[Go Cloud Native] Kubernetes Volume
Last updated: 2025-01-06
- Kubernetes Volume
  - ConfigMap and Secret
    - ConfigMap
      - Creation methods
      - Usage
    - Secret
      - Creation methods
      - Usage
  - Volume
    - hostPath
    - emptyDir
    - configMap
    - secret
  - PV and PVC
Kubernetes Volume
ConfigMap and Secret
ConfigMap
- A ConfigMap is a Kubernetes object for storing non-confidential data as key-value pairs. A Pod can consume it as environment variables, as command-line arguments, or as configuration files in a volume.
Creation methods
```bash
# from literal key-value pairs
kubectl create cm myhelloenv --from-literal=env1=k8scmvalue1 --from-literal=env2=k8scmvalue2
kubectl get cm myhelloenv -o yaml
```

```
# myhello-startup-params (env file)
p1=k8scmp1
p2=k8scmp2
```

```bash
kubectl create cm myhellostarup --from-env-file myhello-startup-params
kubectl get cm myhellostarup -o yaml
```

```yaml
# app-info.conf
AppInfo:
  Name: hello
  Host: 127.0.0.1
  Port: 80
  Desc: 这里是配置文件
```

```yaml
# author-info.conf
AuthorInfo:
  Name: hello2
  Gender: 男
  Age: 11
  Desc: 这里是一位男士
```

```bash
# from files; the key name before '=' becomes the file name inside the ConfigMap
kubectl create cm myhelloconfigs --from-file=appinfo.yml=app-info.conf --from-file=authorinfo.yml=author-info.conf
kubectl get cm myhelloconfigs -o yaml
```

```yaml
# myhello-all-config.yaml: the same data declared in one manifest
apiVersion: v1
kind: ConfigMap
metadata:
  name: myhello-all-config
data:
  env1: "k8scmvalue1"
  env2: "k8scmvalue2"
  p1: "k8scmp1"
  p2: "k8scmp2"
  appinfo.yml: |
    AppInfo:
      Name: hello
      Host: 127.0.0.1
      Port: 80
      Desc: 这里是配置文件
  authorinfo.yml: |
    AuthorInfo:
      Name: hello2
      Gender: 男
      Age: 11
      Desc: 这里是一位男士
```

```bash
kubectl create -f myhello-all-config.yaml
kubectl get -f myhello-all-config.yaml -o yaml
```
Usage
- As container environment variables
- In the container's command-line arguments
- As files inside the Pod
```yaml
# myapp-cm-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-cm-deployment
  labels:
    name: myapp-cm
spec:
  replicas: 5
  selector:
    matchLabels:
      name: myapp-cm
  template:
    metadata:
      labels:
        name: myapp-cm
    spec:
      containers:
      - name: myhello
        image: xlhmzch/hello:1.0.3
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
        command: ["./app"]
        # $(VAR) is expanded from the env entries declared below
        args: ["--param1=$(param1)", "--param2=$(param2)"]
        env:
        - name: env1
          valueFrom:
            configMapKeyRef:
              name: myhello-all-config
              key: env1
        - name: env2
          valueFrom:
            configMapKeyRef:
              name: myhello-all-config
              key: env2
        - name: param1
          valueFrom:
            configMapKeyRef:
              name: myhello-all-config
              key: p1
        - name: param2
          valueFrom:
            configMapKeyRef:
              name: myhello-all-config
              key: p2
        volumeMounts:
        - name: myhello-conf
          mountPath: "/app/configs"
          readOnly: true
      volumes:
      - name: myhello-conf
        configMap:
          name: myhello-all-config
          # only the selected keys are projected as files
          items:
          - key: "appinfo.yml"
            path: "appinfo.yml"
          - key: "authorinfo.yml"
            path: "authorinfo.yml"
```

```bash
kubectl apply -f myapp-cm-deployment.yaml
```

```yaml
# myapp-cm-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp-cm-svc
spec:
  type: ClusterIP
  selector:
    name: myapp-cm
  ports:
  - protocol: TCP
    name: http
    port: 80
    targetPort: 80
```

```bash
kubectl apply -f myapp-cm-svc.yaml
curl http://10.108.110.126/print/env
curl http://10.108.110.126/print/startup
curl http://10.108.110.126/print/config/appinfo
curl http://10.108.110.126/print/config/authorinfo
```
Secret
- An object that holds a small amount of sensitive data such as passwords, tokens, or keys. Such data would otherwise end up in the Pod definition or in the image; using a Secret means the application no longer has to embed sensitive information.
- Three types of Secret:
  - generic
  - tls
  - docker-registry
Creation methods
- generic
```bash
# from literals
kubectl create secret generic kvdemo-secret --from-literal=username=admin --from-literal=pwd=oinoihph14561
```

```
# user-pwd-env (env file)
username=admin
pwd=oinoihph14561
```

```bash
kubectl create secret generic envfiledemo-secret --from-env-file user-pwd-env

# from files; the file name becomes the key
echo -n 'admin' > username.txt
echo -n 'oinoihph14561' > password.txt
kubectl create secret generic filedemo --from-file=username.txt --from-file=password.txt

# values in a Secret manifest's data field must be base64-encoded
echo -n 'admin' | base64
echo -n 'oinoihph14561' | base64
```

```yaml
# my-opaque-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-opaque-secret
type: Opaque
data:
  username: YWRtaW4=               # echo -n 'admin' | base64
  password: b2lub2locGgxNDU2MQ==   # echo -n 'oinoihph14561' | base64
```

```bash
kubectl create -f my-opaque-secret.yaml
kubectl get -f my-opaque-secret.yaml -o yaml
```
- tls
```bash
# self-signed certificate and key for testing
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /tmp/3wicu.key -out /tmp/3wicu.crt \
  -subj "/CN=www.icu.com/O=www.icu.com"
kubectl create secret tls tlsdemo-secret --cert=/tmp/3wicu.crt --key=/tmp/3wicu.key

# base64 for the manifest below
cat /tmp/3wicu.crt | base64
cat /tmp/3wicu.key | base64
```

```yaml
# my-tls-secret.yaml (data values are placeholders from the post, not real base64)
apiVersion: "v1"
kind: "Secret"
metadata:
  name: "my-tls-secret"
  namespace: "default"
type: kubernetes.io/tls
data:
  tls.crt: "aldskmiognapignoierngopqniergopnier"
  tls.key: "qoiegnoqgnorpiqnp3irugnpqirognpqirug"
```

```bash
kubectl apply -f my-tls-secret.yaml
```
- docker-registry
```bash
kubectl create secret docker-registry dockerregistrydemo \
  --docker-server=https://index.mydocker.io/v1/ \
  --docker-username=my --docker-password=pwd123 --docker-email=my@qq.com
```

```json
{
  "auths": {
    "docker.lin.com:5000": {
      "username": "lin",
      "password": "pass1234",
      "email": "lin@qq.com",
      "auth": "qwegwerg="
    }
  }
}
```

```bash
# base64 of the file above for the manifest below
cat dockerconfigjson | base64
```

```yaml
# dockerconfigjson-secret.yaml (data value is a placeholder from the post)
apiVersion: "v1"
kind: "Secret"
metadata:
  name: dockerconfigjson-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: "1998198qioiqn3grpoun2unr24g42th"
```

```bash
kubectl create -f dockerconfigjson-secret.yaml
```
Usage
- As container environment variables
- As files inside the Pod
- Used by the kubelet when pulling the Pod's images
```bash
echo -n "env1secretvalue1" | base64
echo -n "env1secretvalue2" | base64
cat $HOME/.docker/config.json | base64
cat /tmp/3wicu.crt | base64
cat /tmp/3wicu.key | base64
```

```yaml
# my-all-secret.yaml (data values are placeholders from the post)
apiVersion: v1
kind: Secret
metadata:
  name: my-all-secret
type: Opaque
data:
  environment1: qoneotiq49819efr
  environment2: qoneotiq451qergg
  .dockerconfigjson: "qweongoqpwbrquibgrqei"
  tls.crt: "qwognqpernigpoqerngp"
  tls.key: "qwognqpernigpoqerngp"
```

```bash
kubectl apply -f my-all-secret.yaml
```

```yaml
# myapp-secret-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-secret-deployment
  labels:
    name: myapp-secret
spec:
  replicas: 5
  selector:
    matchLabels:
      name: myapp-secret
  template:
    metadata:
      labels:
        name: myapp-secret
    spec:
      imagePullSecrets:
      - name: my-all-secret
      containers:
      - name: myhello
        image: xlhmzch/hello:1.0.3
        imagePullPolicy: Always
        ports:
        - containerPort: 80
        command: ["./app"]
        args: ["--param1=$(env1)", "--param2=$(env2)"]
        env:
        - name: env1
          valueFrom:
            secretKeyRef:
              name: my-all-secret
              key: environment1
              optional: false
        - name: env2
          valueFrom:
            secretKeyRef:
              name: my-all-secret
              key: environment2
              optional: false
        volumeMounts:
        - name: myhello-secret
          mountPath: "/app/cert"
          readOnly: true
      volumes:
      - name: myhello-secret
        secret:
          secretName: my-all-secret
          optional: false
          items:
          - key: "tls.key"
            path: "tls.key"
          - key: "tls.crt"
            path: "tls.crt"
```

```yaml
# myapp-secret-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp-secret-svc
spec:
  type: ClusterIP
  selector:
    name: myapp-secret
  ports:
  - protocol: TCP
    name: http
    port: 80
    targetPort: 80
```

```bash
kubectl apply -f myapp-secret-deployment.yaml
kubectl apply -f myapp-secret-svc.yaml
curl http://10.104.206.255/print/env
curl http://10.104.206.255/print/startup
kubectl exec myapp-secret-deployment-noqngiqbr -- ls cert
kubectl exec myapp-secret-deployment-noqngiqbr -- cat cert/tls.crt
```

Note that the kubelet only reads imagePullSecrets of type kubernetes.io/dockerconfigjson or kubernetes.io/dockercfg, so the Opaque my-all-secret above is not used for image pulls; keep registry credentials in a separate Secret of that type, as in the docker-registry example.
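As an added example (not part of the original post), the following check audits how a Pod spec consumes a Secret, using Python dicts that mirror my-all-secret and the myapp-secret-deployment Pod template above: a pull secret of the wrong type, Secret keys injected as environment variables, and Secret volumes mounted read-write.

```python
# Added audit example, not from the original post. The dict inputs below are
# constructed to mirror the my-all-secret and myapp-secret-deployment manifests.
PULL_SECRET_TYPES = {"kubernetes.io/dockerconfigjson", "kubernetes.io/dockercfg"}

def audit_secret_usage(pod_spec, secrets):
    """Return findings for risky Secret consumption; secrets maps name -> manifest."""
    findings = []
    vols = {v["name"]: v for v in pod_spec.get("volumes", [])}
    # kubelet only honours imagePullSecrets of the two docker-config types;
    # a Secret of any other type is skipped, so private pulls would fail.
    for ref in pod_spec.get("imagePullSecrets", []):
        sec = secrets.get(ref["name"])
        stype = sec.get("type") if sec else None
        if stype not in PULL_SECRET_TYPES:
            findings.append(f"imagePullSecret {ref['name']}: type {stype} is ignored by kubelet")
    for c in pod_spec.get("containers", []):
        # Env vars are visible in `kubectl describe`, /proc/<pid>/environ and crash
        # dumps; a read-only volume mount is the safer way to deliver a Secret.
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(f"container {c['name']}: env {e['name']} exposes Secret "
                                f"{ref['name']}/{ref['key']}")
        for m in c.get("volumeMounts", []):
            if "secret" in vols.get(m["name"], {}) and not m.get("readOnly", False):
                findings.append(f"container {c['name']}: Secret volume {m['name']} mounted read-write")
    return findings

# Constructed inputs mirroring this section's manifests (base64 values abbreviated).
MY_ALL_SECRET = {"kind": "Secret", "metadata": {"name": "my-all-secret"}, "type": "Opaque",
                 "data": {"environment1": "<b64>", "environment2": "<b64>",
                          ".dockerconfigjson": "<b64>", "tls.crt": "<b64>", "tls.key": "<b64>"}}
POD_SPEC = {
    "imagePullSecrets": [{"name": "my-all-secret"}],
    "containers": [{
        "name": "myhello",
        "env": [
            {"name": "env1", "valueFrom": {"secretKeyRef": {"name": "my-all-secret", "key": "environment1"}}},
            {"name": "env2", "valueFrom": {"secretKeyRef": {"name": "my-all-secret", "key": "environment2"}}},
        ],
        "volumeMounts": [{"name": "myhello-secret", "mountPath": "/app/cert", "readOnly": True}],
    }],
    "volumes": [{"name": "myhello-secret", "secret": {"secretName": "my-all-secret"}}],
}

if __name__ == "__main__":
    for f in audit_secret_usage(POD_SPEC, {"my-all-secret": MY_ALL_SECRET}):
        print("FINDING:", f)
```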
Volume
- At its core a Volume is a directory.
- It solves two problems:
  - files being lost when a container crashes or restarts
  - sharing files between several containers
hostPath
- cadvisor-ds.yaml
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cadvisor
  namespace: default
  labels:
    app: cadvisor
spec:
  selector:
    matchLabels:
      app: cadvisor
  template:
    metadata:
      labels:
        app: cadvisor
    spec:
      tolerations:
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
        effect: NoSchedule
      containers:
      - name: cadvisor
        image: google/cadvisor:v0.32.0
        ports:
        - containerPort: 8080
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - name: rootfs
          mountPath: /rootfs
        - name: run
          mountPath: /var/run
        - name: sys
          mountPath: /sys
        - name: varlibdocker
          mountPath: /var/lib/docker/
        - name: devdisk
          mountPath: /dev/disk
          readOnly: true
        - name: localtime
          mountPath: /etc/localtime
          readOnly: true
      terminationGracePeriodSeconds: 30
      volumes:
      - name: rootfs
        hostPath:
          path: /
      - name: run
        hostPath:
          path: /var/run
      - name: sys
        hostPath:
          path: /sys/
      - name: varlibdocker
        hostPath:
          path: /var/lib/docker/
      - name: devdisk
        hostPath:
          path: /dev/disk
      - name: localtime
        hostPath:
          path: /etc/localtime
```

Mounting / and /var/run read-write hands the container the node's whole filesystem and the container runtime socket; outside a monitoring agent like this, restrict hostPath with Pod Security Admission (the baseline profile forbids hostPath volumes) and set readOnly: true wherever the workload only needs to read.
- cadvisor-svc.yaml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: cadvisor-svc
  labels:
    name: cadvisor-svc
spec:
  type: NodePort
  ports:
  - port: 80
    protocol: TCP
    targetPort: 8080
    name: http
    nodePort: 30002
  selector:
    app: cadvisor
```

```bash
kubectl apply -f cadvisor-ds.yaml
kubectl apply -f cadvisor-svc.yaml
curl http://192.168.239.142:30002
```
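As an added example (not part of the original post), this check walks a Pod spec that mirrors cadvisor-ds.yaml above and reports every hostPath volume that is mounted read-write under a sensitive node path; the prefix list is an assumption for illustration, not a Kubernetes default.

```python
# Added audit example, not from the original post. CADVISOR_SPEC is constructed
# to mirror the volume fields of the cadvisor DaemonSet in this section.
import posixpath

# Assumed list of host paths whose writable exposure lets a container act on the
# node itself (root filesystem, runtime sockets, container storage, kernel interfaces).
SENSITIVE_HOST_PREFIXES = ("/", "/var/run", "/run", "/var/lib/docker",
                           "/var/lib/kubelet", "/sys", "/proc", "/dev", "/etc", "/root")

def _is_sensitive(host_path):
    p = posixpath.normpath(host_path)   # "/sys/" -> "/sys", "/var/lib/docker/" -> "/var/lib/docker"
    if p == "/":
        return True
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PREFIXES if s != "/")

def audit_host_paths(pod_spec):
    """Return (container, mountPath, hostPath) for read-write mounts of sensitive host paths."""
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in pod_spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in pod_spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            hp = host_vols.get(m["name"])
            if hp is not None and _is_sensitive(hp) and not m.get("readOnly", False):
                findings.append((c["name"], m["mountPath"], hp))
    return findings

# Constructed Pod spec mirroring the cadvisor DaemonSet (only volume fields kept).
CADVISOR_SPEC = {
    "containers": [{"name": "cadvisor", "volumeMounts": [
        {"name": "rootfs", "mountPath": "/rootfs"},
        {"name": "run", "mountPath": "/var/run"},
        {"name": "sys", "mountPath": "/sys"},
        {"name": "varlibdocker", "mountPath": "/var/lib/docker/"},
        {"name": "devdisk", "mountPath": "/dev/disk", "readOnly": True},
        {"name": "localtime", "mountPath": "/etc/localtime", "readOnly": True},
    ]}],
    "volumes": [
        {"name": "rootfs", "hostPath": {"path": "/"}},
        {"name": "run", "hostPath": {"path": "/var/run"}},
        {"name": "sys", "hostPath": {"path": "/sys/"}},
        {"name": "varlibdocker", "hostPath": {"path": "/var/lib/docker/"}},
        {"name": "devdisk", "hostPath": {"path": "/dev/disk"}},
        {"name": "localtime", "hostPath": {"path": "/etc/localtime"}},
    ],
}

if __name__ == "__main__":
    for c, mnt, hp in audit_host_paths(CADVISOR_SPEC):
        print(f"FINDING: container {c} mounts host {hp} read-write at {mnt}")
```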
emptyDir
- nginx-init-demo.yaml
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-init-demo
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    volumeMounts:
    - name: workdir
      mountPath: /usr/share/nginx/html
  # the init container fills the shared emptyDir before nginx starts
  initContainers:
  - name: install
    image: busybox
    command:
    - wget
    - "-O"
    - "/work-dir/index.html"
    - https://www.baidu.com/
    volumeMounts:
    - name: workdir
      mountPath: "/work-dir"
  dnsPolicy: Default
  volumes:
  - name: workdir
    emptyDir: {}
```
configMap
- Already shown above in the ConfigMap section on using a ConfigMap as files.
secret
PV and PVC
- All of the volumes above are ephemeral: when the Pod is destroyed, the volume is destroyed with it. PV and PVC are persistent volumes.
- Installing the NFS file system
```bash
apt-get install nfs-common

git clone https://github.com/kubernetes-sigs/nfs-ganesha-server-and-external-provisioner
cd nfs-ganesha-server-and-external-provisioner
vim ./deploy/kubernetes/deployment.yaml
# fields to edit in the provisioner Deployment:
#   image: quay.io/kubernetes_incubator/nfs-provisioner
#   hostPath:
#     path: /mysrv
#   args:
#     - "-provisioner=lin.com/nfs"

kubectl apply -f ./deploy/kubernetes/deployment.yaml
kubectl apply -f ./deploy/kubernetes/rbac.yaml
```
- Create the StorageClass

```bash
vim mynfs.yaml
```

```yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: mynfs
provisioner: lin.com/nfs   # must match the -provisioner argument above
mountOptions:
- vers=4.1
```

```bash
kubectl apply -f mynfs.yaml
```
- Create the PVC

```bash
vim mypvc001.yaml
```

```yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: mypvc001
spec:
  storageClassName: mynfs
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Mi
```

```bash
kubectl apply -f mypvc001.yaml
```
- Use the PVC

```bash
vim write-pod.yaml
```

```yaml
kind: Pod
apiVersion: v1
metadata:
  name: write-pod
spec:
  containers:
  - name: write-pod
    image: busybox
    command:
    - "/bin/sh"
    args:
    - "-c"
    - "echo 成功访问pv > /mnt/SUCCESS && exit 0 || exit 1"
    volumeMounts:
    - name: nfs-pvc
      mountPath: "/mnt"
  restartPolicy: "Never"
  volumes:
  - name: nfs-pvc
    persistentVolumeClaim:
      claimName: mypvc001
```

```bash
kubectl apply -f write-pod.yaml
# the provisioner backs the PV with a directory under /mysrv on the node
cat /mysrv/pvc-noiphonoigqerigjoper/SUCCESS
```
2025-01-05
Filed by Cleofwine under category: Go云原生