释放双眼,带上耳机,听听看~!
目录
-
Kubernetes之(十三)ConfigMap和Secret
-
ConfigMap
-
ConfigMap创建方式
* 存储卷方式挂载configmap:
* 使用nginx-www配置nginx- Secret
-
创建 Secret
Kubernetes之(十三)ConfigMap和Secret
简介
ConfigMap和Secret是kubernetes系统上两种特殊类型的存储卷,ConfigMao对象用于为容器中的应用提供配置数据以定制程序行为,不过年敏感的配置信息,例如密钥,证书等通常由Secret对象来进行配置,它们将相应的配置信息保存于对象中,而后在Pod资源上以存储卷的形式将其挂载并获取相关配置,以实现配置与镜像文件的解耦。
传统的实践过程中们需要对一个应用进行配置,只需要修改其配置文件通常有以下几种方式:
-
启动容器时,通过命令传递参数 command args自定义参数
-
把配置文件写入镜像内
-
通过环境变量的方式传递配置数据
-
cloud native的程序,一般通过环境变量加载配置
- 通过enteypoint脚本预处理变量为配置文件中的配置信息
-
挂载Docker卷传送配置文件
而在Kubernetes系统之中也存在这样的组件,就是特殊的存储卷类型。其并不是提供pod存储空间,而是给管理员或用户提供从集群外部向Pod内部的应用注入配置信息的方式。这两种特殊类型的存储卷:configMap和secret
**ConfigMap:**主要用于向Pod注入非敏感数据,使用时,用户将数据直接存储在ConfigMap对象当中,然后Pod通过使用ConfigMap卷进行引用,实现容器的配置文件集中定义和管理。
**Secret:**用于向Pod传递敏感信息,比如密码,私钥,证书文件等,这些信息如果在容器中定义容易泄露,Secret资源可以让用户将这些信息存储在急群众,然后通过Pod进行挂载,实现敏感数据和系统解耦的效果。
ConfigMap
configmap是让配置文件从镜像中解耦,让镜像的可移植性和可复制性。许多应用程序会从配置文件、命令行参数或环境变量中读取配置信息。这些配置信息需要与docker image解耦,ConfigMap API给我们提供了向容器中注入配置信息的机制,ConfigMap可以被用来保存单个属性,也可以用来保存整个配置文件或者JSON二进制对象。
ConfigMap API资源用来保存key-value pair配置数据,这个数据可以在pods里使用,或者被用来为像controller一样的系统组件存储配置数据。虽然ConfigMap跟Secrets类似,但是ConfigMap更方便的处理不含敏感信息的字符串。 注意:ConfigMaps不是属性配置文件的替代品。ConfigMaps只是作为多个properties文件的引用。可以把它理解为Linux系统中的/etc目录,专门用来存储配置文件的目录。下面举个例子,使用ConfigMap配置来创建Kuberntes Volumes,ConfigMap中的每个data项都会成为一个新文件。
2
3
4
5
6
7
8
9
10
11
12
13
2KIND: ConfigMap
3VERSION: v1
4
5FIELDS:
6 apiVersion <string>
7
8 data <map[string]string>
9
10 kind <string>
11
12 metadata <Object>
13
ConfigMap创建方式
1、 通过 –from-literal:
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
2configmap/nginx-config created
3[root@master configmap]# kubectl get cm
4NAME DATA AGE
5nginx-config 2 4s
6
7[root@master configmap]# kubectl describe cm nginx-config
8Name: nginx-config
9Namespace: default
10Labels: <none>
11Annotations: <none>
12
13Data
14====
15nginx_port:
16----
178080
18server_name:
19----
20myapp.white.com
21Events: <none>
22
2、通过 –from-file:
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
2server {
3 server_name myapp.white.com;
4 listen 80;
5 root /data/web/html/;
6}
7
8
9[root@master configmap]# kubectl create configmap nginx-www --from-file=./www.conf
10configmap/nginx-www created
11[root@master configmap]# kubectl get cm
12NAME DATA AGE
13nginx-config 2 3m5s
14nginx-www 1 3s
15[root@master configmap]# kubectl get cm nginx-www -o yaml
16apiVersion: v1
17data:
18 www.conf: "server {\n\tserver_name myapp.white.com;\n\tlisten 80;\n\troot /data/web/html/;\n}\n"
19kind: ConfigMap
20metadata:
21 creationTimestamp: "2019-04-03T02:25:57Z"
22 name: nginx-www
23 namespace: default
24 resourceVersion: "207536"
25 selfLink: /api/v1/namespaces/default/configmaps/nginx-www
26 uid: d0171cb8-55b7-11e9-80a7-000c295ec349
27
将cm注入到pod内
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
2apiVersion: v1
3kind: Pod
4metadata:
5 name: pod-cm-1
6 namespace: default
7 labels:
8 app: myapp
9 tier: frontend
10spec:
11 containers:
12 - name: myapp
13 image: ikubernetes/myapp:v1
14 ports:
15 - name: http
16 containerPort: 80
17 env:
18 - name: NGINX_SERVER_PORT
19 valueFrom:
20 configMapKeyRef:
21 name: nginx-config
22 key: nginx_port
23 - name: NGINX_SERVER_NAME
24 valueFrom:
25 configMapKeyRef:
26 name: nginx-config
27 key: server_name
28
29[root@master configmap]# kubectl get pods
30NAME READY STATUS RESTARTS AGE
31myapp-backend-pod-6b56d98b6b-2dh5h 1/1 Running 0 25h
32myapp-backend-pod-6b56d98b6b-hwzws 1/1 Running 0 25h
33myapp-backend-pod-6b56d98b6b-ztwn2 1/1 Running 0 25h
34pod-cm-1 1/1 Running 0 19s
35pod-hostpath-vol 1/1 Running 0 20h
36pod-pvc-vol 1/1 Running 0 17h
37tomcat-deploy-5f554cd88d-7gzc7 1/1 Running 0 24h
38tomcat-deploy-5f554cd88d-c42t6 1/1 Running 0 24h
39tomcat-deploy-5f554cd88d-qhc4j 1/1 Running 0 24h
40
41
进入容器查看:
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
2/ # printenv
3MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
4KUBERNETES_SERVICE_PORT=443
5KUBERNETES_PORT=tcp://10.96.0.1:443
6MYAPP_SERVICE_PORT_HTTP=80
7TOMCAT_PORT_8080_TCP=tcp://10.107.88.118:8080
8TOMCAT_PORT_8009_TCP=tcp://10.107.88.118:8009
9MYAPP_SVC_PORT_80_TCP_PORT=80
10HOSTNAME=pod-cm-1
11SHLVL=1
12MYAPP_SVC_PORT_80_TCP_PROTO=tcp
13HOME=/root
14MYAPP_SERVICE_HOST=10.100.41.152
15NGINX_SERVER_PORT=8080 #已经被调用
16NGINX_SERVER_NAME=myapp.white.com #已经被调用
17MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
18MYAPP_PORT=tcp://10.100.41.152:80
19MYAPP_SERVICE_PORT=80
20TERM=xterm
21NGINX_VERSION=1.12.2
22KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
23MYAPP_PORT_80_TCP_ADDR=10.100.41.152
24PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
25TOMCAT_SERVICE_PORT_HTTP=8080
26KUBERNETES_PORT_443_TCP_PORT=443
27KUBERNETES_PORT_443_TCP_PROTO=tcp
28MYAPP_PORT_80_TCP_PORT=80
29MYAPP_PORT_80_TCP_PROTO=tcp
30MYAPP_SVC_SERVICE_HOST=10.98.57.156
31TOMCAT_PORT_8080_TCP_ADDR=10.107.88.118
32TOMCAT_SERVICE_HOST=10.107.88.118
33TOMCAT_PORT_8009_TCP_ADDR=10.107.88.118
34KUBERNETES_SERVICE_PORT_HTTPS=443
35KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
36TOMCAT_PORT_8080_TCP_PORT=8080
37PWD=/
38KUBERNETES_SERVICE_HOST=10.96.0.1
39MYAPP_PORT_80_TCP=tcp://10.100.41.152:80
40TOMCAT_PORT_8080_TCP_PROTO=tcp
41TOMCAT_PORT_8009_TCP_PORT=8009
42MYAPP_SVC_SERVICE_PORT=80
43MYAPP_SVC_PORT=tcp://10.98.57.156:80
44TOMCAT_PORT_8009_TCP_PROTO=tcp
45TOMCAT_PORT=tcp://10.107.88.118:8080
46TOMCAT_SERVICE_PORT=8080
47TOMCAT_SERVICE_PORT_AJP=8009
48
如果此时使用kubectl edit cm来修改configmap 此时在容器内查看环境变量不会被修改,因为该env是在pod创建的时候获取的,不会被修改
存储卷方式挂载configmap:
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
2apiVersion: v1
3kind: Pod
4metadata:
5 name: pod-cm-2
6 namespace: default
7 labels:
8 app: myapp
9 tier: frontend
10spec:
11 containers:
12 - name: myapp
13 image: ikubernetes/myapp:v1
14 ports:
15 - name: http
16 containerPort: 80
17 volumeMounts:
18 - name: nginxconf
19 mountPath: /etc/nginx/config.d/
20 readOnly: true
21 volumes:
22 - name: nginxconf
23 configMap:
24 name: nginx-config
25
26
27[root@master configmap]# kubectl apply -f pod-configmap-2.yaml
28pod/pod-cm-2 created
29
查看并进入Pod
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
2NAME READY STATUS RESTARTS AGE
3myapp-backend-pod-6b56d98b6b-2dh5h 1/1 Running 0 29h
4myapp-backend-pod-6b56d98b6b-hwzws 1/1 Running 0 29h
5myapp-backend-pod-6b56d98b6b-ztwn2 1/1 Running 0 29h
6pod-cm-2 1/1 Running 0 53s
7pod-hostpath-vol 1/1 Running 0 23h
8pod-pvc-vol 1/1 Running 0 20h
9tomcat-deploy-5f554cd88d-7gzc7 1/1 Running 0 27h
10tomcat-deploy-5f554cd88d-c42t6 1/1 Running 0 27h
11tomcat-deploy-5f554cd88d-qhc4j 1/1 Running 0 27h
12
13[root@master configmap]# kubectl exec -it pod-cm-2 -- /bin/sh
14/ # cd /etc/nginx/config.d/
15/etc/nginx/config.d # ls
16nginx_port server_name
17/etc/nginx/config.d # cat nginx_port
188080
19/etc/nginx/config.d # cat server_name
20myapp.white.com/etc/nginx/config.d
21
22
此时使用kubectl edit修改端口,进入容器进行查看
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
2
3# Please edit the object below. Lines beginning with a '#' will be ignored,
4# and an empty file will abort the edit. If an error occurs while saving this file will be
5# reopened with the relevant failures.
6#
7apiVersion: v1
8data:
9 nginx_port: "11111"
10 server_name: myapp.white.com
11kind: ConfigMap
12metadata:
13 creationTimestamp: "2019-04-03T02:22:55Z"
14 name: nginx-config
15 namespace: default
16 resourceVersion: "207257"
17 selfLink: /api/v1/namespaces/default/configmaps/nginx-config
18 uid: 63e91046-55b7-11e9-80a7-000c295ec349
19
进入容器查看(需要等待一小会,有一定延迟时间)
2
3
4
211111
3/etc/nginx/config.d #
4
使用nginx-www配置nginx
nginx-www是使用文件创建的cm,文件名是键名,内容是值。
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
2apiVersion: v1
3kind: Pod
4metadata:
5 name: pod-cm-3
6 namespace: default
7 labels:
8 app: myapp
9 tier: frontend
10spec:
11 containers:
12 - name: myapp
13 image: ikubernetes/myapp:v1
14 ports:
15 - name: http
16 containerPort: 80
17 volumeMounts:
18 - name: nginxconf
19 mountPath: /etc/nginx/conf.d/
20 readOnly: true
21 volumes:
22 - name: nginxconf
23 configMap:
24 name: nginx-www
25
创建并查看
2
3
4
5
6
7
8
9
10
11
12
13
14
15
2pod/pod-cm-3 created
3[root@master configmap]# kubectl get pods
4NAME READY STATUS RESTARTS AGE
5myapp-backend-pod-6b56d98b6b-2dh5h 1/1 Running 0 29h
6myapp-backend-pod-6b56d98b6b-hwzws 1/1 Running 0 29h
7myapp-backend-pod-6b56d98b6b-ztwn2 1/1 Running 0 29h
8pod-cm-3 1/1 Running 0 5s
9pod-hostpath-vol 1/1 Running 0 23h
10pod-pvc-vol 1/1 Running 0 20h
11tomcat-deploy-5f554cd88d-7gzc7 1/1 Running 0 28h
12tomcat-deploy-5f554cd88d-c42t6 1/1 Running 0 28h
13tomcat-deploy-5f554cd88d-qhc4j 1/1 Running 0 28h
14
15
进入容器查看
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
2/ # cd /etc/nginx/conf.d/
3/etc/nginx/conf.d # ls
4www.conf
5/etc/nginx/conf.d # cat www.conf
6server {
7 server_name myapp.white.com;
8 listen 80;
9 root /data/web/html/;
10}
11
12查看nginx加载的内容
13/etc/nginx/conf.d # nginx -T
14... ...
15# configuration file /etc/nginx/conf.d/www.conf:
16server {
17 server_name myapp.white.com;
18 listen 80;
19 root /data/web/html/;
20}
21
此时使用kubectl edit修改cm内的内容,容器内部会被修改,但是nginx 需要重载才能生效,如果需要这样配置,需要手动或配置脚本进行nginx -s reload。
Secret
Secret对象存储数据的方式是以键值方式存储数据,在Pod资源进行调用Secret的方式是通过环境变量或者存储卷的方式进行访问数据,解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者Pod Spec中。另外,Secret对象的数据存储和打印格式为Base64编码的字符串,因此用户在创建Secret对象时,也需要提供该类型的编码格式的数据。在容器中以环境变量或存储卷的方式访问时,会自动解码为明文格式。需要注意的是,如果是在Master节点上,Secret对象以非加密的格式存储在etcd中,所以需要对etcd的管理和权限进行严格控制。
Secret有4种类型:
- Service Account :用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount目录中;
- Opaque :base64编码格式的Secret,用来存储密码、密钥、信息、证书等,类型标识符为generic;
- kubernetes.io/dockerconfigjson :用来存储私有docker registry的认证信息,类型标识为docker-registry。
- kubernetes.io/tls:用于为SSL通信模式存储证书和私钥文件,命令式创建类型标识为tls。
创建 Secret
使用–from-literal
2
3
4
5
6
7
8
2secret/mysql-root-password created
3[root@master configmap]# kubectl get secret
4NAME TYPE DATA AGE
5default-token-dqd2f kubernetes.io/service-account-token 3 6d22h
6mysql-root-password Opaque 1 4s
7tomcat-ingress-secret kubernetes.io/tls 2 28h
8
查看
2
3
4
5
6
7
8
9
10
11
12
2Name: mysql-root-password
3Namespace: default
4Labels: <none>
5Annotations: <none>
6
7Type: Opaque
8
9Data
10====
11password: 9 bytes
12
查看可知只有9个字节,没有显示内容。可以转换成YAML格式文件查看Base64加密后的password
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
2Name: mysql-root-password
3Namespace: default
4Labels: <none>
5Annotations: <none>
6
7Type: Opaque
8
9Data
10====
11password: 9 bytes
12[root@master configmap]# kubectl get secret mysql-root-password -o yaml
13apiVersion: v1
14data:
15 password: TXlQQHNzMTIz
16kind: Secret
17metadata:
18 creationTimestamp: "2019-04-03T06:46:00Z"
19 name: mysql-root-password
20 namespace: default
21 resourceVersion: "226351"
22 selfLink: /api/v1/namespaces/default/secrets/mysql-root-password
23 uid: 247548a3-55dc-11e9-80a7-000c295ec349
24type: Opaque
25
解码
2
3
2MyP@ss123
3
使用–from-file
2
3
4
5
6
7
8
9
10
11
2[root@master configmap]# echo -n 123456 > ./password
3[root@master configmap]# kubectl create secret generic mysecret --from-file=./username --from-file=./password
4secret/mysecret created
5[root@master configmap]# kubectl get secret
6NAME TYPE DATA AGE
7default-token-dqd2f kubernetes.io/service-account-token 3 6d22h
8mysecret Opaque 2 4s
9mysql-root-password Opaque 1 6m6s
10tomcat-ingress-secret kubernetes.io/tls 2 28h
11
通过 –from-env-file
文件 env.txt 中每行 Key=Value 对应一个信息条目。
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
2apiVersion: v1
3kind: Pod
4metadata:
5 name: pod-secret-1
6 namespace: default
7 labels:
8 app: myapp
9 tier: frontend
10spec:
11 containers:
12 - name: myapp
13 image: ikubernetes/myapp:v1
14 ports:
15 - name: http
16 containerPort: 80
17 env:
18 - name: MYSQL_ROOT_PASSWORD
19 valueFrom:
20 secretKeyRef:
21 name: mysql-root-password
22 key: password
23
24
25[root@master configmap]# kubectl apply -f pod-secret-1.yaml
26pod/pod-secret-1 created
27
28
进入Pod查看
2
3
4
2/ # printenv|grep MYSQL_ROOT_PASSWORD
3MYSQL_ROOT_PASSWORD=MyP@ss123
4
在Pod内已经是转换后的密码,任何人都可以看到,不够安全。
使用挂在存储卷方式
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
2NAME TYPE DATA AGE
3default-token-dqd2f kubernetes.io/service-account-token 3 6d22h
4mysecret Opaque 2 11m
5mysql-root-password Opaque 1 17m
6tomcat-ingress-secret kubernetes.io/tls 2 28h
7
8[root@master configmap]# vim pod-secret-demo.yaml
9apiVersion: v1
10kind: Pod
11metadata:
12 name: pod-secret-vol
13spec:
14 containers:
15 - name: pod-secret-vol
16 image: busybox
17 args:
18 - /bin/sh
19 - -c
20 - sleep 10;touch /tmp/healthy;sleep 36000
21 volumeMounts:
22 - name: test
23 mountPath: "/etc/test"
24 readOnly: true
25 volumes:
26 - name: test
27 secret:
28 secretName: mysecret
29
30[root@master configmap]# kubectl apply -f pod-secret-demo.yaml
31pod/pod-secret-vol created
32
33[root@master configmap]# kubectl get pods
34NAME READY STATUS RESTARTS AGE
35myapp-backend-pod-6b56d98b6b-2dh5h 1/1 Running 0 30h
36myapp-backend-pod-6b56d98b6b-hwzws 1/1 Running 0 30h
37myapp-backend-pod-6b56d98b6b-ztwn2 1/1 Running 0 30h
38pod-hostpath-vol 1/1 Running 0 24h
39pod-pvc-vol 1/1 Running 0 21h
40pod-secret-1 1/1 Running 0 9m
41pod-secret-vol 1/1 Running 0 7s
42tomcat-deploy-5f554cd88d-7gzc7 1/1 Running 0 29h
43tomcat-deploy-5f554cd88d-c42t6 1/1 Running 0 29h
44tomcat-deploy-5f554cd88d-qhc4j 1/1 Running 0 29h
45
进入Pod查看
2
3
4
5
6
7
8
9
2/ # cd /etc/test/
3/etc/test # ls
4password username
5/etc/test # cat username
6admin
7/etc/test # cat password
8123456
9
可以看到,Kubernetes 会在指定的路径 /etc/test 下为每条敏感数据创建一个文件,文件名就是数据条目的 Key,这里是 /etc/test/username 和 /etc/test/password,Value 则以明文存放在文件中。
也可以自定义存放数据的文件名,比如将配置文件改为:
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
2apiVersion: v1
3kind: Pod
4metadata:
5 name: pod-secret-vol-1
6spec:
7 containers:
8 - name: pod-secret-vol-1
9 image: busybox
10 args:
11 - /bin/sh
12 - -c
13 - sleep 10;touch /tmp/healthy;sleep 36000
14 volumeMounts:
15 - name: test
16 mountPath: "/etc/test"
17 readOnly: true
18 volumes:
19 - name: test
20 secret:
21 secretName: mysecret
22 items:
23 - key: username
24 path: my-secret/my-username
25 - key: password
26 path: my-secret/my-password
27
28
29
这时数据将分别存放在 /etc/test/my-secret/my-username 和 /etc/test/my-secret/my-password 中。
2
3
4
5
6
7
8
9
10
11
12
2/ # cd /etc/test/
3/etc/test # ls
4my-secret
5/etc/test # cd my-secret/
6/etc/test/..2019_04_03_07_12_02.941048565/my-secret # ls
7my-password my-username
8/etc/test/..2019_04_03_07_12_02.941048565/my-secret # cat my-username
9admin
10/etc/test/..2019_04_03_07_12_02.941048565/my-secret # cat my-password
11123456
12
以 Volume 方式使用的 Secret 支持动态更新:Secret 更新后,容器中的数据也会更新。
将 password 更新为 abcdef,base64 编码为 YWJjZGVm
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
2apiVersion: v1
3kind: Secret
4metadata:
5 name: mysecret
6data:
7 username: YWRtaW4= #echo -n admin|base64
8 password: YWJjZGVm #echo -n abcdef|base64
9
10
11[root@master configmap]# kubectl exec -it pod-secret-vol-1 -- /bin/sh
12/etc # cd test/my-secret/
13/etc/test/..2019_04_03_07_18_09.073816450/my-secret # ls
14my-password my-username
15/etc/test/..2019_04_03_07_18_09.073816450/my-secret # cat my-password
16abcdef
17
通过 Volume 使用 Secret,容器必须从文件读取数据,会稍显麻烦,Kubernetes 还支持通过环境变量使用 Secret。
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
2apiVersion: v1
3kind: Pod
4metadata:
5 name: pod-secret-env
6spec:
7 containers:
8 - name: pod-secret-env
9 image: busybox
10 args:
11 - /bin/sh
12 - -c
13 - sleep 10;touch /tmp/healthy;sleep 36000
14 env:
15 - name: SECRET_USERNAME
16 valueFrom:
17 secretKeyRef:
18 name: mysecret
19 key: username
20 - name: SECRET_PASSWORD
21 valueFrom:
22 secretKeyRef:
23 name: mysecret
24 key: password
25
26
27[root@master configmap]# kubectl apply -f pod-secret-env-demo.yaml
28pod/pod-secret-env created
29
30[root@master configmap]# kubectl exec -it pod-secret-env sh
31/ # echo $SECRET_USERNAME
32admin
33/ # echo $SECRET_PASSWORD
34abcdef
35
总结:
通过环境变量 SECRET_USERNAME 和 SECRET_PASSWORD 成功读取到 Secret 的数据。
需要注意的是,环境变量读取 Secret 很方便,但不支持Secret 动态更新。
