千家信息网

ConfigMap and Secret Storage Volumes in a k8s Cluster

Published: 2025-12-02  Author: 千家信息网 editor
Last updated: 2025-12-02

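A ConfigMap object is a collection of configuration items. k8s injects this collection into the corresponding Pod object, where the containers use it to start successfully. There are generally two ways to inject it: mounting it as a storage volume, or passing it as environment variables. A ConfigMap must exist before it is referenced; it is namespace-scoped and cannot be used across namespaces, and its content is displayed in plain text. After the content of a ConfigMap is modified, the corresponding Pod must be restarted or must reload its configuration.
A Secret is similar to a ConfigMap, but its values are Base64-encoded, so they are not displayed in plain text, and it generally holds sensitive data. Base64 is an encoding rather than encryption: anyone who can read the Secret object can decode the values, as the base64 -d step in section 5 shows. There are generally two ways to create a Secret: with kubectl create, or with a Secret manifest file.
Help for ConfigMap key references: kubectl explain pods.spec.containers.env
Help for creating ConfigMap volumes: kubectl explain pods.spec.volumes
Help for mounting ConfigMap volumes: kubectl explain pods.spec.containers.volumeMounts
Help for Secret: kubectl explain secret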

I. ConfigMap storage volumes
1. Create the object directly from a key-value literal
[root@k8s01 yaml]# kubectl create configmap wuhan123 --from-literal=wuhan="2019军运会"
configmap/wuhan123
[root@k8s01 yaml]# kubectl get configmap wuhan123
NAME DATA AGE
wuhan123 1 27s
[root@k8s01 yaml]# kubectl get configmap wuhan123 -o yaml

apiVersion: v1
data:
  wuhan: 2019军运会            # key and data
kind: ConfigMap
metadata:
  creationTimestamp: "2019-10-26T06:30:13Z"
  name: wuhan123
  namespace: default
  resourceVersion: "3790588"
  selfLink: /api/v1/namespaces/default/configmaps/wuhan123
  uid: c7771f6f-3825-47f8-9029-4630810b6dd5

[root@k8s01 yaml]#

1.1 Reference a single key of the ConfigMap:
[root@k8s01 yaml]# vim wuhan123.yaml

apiVersion: v1
kind: Pod
metadata:
  name: wuhan123
  namespace: default
  labels:
    app: web
spec:
  containers:
  - name: wuhan123
    image: nginx:latest
    imagePullPolicy: Never
    env:
    - name: abc              # environment variable that receives the referenced value
      valueFrom:
        configMapKeyRef:
          name: wuhan123     # ConfigMap name
          key: wuhan         # key
[root@k8s01 yaml]# kubectl apply -f wuhan123.yaml

pod/wuhan123 created
[root@k8s01 yaml]# kubectl exec -it wuhan123 bash
root@wuhan123:/# echo $abc     # print the value of the key inside the container
2019军运会
root@wuhan123:/# exit
exit
[root@k8s01 yaml]#


1.2 Reference all keys of the ConfigMap
[root@k8s01 yaml]# vim wuhan123-1.yaml

apiVersion: v1
kind: Pod
metadata:
  name: wuhan123-1
  namespace: default
  labels:
    app: web
spec:
  containers:
  - name: wuhan123-1
    image: nginx:latest
    imagePullPolicy: Never
    envFrom:                 # import every key of the ConfigMap
    - prefix: WUHAN_         # prefix added to each variable name
      configMapRef:
        name: wuhan123
        optional: false

[root@k8s01 yaml]# kubectl apply -f wuhan123-1.yaml
pod/wuhan123-1 created
[root@k8s01 yaml]# kubectl exec -it wuhan123-1 bash
root@wuhan123-1:/# echo $WUHAN_wuhan     # the prefix must be included when reading the variable
2019军运会
root@wuhan123-1:/# exit
exit
[root@k8s01 yaml]#

2. Create from a file
[root@k8s01 yaml]# kubectl create configmap wuhan2 --from-file=/root/yaml/nginx.conf     # the file to load into the ConfigMap
configmap/wuhan2 created
[root@k8s01 yaml]# kubectl get configmap wuhan2
NAME DATA AGE
wuhan2 1 18s
[root@k8s01 yaml]# kubectl get configmap wuhan2 -o yaml
apiVersion: v1
data:
  nginx.conf: |+
    worker_processes auto;
    worker_cpu_affinity auto;
    worker_rlimit_nofile 65535;
    events {
    use epoll;
    worker_connections 65535;
    }
    error_log logs/error.log error;
    pid logs/nginx.pid;
    http {
    server_info off;
    include common/mime.types;
    default_type application/octet-stream;
    index index.html index.htm default.html default.htm index.json;
    log_format main
    '[$remote_addr $http_x_forwarded_for - $remote_user $time_local] '
    '[Request: $host "$request"] $request_time sec '
    '[Detail: $status $body_bytes_sent $http_referer] '
    '[Upstream: $upstream_addr $upstream_status]' ' $upstream_response_time sec';
    access_log logs/access.log main;
    keepalive_timeout 65;
    sendfile on;
    client_max_body_size 10240m;
    client_body_buffer_size 1024k;
    resolver 114.114.114.114 8.8.8.8;
    uwsgi_cache_path uwsgi_temp levels=1:2 keys_zone=IFLYTEK_UWSGI_CACHE:100m inactive=5m max_size=20g;
    include common/uwsgi.conf;
    include common/proxy.conf;
    include common/fastcgi.conf;
    include common/gzip.conf;
    include sites/*.conf;
    }
kind: ConfigMap
metadata:
  creationTimestamp: "2019-10-26T06:36:20Z"
  name: wuhan2
  namespace: default
  resourceVersion: "3791130"
  selfLink: /api/v1/namespaces/default/configmaps/wuhan2
  uid: 6305dd66-df6c-48a8-a1ad-02513ad64d6c
[root@k8s01 yaml]#

2.1 Reference the ConfigMap object
[root@k8s01 yaml]# vim wuhan234.yaml

apiVersion: v1
kind: Pod
metadata:
  name: wuhan234
  namespace: default
  labels:
    app: web
spec:
  containers:
  - name: wuhan234
    image: nginx:latest
    imagePullPolicy: Never
    volumeMounts:
    - name: ngxconf
      mountPath: /usr/share/nginx/conf     # mount the ConfigMap at this directory
      readOnly: true
  volumes:
  - name: ngxconf            # define a volume
    configMap:
      name: wuhan2           # ConfigMap name

[root@k8s01 yaml]# kubectl apply -f wuhan234.yaml
pod/wuhan234 created
[root@k8s01 yaml]# kubectl exec -it wuhan234 bash
root@wuhan234:/# head -2 /usr/share/nginx/conf/nginx.conf     # view the mounted content
worker_processes auto;
worker_cpu_affinity auto;
root@wuhan234:/# exit
exit
[root@k8s01 yaml]#

3. Create from a directory
[root@k8s01 yaml]# kubectl create configmap wuhan3 --from-file=/root/yaml/
configmap/wuhan3 created
[root@k8s01 yaml]# kubectl get configmap wuhan3
NAME DATA AGE
wuhan3 8 5s
[root@k8s01 yaml]# kubectl get configmap wuhan3 -o yaml

3.1 Reference the ConfigMap object (mount selected files from the directory)
[root@k8s01 yaml]# vim wuhan345.yaml

apiVersion: v1
kind: Pod
metadata:
  name: wuhan345
  namespace: default
  labels:
    app: web
spec:
  containers:
  - name: wuhan345
    image: nginx:latest
    imagePullPolicy: Never
    volumeMounts:
    - name: ngxconf
      mountPath: /usr/share/nginx/conf
      readOnly: true
  volumes:
  - name: ngxconf            # volume name
    configMap:
      name: wuhan3           # ConfigMap being referenced
      items:
      - key: nginx.yaml      # key in the ConfigMap (the original file name)
        path: nginx.yaml     # file name inside the mount
        mode: 0777           # file permissions
      - key: helm.yaml       # helm.yaml is exposed in the mount as helm123.yaml
        path: helm123.yaml
        mode: 0600

[root@k8s01 yaml]# kubectl apply -f wuhan345.yaml
pod/wuhan345 created
[root@k8s01 yaml]# kubectl exec -it wuhan345 bash
root@wuhan345:/# ls -al /usr/share/nginx/conf/
total 0
drwxrwxrwx 3 root root 97 Oct 26 08:25 .
drwxr-xr-x 1 root root 18 Oct 26 08:25 ..
drwxr-xr-x 2 root root 44 Oct 26 08:25 ..2019_10_26_08_25_18.898777603
lrwxrwxrwx 1 root root 31 Oct 26 08:25 ..data -> ..2019_10_26_08_25_18.898777603
lrwxrwxrwx 1 root root 19 Oct 26 08:25 helm123.yaml -> ..data/helm123.yaml     # file name after mapping
lrwxrwxrwx 1 root root 17 Oct 26 08:25 nginx.yaml -> ..data/nginx.yaml
root@wuhan345:/# exit
exit
[root@k8s01 yaml]#

3.2 Reference the ConfigMap object (mount specified files into the directory, keeping the other files already there)
[root@k8s01 yaml]# vim wuhan345-1.yaml

apiVersion: v1
kind: Pod
metadata:
  name: wuhan345-1
  namespace: default
  labels:
    app: web
spec:
  containers:
  - name: wuhan345-1
    image: nginx:latest
    imagePullPolicy: Never
    volumeMounts:
    - name: ngxconf
      mountPath: /usr/share/nginx/conf/nginx.conf
      subPath: nginx.conf
      readOnly: true
    - name: ngxconf
      mountPath: /usr/share/nginx/conf/default.conf
      subPath: default.conf
      readOnly: true
  volumes:
  - name: ngxconf
    configMap:
      name: wuhan3

[root@k8s01 yaml]# kubectl apply -f wuhan345-1.yaml
pod/wuhan345-1 created
[root@k8s01 yaml]# kubectl exec -it wuhan345-1 bash
root@wuhan345-1:/# ls -al /usr/share/nginx/conf/
total 4
drwxr-xr-x 3 root root 44 Oct 26 08:20 .
drwxr-xr-x 1 root root 18 Oct 26 08:20 ..
drwxrwxrwx 2 root root 6 Oct 26 08:20 default.conf
-rw-r--r-- 1 root root 1083 Oct 26 08:20 nginx.conf
root@wuhan345-1:/# exit
exit
[root@k8s01 yaml]#

4. Create from a manifest file
[root@k8s01 yaml]# vim configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: wuhan5
  namespace: default
data:
  nginx.conf: |            # the | indicator is required, otherwise the line formatting is lost
    worker_processes auto;
    worker_cpu_affinity auto;
    worker_rlimit_nofile 65535;
    events {
      use epoll;
      worker_connections 65535;
    }
    http {
      server_info off;
      index index.html index.htm default.html default.htm index.json;
      access_log logs/access.log main;
      keepalive_timeout 65;
      server {
         server_name baidu.com;
         location / {
            root html;
            index index.html;
         }
      }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: wuhan5-pod
  namespace: default
spec:
  containers:
  - name: wuhan5-pod
    image: nginx:latest
    imagePullPolicy: Never
    volumeMounts:
    - name: ngxconf                        # refers to the volume name below
      mountPath: /usr/share/nginx/conf     # directory to mount at
  volumes:
  - name: ngxconf            # defines the volume name
    configMap:
      name: wuhan5           # ConfigMap being referenced

[root@k8s01 yaml]# kubectl apply -f configmap.yaml
configmap/wuhan5 created
pod/wuhan5-pod created
[root@k8s01 yaml]# kubectl exec -it wuhan5-pod bash
root@wuhan5-pod:/# head -5 /usr/share/nginx/conf/nginx.conf     # show the first 5 lines
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
events {
use epoll;
root@wuhan5-pod:/# exit
exit
[root@k8s01 yaml]#

II. Secret storage volumes
5. Create a Secret from the command line
[root@k8s01 yaml]# kubectl create secret generic mypass --from-literal=username=root --from-literal=password=System135
secret/mypass created
[root@k8s01 yaml]# kubectl get secrets mypass
NAME TYPE DATA AGE
mypass Opaque 2 23s
[root@k8s01 yaml]# kubectl get secrets mypass -o yaml
apiVersion: v1
data:
  password: U3lzdGVtMTM1     # password, Base64-encoded
  username: cm9vdA==         # user name, Base64-encoded
kind: Secret
metadata:
  creationTimestamp: "2019-10-26T08:32:18Z"
  name: mypass
  namespace: default
  resourceVersion: "3801721"
  selfLink: /api/v1/namespaces/default/secrets/mypass
  uid: 7a432a31-fe0b-4edc-a507-9f1aa0cd1745
type: Opaque                 # Opaque: the values are stored Base64-encoded
[root@k8s01 yaml]# echo U3lzdGVtMTM1 | base64 -d     # show the password in plain text
System135[root@k8s01 yaml]#
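
The second creation method named in the introduction, a Secret manifest file, is not shown on this page. The following added example (not part of the original article) builds that manifest for the mypass Secret from section 5 and then decodes it again, showing that the data values are only Base64-encoded. The function names secret_manifest and decode_secret_data are hypothetical helpers; the sample values are the ones used in section 5.

```bash
#!/usr/bin/env bash
# Added example: manifest form of the Secret from section 5, and its decoding.

# secret_manifest NAME KEY=VALUE...  -> prints a v1 Secret manifest on stdout
secret_manifest() {
  local name=$1 pair
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
  printf '  namespace: default\ntype: Opaque\ndata:\n'
  for pair in "$@"; do
    # printf '%s' (not echo) so that no trailing newline is encoded into the value
    printf '  %s: %s\n' "${pair%%=*}" \
      "$(printf '%s' "${pair#*=}" | base64 | tr -d '\n')"
  done
}

# decode_secret_data < manifest  -> prints key=plaintext for each entry under data:
decode_secret_data() {
  local in_data=0 line key val
  while IFS= read -r line; do
    case $line in
      data:) in_data=1 ;;
      '  '*': '*)
        # indented "key: value" line; only decode it inside the data map
        if [ "$in_data" -eq 1 ]; then
          key=${line#  }
          key=${key%%:*}
          val=${line#*: }
          printf '%s=%s\n' "$key" "$(printf '%s' "$val" | base64 -d)"
        fi
        ;;
      *) in_data=0 ;;        # any other top-level line ends the data map
    esac
  done
}

# Round trip with the constructed values from section 5
secret_manifest mypass username=root password=System135 | decode_secret_data
```

The manifest printed by secret_manifest can be saved to a file and created with kubectl apply -f, in the same way as configmap.yaml in section 4.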

6. Running status of all the pods
[root@k8s01 yaml]# kubectl get pods -o wide| grep wuhan
wuhan123 1/1 Running 0 97m 10.244.1.33 k8s02
wuhan123-1 1/1 Running 0 94m 10.244.2.38 k8s03
wuhan234 1/1 Running 0 85m 10.244.1.35 k8s02
wuhan345 1/1 Running 0 58m 10.244.1.36 k8s02
wuhan345-1 1/1 Running 0 63m 10.244.2.39 k8s03
wuhan5-pod 1/1 Running 0 2m5s 10.244.2.41 k8s03
[root@k8s01 yaml]#