쿠버네티스 - ConfigMap & Secret
  • ConfigMap 생성
# Create a ConfigMap from a literal key/value (the same object can of course be declared in YAML).
# ConfigMaps are for non-sensitive configuration only: values are stored and shown in clear text.
kubectl create configmap log-level --from-literal=LOG_LEVEL=DEBUG

# Verify: list ConfigMaps in the current namespace (the kube-root-ca.crt entry seen in the output
# below was not created by this lab).
kubectl get configmap
[root@k8s-m ~ (kube:default)]# kubectl get configmap
NAME               DATA   AGE
kube-root-ca.crt   1      98m
log-level          1      10s

# Detailed view. Note that, unlike a Secret, `describe` prints ConfigMap values in clear text.
kubectl describe configmaps log-level
[root@k8s-m ~ (kube:default)]# kubectl describe configmaps log-level
Name:         log-level
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
LOG_LEVEL:
----
DEBUG
Events:  <none>

# Raw YAML of the object: `data` holds the literal, unencoded value.
kubectl get configmaps log-level -o yaml
[root@k8s-m ~ (kube:default)]# kubectl get configmaps log-level -o yaml
apiVersion: v1
data:
  LOG_LEVEL: DEBUG
kind: ConfigMap
metadata:
  creationTimestamp: "2021-06-19T05:59:05Z"
  name: log-level
  namespace: default
  resourceVersion: "9073"
  uid: f95c2244-93cc-4759-8eeb-73670a54f3e7
  • configmap-pod.yaml : envFrom 과 configMapRef - 컨피그맵에 존재하는 모든 키-값 쌍을 환경 변수로 가져옵니다.
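# Pod that receives every key of the `log-level` ConfigMap as an environment variable.
apiVersion: v1
kind: Pod
metadata:
  name: configmap-pod
spec:
  containers:
    - name: configmap-pod
      # Pinned tag: a bare `busybox` resolves to `latest`, so the image could change underneath
      # the lab between runs. Pin a tag (or, better, a digest) so pulls are reproducible.
      image: busybox:1.36
      # Keeps the container alive so it can be inspected with `kubectl exec`.
      args: ['tail', '-f', '/dev/null']
      # envFrom imports ALL keys of the ConfigMap as env vars (LOG_LEVEL=DEBUG here).
      # Anything injected this way is visible to whoever can `kubectl exec` into the pod
      # or read the process's /proc entry on the node.
      envFrom:
      - configMapRef:
          name: log-level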
  • ConfigMap 활용
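# Create the pod from the lab manifest.
# -f makes curl fail on HTTP errors instead of saving an error page as "YAML"; -L follows redirects.
# The `&&` ensures nothing is applied if the download failed.
# The manifest comes from a third-party repository: read it before applying it to any cluster you care about.
curl -fsSL -o configmap-pod.yaml https://raw.githubusercontent.com/gasida/DKOS/main/3/configmap-pod.yaml \
  && kubectl apply -f configmap-pod.yaml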

# Inside the pod: every ConfigMap key is now an environment variable of the container process.
kubectl exec pod/configmap-pod -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=configmap-pod
LOG_LEVEL=DEBUG
...

# Clean up for the next exercise.
# NB: `--all` deletes EVERY pod in the current namespace, not only configmap-pod.
kubectl delete pods --all && kubectl delete configmap log-level
# List the secrets that already exist in the namespace before we create one.
kubectl get secrets
root@manager:~# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-48ksg   kubernetes.io/service-account-token   3      11d

# Create a secret named my-password holding the pair password=1q2w3e4r
# (`generic` produces the default type, Opaque).
# WARNING: --from-literal puts the value on the command line, so it ends up in the shell
# history and is briefly visible to every user on the machine via `ps`. Outside a lab, prefer
# --from-file=password=<path> (or --from-env-file) so the value never appears in argv.
kubectl create secret generic my-password --from-literal=password=1q2w3e4r

# List secrets again. The kubernetes.io/service-account-token entry was generated automatically
# for the namespace's ServiceAccount; older clusters (before v1.24) did this for every
# ServiceAccount, newer releases no longer auto-create token secrets.
kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-qnl5g   kubernetes.io/service-account-token   3      161m
my-password           Opaque                                1      40m

# `describe` prints only the size of each value (password: 8 bytes), never the value itself.
# That is cosmetic: `get -o yaml` below shows the data to anyone allowed to read the object.
kubectl describe secret my-password
Name:         my-password
...
Data
====
password:  8 bytes

kubectl get secrets my-password -o yaml
apiVersion: v1
data:
  password: MXEydzNlNHI=
kind: Secret
...

kubectl get secrets my-password -o jsonpath='{.data.password}' ; echo
MXEydzNlNHI=

# Kubernetes stores secret values base64-ENCODED by default. This is not encryption: anyone who
# can read the Secret object (RBAC get/list on secrets), or the etcd backing store when
# encryption at rest is not configured, recovers the value exactly like this.
printf '%s\n' 'MXEydzNlNHI=' | base64 -d; echo
1q2w3e4r

kubectl get secrets my-password -o jsonpath='{.data.password}' | base64 -d ; echo
1q2w3e4r
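# Create the pod from the lab manifest.
# -f makes curl fail on HTTP errors instead of saving an error page as "YAML"; -L follows redirects.
# The `&&` ensures nothing is applied if the download failed.
# The manifest comes from a third-party repository: read it before applying it to any cluster you care about.
curl -fsSL -o secret-pod.yaml https://raw.githubusercontent.com/gasida/DKOS/main/3/secret-pod.yaml \
  && kubectl apply -f secret-pod.yaml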

# Confirm the pod is Running and note which worker node (NODE column) hosts it — we log in there next.
kubectl get pods -o wide
NAME         READY   STATUS    RESTARTS   AGE   IP              NODE     NOMINATED NODE   READINESS GATES
secret-pod   1/1     Running   0          41m   172.16.228.66   k8s-w1   <none>           <none>

# Anyone with (root) access to the worker node can read the secret out of the pod's container process.
# On the host (worker node), locate the container's `tail` process.
# `grep -v auto` drops the grep process itself (presumably it shows up as `grep --color=auto tail`
# because grep is aliased on this host); `pgrep -f 'tail -f /dev/null'` would be the less fragile form.
ps -ef | head -1 ; ps -ef | grep tail | grep -v auto
root@k8s-w1:~# ps -ef | head -1 ; ps -ef | grep tail | grep -v auto
UID          PID    PPID  C STIME TTY          TIME CMD
root      115533  115509  0 06:25 ?        00:00:00 tail -f /dev/null

root@k8s-w1:~# ps -ef | grep tail | grep -v auto | awk '{print $2}'
115533

# Inspect the /proc/<PID> directory of that process: the `environ` file is what we are after.
tree -L 1 /proc/`ps -ef | grep tail | grep -v auto | awk '{print $2}'`
root@k8s-w1:~# tree -L 1 /proc/`ps -ef | grep tail | grep -v auto | awk '{print $2}'`
/proc/115533
├── arch_status
├── attr
├── autogroup
├── auxv
├── cgroup
├── clear_refs
├── cmdline
├── comm
├── coredump_filter
├── cpuset
├── cwd -> /
├── environ
...

# /proc/<PID>/environ exposes the secret in clear text. Entries are NUL-separated, so they run
# together in the output; pipe through `tr '\0' '\n'` to get one per line.
# The kernel restricts reading environ to root or the process owner — but that includes the
# container's own processes (/proc/self/environ), so a command injection in the application, or
# anyone allowed to `kubectl exec` into the pod, sees it as well. Env-var secrets also tend to
# leak into crash dumps and debug logs; a mounted volume or an external secret store limits this.
cat /proc/`ps -ef | grep tail | grep -v auto | awk '{print $2}'`/environ
root@k8s-w1:~# cat /proc/`ps -ef | grep tail | grep -v auto | awk '{print $2}'`/environ
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binHOSTNAME=secret-podpassword=1q2w3e4rKUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443KUBERNETES_PORT_443_TCP_PROTO=tcpKUBERNETES_PORT_443_TCP_PORT=443KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1KUBERNETES_SERVICE_HOST=10.96.0.1KUBERNETES_SERVICE_PORT=443KUBERNETES_SERVICE_PORT_HTTPS=443KUBERNETES_PORT=tcp://10.96.0.1:443HOME=/rootroot@k8s-w1:~#

# Clean up for the next exercise.
# NB: `--all` deletes EVERY pod in the current namespace, not only secret-pod.
kubectl delete pods --all && kubectl delete secret my-password