文章目录
- 一. Configmap
- 1、资源清单创建
- 创建 ConfigMap 的资源清单
- 1. 使用目录创建
- 2. 使用文件创建
- 3. 使用命令值创建
- 4、通过yaml文件创建
- 2、Pod 中使用 ConfigMap
- 1. 使用 ConfigMap 来替代环境变量
- 2. 使用 ConfigMap 设置命令行参数
- 3. 通过数据卷插件使用ConfigMap
- 4. ConfigMap 的热更新
- 二. Secret
- 1. Service Account(不常用)
- 2. Opaque Secret
- (1)创建 Opaque Secret
- (2)将 Secret 挂载到 Volume 中
- (3)将 Secret 导出到环境变量中
- 3. docker-registry Secret
- harbor镜像仓库
- pod直接下载镜像
- pod通过Secret下载镜像
一. Configmap
ConfigMap 功能在 Kubernetes1.2 版本中引入,许多应用程序会从配置文件、命令行参数或环境变量中读取配置信息。ConfigMap API 给我们提供了向容器中注入配置信息的机制,ConfigMap 可以被用来保存单个属性,也可以用来保存整个配置文件或者 JSON 二进制大对象
将配置信息放到configmap对象中,然后在pod的对象中导入configmap对象,实现导入配置的操作
1、资源清单创建
创建 ConfigMap 的资源清单
apiVersion: v1 # 版本,通过 kubectl explain cm 可以查看
kind: ConfigMap
metadata:
name: special-config # ConfigMap 的名字
namespace: default # 名称空间
data: # key: value 结构,配置数据
special.how: very
special.type: charm
kubectl apply -f comfigmap.yaml1. 使用目录创建
- 创建 /root/k8s/yaml/configmap/game.properties 文件:
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30- 创建 /root/k8s/yaml/configmap/ui.properties 文件
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice- 创建 configmap ,--from-file 指定在目录下的所有文件都会被用在 ConfigMap 里面创建一个键值对,键的名字就是文件名,值就是文件的内容
#这里指向目录
kubectl create configmap game-config --from-file=/root/k8s/yaml/configmap- 查看创建的 configmap(可简写为 cm):
$ kubectl get cm
NAME DATA AGE
game-config 2 6m40s
# 查看详细信息
kubectl get cm game-config -o yaml
kubectl describe cm game-config查看有哪些数据
[root@k8s-master storage]# kubectl get configmap -o yaml ##### 查看方式1
apiVersion: v1
items:
- apiVersion: v1
data:
game.properties: |+ ##### 本段最后有一行空格,+ 表示保留字符串行末尾的换行
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAs
secret.code.allowed=true
secret.code.lives=30
ui.properties: |
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice
kind: ConfigMap
metadata:
creationTimestamp: "2020-06-07T06:57:28Z"
name: game-config
namespace: default
resourceVersion: "889177"
selfLink: /api/v1/namespaces/default/configmaps/game-config
uid: 6952ac85-ded0-4c5e-89fd-b0c6f0546ecf
kind: List
metadata:
resourceVersion: ""
selfLink: ""
[root@k8s-master storage]#
[root@k8s-master storage]# kubectl describe configmap game-config ##### 查看方式2
Name: game-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
game.properties:
----
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAs
secret.code.allowed=true
secret.code.lives=30
ui.properties:
----
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice
Events: <none>2. 使用文件创建
通过 --from-file 参数只要指定为一个文件就可以从单个文件中创建 ConfigMap
–from-file 这个参数可以使用多次,你可以使用两次分别指定上个实例中的那两个配置文件,效果就跟指定整个目录是一样的
# cat /root/k8s_practice/storage/configmap/game.properties
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAs
secret.code.allowed=true
secret.code.lives=30
# kubectl create configmap game-config-2 --fromfile=game.properties
# kubectl get configmaps game-config-2 -o yaml3. 使用命令值创建
使用文字值创建,利用 --from-literal 参数传递配置信息,该参数可以使用多次,格式如下
[root@k8s-master storage]# pwd
/root/k8s_practice/storage
[root@k8s-master storage]# kubectl create configmap special-config --from-literal=special.how=very --from-literal="special.type=charm"
configmap/special-config created
[root@k8s-master storage]#
[root@k8s-master storage]# kubectl get configmap special-config
NAME DATA AGE
special-config 2 23s查看数据
查看
[root@k8s-master storage]# kubectl get configmap special-config -o yaml ##### 查看方式1
apiVersion: v1
data:
special.how: very
special.type: charm
kind: ConfigMap
metadata:
creationTimestamp: "2020-06-07T09:32:04Z"
name: special-config
namespace: default
resourceVersion: "912702"
selfLink: /api/v1/namespaces/default/configmaps/special-config
uid: 76698e78-1380-4826-b5ac-d9c81f746eac
[root@k8s-master storage]#
[root@k8s-master storage]# kubectl describe configmap special-config ##### 查看方式2
Name: special-config
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
special.how:
----
very
special.type:
----
charm
Events: <none>4、通过yaml文件创建
1、定义yaml
[root@k8s-master storage]# pwd
/root/k8s_practice/storage
[root@k8s-master storage]# cat configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: configmap-demo
data:
# 类属性键;每一个键都映射到一个简单的值
player_initial_lives: "3"
ui_properties_file_name: 'user-interface.properties'
#
# 类文件键
game.properties: |
enemy.types=aliens,monsters
player.maximum-lives=5
user-interface.properties: |
color.good=purple
color.bad=yellow
allow.textmode=true2、创建
[root@k8s-master storage]# kubectl apply -f configmap.yaml
configmap/configmap-demo created
[root@k8s-master storage]# kubectl get configmap configmap-demo
NAME DATA AGE
configmap-demo 4 2m59s3、查看数据
[root@k8s-master storage]# kubectl get configmap configmap-demo -o yaml ##### 查看方式1
apiVersion: v1
data:
game.properties: |
enemy.types=aliens,monsters
player.maximum-lives=5
player_initial_lives: "3"
ui_properties_file_name: user-interface.properties
user-interface.properties: |
color.good=purple
color.bad=yellow
allow.textmode=true
kind: ConfigMap
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"game.properties":"enemy.types=aliens,monsters\nplayer.maximum-lives=5\n","player_initial_lives":"3","ui_properties_file_name":"user-interface.properties","user-interface.properties":"color.good=purple\ncolor.bad=yellow\nallow.textmode=true\n"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"configmap-demo","namespace":"default"}}
creationTimestamp: "2020-06-07T11:36:46Z"
name: configmap-demo
namespace: default
resourceVersion: "931685"
selfLink: /api/v1/namespaces/default/configmaps/configmap-demo
uid: fdad7000-87bd-4b72-be98-40dd8fe6400a
[root@k8s-master storage]#
[root@k8s-master storage]#
[root@k8s-master storage]# kubectl describe configmap configmap-demo ##### 查看方式2
Name: configmap-demo
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","data":{"game.properties":"enemy.types=aliens,monsters\nplayer.maximum-lives=5\n","player_initial_lives":"3","ui_proper...
Data
====
game.properties:
----
enemy.types=aliens,monsters
player.maximum-lives=5
player_initial_lives:
----
3
ui_properties_file_name:
----
user-interface.properties
user-interface.properties:
----
color.good=purple
color.bad=yellow
allow.textmode=true
Events: <none>2、Pod 中使用 ConfigMap
1. 使用 ConfigMap 来替代环境变量
- 创建两个 ConfigMap(configmap.yaml):
apiVersion: v1
kind: ConfigMap
metadata:
name: special-config
namespace: default
data:
special.how: very
special.type: charm
---
apiVersion: v1
kind: ConfigMap
metadata:
name: env-config
namespace: default
data:
log_level: INFO- 创建pod
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
s:
- name: test-container
image: wangyanglinux/myapp:v1
command: [ "/bin/sh", "-c", "env" ] # 打印 env
##引用方式---------------1
env: # 从 ConfigMap 中选择读取的键,并起个别名
- name: SPECIAL_LEVEL_KEY # 键别名,在这值应该是 very
valueFrom:
configMapKeyRef:
name: special-config # ComfigMap 的名称
key: special.how # 指定 ConfigMap 中的键名
- name: SPECIAL_TYPE_KEY # 键别名,在这值应该是 charm
valueFrom:
configMapKeyRef:
name: special-config # ComfigMap 的名称
key: special.type # 上句指定 ConfigMap 中的键名
### 引用方式--------------2
envFrom: # 直接从 ConfigMap 中读取全部配置
- configMapRef:
name: env-config # ComfigMap 的名称
restartPolicy: Never- 查看日志,可以看到 ConfigMap 中的配置已经注入到了容器中
2. 使用 ConfigMap 设置命令行参数
- 创建 ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
name: special-config
namespace: default
data:
special.how: very
special.type: charm- 创建pod
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
s:
- name: test-container
image: wangyanglinux/myapp:v1
command: [ "/bin/sh", "-c", "echo $(SPECIAL_LEVEL_KEY) $(SPECIAL_TYPE_KEY)" ] #可以调整启动Pod时的命令
env: # 从 ConfigMap 中选择读取的键,并起个别名
- name: SPECIAL_LEVEL_KEY # 键别名,在这值应该是 very
valueFrom:
configMapKeyRef:
name: special-config # ComfigMap 的名称
key: special.how # 上句指定 ConfigMap 中的键名
- name: SPECIAL_TYPE_KEY # 键别名,在这值应该是 charm
valueFrom:
configMapKeyRef:
name: special-config # ComfigMap 的名称
key: special.type
restartPolicy: Never- 查看日志
$ kubectl logs dapi-test-pod
very charm3. 通过数据卷插件使用ConfigMap
通过 Volume 方式挂载,ConfigMap 中的键名就是 文件名,键值就是 文件内容
创建 ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
name: special-config
namespace: default
data:
special.how: very
special.type: charm创建pod
apiVersion: v1
kind: Pod
metadata:
name: dapi-test-pod
spec:
s:
- name: test-container
image: wangyanglinux/myapp:v1
command: ["/bin/sh", "-c", "cat /etc/config/special.how"] # 打印挂载目录下的文件内容
volumeMounts: # volume 挂载
- name: config-volume # 挂载下面指定的 volume
mountPath: /etc/config # 挂载到的目录(容器内路径,该目录下,文件名就里键名,文件内容就是键值)
volumes:
- name: config-volume # volume 名称
configMap: # 来自 ConfigMap
name: special-config # ConfigMap 名字
restartPolicy: Never看日志
$ kubectl logs dapi-test-pod
very进入pod查看
[root@k8s-master storage]# kubectl exec -it pod-configmap-volume sh
/ # ls /etc/config
game.properties player_initial_lives ui_properties_file_name user-interface.properties
/ # cat /etc/config/player_initial_lives
/ # cat /etc/config/ui_properties_file_name
user-interface.properties/ #
/ # cat /etc/config/game.properties
enemy.types=aliens,monsters
player.maximum-lives=5
/ # cat /etc/config/user-interface.properties
color.good=purple
color.bad=yellow
allow.textmode=true4. ConfigMap 的热更新
创建一个 ConfigMap 和 Deployment:
apiVersion: v1
kind: ConfigMap
metadata:
name: log-config
namespace: default
data:
log_level: INFO
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: my-nginx
spec:
replicas: 1
template:
metadata:
labels:
run: my-nginx
spec:
s:
- name: my-nginx
image: wangyanglinux/myapp:v1
ports:
-Port: 80
volumeMounts: # 这块儿不懂看上一节《通过数据卷插件使用ConfigMap》
- name: config-volume
mountPath: /etc/config # 容器内这个目录下会有 log_level 这个文件,内容为 INFO
volumes:
- name: config-volume
configMap:
name: log-config查看 /etc/config/log_level 文件的内容
$ kubectl exec my-nginx-c484b98b4-sbls9 -it -- cat /etc/config/log_level
INFO热更新 修改 ConfigMap
kubectl edit configmap log-config
再次查看 /etc/config/log_level 文件的内容,可以看到,Pod 中的配置也改了
稍后10秒左右,再次查看pod中的ConfigMap信息
$ kubectl exec my-nginx-c484b98b4-sbls9 -it -- cat /etc/config/log_level
DEBUG注意:更新 ConfigMap 后: 使用该 ConfigMap 挂载的 Env 不会同步更新 使用该 ConfigMap 挂载的 Volume 中的数据需要一段时间(实测大概10秒)才能同步更新
让 Pod 滚动更新 ConfigMap 更新后,并不会让相应的文件重载。例如,Nginx 在启动时,会加载一次配置文件(配置文件中有 ConfigMap 的相关参数),加载完成后,无论这个配置文件再怎么变化,Nginx 都不会再加载它。因此需要 ConfigMap 更新后滚动更新 Pod。
- 可以通过修改 pod annotations 的方式强制触发滚动更新
- 这里我们在 .spec.template.metadata.annotations 中添加 version/config ,每次通过修改 version/config 的时间来触发滚动更新
kubectl patch deployment my-nginx --patch \
'{"spec": {"template": {"metadata": {"annotations":{"version/config": "20211110" }}}}}'二. Secret
参考
Secret 解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者 Pod Spec 中。Secret 可以以 Volume 或者环境变量的方式使用
用户可以创建 secret,同时系统也创建了一些 secret。
Secret 有三种类型:
- Service Account:用来访问 Kubernetes API,由 Kubernetes 自动创建,并且会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中
- Opaque:base64 编码格式的 Secret,用来存储密码、密钥等。加密程度不高
- kubernetes.io/dockerconfigjson:用来存储私有 docker registry 的认证信息
要使用 secret,pod 需要引用 secret。Pod 可以用两种方式使用 secret:
- 作为 volume 中的文件被挂载到 pod 中的一个或者多个容器里,
- 当 kubelet 为 pod 拉取镜像时使用。
1. Service Account(不常用)
Service Account 用来访问 Kubernetes API,由 Kubernetes 自动创建,并且会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中
# 1. 随便找一个需要访问 Kubernetes API 的 Pod
$ kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
kube-proxy-2pqkk 1/1 Running 6 40d
# 2. 查看该 Pod 中 /run/secrets/kubernetes.io/serviceaccount 目录下的文件
$ kubectl exec kube-proxy-2pqkk -n kube-system -it -- ls /run/secrets/kubernetes.io/serviceaccount
ca.crt:访问 API Service 时的证书
namespace:名称空间
token:认证的密钥信息2. Opaque Secret
Opaque 类型的数据是一个 map 类型,要求 value 是 base64 编码格式:
(1)创建 Opaque Secret
- 给用户名和密码用 base64 加密
[root@k8s-master ~]# echo -n 'admin' | base64
YWRtaW4=
[root@k8s-master ~]# echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rmbase64编码
$ echo -n YWRtaW4= | base64 -d
admin- 使用加密后的用户名和密码创建 Secret
[root@k8s-master secret]# pwd
/root/k8s_practice/secret
[root@k8s-master secret]# cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4=
password: MWYyZDFlMmU2N2Rm
或者通过如下命令行创建【secret名称故意设置不一样,以方便查看对比】,生成secret后会自动加密,而非明文存储。
kubectl create secret generic db-user-pass --from-literal=username=admin --from-literal=password=1f2d1e2e67df- 查看Secretdefault-token-xxxxx:k8s 默认会在每个名称空间下都创建一个,用于 Pod 的挂载
[root@k8s-master secret]# kubectl apply -f secret.yaml
secret/mysecret created
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get secret ### 查看默认名称空间的secret简要信息
NAME TYPE DATA AGE
basic-auth Opaque 1 2d12h
default-token-v48g4 kubernetes.io/service-account-token 3 27d
mysecret Opaque 2 23s ### 可见已创建
tls-secret kubernetes.io/tls 2 3d2h
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get secret mysecret -o yaml ### 查看mysecret详细信息
apiVersion: v1
data:
password: MWYyZDFlMmU2N2Rm
username: YWRtaW4=
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"password":"MWYyZDFlMmU2N2Rm","username":"YWRtaW4="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"type":"Opaque"}
creationTimestamp: "2020-06-08T14:08:59Z"
name: mysecret
namespace: default
resourceVersion: "987419"
selfLink: /api/v1/namespaces/default/secrets/mysecret
uid: 27b58929-71c4-495b-99a5-0d411910a529
type: Opaque
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl describe secret mysecret ### 查看描述信息
Name: mysecret
Namespace: default
Labels: <none>
Annotations:
Type: Opaque
Data
====
password: 12 bytes
username: 5 bytes(2)将 Secret 挂载到 Volume 中
创建 Pod
apiVersion: v1
kind: Pod
metadata:
labels:
name: secret-test
name: secret-test
spec:
volumes: # 创建一个卷
- name: secrets # 卷名
secret: # 卷使用的方案
secretName: mysecret # 来自于上一节创建的 mysecret
s:
- image: wangyanglinux/myapp:v1
name: db
volumeMounts: # 卷挂载
- name: secrets # 挂载的是上面声明的 secrets
mountPath: "/etc/secrets" # 挂载的目录(容器内目录)
readOnly: true # 只读查看
# Opaque Secret 中的用户名和密码都已经挂载进来了
$ kubectl exec secret-test -it -- ls /etc/secrets
password username
# 查看内容,发现内容已经自动被解密
$ kubectl exec secret-test -it -- cat /etc/secrets/password
123
$ kubectl exec secret-test -it -- cat /etc/secrets/username
admin(3)将 Secret 导出到环境变量中
创建 Deployment
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: pod-deployment
spec:
replicas: 2
template:
metadata:
labels:
app: pod-deployment
spec:
s:
- name: pod-1
image: wangyanglinux/myapp:v1
ports:
-Port: 80
env:
- name: TEST_USER # 环境变量名
valueFrom:
secretKeyRef: # 从 Secret 中获取
name: mysecret # Secret 的名字
key: username # Secret 中的键名
- name: TEST_PASSWORD # 环境变量名
valueFrom:
secretKeyRef: # 从 Secret 中获取
name: mysecret # Secret 的名字
key: password # Secret 中的键名(相比 configmap,Secret 在这儿不需要使用明文,稍微安全一点)查看环境变量
# 进入容器
$ kubectl exec pod-deployment-747f78bc67-2w9wk -it -- /bin/sh
# 查看环境变量
$ echo $TEST_USER
admin
$ echo $TEST_PASSWORD
1233. docker-registry Secret
harbor镜像仓库
harbor配置文件
[root@k8s-master harbor]# pwd
/root/App/harbor
[root@k8s-master harbor]# vim harbor.yml
# Configuration file of Harbor
hostname: 172.16.1.110
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 5000
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /etc/harbor/cert/httpd.crt
private_key: /etc/harbor/cert/httpd.key
harbor_admin_password: Harbor12345启动harbor后客户端http设置 集群所有机器都要操作
[root@k8s-master ~]# vim /etc/docker/daemon.json
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"insecure-registries": ["172.16.1.110:5000"]
}
[root@k8s-master ~]#
[root@k8s-master ~]# systemctl restart docker # 重启docker服务添加了 “insecure-registries”: [“172.16.1.110:5000”] 这行,其中172.16.1.110为内网IP地址。该文件必须符合 json 规范,否则 Docker 将不能启动。
如果在Harbor所在的机器重启了docker服务,记得要重新启动Harbor。
创建「私有」仓库
上传镜像
docker pull registry.cn-beijing.aliyuncs.com/google_registry/myapp:v1
docker tag registry.cn-beijing.aliyuncs.com/google_registry/myapp:v1 172.16.1.110:5000/k8s-secret/myapp:v1
# 登录
docker login 172.16.1.110:5000 -u admin -p Harbor12345
# 上传
docker push 172.16.1.110:5000/k8s-secret/myapp:v1
退出登录 之后在操作机上退出harbor登录,便于后面演示
### 退出harbor登录
[root@k8s-node02 ~]# docker logout 172.16.1.110:5000
Removing login credentials for 172.16.1.110:5000
### 拉取失败,需要先登录。表明完成准备工作
[root@k8s-master secret]# docker pull 172.16.1.110:5000/k8s-secret/myapp:v1
Error response from daemon: pull access denied for 172.16.1.110:5000/k8s-secret/myapp, repository does not exist or may require 'docker login': denied: requested access to the resource is deniedpod直接下载镜像
在yaml文件中指定image后,直接启动pod
[root@k8s-master secret]# pwd
/root/k8s_practice/secret
[root@k8s-master secret]# cat pod_secret_registry.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-secret-registry
spec:
s:
- name: myapp
image: 172.16.1.110:5000/k8s-secret/myapp:v1启动pod并查看状态
[root@k8s-master secret]# kubectl apply -f pod_secret_registry.yaml
pod/pod-secret-registry created
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get pod -o wide ### 可见镜像下载失败
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod-secret-registry 0/1 ImagePullBackOff 0 7s 10.244.2.161 k8s-node02 <none> <none>
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl describe pod pod-secret-registry ### 查看pod详情
Name: pod-secret-registry
Namespace: default
Priority: 0
Node: k8s-node02/172.16.1.112
Start Time: Mon, 08 Jun 2020 23:59:07 +0800
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"pod-secret-registry","namespace":"default"},"spec":{"containers":[{"i...
Status: Pending
IP: 10.244.2.161
IPs:
IP: 10.244.2.161
Containers:
myapp:
Container ID:
Image: 172.16.1.110:5000/k8s-secret/myapp:v1
Image ID:
………………
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 23s default-scheduler Successfully assigned default/pod-secret-registry to k8s-node02
Normal BackOff 19s (x2 over 20s) kubelet, k8s-node02 Back-off pulling image "172.16.1.110:5000/k8s-secret/myapp:v1"
Warning Failed 19s (x2 over 20s) kubelet, k8s-node02 Error: ImagePullBackOff
Normal Pulling 9s (x2 over 21s) kubelet, k8s-node02 Pulling image "172.16.1.110:5000/k8s-secret/myapp:v1"
Warning Failed 9s (x2 over 21s) kubelet, k8s-node02 Failed to pull image "172.16.1.110:5000/k8s-secret/myapp:v1": rpc error: code = Unknown desc = Error response from daemon: pull access denied for 172.16.1.110:5000/k8s-secret/myapp, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Warning Failed 9s (x2 over 21s) kubelet, k8s-node02 Error: ErrImagePull
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl delete -f pod_secret_registry.yaml可见拉取私有镜像失败。
pod通过Secret下载镜像
通过命令行创建Secret,并查看其描述信息
# kubectl create secret docker-registry \ # 创建 Secret 的类型
# myregistrykey \ # Secret 的名称
# --docker-server=hub.zyx.com \ # docker server 的地址
# --docker-username=admin \ # docker 用户名
# --docker-password=Harbor12345 \ # docker 密码
# --docker-email=aa@qq.com # docker 邮箱[root@k8s-master secret]# kubectl create secret docker-registry myregistrysecret --docker-server='172.16.1.110:5000' --docker-username='admin' --docker-password='Harbor12345'
secret/myregistrysecret created
kubectl create secret docker-registry \
myregistrykey \
--docker-server='172.16.1.110:5000' \
--docker-username='admin' \
--docker-password='Harbor12345'
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get secret
NAME TYPE DATA AGE
basic-auth Opaque 1 2d14h
default-token-v48g4 kubernetes.io/service-account-token 3 27d
myregistrysecret kubernetes.io/dockerconfigjson 1 8s # 刚刚创建的
mysecret Opaque 2 118m
tls-secret kubernetes.io/tls 2 3d4h
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get secret myregistrysecret -o yaml ### 查看详细信息
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyIxMC4wLjAuMTEwOjUwMDAiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiSGFyYm9yMTIzNDUiLCJhdXRoIjoiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9In19fQ==
kind: Secret
metadata:
creationTimestamp: "2020-06-08T16:07:32Z"
name: myregistrysecret
namespace: default
resourceVersion: "1004582"
selfLink: /api/v1/namespaces/default/secrets/myregistrysecret
uid: b95f4386-64bc-4ba3-b43a-08afb1c1eb9d
type: kubernetes.io/dockerconfigjson
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl describe secret myregistrysecret ### 查看描述信息
Name: myregistrysecret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 109 bytes修改之前的yaml文件 在创建 Pod 的时候,通过 imagePullSecrets 来引用刚创建的 myregistrykey,来拉取私有仓库的镜像
[root@k8s-master secret]# cat pod_secret_registry.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-secret-registry
spec:
s:
- name: myapp
image: 172.16.1.110:5000/k8s-secret/myapp:v1
imagePullSecrets: # 当去私有仓库拉取时的认证信息
- name: myregistrysecret # 认证信息,上一步创建的 docker registry启动pod并查看状态
[root@k8s-master secret]# kubectl apply -f pod_secret_registry.yaml
pod/pod-secret-registry created
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod-secret-registry 1/1 Running 0 8s 10.244.2.162 k8s-node02 <none> <none>
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl describe pod pod-secret-registry
Name: pod-secret-registry
Namespace: default
Priority: 0
Node: k8s-node02/172.16.1.112
Start Time: Tue, 09 Jun 2020 00:22:40 +0800
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"pod-secret-registry","namespace":"default"},"spec":{"containers":[{"i...
Status: Running
IP: 10.244.2.162
IPs:
IP: 10.244.2.162
Containers:
myapp:
Container ID: docker://ef4d42f1f1616a44c2a6c0a5a71333b27f46dfe76eb392962813a28d69150c00
Image: 172.16.1.110:5000/k8s-secret/myapp:v1
Image ID: docker-pullable://172.16.1.110:5000/k8s-secret/myapp@sha256:9eeca44ba2d410e54fccc54cbe9c021802aa8b9836a0bcf3d3229354e4c8870e
Port: <none>
Host Port: <none>
State: Running
Started: Tue, 09 Jun 2020 00:22:41 +0800
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-v48g4 (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
default-token-v48g4:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-v48g4
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 22s default-scheduler Successfully assigned default/pod-secret-registry to k8s-node02
Normal Pulling 22s kubelet, k8s-node02 Pulling image "172.16.1.110:5000/k8s-secret/myapp:v1"
Normal Pulled 22s kubelet, k8s-node02 Successfully pulled image "172.16.1.110:5000/k8s-secret/myapp:v1"
Normal Created 22s kubelet, k8s-node02 Created myapp
Normal Started 21s kubelet, k8s-node02 Started myapp由上可见,通过secret认证后pod拉取私有镜像是可以的。