关于K8S中ConfigMap与Secret的了解

In Kubernetes (K8s), ConfigMap and Secret are the two resource types used to store application configuration and sensitive data. They let you keep configuration and credential management separate from the application deployment itself, which improves both security and flexibility.

Definitions

ConfigMap

A ConfigMap stores non-sensitive configuration data such as environment variables and configuration files. It can be injected into a Pod in several ways: as environment variables, as command-line arguments, or mounted as files.
```go
// ConfigMap holds configuration data for pods to consume.
type ConfigMap struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Immutable, if set to true, ensures that data stored in the ConfigMap cannot
	// be updated (only object metadata can be modified).
	// If not set to true, the field can be modified at any time.
	// Defaulted to nil.
	// +optional
	Immutable *bool `json:"immutable,omitempty" protobuf:"varint,4,opt,name=immutable"`

	// Data contains the configuration data.
	// Each key must consist of alphanumeric characters, '-', '_' or '.'.
	// Values with non-UTF-8 byte sequences must use the BinaryData field.
	// The keys stored in Data must not overlap with the keys in
	// the BinaryData field, this is enforced during validation process.
	// +optional
	Data map[string]string `json:"data,omitempty" protobuf:"bytes,2,rep,name=data"`

	// BinaryData contains the binary data.
	// Each key must consist of alphanumeric characters, '-', '_' or '.'.
	// BinaryData can contain byte sequences that are not in the UTF-8 range.
	// The keys stored in BinaryData must not overlap with the ones in
	// the Data field, this is enforced during validation process.
	// Using this field will require 1.10+ apiserver and
	// kubelet.
	// +optional
	BinaryData map[string][]byte `json:"binaryData,omitempty" protobuf:"bytes,3,rep,name=binaryData"`
}
```

Secret

A Secret stores sensitive data such as passwords and API keys. The data in a Secret is stored Base64-encoded, but note that this is not encryption; it is only an encoding.
```go
type Secret struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Immutable, if set to true, ensures that data stored in the Secret cannot
	// be updated (only object metadata can be modified).
	// If not set to true, the field can be modified at any time.
	// Defaulted to nil.
	// +optional
	Immutable *bool `json:"immutable,omitempty" protobuf:"varint,5,opt,name=immutable"`

	// Data contains the secret data. Each key must consist of alphanumeric
	// characters, '-', '_' or '.'. The serialized form of the secret data is a
	// base64 encoded string, representing the arbitrary (possibly non-string)
	// data value here. Described in https://tools.ietf.org/html/rfc4648#section-4
	// +optional
	Data map[string][]byte `json:"data,omitempty" protobuf:"bytes,2,rep,name=data"`

	// stringData allows specifying non-binary secret data in string form.
	// It is provided as a write-only input field for convenience.
	// All keys and values are merged into the data field on write, overwriting any existing values.
	// The stringData field is never output when reading from the API.
	// +k8s:conversion-gen=false
	// +optional
	StringData map[string]string `json:"stringData,omitempty" protobuf:"bytes,4,rep,name=stringData"`

	// Used to facilitate programmatic handling of secret data.
	// More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
	// +optional
	Type SecretType `json:"type,omitempty" protobuf:"bytes,3,opt,name=type,casttype=SecretType"`
}
```

Comparison

| Resource | Similarities | Differences |
|---|---|---|
| ConfigMap | Injected into the Pod as environment variables or mounted as files; in both cases the content is key:value (a map type) | Content is plaintext; suited to configuration such as file paths |
| Secret | Injected into the Pod as environment variables or mounted as files; in both cases the content is key:value (a map type) | Content is Base64-encoded (passwords and the like); the Type field can restrict what the content may contain |

Usage

Creating a ConfigMap

You can create a ConfigMap from the command line or from a YAML file. The following is an example YAML file that creates a ConfigMap:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-config-map
data:
  key1: config-value-1
  key2: config-value-2
```

Using a ConfigMap in a Pod

You can reference the ConfigMap in the Pod definition, either as an environment variable or as a mounted volume:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mycontainer
      image: ljtian/http-server-gen:v0.2
      env:
        - name: KEY1
          valueFrom:
            configMapKeyRef:
              name: my-config-map
              key: key1
      volumeMounts:
        - name: config-volume
          mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: my-config-map
```

Creating a Secret

You can create a Secret from the command line or from a YAML file. The following is an example YAML file that creates a Secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: dXNlcm5hbWU=   # Base64-encoded username
  password: cGFzc3dvcmQ=   # Base64-encoded password
```

Using a Secret in a Pod

You can reference the Secret in the Pod definition, either as environment variables or as a read-only mounted volume:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mycontainer
      image: ljtian/http-server-gen:v0.2
      env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: password
      volumeMounts:
        - name: secret-volume
          readOnly: true
          mountPath: "/etc/secret-volume"
  volumes:
    - name: secret-volume
      secret:
        secretName: my-secret
```
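As an added example (not code from the original page or from Kubernetes itself), the following Python script applies the rules stated in the struct definitions above: the key character set, the ConfigMap rule that data and binaryData keys must not overlap, the write-time merge of stringData into data, and decoding of data to show that Base64 is reversible. The sample manifest is constructed to mirror my-secret, and KEY_RE is an assumption that mirrors the documented key rule rather than the apiserver's own validator.

```python
import base64
import re

# Key rule from the struct comments above: alphanumeric, '-', '_' or '.'.
# Assumption: this regex mirrors the documented rule, not the apiserver's validator.
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")

def invalid_keys(keys):
    """Return the keys that fall outside the documented character set."""
    return [k for k in keys if not KEY_RE.match(k)]

def check_configmap(cm):
    """Return a list of validation problems (empty means valid)."""
    data = cm.get("data") or {}
    binary = cm.get("binaryData") or {}
    problems = [f"invalid key: {k}" for k in invalid_keys(list(data) + list(binary))]
    # Struct comments: data and binaryData keys must not overlap.
    for k in sorted(set(data) & set(binary)):
        problems.append(f"key in both data and binaryData: {k}")
    return problems

def normalize_secret(secret):
    """Merge stringData into data as the API does on write: each value is
    Base64-encoded and overwrites an existing data key; stringData is then
    dropped, because the API never returns it on read."""
    data = dict(secret.get("data") or {})
    string_data = secret.get("stringData") or {}
    bad = invalid_keys(list(data) + list(string_data))
    if bad:
        raise ValueError(f"invalid keys: {bad}")
    for k, v in string_data.items():
        data[k] = base64.b64encode(v.encode("utf-8")).decode("ascii")
    out = {k: v for k, v in secret.items() if k != "stringData"}
    out["data"] = data
    return out

def reveal_secret(secret):
    """Decode every data value. Base64 is reversible: whoever can read the
    Secret object reads the plaintext, so this is encoding, not encryption."""
    return {k: base64.b64decode(v).decode("utf-8")
            for k, v in (secret.get("data") or {}).items()}

# Constructed sample mirroring the my-secret manifest on this page, plus a
# stringData entry to show it overwriting data.password on write.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "my-secret"},
    "type": "Opaque",
    "data": {"username": "dXNlcm5hbWU=", "password": "cGFzc3dvcmQ="},
    "stringData": {"password": "rotated-pw"},
}
```

Because reading the object is enough to recover every value, access to Secrets should be limited with RBAC and the API server's etcd encryption at rest should be enabled rather than relying on the Base64 encoding.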

Demo

Demo using uccps

ConfigMap demo

Create it from the YAML file

View the result

Secret demo

Create it from the YAML file

Result

Summary

ConfigMap stores non-sensitive configuration data, while Secret stores sensitive data. Both let you keep configuration and sensitive data separate from the application deployment, improving security and flexibility.

Sources