第十八章 configMap资源
1.为什么要用configMap?
将配置文件和POD解耦
2.congiMap里的配置文件是如何存储的?
键值对
key:value
文件名:配置文件的内容
3.configMap支持的配置类型
直接定义的键值对
基于文件创建的键值对
4.configMap创建方式
命令行
资源配置清单
5.configMap的配置文件如何传递到POD里
变量传递
数据卷挂载
6.命令行创建configMap
kubectl create configmap --help
kubectl create configmap nginx-config --from-literal=nginx_port=80 --from-literal=server_name=nginx.cookzhang.com
kubectl get cm
kubectl describe cm nginx-config
7.POD环境变量形式引用configMap
kubectl explain pod.spec.containers.env.valueFrom.configMapKeyRef
cat >nginx-cm.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
name: nginx-cm
spec:
containers:
- name: nginx-pod
image: nginx:1.14.0
ports:
- name: http
containerPort: 80
env:
- name: NGINX_PORT
valueFrom:
configMapKeyRef:
name: nginx-config
key: nginx_port
- name: SERVER_NAME
valueFrom:
configMapKeyRef:
name: nginx-config
key: server_name
EOF
kubectl create -f nginx-cm.yaml
8.查看pod是否引入了变量
[root@node1 ~/confimap]# kubectl exec -it nginx-cm /bin/bash
root@nginx-cm:~# echo ${NGINX_PORT}
80
root@nginx-cm:~# echo ${SERVER_NAME}
nginx.cookzhang.com
root@nginx-cm:~# printenv |egrep "NGINX_PORT|SERVER_NAME"
NGINX_PORT=80
SERVER_NAME=nginx.cookzhang.com
注意:
变量传递的形式,修改confMap的配置,POD内并不会生效
因为变量只有在创建POD的时候才会引用生效,POD一旦创建好,环境变量就不变了
8.文件形式创建configMap
创建配置文件:
cat >www.conf <<EOF
server {
listen 80;
server_name www.cookzy.com;
location / {
root /usr/share/nginx/html/www;
index index.html index.htm;
}
}
EOF
创建configMap资源:
kubectl create configmap nginx-www --from-file=www.conf=./www.conf
查看cm资源
kubectl get cm
kubectl describe cm nginx-www
编写pod并以存储卷挂载模式引用configMap的配置
cat >nginx-cm-volume.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
name: nginx-cm
spec:
containers:
- name: nginx-pod
image: nginx:1.14.0
ports:
- name: http
containerPort: 80
volumeMounts:
- name: nginx-www
mountPath: /etc/nginx/conf.d/
volumes:
- name: nginx-www
configMap:
name: nginx-www
items:
- key: www.conf
path: www.conf
EOF
测试:
1.进到容器内查看文件
kubectl exec -it nginx-cm /bin/bash
cat /etc/nginx/conf.d/www.conf
2.动态修改configMap
kubectl edit cm nginx-www
3.再次进入容器内观察配置会不会自动更新
cat /etc/nginx/conf.d/www.conf
nginx -T
9.配置文件内容直接以数据格式直接存储在configMap里
创建config配置清单:
cat >nginx-configMap.yaml <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-config
namespace: default
data:
www.conf: |
server {
listen 80;
server_name www.cookzy.com;
location / {
root /usr/share/nginx/html/www;
index index.html index.htm;
}
}
blog.conf: |
server {
listen 80;
server_name blog.cookzy.com;
location / {
root /usr/share/nginx/html/blog;
index index.html index.htm;
}
}
应用并查看清单:
kubectl create -f nginx-configMap.yaml
kubectl get cm
kubectl describe cm nginx-config
创建POD资源清单并引用configMap
cat >nginx-cm-volume-all.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
name: nginx-cm
spec:
containers:
- name: nginx-pod
image: nginx:1.14.0
ports:
- name: http
containerPort: 80
volumeMounts:
- name: nginx-config
mountPath: /etc/nginx/conf.d/
volumes:
- name: nginx-config
configMap:
name: nginx-config
items:
- key: www.conf
path: www.conf
- key: blog.conf
path: blog.conf
EOF
应用并查看:
kubectl create -f nginx-cm-volume-all.yaml
kubectl get pod
kubectl describe pod nginx-cm
进入容器内并查看:
kubectl exec -it nginx-cm /bin/bash
ls /etc/nginx/conf.d/
cat /etc/nginx/conf.d/www.conf
测试动态修改configMap会不会生效
kubectl edit cm nginx-config
kubectl exec -it nginx-cm /bin/bash
ls /etc/nginx/conf.d/
cat /etc/nginx/conf.d/www.conf
第十九章 安全认证和RBAC
API Server是访问控制的唯一入口
在k8s平台上的操作对象都要经历三种安全相关的操作
1.认证操作
http协议 token 认证令牌
ssl认证 kubectl需要证书双向认证
2.授权检查
RBAC 基于角色的访问控制
3.准入控制
进一步补充授权机制,一般在创建,删除,代理操作时作补充
k8s的api账户分为2类
1.实实在在的用户 人类用户 userAccount
2.POD客户端 serviceAccount 默认每个POD都有认真信息
RBAC就要角色的访问控制
你这个账号可以拥有什么权限
以traefik举例:
1.创建了账号 ServiceAccount:traefik-ingress-controller
2.创建角色 ClusterRole: traefik-ingress-controller
Role POD相关的权限
ClusterRole namespace级别操作
3.将账户和权限角色进行绑定 traefik-ingress-controller
RoleBinding
ClusterRoleBinding
4.创建POD时引用ServiceAccount
serviceAccountName: traefik-ingress-controller
注意!!!
kubeadm安装的k8s集群,证书默认只有1年
第二十章 dashboard
1.官方项目地址
https://github.com/kubernetes/dashboard
2.下载配置文件
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc5/aio/deploy/recommended.yaml
3.修改配置文件
39 spec:
40 type: NodePort
41 ports:
42 - port: 443
43 targetPort: 8443
44 nodePort: 30000
4.应用资源配置
kubectl create -f recommended.yaml
5.创建管理员账户并应用
https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md
cat > dashboard-admin.yaml<<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
EOF
kubectl create -f dashboard-admin.yaml
6.查看资源并获取token
kubectl get pod -n kubernetes-dashboard -o wide
kubectl get svc -n kubernetes-dashboard
kubectl get secret -n kubernetes-dashboard
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
7.浏览器访问
https://10.0.0.11:30000
google浏览器打不开就换火狐浏览器
黑科技
网友评论