（2022版）一套教程搞定k8s安装到实战 | Secret

视频来源：B站《（2022版）最新、最全、最详细的Kubernetes（K8s）教程，从K8s安装到实战一套搞定》

一边学习一边整理老师的课程内容及试验笔记，并与大家分享，侵权即删，谢谢支持！

附上汇总贴：（2022版）一套教程搞定k8s安装到实战 | 汇总_COCOgsta的博客-CSDN博客

Secret用来保存敏感信息的，比如密码、令牌或者key、Redis、MySQL密码。

Secret介绍地址：kubernetes.io/docs/concep…

$ * \ 特殊字符单引号无需转义

ImagePullSecret：Pod拉取私有镜像仓库时使用的账号密码，里面的帐号信息，会传递给kubelet，然后kubelet就可以拉去有密码的仓库里面的镜像。

创建一个docker registry的secret

[root@k8s-master-lb ~]# kubectl create secret docker-registry docker-secret2 --docker-server=hub.docker.com --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret/docker-secret2 created
复制代码

test-env-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  nodeName: k8s-node01
  imagePullSecrets:
    - name: docker-secret2
  containers:
    - name: test-container
      image: busybox:1.28
      imagePullPolicy: IfNotPresent
      command: [ "/bin/sh", "-c", "sleep 3600" ]
      volumeMounts:
      - name: config-volume
        mountPath: /mnt
      envFrom:
      - configMapRef:
          name: special-config
      env:
        # Define the environment variable
        # - name: SPECIAL_LEVEL_KEY
        #   valueFrom:
        #     configMapKeyRef:
        #       # The ConfigMap containing the value you want to assign to SPECIAL_LEVEL_KEY
        #       name: special-config
        #       # Specify the key associated with the value
        #       key: special.how
        - name: test
          value: test-value
        - name: mysqlHostAddress
          value: 10.10.10.10
        - name: mysqlPort
          value: "3306" # only string
  restartPolicy: Never
  volumes:
    - name: config-volume
      configMap:
        name: special-config
复制代码

subPath解决目录覆盖的问题

apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  nodeName: k8s-node01
  imagePullSecrets:
    - name: docker-secret2
  containers:
    - name: test-container
      image: busybox:1.28
      imagePullPolicy: IfNotPresent
      command: [ "/bin/sh", "-c", "sleep 3600" ]
      volumeMounts:
      - mountPath: /etc/nginx/nginx.conf
        name: config-volume
        subPath: etc/nginx/nginx.conf
      envFrom:
      - configMapRef:
          name: special-config
      env:
        # Define the environment variable
        # - name: SPECIAL_LEVEL_KEY
        #   valueFrom:
        #     configMapKeyRef:
        #       # The ConfigMap containing the value you want to assign to SPECIAL_LEVEL_KEY
        #       name: special-config
        #       # Specify the key associated with the value
        #       key: special.how
        - name: test
          value: test-value
        - name: mysqlHostAddress
          value: 10.10.10.10
        - name: mysqlPort
          value: "3306" # only string
  restartPolicy: Never
  volumes:
    - configMap:
        defaultMode: 420
        items:
        - key: nginx.conf
          path: etc/nginx/nginx.conf
        name: nginx-conf
      name: config-volume
复制代码

ConfigMap和Secret如果是以subPath的形式挂载的，那么Pod是不会感知到ConfigMap和Secret的更新的。

如果Pod的变量来自于ConfigMap和Secret中定义的内容，那么ConfigMap和Secret更新后，也不会更新Pod中的变量。

解决办法

apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  nodeName: k8s-node01
  imagePullSecrets:
    - name: docker-secret2
  containers:
    - name: test-container
      image: busybox:1.28
      imagePullPolicy: IfNotPresent
      command: [ "/bin/sh", "-c", "sleep 3600" ]
      volumeMounts:
      - mountPath: /etc/nginx/nginx.conf
        name: config-volume
        subPath: etc/nginx/nginx.conf
      - mountPath: /mnt/
        name: config-volume-non-subpath
      envFrom:
      - configMapRef:
          name: special-config
      env:
        # Define the environment variable
        # - name: SPECIAL_LEVEL_KEY
        #   valueFrom:
        #     configMapKeyRef:
        #       # The ConfigMap containing the value you want to assign to SPECIAL_LEVEL_KEY
        #       name: special-config
        #       # Specify the key associated with the value
        #       key: special.how
        - name: test
          value: test-value
        - name: mysqlHostAddress
          value: 10.10.10.10
        - name: mysqlPort
          value: "3306" # only string
  restartPolicy: Never
  volumes:
    - configMap:
        defaultMode: 420
        items:
        - key: nginx.conf
          path: etc/nginx/nginx.conf
        name: nginx-conf
      name: config-volume
    - configMap:
        defaultMode: 420
        name: nginx-conf
      name: config-volume-non-subpath
复制代码

postStart：容器启动之前执行的命令

preStop：容器停止之前执行的命令

热更新ConfigMap或Secret：

kubectl create cm nginx-conf --from-file=nginx.conf --dry-run -oyaml | kubectl replace -f-
复制代码

immutable：在ConfigMap和Secret的最后加上如下内容，则不再可以edit该ConfigMap或Secret