对POD进行深度认识,让我们再次进入POD的世界。
1 POD的几种状态
1、Pendding # 等待2、containerCreating # 创建3、Running # 运行4、Success # 成功5、Failed # 失败6、Ready # 准备7、CrashLoopBackoff # 长期失败8、Unknown # 未知
2 ProjectedVolume
作用:将指定的文件内容放置到容器中,常见的使用方式有以下三种;
1、Secret2、ConfigMap3、DownwardApi
3 Secret
加密方式,我们先看下默认的是怎样的吧;
[root@node1 ~]# kubectl get secretNAME TYPE DATA AGEdefault-token-77rbc kubernetes.io/service-account-token 3 29d[root@node1 ~]# kubectl get secret default-token-77rbc -o yamlapiVersion: v1data:ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR4RENDQXF5Z0F3SUJBZ0lVZUJ0Wi93ZzUwUzYvN0l6eUFmTmpDOHNxSktNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FERUxNQWtHQTFVRUJoTUNWVk14RHpBTkJnTlZCQWdUQms5eVpXZHZiakVSTUE4R0ExVUVCeE1JVUc5eQpkR3hoYm1ReEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhDekFKQmdOVkJBc1RBa05CTVJNd0VRWURWUVFECkV3cExkV0psY201bGRHVnpNQjRYRFRJeU1ETXhOekF5TlRZd01Gb1hEVEkzTURNeE5qQXlOVFl3TUZvd2FERUwKTUFrR0ExVUVCaE1DVlZNeER6QU5CZ05WQkFnVEJrOXlaV2R2YmpFUk1BOEdBMVVFQnhNSVVHOXlkR3hoYm1ReApFekFSQmdOVkJBb1RDa3QxWW1WeWJtVjBaWE14Q3pBSkJnTlZCQXNUQWtOQk1STXdFUVlEVlFRREV3cExkV0psCmNtNWxkR1Z6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEvY2h2YnJjdDBmU3UKWXhhQjYzWFhMZ2I2VFBkb1c5aGk5bWtURTROdnFacEpYSFFSRHdNSmN3SUtSZjRQcDBYcnNDR3R2QmRQUWFKYQpNaWFaY0RJQ1RRdlRIWUdBMmFkMVJqL0x3dnlUZUVPTlorVkdsNlBKNTZzaVR0dkpGblZSYk9ydW9WRTlUdEhNCjJ5VU94VDdaVWk2NmFuWUVlUmZLL1BXdmJLMlNzUXpqYUNRWWwzV1BhOGdzd1JyRnBRQVNiL3pSZ0FpbU1KR24KSTF5RjkxK2NZS1VsQlVSdmh5QWNrVEFlWVNEKzNCWjMxaWkwaStLdEYxSERNVDIvRGhFRFgxWkFpSlNVeE41egpjQ1pQdUhCc2pSZE02NVdkOFJWMFNqbWI4aHFnY1drRzVKeEdGR0trYXB1empxTlJpaW45RUNpZVpNMDc3cjBEClBQcVFyUXB5RndJREFRQUJvMll3WkRBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKL3dJQkFqQWRCZ05WSFE0RUZnUVVvSWdnT2JEdldtTWtqbGFJOVJQSDBvbGR2Y1l3SHdZRFZSMGpCQmd3Rm9BVQpvSWdnT2JEdldtTWtqbGFJOVJQSDBvbGR2Y1l3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUVjdzduRFVrOGxjCmNzUWFNNTVMclRKSzVQcWZWdUdubmozOWFWbFYzZTc1VXcxYU9mNDJvRE5KTm1pdllvKzhkRDlscFV0L0UvN0MKTVYwcjNROEtLQXJwV3dWSlFkeno1R0hZQWEzajYzS2lnb1FvaEF3dDY3SjJiVlcwTHFOQzNjV1ZHbC82QXhBVwpzYlRldnZUTEVaUjlKT0ZFMEg5RmxhcGgxcTQzWDEyMEZGTVVnV24zK2ZyZWRkRGJCVlNRUlJHU1ZkTnpXenpHClJrMzY1Q3N5eFAzUzZrd1ZVS0NrLzdPcDZNVllHRmljV3R6Wm9tUXF3UE1IU3p4Rk5vSDF2YzZ3cW5xSTk1bCsKOXNJMTdneHI2MEdoK3lkVzkwYjZ1eHZNR0lidU51aVYzdzJlMW5ZeG03NmZNZFhXWHlqRzk0Q3U2dHgyd2FZMgpxTS96aE1XeWRvTT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=namespace: ZGVmYXVsdA==token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpMW5kWGRxUjFCM1ZWRTVZbTl1WjA1V1ZWVmxlVzh0U3pWWE1EUlRiaTFXWDJGMlUxZFlaM2RrZGtraWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbVJsWm1GMWJIUXRkRzlyWlc0dE56ZHlZbU1pTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1dVlXMWxJam9pWkdWbVlYVnNkQ0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG5WcFpDSTZJamcwTkdWaE9HSm1MV1l6T0dVdE5HSTJZeTFpTURsbExXRTVaRGsyTUdRek1HSTROU0lzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwa1pXWmhkV3gwT21SbFptRjFiSFFpZlEuTFRqS1plekpELXhpOFo5NnpvcXM3bUhJTjQxYlFBQ0txRXplZmVaUlY2cTFVN0N2VFVscHo1anU2bjBsUnpmaEdwZ2tYdzV2dkx6cThFQ2FMTDJJckJyNHA4M29kb3p5ZnE1bDFxTlBXTTZ0TDN1N3ZMQzg0S2JVY0RoLUNET0c0Vm1GNnZfbXJnSWp3Qi0wUm1OOTVsdUo2eWpaVDNNbHJ3ZmpGMEZOTVp5LWJobWt4bnFIVlNoQTI2d3UwTm1MSC1BUUItX1J0MldzTk5sYmwtc3Nua3hlb0NrdzJYR25YSjVGMC1sN0ZDVGs1SmhaMDVQQkJvQ2NBY1dVZmthaVZCOExGeXh3Q3JPb01wRXJzTnNBZTdRZVhNZFh6NllyeWp6WElfcmlNYlBwb2xZSjNpOGdoT2ptMW5Hd2F0WU96b3R5MUpsNDJNdTFuT0p3ZzQzYmdRkind: Secretmetadata:annotations:kubernetes.io/service-account.name: defaultkubernetes.io/service-account.uid: 844ea8bf-f38e-4b6c-b09e-a9d960d30b85creationTimestamp: "2022-03-19T13:35:06Z"managedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:f:data:.: {}f:ca.crt: {}f:namespace: {}f:token: {}f:metadata:f:annotations:.: {}f:kubernetes.io/service-account.name: {}f:kubernetes.io/service-account.uid: {}f:type: {}manager: kube-controller-manageroperation: Updatetime: "2022-03-19T13:35:06Z"name: default-token-77rbcnamespace: defaultresourceVersion: "313"uid: fd3f793e-6406-4c3c-abab-072459322d92type: kubernetes.io/service-account-token[root@node1 ~]#
从上面可以看到都是base64加密的内容,且名字为:default-token-77rbc,我们可以将想知道的内容进行解密即可,然后我们再看看我们之前的服务,在没有指定的情况下,是不是采用了该种方式呢?
[root@node1 ~]# kubectl get pod -o wideNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATESnginx-ds-q2pjt 1/1 Running 30 22d 10.200.135.16 node3 <none> <none>nginx-ds-zc5qt 1/1 Running 35 29d 10.200.104.56 node2 <none> <none>[root@node1 ~]#[root@node1 ~]# kubectl get pod nginx-ds-q2pjt -o yaml---省略部分内容---volumeMounts:- mountPath: /var/run/secrets/kubernetes.io/serviceaccountname: default-token-77rbcreadOnly: truevolumes:- name: default-token-77rbcsecret:defaultMode: 420secretName: default-token-77rbc---省略部分内容---[root@node1 ~]#
从上面内容我们也能看到,即使你没有指定,k8s默认也会给你加上的,且我们可以看到secrteName是一致的,然后我们再登录进容器中,看下具体映射了哪些内容;
[root@node3 ~]# crictl psCONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID78ca6e18974ff c0c6672a66a59 28 minutes ago Running calico-kube-controllers 43 33c0a0b75241f273ba708edd9b 67da37a9a360e 28 minutes ago Running coredns 34 a34ca428cc6148fcc0c4531411 b5af743e59849 28 minutes ago Running default-http-backend 5 982ff71d6c2e173c804f73c93a b5af743e59849 28 minutes ago Running default-http-backend 2 2e89678bba9738a14f1f4ef1a1 f2f70adc5d89a 28 minutes ago Running my-nginx 30 70fd05dbd43ec821a24040dfbd 7a71aca7b60fc 28 minutes ago Running calico-node 34 8ca1b324e528ad5cce8aa38d0a 90f9d984ec9a3 29 minutes ago Running node-cache 34 1d0b6745308965f6ecb863500d f2f70adc5d89a 29 minutes ago Running nginx-proxy 35 7335063a5e517[root@node3 ~]#[root@node3 ~]# crictl ps | grep q2pjt[root@node3 ~]# crictl exec -it 8a14f1f4ef1a1 /bin/bashroot@nginx-ds-q2pjt:/# cd /var/run/secrets/kubernetes.io/serviceaccount/root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# lsca.crt namespace tokenroot@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# ls -ltotal 0lrwxrwxrwx 1 root root 13 Apr 18 13:02 ca.crt -> ..data/ca.crtlrwxrwxrwx 1 root root 16 Apr 18 13:02 namespace -> ..data/namespacelrwxrwxrwx 1 root root 12 Apr 18 13:02 token -> ..data/tokenroot@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# cat namespacedefaultroot@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount#root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# exitexit[root@node3 ~]#
看到了这些之后,有没有想过他的作用是什么呢?他的作用就是和kubeapi进行交互,鉴权所使用的。
那么我们当然也可以自己创建secrte,如下:
[root@node1 ~]# cd namespace/[root@node1 namespace]# mkdir projectedvalume[root@node1 namespace]# cd projectedvalume/[root@node1 projectedvalume]# vim secret.yamlapiVersion: v1kind: Secretmetadata:name: dbpasstype: Opaquedata:username: eXVud2VpamlhCg==passwd: eXVud2VpamlhMTIzCg==[root@node1 projectedvalume]#[root@node1 projectedvalume]# kubectl create -f secret.yamlsecret/dbpass created[root@node1 projectedvalume]# kubectl get secretNAME TYPE DATA AGEdbpass Opaque 2 13sdefault-token-77rbc kubernetes.io/service-account-token 3 30d[root@node1 projectedvalume]#
然后我们将这个secrte放入pod中,如下:
[root@node1 projectedvalume]# vim pod-secret.yamlapiVersion: v1kind: Podmetadata:name: pod-secretspec:containers:- name: springboot-webimage: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1ports:- containerPort: 8080volumeMounts:- name: db-secretmountPath: /db-secretreadOnly: truevolumes:- name: db-secretprojected:sources:- secret:name: dbpass[root@node1 projectedvalume]# kubectl apply -f pod-secret.yamlpod/pod-secret created[root@node1 projectedvalume]# kubectl get pod -o wide | grep secretpod-secret 1/1 Running 0 13s 10.200.135.27 node3 <none> <none>[root@node1 projectedvalume]#
看到该pod运行在node3节点上,我们登录到node3上看一看;
[root@node3 ~]# crictl ps | grep springboot-web2fc5df27f1877 8ad32427177e4 2 minutes ago Running springboot-web 0 494e73cde04da[root@node3 ~]#[root@node3 ~]# crictl exec -it 2fc5df27f1877 /bin/bashroot@pod-secret:/# cd /db-secret/root@pod-secret:/db-secret# ls -ltotal 0lrwxrwxrwx 1 root root 13 Apr 18 14:02 passwd -> ..data/passwdlrwxrwxrwx 1 root root 15 Apr 18 14:02 username -> ..data/usernameroot@pod-secret:/db-secret# cat passwdyunweijia123root@pod-secret:/db-secret# cat usernameyunweijiaroot@pod-secret:/db-secret# exitexit[root@node3 ~]#
还有一点,如果说你创建了很多pod以后,如果你想换一下secret的值,可以直接换,那么就有同学要说了,那我的pod还可以和kubeapi交互嘛?是可以的哈,换完之后,你pod中和secret相关的值,也会随之改变,你可以试一下,这里就不做演示了。
4 ConfigMap configMad是干嘛用的呢?是可以将不加密的文件放置到容器中的,下面我们来看下;假如我们有一个配置文件,想放到pod中。然后我们使该配置生效;[root@node1 projectedvalume]# vim ceshi.propertiesenemies=alienslives=3enemies.cheat=trueenemies.cheat.level=noGoodRottensecret.code.passphrase=UUDDLRLRBABASsecret.code.allowed=truesecret.code.lives=30[root@node1 projectedvalume]#
然后我们看看如何在pod中使用它;[root@node1 projectedvalume]# kubectl create configmap web-ceshi --from-file ceshi.propertiesconfigmap/web-ceshi created[root@node1 projectedvalume]# kubectl get cm web-ceshi -o yamlapiVersion: v1data:ceshi.properties: |enemies=alienslives=3enemies.cheat=trueenemies.cheat.level=noGoodRottensecret.code.passphrase=UUDDLRLRBABASsecret.code.allowed=truesecret.code.lives=30kind: ConfigMapmetadata:creationTimestamp: "2022-04-18T14:13:44Z"managedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:f:data:.: {}f:ceshi.properties: {}manager: kubectl-createoperation: Updatetime: "2022-04-18T14:13:44Z"name: web-ceshinamespace: defaultresourceVersion: "535574"uid: cbad79b1-b35d-4924-b1f9-43bab1f79953[root@node1 projectedvalume]#
可以看到运行在node3上,我们去看下;[root@node1 projectedvalume]# vim pod-ceshi.yamlapiVersion: v1kind: Podmetadata:name: pod-ceshispec:containers:- name: webimage: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1ports:- containerPort: 8080volumeMounts:- name: ceshimountPath: /etc/config/ceshireadOnly: truevolumes:- name: ceshiconfigMap:name: web-ceshi[root@node1 projectedvalume]# kubectl apply -f pod-ceshi.yamlpod/pod-ceshi created[root@node1 projectedvalume]#[root@node1 projectedvalume]# kubectl get pod -o wide | grep ceshipod-ceshi 1/1 Running 0 34s 10.200.135.24 node3 <none> <none>[root@node1 projectedvalume]#
同样的,我们一样可以修改该configmap,我们修改下试试;[root@node3 ~]# crictl ps | grep web96e31e6be73c4 8ad32427177e4 About a minute ago Running web 0 1f4ef2c594229[root@node3 ~]# crictl exec -it 96e31e6be73c4 /bin/bashroot@pod-ceshi:/# cd /etc/config/ceshiroot@pod-ceshi:/etc/config/ceshi# lsceshi.propertiesroot@pod-ceshi:/etc/config/ceshi# cat ceshi.propertiesenemies=alienslives=3enemies.cheat=trueenemies.cheat.level=noGoodRottensecret.code.passphrase=UUDDLRLRBABASsecret.code.allowed=truesecret.code.lives=30root@pod-ceshi:/etc/config/ceshi# exitexit[root@node3 ~]#
然后我们再看下configmap的第二种使用方式,配置成环境变量;[root@node1 projectedvalume]# kubectl edit cm web-ceshi# 只改下面一个参数,然后我们保存退出enemies.cheat=falseconfigmap/web-ceshi edited[root@node1 projectedvalume]## 我们登录到容器中看下[root@node3 ~]# crictl exec -it 96e31e6be73c4 /bin/bashroot@pod-ceshi:/# cd /etc/config/ceshi/root@pod-ceshi:/etc/config/ceshi# cat ceshi.propertiesenemies=alienslives=3enemies.cheat=falseenemies.cheat.level=noGoodRottensecret.code.passphrase=UUDDLRLRBABASsecret.code.allowed=truesecret.code.lives=30root@pod-ceshi:/etc/config/ceshi# exitexit[root@node3 ~]#
然后我们再看下如何使用;[root@node1 projectedvalume]# vim configmap.yamlapiVersion: v1kind: ConfigMapmetadata:name: configsdata:JAVA_OPTS: -Xms1024mLOG_LEVEL: DEBUG[root@node1 projectedvalume]# kubectl apply -f configmap.yamlconfigmap/configs created[root@node1 projectedvalume]#
看到运行在了node3上,我们登录上去看下;剩余内容请转至VX公众号 “运维家” ,回复 “148” 查看。[root@node1 projectedvalume]# vim pod-env.yamlapiVersion: v1kind: Podmetadata:name: pod-envspec:containers:- name: webimage: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1ports:- containerPort: 8080env:- name: LOG_LEVEL_CONFIGvalueFrom:configMapKeyRef:name: configskey: LOG_LEVEL[root@node1 projectedvalume]# kubectl apply -f pod-env.yamlpod/pod-env created[root@node1 projectedvalume]# kubectl get pod -o wide | grep pod-envpod-env 1/1 Running 0 18s 10.200.135.28 node3 <none> <none>[root@node1 projectedvalume]#
------ 以下内容为防伪内容,忽略即可 ------
------ 以下内容为防伪内容,忽略即可 ------
------ 以下内容为防伪内容,忽略即可 ------
linux虚拟地址linux命令输出嵌入式linux版本linux内核编程入门linux怎么退出编辑linuxlib64linux查看分组虚拟机怎么访问linux将win刷成linux系统linux系统下的图形界面linux终端图形模式戴尔3669装linux系统Linux挂载光盘isolinux使用systemlinux系统开奖网源码鸟叔的linux的私房菜是什么linux怎么添加到引导linux红帽系统是什么linux命令那个难mini家用linux
网友评论