01 test-a ]#kubectl create configmap mysql-config --from-file=/root/configmap/test-a/
configmap/mysql-config created
# View the ConfigMap details
[root@master01 test-a ]#kubectl describe cm mysql-config
Name: mysql-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
my-server.cnf:
----
server-id=1
my-slave.cnf:
----
server-id=2
BinaryData
====
Events: <none>
Here each file name becomes a key and the file content becomes its value
2.4 Writing a ConfigMap manifest in YAML
[root@master01 configmap ]#kubectl explain cm
KIND: ConfigMap
VERSION: v1
DESCRIPTION:
ConfigMap holds configuration data for pods to consume.
FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an
object. Servers should convert recognized schemas to the latest internal
value, and may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
binaryData <map[string]string>
BinaryData contains the binary data. Each key must consist of alphanumeric
characters, '-', '_' or '.'. BinaryData can contain byte sequences that are
not in the UTF-8 range. The keys stored in BinaryData must not overlap with
the ones in the Data field, this is enforced during validation process.
Using this field will require 1.10+ apiserver and kubelet.
data <map[string]string>
Data contains the configuration data. Each key must consist of alphanumeric
characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use
the BinaryData field. The keys stored in Data must not overlap with the
keys in the BinaryData field, this is enforced during validation process.
immutable <boolean>
Immutable, if set to true, ensures that data stored in the ConfigMap cannot
be updated (only object metadata can be modified). If not set to true, the
field can be modified at any time. Defaulted to nil.
kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata <Object>
Standard object's metadata. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
[root@master01 configmap ]#cat mysql-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql
  labels:
    app: mysql
data:
  master.cnf: |
    [mysqld]
    log-bin
    log_bin_trust_function_creators=1
    lower_case_table_names=1
  slave.cnf: |
    [mysqld]
    super-read-only
    log_bin_trust_function_creators=1
When the file content spans multiple lines, the key must be followed by |
otherwise it will cause problems
The part to configure here is mainly the content of the data field
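A ConfigMap is meant for non-confidential data, its keys are limited to alphanumerics, '-', '_' and '.', and it is capped at 1 MiB. The following added example (not from the original article) lints a ConfigMap for those three points; the credential-name pattern is an assumed heuristic, the size check sums value sizes as an approximation of the API server's check, and `BAD_CM` is constructed.

```python
import base64
import re

MAX_BYTES = 1024 * 1024                   # 1 MiB limit from section 1.4
KEY_RE = re.compile(r"[-._a-zA-Z0-9]+")   # alphanumerics, '-', '_' or '.'
# Assumed heuristic, not a Kubernetes rule: names that usually hold credentials.
SECRET_RE = re.compile(r"pass(word|wd)?|secret|token|api[-_]?key|private[-_]?key", re.I)

def lint_configmap(cm):
    """Lint a ConfigMap dict (the shape of `kubectl get cm NAME -o json`)."""
    findings, total = [], 0
    data = cm.get("data") or {}
    for key, value in data.items():
        total += len(value.encode("utf-8"))
        if not KEY_RE.fullmatch(key):
            findings.append(f"invalid key name: {key!r}")
        # Inspect the key and each `name=value` line of file-style values.
        names = [key] + [ln.split("=", 1)[0].strip()
                         for ln in value.splitlines() if "=" in ln]
        findings += [f"possible secret in {key!r}: {n}"
                     for n in names if SECRET_RE.search(n)]
    for key, value in (cm.get("binaryData") or {}).items():
        total += len(base64.b64decode(value))   # binaryData is base64 in JSON
        if key in data:
            findings.append(f"key {key!r} is in both data and binaryData")
    if total > MAX_BYTES:
        findings.append(f"values total {total} bytes, over the 1 MiB limit")
    return findings

# The mysql ConfigMap from this page: expected to produce no findings.
PAGE_CM = {"data": {
    "master.cnf": "[mysqld]\nlog-bin\nlog_bin_trust_function_creators=1\n"
                  "lower_case_table_names=1\n",
    "slave.cnf": "[mysqld]\nsuper-read-only\nlog_bin_trust_function_creators=1\n"}}

# Constructed counter-example: a credential line and a key containing a space.
BAD_CM = {"data": {
    "app.cnf": "[client]\nuser=root\npassword=CONSTRUCTED-VALUE\n",
    "db token": "x"}}

if __name__ == "__main__":
    for label, cm in (("page", PAGE_CM), ("constructed", BAD_CM)):
        print(label, lint_configmap(cm))
```

Values flagged as possible secrets belong in a Secret object rather than a ConfigMap.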
3. Using a ConfigMap
3.1 Injecting through environment variables with configMapKeyRef
Create a ConfigMap that stores the mysql configuration
[root@master01 configmap ]#vim mysql-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql
  labels:
    app: mysql
data:
  log: "1"
  lower: "1"
[root@master01 configmap ]#kubectl apply -f mysql-configmap.yaml
configmap/mysql created
View the created ConfigMap
[root@master01 configmap ]#kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 12d
mysql 2 8s
mysql-config 2 55m
tomcat-config 2 3h35m
www-nginx 1 111m
Create a pod that references the content of the ConfigMap
[root@master01 configmap ]#vim mysql-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mysql-pod
spec:
  containers:
  - name: mysql
    image: busybox
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    env:
    - name: log_bin   # define the environment variable log_bin
      valueFrom:
        configMapKeyRef:
          name: mysql   # name of the ConfigMap
          key: log      # key in the ConfigMap
    - name: lower     # define the environment variable lower
      valueFrom:
        configMapKeyRef:
          name: mysql
          key: lower
  restartPolicy: Never
Apply the manifest
[root@master01 configmap ]#kubectl apply -f mysql-pod.yaml
pod/mysql-pod created
[root@master01 configmap ]#kubectl exec -it mysql-pod -- /bin/sh
[root@master01 configmap ]#kubectl exec -it mysql-pod -c mysql -- /bin/sh
/ # printenv
log_bin=1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://192.168.0.1:443
HOSTNAME=mysql-pod
SHLVL=1
HOME=/root
TERM=xterm
lower=1
KUBERNETES_PORT_443_TCP_ADDR=192.168.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://192.168.0.1:443
KUBERNETES_SERVICE_HOST=192.168.0.1
PWD=/
/ #
3.2 Injecting through environment variables with envFrom
Look up how envFrom is used
[root@master01 configmap ]#kubectl explain pod.spec.containers.envFrom
KIND: Pod
VERSION: v1
RESOURCE: envFrom <[]Object>
DESCRIPTION:
List of sources to populate environment variables in the container. The
keys defined within a source must be a C_IDENTIFIER. All invalid keys will
be reported as an event when the container is starting. When a key exists
in multiple sources, the value associated with the last source will take
precedence. Values defined by an Env with a duplicate key will take
precedence. Cannot be updated.
EnvFromSource represents the source of a set of ConfigMaps
FIELDS:
configMapRef <Object>
The ConfigMap to select from
prefix <string>
An optional identifier to prepend to each key in the ConfigMap. Must be a
C_IDENTIFIER.
secretRef <Object>
The Secret to select from
[root@master01 configmap ]#vim mysql-pod-envfrom.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mysql-pod-envfrom
spec:
  containers:
  - name: mysql
    image: busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    envFrom:
    - configMapRef:
        name: mysql   # name of the ConfigMap
  restartPolicy: Never
Apply the manifest
[root@master01 configmap ]#kubectl apply -f mysql-pod-envfrom.yaml
pod/mysql-pod-envfrom created
[root@master01 configmap ]#kubectl get pods
NAME READY STATUS RESTARTS AGE
mysql-pod 1/1 Running 0 11m
mysql-pod-envfrom 1/1 Running 0 7s
nfs-provisioner-847fb5b8f5-lzvcf 1/1 Running 7 (5h21m ago) 3d5h
pod-pvc 1/1 Running 1 (6h21m ago) 3d3h
test-hostpath 2/2 Running 6 (6h21m ago) 4d4h
test-nfs-volume 1/1 Running 3 (6h21m ago) 4d1h
web-0 1/1 Running 1 (6h21m ago) 2d21h
web-1 1/1 Running 1 (6h21m ago) 2d21h
web-2 1/1 Running 1 (6h21m ago) 2d21h
web-3 1/1 Running 1 (6h21m ago) 2d21h
Enter the container and check the environment variables
[root@master01 configmap ]#kubectl exec -it mysql-pod-envfrom -c mysql -- /bin/sh
/ # printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://192.168.0.1:443
HOSTNAME=mysql-pod-envfrom
SHLVL=1
HOME=/root
TERM=xterm
lower=1
KUBERNETES_PORT_443_TCP_ADDR=192.168.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
log=1
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://192.168.0.1:443
KUBERNETES_SERVICE_HOST=192.168.0.1
PWD=/
The variable names and values obtained here are all the ones defined in the ConfigMap
3.3 Mounting a ConfigMap into a pod as a volume
[root@master01 configmap ]#vim mysql-configmap-volume.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-volume
  labels:
    app: mysql-volume
data:
  log: "1"
  lower: "1"
  my.cnf: |
    [mysqld]
    Welcome=jingtian
[root@master01 configmap ]#kubectl apply -f mysql-configmap-volume.yaml
configmap/mysql-volume created
[root@master01 configmap ]#
[root@master01 configmap ]#kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 12d
mysql 2 23m
mysql-config 2 79m
mysql-volume 3 5s
tomcat-config 2 3h58m
www-nginx 1 135m
[root@master01 configmap ]#vim mysql-pod-volume.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mysql-pod-volume
spec:
  containers:
  - name: mysql
    image: busybox
    command: [ "/bin/sh","-c","sleep 3600" ]
    volumeMounts:
    - name: mysql-config
      mountPath: /tmp/config
  volumes:
  - name: mysql-config
    configMap:
      name: mysql-volume   # this is the name of the ConfigMap
  restartPolicy: Never
[root@master01 configmap ]#kubectl apply -f mysql-pod-volume.yaml
pod/mysql-pod-volume created
[root@master01 configmap ]#kubectl get pods
NAME READY STATUS RESTARTS AGE
mysql-pod 1/1 Running 0 23m
mysql-pod-envfrom 1/1 Running 0 12m
mysql-pod-volume 1/1 Running 0 48s   <-- this one
nfs-provisioner-847fb5b8f5-lzvcf 1/1 Running 7 (5h33m ago) 3d6h
pod-pvc 1/1 Running 1 (6h33m ago) 3d4h
test-hostpath 2/2 Running 6 (6h33m ago) 4d4h
test-nfs-volume 1/1 Running 3 (6h33m ago) 4d2h
Enter the container and look at the files created by the mount
[root@master01 configmap ]#kubectl exec -it mysql-pod-volume -- /bin/sh
/ # cd /tmp/config/
/tmp/config # ls -l
total 0
lrwxrwxrwx 1 root root 10 Sep 26 07:27 log -> ..data/log
lrwxrwxrwx 1 root root 12 Sep 26 07:27 lower -> ..data/lower
lrwxrwxrwx 1 root root 13 Sep 26 07:27 my.cnf -> ..data/my.cnf
/tmp/config # ls
log lower my.cnf
/tmp/config # cat lower
1/tmp/config #
/tmp/config # cat my.cnf
[mysqld]
Welcome=jingtian
When the ConfigMap is mounted as a volume, its keys are not added to the container's environment variables
/tmp/config # printenv
KUBERNETES_PORT=tcp://192.168.0.1:443
KUBERNETES_SERVICE_PORT=443
HOSTNAME=mysql-pod-volume
SHLVL=1
HOME=/root
OLDPWD=/tmp
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=192.168.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://192.168.0.1:443
KUBERNETES_SERVICE_HOST=192.168.0.1
PWD=/tmp/config
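4. ConfigMap hot updates
4.1 Notes
After a ConfigMap is updated:
Environment variables in pods that take their values from the ConfigMap are not updated
Data inside pods that mount the ConfigMap as a volume takes some time to sync (about 10 seconds in testing)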
[root@master01 configmap ]#kubectl edit cm mysql-volume
Change log: "1" to log: "2"
Save and exit
[root@master01 configmap ]#kubectl exec -it mysql-pod-volume -- /bin/sh
/ # cat /tmp/config/log
2/ #
# The log value has changed to 2; the update took effect
[root@master01 configmap ]#kubectl edit cm mysql
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  log: "2"
The ConfigMap imported through env has now been updated dynamically
[root@master01 configmap ]#kubectl exec -it mysql-pod-envfrom -- /bin/sh
/ # printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://192.168.0.1:443
HOSTNAME=mysql-pod-envfrom
SHLVL=1
HOME=/root
TERM=xterm
lower=1
KUBERNETES_PORT_443_TCP_ADDR=192.168.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
log=1   <-- this value did not change
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://192.168.0.1:443
KUBERNETES_SERVICE_HOST=192.168.0.1
PWD=/
The pod's environment variables did not change