Kubernetes DownwardAPI & Projected Volume
DownwardAPI
Unlike ConfigMap and Secret, the DownwardAPI is not an independent API resource type in its own right.
The DownwardAPI is simply a mechanism for injecting field values from a Pod's metadata, spec, or status into the containers running inside that Pod.
The DownwardAPI offers two ways to inject Pod information into a container:
Environment variables: for individual values; Pod information and container information are injected directly into the container's environment.
Volume mount: Pod information is rendered into files that are mounted directly into the container.
A container references Pod metadata through the DownwardAPI via one of two fields:
fieldRef: references ordinary metadata
resourceFieldRef: references metadata related to resource limits and resource requests
Example:
[root@k8s-master01 DowardAPI]# cat dowardapi-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dowardapi-pod
spec:
  containers:
  - name: demoapp
    image: ikubernetes/demoapp:v1.0
    env:
    - name: HOST
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
[root@k8s-master01 DowardAPI]# kubectl apply -f dowardapi-pod.yaml
[root@k8s-master01 DowardAPI]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
dowardapi-pod 1/1 Running 0 4m30s 172.16.85.194 k8s-node01 <none> <none>
[root@k8s-master01 DowardAPI]# kubectl exec -it dowardapi-pod /bin/sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
[root@dowardapi-pod /]# printenv | grep HOST
HOSTNAME=dowardapi-pod
NGINX_SERVICE_SERVICE_HOST=10.101.38.66
HOST=172.16.85.194
KUBERNETES_SERVICE_HOST=10.96.0.1
[root@dowardapi-pod /]# printenv | grep POD_NAME
POD_NAME=dowardapi-pod
Projected Volumes
A Projected Volume is a special volume type that projects several existing volumes into a single mount-point directory.
Projected Volumes support only the following four volume types (data sources) for projection; all of them are volumes typically used to supply predefined data to containers:
# Secret: projects a Secret object
# ConfigMap: projects a ConfigMap object
# DownwardAPI: projects Pod metadata
# ServiceAccountToken: projects a ServiceAccount token
By default, Kubernetes uses one Projected Volume on every Pod object.
It projects the ServiceAccount token, the CA certificate (configMap), and the Pod's namespace (downwardAPI) into the container.
Example 1:
[root@k8s-master01 DowardAPI]# kubectl get pod dowardapi-pod -o yaml
# there is a projected section that mounts ca.crt, the namespace name, and the token
# it is mounted at /var/run/secrets/kubernetes.io/serviceaccount inside the container
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-xm9j2
      readOnly: true
  volumes:
  - name: kube-api-access-xm9j2
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
# verify from inside the Pod
[root@k8s-master01 DowardAPI]# kubectl exec -it dowardapi-pod /bin/sh
[root@dowardapi-pod /run/secrets/kubernetes.io/serviceaccount]# pwd
/var/run/secrets/kubernetes.io/serviceaccount
[root@dowardapi-pod /run/secrets/kubernetes.io/serviceaccount]# ls -rlh
total 0
lrwxrwxrwx 1 root root 12 Jan 5 07:30 token -> ..data/token
lrwxrwxrwx 1 root root 16 Jan 5 07:30 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 13 Jan 5 07:30 ca.crt -> ..data/ca.crt
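The token file that the default projected volume places under /var/run/secrets/kubernetes.io/serviceaccount is a bound, time-limited service account token (the expirationSeconds: 3607 above is its requested lifetime). The following added example, which is not part of the original notes and not Kubernetes project code, decodes such a token's claims without verifying the signature and reports what a defender would check: that it carries an exp claim, that its lifetime is short, that it is bound to a Pod, and that it has an audience. The sample claims, the placeholder kid and signature segment, and the one-day max_lifetime policy value are all constructed for the example; signature validation is deliberately left to the API server.

```python
import base64
import json

# Constructed claims shaped like those Kubernetes places in a projected
# ServiceAccountToken (a bound token). Values are made up for this example;
# the lifetime matches the expirationSeconds: 3607 seen in the volume above.
SAMPLE_IAT = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": SAMPLE_IAT,
    "nbf": SAMPLE_IAT,
    "exp": SAMPLE_IAT + 3607,
    "sub": "system:serviceaccount:default:default",
    "kubernetes.io": {
        "namespace": "default",
        "pod": {"name": "dowardapi-pod", "uid": "00000000-0000-0000-0000-000000000000"},
        "serviceaccount": {"name": "default", "uid": "11111111-1111-1111-1111-111111111111"},
    },
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict) -> str:
    """Build an UNSIGNED JWT-shaped string for exercising the inspector.
    The header kid and the signature segment are placeholders, not real values."""
    header = {"alg": "RS256", "kid": "placeholder-kid"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        "signature-placeholder",
    ])


SAMPLE_TOKEN = make_token(SAMPLE_CLAIMS)


def decode_payload(token: str) -> dict:
    """Return the claims without verifying the signature. This is for
    inspection only: validating the token is the API server's job."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWS segments")
    return json.loads(b64url_decode(parts[1]))


def inspect_token(token: str, max_lifetime: int = 86400) -> dict:
    """Summarise the properties of a mounted token that matter to a defender.
    max_lifetime is a local policy knob (assumed here: one day)."""
    claims = decode_payload(token)
    exp, iat = claims.get("exp"), claims.get("iat")
    bound = claims.get("kubernetes.io", {})
    findings = []
    if exp is None:
        # Legacy Secret-based service account tokens carry no exp and never expire.
        findings.append("no exp claim: legacy non-expiring token")
    elif iat is not None and exp - iat > max_lifetime:
        findings.append(f"lifetime {exp - iat}s exceeds policy of {max_lifetime}s")
    if "pod" not in bound:
        findings.append("not bound to a pod: token outlives the pod")
    if not claims.get("aud"):
        findings.append("no audience claim")
    lifetime = exp - iat if exp is not None and iat is not None else None
    return {
        "subject": claims.get("sub"),
        "audience": claims.get("aud"),
        "lifetime_seconds": lifetime,
        "bound_pod": bound.get("pod", {}).get("name"),
        "findings": findings,
    }


def read_mounted_token(path: str = "/var/run/secrets/kubernetes.io/serviceaccount/token") -> str:
    """Read the token file the projected volume above places in the container."""
    with open(path, encoding="ascii") as fh:
        return fh.read()


if __name__ == "__main__":
    # Inside a Pod, replace SAMPLE_TOKEN with read_mounted_token().
    print(json.dumps(inspect_token(SAMPLE_TOKEN), indent=2))
```

Inside a running container, call inspect_token(read_mounted_token()); an empty findings list means the token is a bound, audience-restricted token with a lifetime inside policy. The kubelet refreshes the projected token before it expires, so a workload should re-read the file rather than cache the value for its whole lifetime.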
Official example 2:
# reads the labels and annotations written on the Pod
apiVersion: v1
kind: Pod
metadata:
  name: kubernetes-downwardapi-volume-example
  labels:
    zone: us-est-coast
    cluster: test-cluster1
    rack: rack-22
  annotations:
    build: two
    builder: john-doe
spec:
  containers:
    - name: client-container
      image: registry.k8s.io/busybox
      command: ["sh", "-c"]
      args:
      - while true; do
          if [[ -e /etc/podinfo/labels ]]; then
            echo -en '\n\n'; cat /etc/podinfo/labels; fi;
          if [[ -e /etc/podinfo/annotations ]]; then
            echo -en '\n\n'; cat /etc/podinfo/annotations; fi;
          sleep 5;
        done;
      volumeMounts:
        - name: podinfo
          mountPath: /etc/podinfo
  volumes:
    - name: podinfo
      downwardAPI:
        items:
          - path: "labels"
            fieldRef:
              fieldPath: metadata.labels
          - path: "annotations"
            fieldRef:
              fieldPath: metadata.annotations
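When metadata.labels or metadata.annotations is projected into a file as above, the kubelet writes one key="value" line per entry with keys sorted and the value quoted the way Go's %q verb does (double quotes, backslash escapes for quotes, backslashes, newlines and non-printable characters). Annotation values in particular can contain embedded quotes and newlines (kubectl's last-applied-configuration annotation is a JSON document), so a consumer must unescape rather than strip the quotes. The following is an added example, not from the original notes or from Kubernetes itself: a parser for that format, with sample label and annotation files constructed to match the Pod above so it runs outside a cluster. The /etc/podinfo path comes from the manifest; everything else in the samples is constructed.

```python
from pathlib import Path

# Constructed sample of what the downwardAPI volume writes for metadata.labels
# of the Pod above: one key="value" line per entry, keys in sorted order.
SAMPLE_LABELS = '''cluster="test-cluster1"
rack="rack-22"
zone="us-est-coast"'''

# Constructed annotations sample including a value that needs unescaping
# (embedded double quotes and a trailing newline, as %q would emit them).
SAMPLE_ANNOTATIONS = r'''build="two"
builder="john-doe"
kubectl.kubernetes.io/last-applied-configuration="{\"apiVersion\":\"v1\"}\n"'''

# Single-character escapes Go's %q can produce inside a double-quoted string.
GO_ESCAPES = {
    "a": "\a", "b": "\b", "f": "\f", "n": "\n", "r": "\r", "t": "\t", "v": "\v",
    "\\": "\\", '"': '"', "'": "'",
}
HEX_ESCAPE_WIDTH = {"x": 2, "u": 4, "U": 8}


def unquote_go(quoted: str) -> str:
    """Undo Go %q quoting: surrounding double quotes plus backslash escapes.
    \\xHH is mapped to a code point here; Go emits it only for bytes that are
    not valid UTF-8, which cannot round-trip into a str anyway."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError(f"not a Go-quoted string: {quoted!r}")
    body = quoted[1:-1]
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(body):
            raise ValueError("dangling backslash at end of quoted value")
        esc = body[i]
        if esc in GO_ESCAPES:
            out.append(GO_ESCAPES[esc])
            i += 1
        elif esc in HEX_ESCAPE_WIDTH:
            width = HEX_ESCAPE_WIDTH[esc]
            digits = body[i + 1:i + 1 + width]
            if len(digits) != width:
                raise ValueError(f"truncated \\{esc} escape")
            out.append(chr(int(digits, 16)))
            i += 1 + width
        else:
            raise ValueError(f"unknown escape \\{esc}")
    return "".join(out)


def parse_downward_map(text: str) -> dict:
    """Parse the key="value" lines a downwardAPI volume writes for a map field."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue  # tolerate a trailing blank line
        key, sep, quoted = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=\"value\"")
        result[key] = unquote_go(quoted)
    return result


def read_pod_info(directory: str = "/etc/podinfo") -> dict:
    """Re-read the projected files on every call: the kubelet publishes updates
    by swapping the ..data symlink (visible in the ls output earlier), so a
    reader should open the file afresh rather than hold an old descriptor."""
    base = Path(directory)
    return {
        name: parse_downward_map((base / name).read_text(encoding="utf-8"))
        for name in ("labels", "annotations")
        if (base / name).exists()
    }


if __name__ == "__main__":
    # Inside the Pod above, use read_pod_info() instead of the samples.
    print(parse_downward_map(SAMPLE_LABELS))
    print(parse_downward_map(SAMPLE_ANNOTATIONS))
```

Because the file is rewritten whenever the Pod's labels or annotations change, a process that keys decisions on these values (for example, choosing a configuration by zone or rack) should parse the file on each use rather than at startup only.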