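This article explains how to verify Secrets and ConfigMaps in Kubernetes. The explanation is simple and clear, and easy to learn and follow; work through it step by step to study how to verify Secrets and ConfigMaps in Kubernetes.
Deploy nginx on k8s with a Deployment and a Service, store the SSL certificate in a Secret and the nginx configuration file in a ConfigMap, and so set up a simple HTTPS service.
1. Create a Deployment my-nginx with two pods
Edit the deployment file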
vi dep-nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  selector:
    matchLabels:
      run: my-nginx
  replicas: 2
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx
        ports:
        - containerPort: 80
Deploy the pods:
kubectl apply -f dep-nginx.yaml
kubectl get pods -l run=my-nginx -o wide
# Check the Pod IP addresses
kubectl get pods -l run=my-nginx -o yaml | grep podIP
2. Create a Service for my-nginx
vi nginx-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  labels:
    run: my-nginx
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    run: my-nginx
kubectl apply -f nginx-svc.yaml
kubectl get svc my-nginx
kubectl get ep my-nginx
3. Verify pod self-healing
Delete the pods in the deployment
kubectl delete pods -l run=my-nginx
The deleted pods are recreated; check what has changed in the recreated pods
kubectl exec my-nginx-3800858182-e9ihh -- printenv | grep SERVICE
DNS for the Service
kubectl get services kube-dns --namespace=kube-system
kubectl run curl --image=radial/busyboxplus:curl -i --tty
busybox as a substitute for the nslookup tool
https://github.com/cncf/curriculum
nslookup my-nginx
4. Add an SSL certificate to the new nginx by creating a Secret
1) Self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /d/tmp/nginx.key -out /d/tmp/nginx.crt -subj "/CN=my-nginx/O=my-nginx"
Encode
echo -n "string"| base64
cat dockerconfig.json |base64 -w 0
Decode
echo "string" | base64 --decode
cat nginx.key |base64 -w 0
cat nginx.crt |base64 -w 0
2) Edit the secret file
vi nginxsecrets.yaml
apiVersion: "v1"
kind: "Secret"
metadata:
  name: "nginxsecret"
  namespace: "default"
data:
  nginx.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURIekNDQWdlZ0F3SUJBZ0lKQUp5M3lQK0pzMlpJT"
  nginx.key: "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ"
3) Deploy the secret
kubectl apply -f nginxsecrets.yaml
4) View the new secret
kubectl get secrets
5) Edit the corresponding deployment and service configuration file
vi nginx-https.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-https
  labels:
    run: nginx-https
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: http
  - port: 443          # newly added port 443
    protocol: TCP
    name: https
  selector:
    run: nginx-https
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-https
spec:
  selector:
    matchLabels:
      run: nginx-https
  replicas: 1
  template:
    metadata:
      labels:
        run: nginx-https
    spec:
      volumes:
      - name: secret-volume
        secret:
          secretName: nginxsecret   # must match the name of the Secret created above
      containers:
      - name: nginxhttps
        image: nginx
        ports:
        - containerPort: 443
        - containerPort: 80
        volumeMounts:
        - mountPath: /etc/nginx/ssl   # set the mount point for the files
          name: secret-volume
Deploy the deployment and service
kubectl apply -f nginx-https.yaml
6) Log in to the pod and configure SSL. The Secret only adds the SSL certificate; the configuration file still has to be modified
kubectl exec -it nginx-https-6575cc58f5-7p28z -- /bin/bash
sed -i 'N;2a\ listen 443 ssl;' /etc/nginx/conf.d/default.conf
sed -i 'N;4a\ ssl_certificate /etc/nginx/ssl/nginx.crt;' /etc/nginx/conf.d/default.conf
sed -i 'N;6a\ ssl_certificate_key /etc/nginx/ssl/nginx.key;' /etc/nginx/conf.d/default.conf
nginx -s reload
7) Verify
Get the pod IP
kubectl get pods -o yaml | grep -i podip
curl -k https://10.244.3.5
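-k: because the certificate is not trusted, this option lets curl use an SSL connection without verifying the certificate and still transfer data
To look up the trusted certificate authorities in a browser: browser Settings -- Privacy and security -- Certificate management
Path on Linux: /etc/ssl/certs
Get the service IP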
kubectl get svc | grep nginx-https | awk '{print $3}'
Access test:
curl -k https://10.1.71.99
Get the service's endpoints
kubectl get ep nginx-https
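The `data` values of `nginxsecret` are only base64-encoded, and the `curl -k` test in step 7) accepts any certificate, so neither step confirms that `nginx.crt` and `nginx.key` form a usable pair. The following is an added example, not part of the original article, that checks the two values before they are deployed; the function names `make_pair`, `check_tls_secret` and `demo` are hypothetical, and GNU `base64` and `openssl` are assumed.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Assumes GNU base64 and openssl.
# In a cluster the two inputs would come from (read access to the Secret needed):
#   kubectl get secret nginxsecret -o jsonpath='{.data.nginx\.crt}'
#   kubectl get secret nginxsecret -o jsonpath='{.data.nginx\.key}'

# make_pair DIR CN: the self-signed pair from step 4 1), written into DIR.
make_pair() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$1/nginx.key" -out "$1/nginx.crt" -subj "/CN=$2/O=$2" 2>/dev/null
}

# check_tls_secret CRT_B64 KEY_B64
# Returns 0 = usable pair, 1 = a value does not decode to a parseable
# certificate/key, 2 = key does not belong to the certificate, 3 = expired.
check_tls_secret() {
  local crt_pem key_pem crt_pub key_pub
  # Secret data is only base64-encoded: decoding needs no key or passphrase.
  crt_pem=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  key_pem=$(printf '%s' "$2" | base64 -d 2>/dev/null) || return 1
  # Extract the public key from each side; a parse failure means bad PEM.
  crt_pub=$(printf '%s\n' "$crt_pem" | openssl x509 -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(printf '%s\n' "$key_pem" | openssl pkey -pubout 2>/dev/null) || return 1
  # nginx refuses to start when the key does not match the certificate.
  [ "$crt_pub" = "$key_pub" ] || return 2
  # -checkend 0 fails when notAfter is already in the past.
  printf '%s\n' "$crt_pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 || return 3
  return 0
}

# demo: constructed inputs (two throwaway pairs generated on the spot).
demo() {
  local tmp crt key other rc
  tmp=$(mktemp -d) && mkdir "$tmp/a" "$tmp/b" || return 1
  make_pair "$tmp/a" my-nginx && make_pair "$tmp/b" other || return 1
  crt=$(base64 -w 0 < "$tmp/a/nginx.crt")
  key=$(base64 -w 0 < "$tmp/a/nginx.key")
  other=$(base64 -w 0 < "$tmp/b/nginx.key")
  rm -rf "$tmp"
  rc=0; check_tls_secret "$crt" "$key" || rc=$?;          echo "matching pair: $rc"
  rc=0; check_tls_secret "$crt" "$other" || rc=$?;        echo "foreign key:   $rc"
  rc=0; check_tls_secret "${crt%????}x" "$key" || rc=$?;  echo "damaged value: $rc"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see the three cases; the shortened `nginx.crt` value shown in `nginxsecrets.yaml` above fails the first check because it is not a complete base64 string.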
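5. Entering the container to edit the configuration, as done above, is not nice. It does not need to be done by hand: use a ConfigMap to pass the nginx configuration into the container, in the same way the Secret is used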
vi https-nginx-configmap.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: https-nginx
spec:
  selector:
    matchLabels:
      run: https-nginx
  replicas: 2
  template:
    metadata:
      labels:
        run: https-nginx
    spec:
      volumes:
      - name: secret-volume
        secret:
          secretName: nginxsecret
      - name: config-volume
        configMap:
          name: nginx-config
      containers:
      - name: https-nginx
        image: nginx
        ports:
        - containerPort: 80
        - containerPort: 443
        volumeMounts:
        - mountPath: /etc/nginx/ssl
          name: secret-volume
        - mountPath: /etc/nginx/conf.d
          name: config-volume
---
apiVersion: v1
kind: Service
metadata:
  name: https-nginx
  labels:
    run: https-nginx
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: http
  - port: 443
    targetPort: 443
    protocol: TCP
    name: https
  selector:
    run: https-nginx
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  nginx.conf: |
    server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
kubectl apply -f https-nginx-configmap.yaml
kubectl get deployments
kubectl get svc
kubectl get cm