2022-11-04
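k8s deployment - 41 - Getting to know the Pod again (Part 2)
1 Pod states
1. Pending (waiting)
2. ContainerCreating (being created)
3. Running (running)
4. Success (succeeded)
5. Failed (failed)
6. Ready (ready)
7. CrashLoopBackOff (failing repeatedly)
8. Unknown (unknown)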
2 ProjectedVolume
Purpose: place the contents of specified files into a container. The three common sources are:
1. Secret
2. ConfigMap
3. DownwardAPI
3 Secret
A Secret is how sensitive values are stored. Let's first look at what the default one looks like:
[root@node1 ~]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-77rbc   kubernetes.io/service-account-token   3      29d
[root@node1 ~]# kubectl get secret default-token-77rbc -o yaml
apiVersion: v1
data:
  ca.crt: <base64-encoded CA certificate omitted>
  namespace: ZGVmYXVsdA==
  token: <base64-encoded token omitted>
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: 844ea8bf-f38e-4b6c-b09e-a9d960d30b85
  creationTimestamp: "2022-03-19T13:35:06Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ca.crt: {}
        f:namespace: {}
        f:token: {}
      f:metadata:
        f:annotations:
          .: {}
          f:kubernetes.io/service-account.name: {}
          f:kubernetes.io/service-account.uid: {}
      f:type: {}
    manager: kube-controller-manager
    operation: Update
    time: "2022-03-19T13:35:06Z"
  name: default-token-77rbc
  namespace: default
  resourceVersion: "313"
  uid: fd3f793e-6406-4c3c-abab-072459322d92
type: kubernetes.io/service-account-token
[root@node1 ~]#
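As shown above, the values are all base64-encoded (base64 is an encoding, not encryption), and the Secret is named default-token-77rbc. Any value we want to read can simply be decoded. Now let's look at the service we deployed earlier: when nothing is specified, does it use this Secret?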
[root@node1 ~]# kubectl get pod -o wide
NAME             READY   STATUS    RESTARTS   AGE   IP              NODE    NOMINATED NODE   READINESS GATES
nginx-ds-q2pjt   1/1     Running   30         22d   10.200.135.16   node3
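From the above we can also see that even if you do not specify one, k8s adds it for you by default, and the secretName matches. Next, let's log in to the container and see exactly what has been mounted: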
[root@node3 ~]# crictl ps
CONTAINER       IMAGE           CREATED          STATE     NAME                      ATTEMPT   POD ID
78ca6e18974ff   c0c6672a66a59   28 minutes ago   Running   calico-kube-controllers   43        33c0a0b75241f
273ba708edd9b   67da37a9a360e   28 minutes ago   Running   coredns                   34        a34ca428cc614
8fcc0c4531411   b5af743e59849   28 minutes ago   Running   default-http-backend      5         982ff71d6c2e1
73c804f73c93a   b5af743e59849   28 minutes ago   Running   default-http-backend      2         2e89678bba973
8a14f1f4ef1a1   f2f70adc5d89a   28 minutes ago   Running   my-nginx                  30        70fd05dbd43ec
821a24040dfbd   7a71aca7b60fc   28 minutes ago   Running   calico-node               34        8ca1b324e528a
d5cce8aa38d0a   90f9d984ec9a3   29 minutes ago   Running   node-cache                34        1d0b674530896
5f6ecb863500d   f2f70adc5d89a   29 minutes ago   Running   nginx-proxy               35        7335063a5e517
[root@node3 ~]# 
[root@node3 ~]# crictl ps | grep q2pjt
[root@node3 ~]# crictl exec -it 8a14f1f4ef1a1 bin/bash
root@nginx-ds-q2pjt:/# cd /var/run/secrets/kubernetes.io/serviceaccount/
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# ls
ca.crt  namespace  token
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# ls -l
total 0
lrwxrwxrwx 1 root root 13 Apr 18 13:02 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Apr 18 13:02 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Apr 18 13:02 token -> ..data/token
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# cat namespace 
defaultroot@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# 
root@nginx-ds-q2pjt:/var/run/secrets/kubernetes.io/serviceaccount# exit
exit
[root@node3 ~]#
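Having seen these files, have you wondered what they are for? They are what the Pod uses to authenticate when it talks to the kube API server.
Of course, we can also create a Secret of our own, as follows: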
[root@node1 ~]# cd namespace/
[root@node1 namespace]# mkdir projectedvalume
[root@node1 namespace]# cd projectedvalume/
[root@node1 projectedvalume]# vim secret.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: dbpass
type: Opaque
data:
  username: eXVud2VpamlhCg==
  passwd: eXVud2VpamlhMTIzCg==
[root@node1 projectedvalume]# 
[root@node1 projectedvalume]# kubectl create -f secret.yaml 
secret/dbpass created
[root@node1 projectedvalume]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
dbpass                Opaque                                2      13s
default-token-77rbc   kubernetes.io/service-account-token   3      30d
[root@node1 projectedvalume]#
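The values under data: in a Secret are only base64-encoded, so anyone who can read the manifest can recover them. The following is an added example, not part of the original post: a shell helper (the name audit_secret_data is hypothetical) that decodes every entry under data: and flags values stored with a trailing newline, run here against the dbpass manifest from this page.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# Constructed sample input: the dbpass manifest shown on this page.
SAMPLE_SECRET='apiVersion: v1
kind: Secret
metadata:
  name: dbpass
type: Opaque
data:
  username: eXVud2VpamlhCg==
  passwd: eXVud2VpamlhMTIzCg=='

# audit_secret_data (hypothetical helper): reads a Secret manifest on stdin
# and prints one "key=value" line per entry under the top-level data: key.
# It handles flat manifests like the ones on this page, not arbitrary YAML.
audit_secret_data() {
  awk '
    /^data:[ \t]*$/   { in_data = 1; next }   # enter the data: mapping
    /^[^ \t]/         { in_data = 0 }         # any other top-level key ends it
    in_data && NF == 2 { sub(/:$/, "", $1); print $1, $2 }
  ' | while read -r key b64; do
    # Decoding needs no key or password: base64 is an encoding, not encryption.
    value=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || {
      printf '%s: invalid base64\n' "$key"
      continue
    }
    # Command substitution strips trailing newlines, so look at the last
    # decoded byte separately to see whether a newline was stored.
    last=$(printf '%s' "$b64" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    if [ "$last" = "0a" ]; then
      printf '%s=%s [trailing newline stored]\n' "$key" "$value"
    else
      printf '%s=%s\n' "$key" "$value"
    fi
  done
}

printf '%s\n' "$SAMPLE_SECRET" | audit_secret_data
```

On a live cluster the same helper can read the output of kubectl get secret dbpass -o yaml. Both values on this page decode with a trailing newline, which an application will see as part of the username and password unless it trims them.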
Then we put this Secret into a Pod, as follows:
[root@node1 projectedvalume]# vim pod-secret.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret
spec:
  containers:
  - name: springboot-web
    image: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: db-secret
      mountPath: db-secret
      readOnly: true
  volumes:
  - name: db-secret
    projected:
      sources:
      - secret:
          name: dbpass
[root@node1 projectedvalume]# kubectl apply -f pod-secret.yaml 
pod/pod-secret created
[root@node1 projectedvalume]# kubectl get pod -o wide | grep secret
pod-secret   1/1   Running   0   13s   10.200.135.27   node3
The Pod is running on node3, so let's log in to node3 and take a look:
[root@node3 ~]# crictl ps | grep springboot-web
2fc5df27f1877   8ad32427177e4   2 minutes ago   Running   springboot-web   0   494e73cde04da
[root@node3 ~]# 
[root@node3 ~]# crictl exec -it 2fc5df27f1877 /bin/bash 
root@pod-secret:/# cd db-secret/
root@pod-secret:/db-secret# ls -l
total 0
lrwxrwxrwx 1 root root 13 Apr 18 14:02 passwd -> ..data/passwd
lrwxrwxrwx 1 root root 15 Apr 18 14:02 username -> ..data/username
root@pod-secret:/db-secret# cat passwd 
yunweijia123
root@pod-secret:/db-secret# cat username 
yunweijia
root@pod-secret:/db-secret# exit
exit
[root@node3 ~]#
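One more point: if you have already created many Pods and want to change the value of a Secret, you can change it directly. Some readers will ask whether the Pod can still talk to the kube API afterwards. It can. Once the Secret is changed, the Secret-related values inside your Pods change along with it. You can try this yourself; it is not demonstrated here.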
4 ConfigMap
What is a ConfigMap for? It places unencrypted files into a container. Let's take a look.
Suppose we have a configuration file that we want to put into a Pod.
[root@node1 projectedvalume]# vim ceshi.properties 
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
[root@node1 projectedvalume]#
Then we make this configuration take effect:
[root@node1 projectedvalume]# kubectl create configmap web-ceshi --from-file ceshi.properties 
configmap/web-ceshi created
[root@node1 projectedvalume]# kubectl get cm web-ceshi -o yaml
apiVersion: v1
data:
  ceshi.properties: |
    enemies=aliens
    lives=3
    enemies.cheat=true
    enemies.cheat.level=noGoodRotten
    secret.code.passphrase=UUDDLRLRBABAS
    secret.code.allowed=true
    secret.code.lives=30
kind: ConfigMap
metadata:
  creationTimestamp: "2022-04-18T14:13:44Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ceshi.properties: {}
    manager: kubectl-create
    operation: Update
    time: "2022-04-18T14:13:44Z"
  name: web-ceshi
  namespace: default
  resourceVersion: "535574"
  uid: cbad79b1-b35d-4924-b1f9-43bab1f79953
[root@node1 projectedvalume]#
Then let's see how to use it in a Pod:
[root@node1 projectedvalume]# vim pod-ceshi.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-ceshi
spec:
  containers:
  - name: web
    image: registry.cn-beijing.aliyuncs.com/yunweijia0909/springboot-web:v1
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: ceshi
      mountPath: etc/config/ceshi
      readOnly: true
  volumes:
  - name: ceshi
    configMap:
      name: web-ceshi
[root@node1 projectedvalume]# kubectl apply -f pod-ceshi.yaml 
pod/pod-ceshi created
[root@node1 projectedvalume]#
[root@node1 projectedvalume]# kubectl get pod -o wide | grep ceshi
pod-ceshi   1/1   Running   0   34s   10.200.135.24   node3
That concludes this article.