环境变量(env)是容器级别的参数,为容器设置环境变量方法有
- 变量值从Pod属性获取
- 变量值从自定义变量获取
- 变量值从ConfigMap获取
- 变量值从Secret获取
@Pod属性和自定义变量
test-env.yaml内容如下
apiVersion: v1
kind: Pod
metadata:
name: test-env
spec:
containers:
- name: test-env
image: busybox
command: [ "sh", "-c", "sleep 3600"]
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: date
value: "2021-08-29"
- name: hello
value: "Greeting"
说明:
lines 11-22 变量值从Pod属性获取
lines 23-26 变量值从自定义变量获取
创建Pod后,进入容器, 获取变量值
[root@k8s-master ~]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
dns 1/1 Running 3 3h42m 10.244.36.94 k8s-node1 <none> <none>
nfs-client-provisioner-5fd446cd9d-c62kl 1/1 Running 0 8h 10.244.169.149 k8s-node2 <none> <none>
test-env 1/1 Running 0 3m12s 10.244.36.99 k8s-node1 <none> <none>
[root@k8s-master ~]#
[root@k8s-master ~]# kubectl exec -it test-env -- sh
/ # echo $POD_NAME
test-env
/ # echo $POD_NAMESPACE
default
/ # echo $POD_IP
10.244.36.99
/ # echo $date
2021-08-29
/ # echo $hello
Greeting
/ # exit
[root@k8s-master ~]#
@ ConfigMap
yaml可参考官方文档 -> ConfigMap | Kubernetes
test-configmap.yaml内容如下
apiVersion: v1
kind: ConfigMap
metadata:
name: game-demo
data:
# 类属性键;每一个键都映射到一个简单的值
player_initial_lives: "3"
ui_properties_file_name: "user-interface.properties"
# 类文件键
game.properties: |
enemy.types=aliens,monsters
player.maximum-lives=5
user-interface.properties: |
color.good=purple
color.bad=yellow
allow.textmode=true
---
apiVersion: v1
kind: Pod
metadata:
name: test-configmap
spec:
containers:
- name: demo
image: alpine
command: ["sleep", "3600"]
env:
# 定义环境变量
- name: PLAYER_INITIAL_LIVES # 请注意这里和 ConfigMap 中的键名是不一样的
valueFrom:
configMapKeyRef:
name: game-demo # 这个值来自 ConfigMap
key: player_initial_lives # 需要取值的键
- name: UI_PROPERTIES_FILE_NAME
valueFrom:
configMapKeyRef:
name: game-demo
key: ui_properties_file_name
volumeMounts:
- name: config
mountPath: "/config"
readOnly: true
volumes:
# 你可以在 Pod 级别设置卷,然后将其挂载到 Pod 内的容器中
- name: config
configMap:
# 提供你想要挂载的 ConfigMap 的名字
name: game-demo
# 来自 ConfigMap 的一组键,将被创建为文件
items:
- key: "game.properties"
path: "game.properties"
- key: "user-interface.properties"
path: "user-interface.properties"说明:
1.ConfigMap的data部分
lines 6-8 一个键对应一个值
lines 10-17 配置的片段格式
2.Pod使用ConfigMap中的值
lines 28-39 环境变量
lines 40-55 在只读卷里面添加一个文件,让应用来读取
[root@k8s-master ~]# kubectl apply -f test-configmap.yaml
configmap/game-demo created
pod/test-configmap created
[root@k8s-master ~]# kubectl get configmap
NAME DATA AGE
game-demo 4 18s
kube-root-ca.crt 1 35d
[root@k8s-master ~]#说明:configmap,game-demo列DATA的4代表 其包含4个键,对应34,39行和52,54行
然后进入Pod获取这些变量的值, 1)环境变量
[root@k8s-master ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
test-configmap 1/1 Running 0 74s
dns 1/1 Running 5 15h
nfs-client-provisioner-5fd446cd9d-c62kl 1/1 Running 2 20h
test-env 1/1 Running 2 11h
[root@k8s-master ~]#
[root@k8s-master ~]# kubectl exec -it test-configmap -- sh
/ # env | grep enemy.types
/ #
/ # env
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
UI_PROPERTIES_FILE_NAME=user-interface.properties
HOSTNAME=test-configmap
SHLVL=1
HOME=/root
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
PLAYER_INITIAL_LIVES=3
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
/ # echo $PLAYER_INITIAL_LIVES
3
/ #
/ #
/ # env | grep UI_PROPERTIES_FILE_NAME
UI_PROPERTIES_FILE_NAME=user-interface.properties
/ # env | grep allow.textmode
/ #
2)挂载卷里的配置文件
/ # cd config/
/config # ls
game.properties user-interface.properties
/config # cat game.properties
enemy.types=aliens,monsters
player.maximum-lives=5
/config # cat user-interface.properties
color.good=purple
color.bad=yellow
allow.textmode=true
/config #@ Secret
Secret 是一种包含少量敏感信息例如密码、令牌或密钥的对象。
要使用 Secret,Pod 需要引用 Secret,有三种方式:
由kubelet在为Pod拉取镜像时使用
作为挂载到一个或多个容器上的卷中的文件
作为容器的环境变量
Secret的类型
官方文档 -> Secret | Kubernetes
base64加解密
加密 echo -n 'string' | base64
解密 echo -n 'string' | base64 -d
注意: echo选项"-n" 表示不输出换行,对比如下
[root@k8s-master ~]# echo -n 'admin' | base64
YWRtaW4=
[root@k8s-master ~]# echo 'admin' | base64
YWRtaW4K
[root@k8s-master ~]# echo 'YWRtaW4=' | base64 -d
admin[root@k8s-master ~]#
[root@k8s-master ~]# echo 'YWRtaW4K' | base64 -d
admin
[root@k8s-master ~]# echo -n 'YWRtaW4K' | base64 -d
admin
[root@k8s-master ~]# echo -n 'YWRtaW4=' | base64 -d
admin[root@k8s-master ~]#
test-secret.yaml内容如下,
apiVersion: v1
data:
username: YWRtaW4=
password: MWYyZDFlMmU2N2Rm
kind: Secret
metadata:
name: mysecret
type: Opaque
---
apiVersion: v1
kind: Pod
metadata:
name: test-secret
spec:
containers:
- name: test-secret
image: nginx
env:
- name: USER
valueFrom:
secretKeyRef:
name: mysecret
key: username
- name: PASS
valueFrom:
secretKeyRef:
name: mysecret
key: password
volumeMounts:
- name: config
mountPath: "/config"
readOnly: true
volumes:
- name: config
secret:
secretName: mysecret
items:
- key: username
path: usernamefile
创建Secret和Pod
[root@k8s-master ~]# kubectl apply -f test-secret.yaml
secret/mysecret created
pod/test-secret created
[root@k8s-master ~]# kubectl get secret
NAME TYPE DATA AGE
mysecret Opaque 2 13s
nfs-client-provisioner-token-hfwpd kubernetes.io/service-account-token 3 35h
[root@k8s-master ~]#
进入Pod获取环境变量
[root@k8s-master ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
test-configmap 1/1 Running 2 14h
dns 1/1 Running 8 30h
nfs-client-provisioner-5fd446cd9d-c62kl 1/1 Running 4 35h
test-env 1/1 Running 5 26h
test-secret 1/1 Running 0 22s
[root@k8s-master ~]#
[root@k8s-master ~]# kubectl exec -it test-secret -- sh
# echo $USER
admin
# echo $PASS
1f2d1e2e67df
#
# cd config
# ls
usernamefile
# cat usernamefile
admin# exit
[root@k8s-master ~]#