
Configuration Management

This chapter introduces the configuration management mechanisms in Kubernetes: ConfigMap, Secret, resource quotas (ResourceQuota) and limit ranges (LimitRange).

ConfigMap

A ConfigMap stores non-sensitive configuration data.

Creating a ConfigMap

# From a file
kubectl create configmap app-config \
  --from-file=config.properties

# From an env file
kubectl create configmap app-env \
  --from-env-file=env.properties

# From literal values
kubectl create configmap special-config \
  --from-literal=LOG_LEVEL=info \
  --from-literal=MAX_SIZE=1000

YAML definition

apiVersion: v1
kind: ConfigMap
metadata:
  name: game-config
data:
  # simple key/value pairs
  game.level: "difficult"
  game.speed: "fast"

  # a whole configuration file
  server.properties: |
    server.port=8080
    server.host=0.0.0.0
    compression.enabled=true

  # JSON content
  config.json: |
    {
      "logLevel": "info",
      "maxConnections": 100,
      "features": {
        "featureA": true,
        "featureB": false
      }
    }

Using a ConfigMap in a Pod

As environment variables

spec:
  containers:
  - name: app
    image: my-app
    env:
    # a single key
    - name: LOG_LEVEL
      valueFrom:
        configMapKeyRef:
          name: game-config
          key: game.level
    # every key as an environment variable
    envFrom:
    - configMapRef:
        name: game-config

As a volume mount

spec:
  containers:
  - name: app
    image: my-app
    volumeMounts:
    - name: config
      mountPath: /etc/config
      readOnly: true
  volumes:
  - name: config
    configMap:
      name: game-config
      items:
      - key: server.properties
        path: server.properties

Secret

A Secret stores sensitive data such as passwords, tokens and keys.

Creating a Secret

# From files
kubectl create secret generic db-credentials \
  --from-file=username=./username.txt \
  --from-file=password=./password.txt

# From a literal value
kubectl create secret generic api-key \
  --from-literal=api-key=your-api-key

# TLS certificate
kubectl create secret tls my-tls \
  --cert=./cert.pem \
  --key=./key.pem

# Docker registry credentials
kubectl create secret docker-registry my-registry \
  --docker-server=https://index.docker.io/v1/ \
  --docker-username=myuser \
  --docker-password=mypassword

Secret types

Type                              Purpose
Opaque                            Generic type (default)
kubernetes.io/tls                 TLS certificate
kubernetes.io/dockerconfigjson    Docker registry credentials
kubernetes.io/basic-auth          HTTP basic authentication

YAML definition

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
stringData:
  # plaintext (automatically converted to base64 on write)
  api-key: your-api-key
  username: admin
---
# base64-encoded values
apiVersion: v1
kind: Secret
metadata:
  name: encoded-secret
type: Opaque
data:
  # echo -n "password" | base64
  password: cGFzc3dvcmQ=

Using a Secret

spec:
  containers:
  - name: app
    image: my-app
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: password
    volumeMounts:
    - name: credentials
      mountPath: /etc/credentials
      readOnly: true
  volumes:
  - name: credentials
    secret:
      secretName: db-credentials
      items:
      - key: username
        path: username

Resource quotas (ResourceQuota)

Creating a ResourceQuota

apiVersion: v1
kind: ResourceQuota
metadata:
  name: my-quota
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    persistentvolumeclaims: "10"
    pods: "20"
    services: "10"
    secrets: "20"
    configmaps: "20"

Viewing quota usage

kubectl get resourcequota
kubectl describe resourcequota

Default limits (LimitRange)

apiVersion: v1
kind: LimitRange
metadata:
  name: my-limits
spec:
  limits:
  - max:
      cpu: "2"
      memory: 2Gi
    min:
      cpu: 100m
      memory: 128Mi
    default:
      cpu: 500m
      memory: 512Mi
    defaultRequest:
      cpu: 200m
      memory: 256Mi
    type: Container
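Added example, not part of the page and not Kubernetes code: a small Python emulation of how the LimitRange admission step applies the my-limits object above to a container, filling in default/defaultRequest only for fields the container left unset (a limit given without a request becomes that request) and flagging values outside min/max. The container specs are constructed inline as dicts; maxLimitRequestRatio is not modelled.

```python
import re

# Kubernetes quantity suffixes handled here: millicores plus binary/decimal memory units.
UNITS = {"": 1, "m": 1e-3, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30,
         "K": 1e3, "M": 1e6, "G": 1e9}

# The "my-limits" LimitRange from the page (type: Container), as a dict.
LIMIT_RANGE = {
    "max": {"cpu": "2", "memory": "2Gi"},
    "min": {"cpu": "100m", "memory": "128Mi"},
    "default": {"cpu": "500m", "memory": "512Mi"},
    "defaultRequest": {"cpu": "200m", "memory": "256Mi"},
}

def parse_quantity(q):
    """Convert a quantity string ("500m", "2Gi", "4") to a plain number."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", str(q))
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unsupported quantity: {q!r}")
    return float(m.group(1)) * UNITS[m.group(2)]

def apply_limit_range(container, lr=LIMIT_RANGE):
    """Return (resources after defaulting, list of violations) for one container."""
    given = container.get("resources", {})
    limits, requests = dict(given.get("limits", {})), dict(given.get("requests", {}))
    violations, name = [], container["name"]
    for r in ("cpu", "memory"):
        if r not in requests:
            # A limit written by the author becomes the request; otherwise defaultRequest applies.
            requests[r] = limits[r] if r in limits else lr["defaultRequest"][r]
        limits.setdefault(r, lr["default"][r])
        lim, req = parse_quantity(limits[r]), parse_quantity(requests[r])
        if lim > parse_quantity(lr["max"][r]):
            violations.append(f"{name}: {r} limit {limits[r]} exceeds max {lr['max'][r]}")
        if req < parse_quantity(lr["min"][r]):
            violations.append(f"{name}: {r} request {requests[r]} is below min {lr['min'][r]}")
        if req > lim:
            violations.append(f"{name}: {r} request {requests[r]} exceeds limit {limits[r]}")
    return {"requests": requests, "limits": limits}, violations

# Constructed sample containers: one declares nothing, one asks for too much memory.
SAMPLE_CONTAINERS = [
    {"name": "web", "image": "my-app"},
    {"name": "worker", "image": "my-app",
     "resources": {"limits": {"memory": "4Gi"}, "requests": {"cpu": "50m"}}},
]

if __name__ == "__main__":
    for c in SAMPLE_CONTAINERS:
        print(c["name"], *apply_limit_range(c))
```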

Resource limit best practices

1. Set reasonable resource requests

resources:
  requests:
    memory: "128Mi"
    cpu: "100m"
  limits:
    memory: "256Mi"
    cpu: "500m"

2. Use a LimitRange to set defaults

apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
spec:
  limits:
  - default:
      memory: 512Mi
      cpu: 500m
    defaultRequest:
      memory: 256Mi
      cpu: 200m
    type: Container

3. Use an HPA for automatic scaling

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: my-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: my-app
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 80

Namespace management

Creating a namespace

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    environment: production

Working with resources in a namespace

# Specify the namespace
kubectl get pods -n production

# Set the default namespace
kubectl config set-context --current --namespace=production

Namespace-level resource quota

apiVersion: v1
kind: ResourceQuota
metadata:
  name: prod-quota
  namespace: production
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
    pods: "50"

Configuration management tools

Kustomize

# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- deployment.yaml
- service.yaml
- configmap.yaml

configMapGenerator:
- name: app-config
  literals:
  - LOG_LEVEL=info

replicas:
- name: app
  count: 3

Helm

# Install Helm
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

# Add a repository
helm repo add stable https://charts.helm.sh/stable
helm repo update

# Install a chart
helm install my-release stable/nginx-ingress

# List releases
helm list

# Upgrade
helm upgrade my-release stable/nginx-ingress

Summary

In this chapter we covered:

  1. ConfigMap: managing non-sensitive configuration
  2. Secret: managing sensitive data
  3. ResourceQuota: namespace-level resource limits
  4. LimitRange: default resource limits for Pods/containers
  5. HPA: automatic scaling
  6. Namespaces: resource isolation
  7. Configuration tools: Kustomize and Helm

Exercises

  1. Create a ConfigMap and use it in a Pod
  2. Create a Secret holding database credentials
  3. Set a ResourceQuota on a namespace
  4. Use a LimitRange to set default resource limits

Keep going on your Kubernetes journey!