3. Use Kubernetes to manage Secrets
In this scenario you will learn how to manage Secrets with Kubernetes. Kubernetes lets you create Secrets that are injected into Pods either as environment variables or as mounted volumes.
This lets secrets such as TLS certificates or passwords be managed securely by the infrastructure team instead of being baked into the application's deployment artifacts.
3.1 Create Secrets
Kubernetes expects the values in a Secret's data field to be Base64-encoded strings. Base64 is an encoding, not encryption: anyone allowed to read the Secret object (kubectl get secret -o yaml) can decode the values, and the API server stores them unencrypted in etcd unless encryption at rest has been configured. Read access to Secrets should therefore be restricted with RBAC.
Using the command line we can produce the Base64 strings and keep them in shell variables for use in the manifest. The -n matters: without it the encoded value would include a trailing newline, which would become part of the password.

    username=$(echo -n "admin" | base64)
    password=$(echo -n "a62fjbd37942dcs" | base64)
Secrets are defined in YAML. Below we use the variables defined above and give them friendly labels that our application can use. This creates a key/value collection of secrets that can be accessed by name, in this case test-secret.
Note that kubectl does not expand shell variables, so secret.yaml must be written by the shell (for example with an unquoted heredoc, cat << EOF > secret.yaml ... EOF) so that $username and $password are substituted when the file is created.

    secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: test-secret
    type: Opaque
    data:
      username: $username
      password: $password
This YAML file can be used with kubectl to create our Secret. When launching a Pod that needs the secret, we reference the collection by its friendly name.

    controlplane $ kubectl create -f secret.yaml
    secret/test-secret created
    controlplane $ kubectl get secrets
    NAME                  TYPE                                  DATA   AGE
    default-token-rgbmd   kubernetes.io/service-account-token   3      8m12s
    test-secret           Opaque                                2      62s
3.2 Exposing Secrets as environment variables
In the file secret-env.yaml we define a Pod whose environment variables are populated from the Secret created earlier.

    controlplane $ cat secret-env.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: secret-env-pod
    spec:
      containers:
      - name: mycontainer
        image: alpine:latest
        command: ["sleep", "9999"]
        env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: test-secret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: test-secret
              key: password
      restartPolicy: Never
To populate an environment variable we give it a name, SECRET_USERNAME here, plus the name of the Secret and the key within it that holds the value.

    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: test-secret
          key: username
    controlplane $ kubectl create -f secret-env.yaml
    pod/secret-env-pod created
    controlplane $ kubectl exec -it secret-env-pod env | grep SECRET_
    SECRET_USERNAME=admin
    SECRET_PASSWORD=a62fjbd37942dcs
Kubernetes decodes the Base64 values when it populates the environment variables, so you see the original username/password pair we defined. These variables can now be used to reach APIs, databases and so on.

    controlplane $ kubectl get pods
    NAME             READY   STATUS    RESTARTS   AGE
    secret-env-pod   1/1     Running   0          78s
3.3 Mounting Secrets as volumes
Holding secrets in environment variables makes accidental leakage easy: the environment is inherited by every child process, is readable from /proc/<pid>/environ by anything running as the same user inside the container, and routinely ends up in crash dumps and debug logs. Environment values are also fixed when the container starts, so a rotated Secret is not picked up until the Pod is recreated. The recommended approach is to mount the Secret as a volume: the files are served from a tmpfs (they are never written to the node's disk) and are updated in place when the Secret changes.
    controlplane $ cat secret-pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: secret-vol-pod
    spec:
      volumes:
      - name: secret-volume
        secret:
          secretName: test-secret
      containers:
      - name: test-container
        image: alpine:latest
        command: ["sleep", "9999"]
        volumeMounts:
        - name: secret-volume
          mountPath: /etc/secret-volume
To mount the Secret as a volume we first declare a volume with a well-known name, secret-volume here, and point it at the Secret we created via secretName.

    volumes:
    - name: secret-volume
      secret:
        secretName: test-secret

When we define the container we mount that volume at a specific directory. The application reads the secrets from that path as files, one file per key. In production add readOnly: true to the mount and use the volume's defaultMode to restrict the file permissions to the user the application runs as.

    volumeMounts:
    - name: secret-volume
      mountPath: /etc/secret-volume
    controlplane $ kubectl create -f secret-pod.yaml
    pod/secret-vol-pod created
    controlplane $ kubectl exec -it secret-vol-pod ls /etc/secret-volume
    password  username
    controlplane $ kubectl exec -it secret-vol-pod cat /etc/secret-volume/username
    admincontrolplane $ kubectl exec -it secret-vol-pod cat /etc/secret-volume/password
    a62fjbd37942dcs

The next prompt runs straight on after admin because the value was encoded with echo -n and therefore contains no trailing newline; the file holds exactly the bytes that were encoded.
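The procedure above can be reduced to a small script. The following is an added example for this section, not code from the Katacoda scenario: it builds the same test-secret manifest from plaintext values and handles the two places the manual steps go wrong, the trailing newline that echo without -n appends, and the fact that kubectl never expands $variables inside a YAML file. The function names (b64, b64_decode, has_trailing_newline, secret_manifest) are this example's own; it assumes only POSIX sh with the base64, od, tail and tr utilities.

```shell
#!/bin/sh
# Added example for the Secrets section; not part of the Katacoda scenario.
# Builds the test-secret manifest from plaintext values and checks a value read
# back from the cluster. Assumes POSIX sh plus base64, od, tail and tr.

# Encode one value for the data: map. printf '%s' emits no trailing newline
# (the equivalent of echo -n), and tr removes the line wrapping that GNU
# base64 inserts every 76 characters, which would otherwise corrupt the YAML.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a value read back from the API server, for example from
#   kubectl get secret test-secret -o jsonpath='{.data.password}'
# Base64 is an encoding, not encryption: anyone permitted to `get secrets`
# in the namespace recovers the plaintext exactly like this.
b64_decode() {
  printf '%s' "$1" | base64 -d
}

# True when a Base64 value decodes to something ending in "\n", the signature
# of a value encoded with `echo` instead of `echo -n`: the newline becomes part
# of the password and authentication fails with no visible reason.
has_trailing_newline() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Print a complete Secret manifest. Arguments: the Secret name, then key=value
# pairs. Encoding happens here in the shell, so the manifest is finished before
# kubectl reads it; kubectl does not substitute $username-style variables.
secret_manifest() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# Stand-alone run: emit the scenario's test-secret. Pipe the output into
# `kubectl apply -f -` to create it without writing the secret to disk.
secret_manifest test-secret username=admin password=a62fjbd37942dcs
```

For one-off use, kubectl create secret generic test-secret --from-literal=username=admin --from-literal=password=... performs the same encoding itself; the script form is useful when the manifest has to be generated in a pipeline, and has_trailing_newline is the quick check to run when a freshly created Secret mysteriously fails to authenticate.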
4. Deploy Docker Compose with Kompose
In this scenario you will learn how to deploy an existing Docker Compose file to Kubernetes with Kompose.
Kompose is a tool that helps users familiar with docker-compose move to Kubernetes. It takes a Docker Compose file and translates it into Kubernetes resources. More details can be found at http://kompose.io/
4.1 Installing Kompose
Kompose is shipped as a client-side binary. To install it on Katacoda, run:

    curl -L https://github.com/kubernetes/kompose/releases/download/v1.9.0/kompose-linux-amd64 -o /usr/bin/kompose && chmod +x /usr/bin/kompose

This drops an unverified download straight onto PATH, which is fine for a throwaway lab but not for a workstation or CI runner: verify the file against a checksum obtained from the project before making it executable, and pin a current release rather than v1.9.0. Details on installing Kompose for your operating system are at https://github.com/kubernetes/kompose/releases
4.2 kompose up
Kompose takes existing Docker Compose files and makes them deployable on Kubernetes. Compose is a tool for defining and running multi-container Docker applications; with Compose you use a Compose file to configure your application's services.
Copy the example Docker Compose file into the editor.

    version: "2"
    services:
      redis-master:
        image: redis:latest
        ports:
          - "6379"
      redis-slave:
        image: gcr.io/google_samples/gb-redisslave:v1
        ports:
          - "6379"
        environment:
          - GET_HOSTS_FROM=dns
      frontend:
        image: gcr.io/google-samples/gb-frontend:v3
        ports:
          - "80:80"
        environment:
          - GET_HOSTS_FROM=dns
As with Docker Compose, Kompose deploys the whole application with a single command.

    controlplane $ kompose up
    INFO We are going to create Kubernetes Deployments, Services and PersistentVolumeClaims for your Dockerized application. If you need different kind of resources, use the 'kompose convert' and 'kubectl create -f' commands instead.
    INFO Deploying application in "default" namespace
    INFO Successfully created Service: frontend
    INFO Successfully created Service: redis-master
    INFO Successfully created Service: redis-slave
    INFO Successfully created Deployment: frontend
    INFO Successfully created Deployment: redis-master
    INFO Successfully created Deployment: redis-slave
    Your application has been deployed to Kubernetes. You can run 'kubectl get deployment,svc,pods,pvc' for details.
Details of what was deployed can be inspected with the Kubernetes CLI, kubectl. Note that every Service is of type ClusterIP, including frontend, whose Compose entry published port 80 on the host: nothing is reachable from outside the cluster until you add an Ingress or change the Service type deliberately.

    controlplane $ kubectl get deployment,svc,pods,pvc
    NAME                                 READY   UP-TO-DATE   AVAILABLE   AGE
    deployment.extensions/frontend       1/1     1            1           35s
    deployment.extensions/redis-master   1/1     1            1           35s
    deployment.extensions/redis-slave    1/1     1            1           35s

    NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
    service/frontend       ClusterIP   10.101.107.67    <none>        80/TCP     35s
    service/kubernetes     ClusterIP   10.96.0.1        <none>        443/TCP    2m10s
    service/redis-master   ClusterIP   10.109.66.160    <none>        6379/TCP   35s
    service/redis-slave    ClusterIP   10.110.203.137   <none>        6379/TCP   35s

    NAME                                READY   STATUS    RESTARTS   AGE
    pod/frontend-64bcc8dd75-n8lrx       1/1     Running   0          35s
    pod/redis-master-fc59d57fd-wl2bd    1/1     Running   0          35s
    pod/redis-slave-8676777656-xwhrk    1/1     Running   0          35s
4.3 Convert
Kompose can also take an existing Compose file and generate the corresponding Kubernetes manifest files.

    controlplane $ kompose convert
    INFO Kubernetes file "frontend-service.yaml" created
    INFO Kubernetes file "redis-master-service.yaml" created
    INFO Kubernetes file "redis-slave-service.yaml" created
    INFO Kubernetes file "frontend-deployment.yaml" created
    INFO Kubernetes file "redis-master-deployment.yaml" created
    INFO Kubernetes file "redis-slave-deployment.yaml" created
    controlplane $ ls
    docker-compose.yml  frontend-service.yaml  redis-master-service.yaml  redis-slave-service.yaml  frontend-deployment.yaml  redis-master-deployment.yaml  redis-slave-deployment.yaml
4.4 kubectl create
Once converted, the files can be deployed with kubectl as well. This matches the deployment already applied by kompose up. Outside a lab, converting first is the better workflow: the generated manifests can be reviewed, hardened (securityContext, resource limits, pinned images) and committed before anything reaches the cluster.

    controlplane $ kubectl apply -f frontend-service.yaml,redis-master-service.yaml,redis-slave-service.yaml,frontend-deployment.yaml,redis-master-deployment.yaml,redis-slave-deployment.yaml
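Because Kompose carries image references and port declarations into the generated Deployments and Services as they are, the Compose file is the right place to review them before kompose up or kompose convert. The following is an added example, not part of Kompose or of the scenario: a pre-flight check over the scenario's Compose file (embedded as constructed input) that lists images without an immutable tag and host-published ports. The function names unpinned_images and published_ports are this example's own; it assumes only POSIX sh and awk, and its simple indentation-based parsing targets the two-space layout of the file above rather than Compose files in general.

```shell
#!/bin/sh
# Added example for the Kompose section; not part of Kompose or of the scenario.
# Reviews a Compose file before it is handed to kompose. Assumes POSIX sh and awk,
# and the two-space indentation used by the scenario's file.

# The scenario's docker-compose.yml, embedded here as constructed input.
COMPOSE_FILE=$(cat <<'EOF'
version: "2"
services:
  redis-master:
    image: redis:latest
    ports:
      - "6379"
  redis-slave:
    image: gcr.io/google_samples/gb-redisslave:v1
    ports:
      - "6379"
    environment:
      - GET_HOSTS_FROM=dns
  frontend:
    image: gcr.io/google-samples/gb-frontend:v3
    ports:
      - "80:80"
    environment:
      - GET_HOSTS_FROM=dns
EOF
)

# Print "service image" for every image that has no tag or the mutable :latest
# tag. Such a reference becomes the Deployment's image field, so a later push to
# the same tag changes what the cluster runs with no change to the manifests.
# Images pinned by digest (@sha256:...) are skipped.
unpinned_images() {
  printf '%s\n' "$COMPOSE_FILE" | awk '
    /^  [^ ]+:$/ { svc = $1; sub(/:$/, "", svc) }
    /^ *image:/ {
      img = $2
      if (img ~ /@sha256:/) next
      n = split(img, parts, "/")        # the tag lives in the last path element
      last = parts[n]
      if (last !~ /:/ || last ~ /:latest$/) print svc, img
    }'
}

# Print "service host:container" for every port entry that publishes a host
# port. These are the services the Compose author meant to expose outside the
# application; Kompose still generates ClusterIP Services for them, so decide
# explicitly which ones need an Ingress or a different Service type.
published_ports() {
  printf '%s\n' "$COMPOSE_FILE" | awk '
    /^  [^ ]+:$/ { svc = $1; sub(/:$/, "", svc) }
    /^ *- "?[0-9]+:[0-9]+"?$/ { p = $2; gsub(/"/, "", p); print svc, p }'
}

# Stand-alone run: report both findings for the embedded file.
echo "Unpinned images:"; unpinned_images
echo "Published ports:"; published_ports
```

On the file above the check flags redis-master for redis:latest and frontend for 80:80; the fix for the first is to pin the image by tag and, better, by digest (image: redis@sha256:...) before converting, so that the Deployment Kompose writes is reproducible.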
4.5 OpenShift
Kompose also supports other Kubernetes distributions, for example OpenShift.

    controlplane $ kompose --provider openshift convert
    INFO OpenShift file "frontend-service.yaml" created
    INFO OpenShift file "redis-master-service.yaml" created
    INFO OpenShift file "redis-slave-service.yaml" created
    INFO OpenShift file "frontend-deploymentconfig.yaml" created
    INFO OpenShift file "frontend-imagestream.yaml" created
    INFO OpenShift file "redis-master-deploymentconfig.yaml" created
    INFO OpenShift file "redis-master-imagestream.yaml" created
    INFO OpenShift file "redis-slave-deploymentconfig.yaml" created
    INFO OpenShift file "redis-slave-imagestream.yaml" created
4.6 Converting to JSON
By default Kompose generates YAML files. JSON files can be generated instead by passing the -j flag.

    controlplane $ kompose convert -j
    INFO Kubernetes file "frontend-service.json" created
    INFO Kubernetes file "redis-master-service.json" created
    INFO Kubernetes file "redis-slave-service.json" created
    INFO Kubernetes file "frontend-deployment.json" created
    INFO Kubernetes file "redis-master-deployment.json" created
    INFO Kubernetes file "redis-slave-deployment.json" created