五、配置与密钥管理
5.1 ConfigMap —— 非敏感配置
# Create a ConfigMap from literal key/value pairs
kubectl create configmap app-config --from-literal=db.host=mysql-service --from-literal=db.port=3306
# Create a ConfigMap from one file (the file name becomes the key)
kubectl create configmap app-config --from-file=./config/application.yml
# Create a ConfigMap from a directory (one key per file)
# All three commands use the same name, so only the first succeeds in a given
# namespace; the others are alternatives, not steps to run in sequence.
kubectl create configmap app-config --from-file=./config/
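# ConfigMap manifest example
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  # Scalar keys consumed via configMapKeyRef / envFrom by the Pod below.
  # db.host / db.port were only created by the kubectl --from-literal example
  # and were missing here, so the Pod's configMapKeyRef to db.host would fail.
  # ConfigMap values must be strings: quote "3306" so the YAML parser does not
  # turn it into an integer, which the API server rejects.
  db.host: mysql-service
  db.port: "3306"
  log.level: INFO
  # A whole file stored under one key; the Pod mounts it as /app/config/application.yml.
  application.yml: |
    server:
      port: 8080
    spring:
      datasource:
        url: jdbc:mysql://mysql-service:3306/app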
---
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  volumes:
    # Backing volume for the mounted ConfigMap: every key becomes a file.
    - name: config
      configMap:
        name: app-config
  containers:
    - name: myapp
      image: myapp:v1
      # 1. One key -> one environment variable
      env:
        - name: DB_HOST
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: db.host
      # 2. Every key -> one environment variable each
      # (keys that are not valid env-var names, e.g. ones containing ".", are not injected)
      envFrom:
        - configMapRef:
            name: app-config
      # 3. Mount the ConfigMap as files under /app/config
      volumeMounts:
        - name: config
          mountPath: /app/config
5.2 Secret —— 敏感信息
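# Create a generic Secret (values are stored base64-encoded, not encrypted).
# A password passed with --from-literal ends up in shell history and in process
# listings; for real credentials read it from a file with restricted permissions
# instead, e.g. --from-file=password=<path-to-password-file>
kubectl create secret generic db-secret \
  --from-literal=username=admin \
  --from-literal=password=SecurePass123
# TLS Secret from certificate and key files
kubectl create secret tls myapp-tls \
  --cert=path/to/cert.pem \
  --key=path/to/key.pem
# Inspect a Secret; the data fields are base64-encoded
kubectl get secret db-secret -o yaml
# Decode one field directly from the live object instead of a pasted string
kubectl get secret db-secret -o jsonpath='{.data.username}' | base64 -d   # prints: admin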
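apiVersion: v1
kind: Secret
metadata:
  name: db-secret
# Other built-in types include kubernetes.io/tls and kubernetes.io/dockerconfigjson
# (the latter is what `kubectl create secret docker-registry` produces)
type: Opaque
data:
  # base64 is an encoding, not encryption: anyone with read access to the Secret
  # can decode these values. Limit read access with RBAC and enable encryption at rest.
  username: YWRtaW4=  # base64('admin')
  # The original value U2VjdXJlUGFzcw== decodes to 'SecurePass', not the
  # 'SecurePass123' its comment claimed; this matches the kubectl example above.
  password: U2VjdXJlUGFzczEyMw==  # base64('SecurePass123')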
---
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
    - name: myapp
      image: myapp:v1
      # Secret keys exposed as environment variables. Environment variables are
      # readable by anything that can inspect the process environment (for
      # example via `kubectl exec` or a crash dump); mounting the Secret as a
      # file volume is the alternative when that matters.
      env:
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              key: username
              name: db-secret
        - name: DB_PASS
          valueFrom:
            secretKeyRef:
              key: password
              name: db-secret
六、可观测性建设
6.1 监控体系(Prometheus + Grafana)
# ServiceMonitor (Prometheus Operator CRD)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: myapp-monitor
spec:
  # Scrape every endpoint of Services labelled app=myapp.
  # `port` refers to the *named* port on the Service, not a container port number.
  endpoints:
    - interval: 30s
      scrapeTimeout: 10s
      port: metrics
      path: /actuator/prometheus
  selector:
    matchLabels:
      app: myapp
6.2 日志收集(EFK/Loki)
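# Promtail configuration (run as a DaemonSet) shipping pod logs to Loki
apiVersion: v1
kind: ConfigMap
metadata:
  name: promtail-config
data:
  promtail.yaml: |
    # Where to push logs. The original example omitted this section, leaving
    # promtail with no destination; replace the placeholder host.
    clients:
      - url: http://<LOKI_HOST>:3100/loki/api/v1/push
    scrape_configs:
      - job_name: kubernetes-pods
        kubernetes_sd_configs:
          - role: pod
        pipeline_stages:
          # Log-format parsers; typically only the one matching the node's
          # container runtime is needed.
          - docker: {}
          - cri: {}
          - match:
              selector: '{namespace="production"}'
              stages:
                # Placeholder: a regex with no named capture groups extracts nothing.
                - regex:
                    expression: '.*'
        # Turn pod metadata into Loki labels.
        relabel_configs:
          - source_labels:
              - __meta_kubernetes_pod_label_app
            target_label: app
          - source_labels:
              - __meta_kubernetes_pod_namespace
            target_label: namespace
          - source_labels:
              - __meta_kubernetes_pod_node_name
            target_label: node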
6.3 分布式追踪(Jaeger集成)
// 应用代码中添加追踪
import io.opentelemetry.api.trace.Span;
import io.opentelemetry.api.trace.StatusCode;
import io.opentelemetry.api.trace.Tracer;
import io.opentelemetry.context.Scope;
@RestController
public class OrderController {
    @Autowired
    private Tracer tracer;

    // NOTE(review): orderService is used below but never declared in this
    // listing — confirm it is injected in the real class.

    /**
     * Looks up an order by id inside a manual span named "getOrder".
     *
     * @param id order id taken from the request path; recorded on the span as order.id
     * @return the order returned by the service
     */
    @GetMapping("/api/order/{id}")
    public Order getOrder(@PathVariable String id) {
        Span span = tracer.spanBuilder("getOrder")
                .setAttribute("order.id", id)
                .startSpan();
        Order result;
        // makeCurrent() keeps the span active on this thread until the try block
        // exits, so nested instrumentation is parented to it.
        try (Scope ignored = span.makeCurrent()) {
            result = orderService.findById(id);
            span.setStatus(StatusCode.OK);
        } catch (Exception e) {
            // The message becomes the span status description and is exported to
            // the trace backend; recordException captures the same message plus
            // the stack trace, so both end up in the trace.
            span.setStatus(StatusCode.ERROR, e.getMessage());
            span.recordException(e);
            throw e;
        } finally {
            span.end();
        }
        return result;
    }
}
6.4 常用kubectl命令速查
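# Basic operations
kubectl get pods -A                                   # pods in every namespace
kubectl describe pod <pod-name>                       # pod details and events
kubectl logs <pod-name> -c <container> -f             # follow one container's log
kubectl exec -it <pod-name> -- /bin/sh                # shell into the container
kubectl port-forward pod/<pod-name> 8080:80           # local port 8080 -> pod port 80
# Debugging
# Pin the debug image to a tag or digest rather than relying on the implicit
# :latest, so the pod runs a known image.
kubectl run -it --rm debug --image=busybox:<tag> -- /bin/sh   # throw-away debug pod
kubectl get events --sort-by='.lastTimestamp'         # cluster events, oldest first
kubectl top pods                                      # pod resource usage (needs metrics-server)
kubectl api-resources                                 # list API resource types
# Resource operations
kubectl apply -f manifest.yaml                        # apply a manifest
kubectl delete -f manifest.yaml                       # delete what a manifest defines
kubectl edit deployment/<name>                        # edit a live object
# Form is container=image; the original "myapp=v2" names an image literally called "v2".
kubectl set image deployment/<name> myapp=myapp:v2    # roll out a new image
# Node maintenance
kubectl cordon <node>                                 # mark node unschedulable
# drain refuses pods using emptyDir unless --delete-emptydir-data is added,
# which discards that data; add it only when that loss is acceptable.
kubectl drain <node> --ignore-daemonsets              # evict pods from the node
kubectl uncordon <node>                               # allow scheduling again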