misterli's Blog.

Syncing Secrets and ConfigMaps to specified namespaces

Word count: 686  Reading time: 3 min
2021/01/05

Introduction

Synator syncs Secrets and ConfigMaps across the namespaces of a cluster, so a Secret or ConfigMap can be created in several namespaces in one step. This is handy for resources that many namespaces need, such as image pull credentials.

Project: https://github.com/TheYkk/synator.git

Installation

git clone https://github.com/TheYkk/synator.git
cd synator
kubectl apply -f deploy.yml

After installation, check that the controller pod is running:

[root@master-01 sync-cm-secret]# kubectl get pod -l name=synator
NAME READY STATUS RESTARTS AGE
synator-77f47f7dfb-jbrq5 1/1 Running 0 13m

Usage

1. Add the annotation synator/sync=yes to a Secret or ConfigMap. You can also use the annotation synator/include-namespaces='namespace1,namespace2' to choose which namespaces it is synced to, or synator/exclude-namespaces='kube-system,kube-node-lease' to exclude certain namespaces.

For example, create a Secret and set it to sync to the kuboard and monitoring namespaces:

kind: Secret
apiVersion: v1
metadata:
  name: example
  namespace: default
  annotations:
    synator/sync: 'yes'
    synator/include-namespaces: 'kuboard,monitoring'
data:
  tt: dHQ0NTExMjM0NTU=
type: Opaque

After creating it, a Secret named example is also created in the kuboard and monitoring namespaces:

[root@master-01 sync-cm-secret]# kubectl get secrets  -n  kuboard 
NAME TYPE DATA AGE
default-token-7qwf4 kubernetes.io/service-account-token 3 28h
kuboard-admin-token-r58sf kubernetes.io/service-account-token 3 28h
kuboard-viewer-token-7hvhj kubernetes.io/service-account-token 3 28h
[root@master-01 sync-cm-secret]# kubectl apply -f secerts.yaml
secret/example created
[root@master-01 sync-cm-secret]# kubectl get secrets -n kuboard
NAME TYPE DATA AGE
default-token-7qwf4 kubernetes.io/service-account-token 3 28h
example Opaque 1 4s
kuboard-admin-token-r58sf kubernetes.io/service-account-token 3 28h
kuboard-viewer-token-7hvhj kubernetes.io/service-account-token 3 28h
[root@master-01 sync-cm-secret]# kubectl get secrets
NAME TYPE DATA AGE
default-token-fdd5k kubernetes.io/service-account-token 3 41d
example Opaque 1 8s
issuer-account-key Opaque 1 28d
synator-token-dt6gh kubernetes.io/service-account-token 3 19m
test-web-service-route-5c6bc66f8c-0-cert kubernetes.io/tls 2 28d

Note: deleting the Secret defined in secrets.yaml does not delete the synced copies in kuboard and monitoring.
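Because the synced copies are not removed with the source and can go stale, it is worth auditing them. The following is an added example, not part of the original post and not Synator's own code: it reads the JSON that `kubectl get secrets -A -o json` produces and reports, for each source Secret annotated synator/sync=yes, which expected target namespaces lack a copy or hold a copy whose data no longer matches the source. The sample JSON and namespace list are constructed, and the target-namespace rule is an assumption based on the annotation description above.

```python
import json

# Constructed sample in the shape of `kubectl get secrets -A -o json`
# (hypothetical data, not captured from the post's cluster).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "example", "namespace": "default",
                  "annotations": {"synator/sync": "yes",
                                  "synator/include-namespaces": "kuboard,monitoring"}},
     "data": {"tt": "dHQ0NTExMjM0NTU="}},
    {"metadata": {"name": "example", "namespace": "kuboard"},
     "data": {"tt": "dHQ0NTExMjM0NTU="}},
    {"metadata": {"name": "example", "namespace": "monitoring"},
     "data": {"tt": "b2xkLXZhbHVl"}},  # stale copy: differs from the source
]})
NAMESPACES = ["default", "kube-system", "kuboard", "monitoring"]


def expected_targets(src, all_namespaces):
    """Namespaces a synced Secret should land in. Assumption: include-namespaces,
    when set, is the full target list; otherwise every namespace except the
    source's own and any listed in exclude-namespaces."""
    ann = src["metadata"].get("annotations", {})
    inc = ann.get("synator/include-namespaces")
    if inc:
        return {n.strip() for n in inc.split(",") if n.strip()}
    exc = {n.strip() for n in ann.get("synator/exclude-namespaces", "").split(",")}
    return {n for n in all_namespaces
            if n != src["metadata"]["namespace"] and n not in exc}


def audit_sync(secret_list_json, all_namespaces):
    """Return {'ns/name': {'missing': [...], 'drifted': [...]}} for every
    source Secret carrying synator/sync=yes."""
    items = json.loads(secret_list_json)["items"]
    by_key = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in items}
    report = {}
    for src in items:
        if src["metadata"].get("annotations", {}).get("synator/sync") != "yes":
            continue
        name, ns = src["metadata"]["name"], src["metadata"]["namespace"]
        missing, drifted = [], []
        for target in sorted(expected_targets(src, all_namespaces)):
            copy = by_key.get((target, name))
            if copy is None:
                missing.append(target)
            elif copy.get("data") != src.get("data"):
                drifted.append(target)
        report[f"{ns}/{name}"] = {"missing": missing, "drifted": drifted}
    return report


if __name__ == "__main__":
    print(json.dumps(audit_sync(SAMPLE, NAMESPACES), indent=2))
```

Pipe real output in with `kubectl get secrets -A -o json` and run the audit on a schedule; a non-empty "drifted" list means a namespace is still using an old credential.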

2. The annotation synator/reload: "secret:example" makes the Pods that reference the resource get updated after the resource changes.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      name: busybox
  template:
    metadata:
      labels:
        name: busybox
      annotations:
        synator/reload: "secret:example"
    spec:
      containers:
      - name: busybox
        image: busybox:1.29
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
        args:
        - /bin/sh
        - -c
        - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
        volumeMounts:
        - mountPath: /config
          name: config-volume
      volumes:
      - name: config-volume
        projected:
          defaultMode: 420
          sources:
          - secret:
              name: example

When we modify the example Secret deployed above, the Pod is automatically replaced, and the Secret it references now holds the updated value:

[root@master-01 demo]# kubectl apply -f deployment.yaml 
deployment.apps/busybox created
[root@master-01 demo]# kubectl exec -it busybox-7d79ccdbb-l5v6j -- sh
/ # cat config/tt
tt451123455/ # exit
[root@master-01 demo]# echo tt87654321|base64
dHQ4NzY1NDMyMQo=
[root@master-01 demo]# vi secerts.yaml
[root@master-01 demo]# kubectl apply -f secerts.yaml
secret/example configured
[root@master-01 demo]# kubectl get pod
NAME READY STATUS RESTARTS AGE
busybox-7d79ccdbb-dzkl4 1/1 Running 0 9s
busybox-7d79ccdbb-l5v6j 1/1 Terminating 0 98s
check-ecs-price-7cdc97b997-bl99p 1/1 Running 0 3h58m
synator-77f47f7dfb-jbrq5 1/1 Running 0 30m
web-show-768dd97986-fp9bs 1/1 Running 0 21d
[root@master-01 demo]# kubectl exec -it busybox-7d79ccdbb-dzkl4 --sh
[root@master-01 demo]# kubectl exec -it busybox-7d79ccdbb-dzkl4 -- sh
/ # cat config/tt
tt87654321
/ # exit