#理解环境变量
#目录
#Overview
Kubernetes 中的环境变量是以键值对形式存在的,用于在容器运行时提供配置信息。它们为向应用程序注入配置信息、密钥和运行时参数提供了一种灵活且安全的方式,无需修改容器镜像或应用代码。
#Core Concepts
#什么是环境变量?
环境变量是:
- 容器内运行的进程可访问的键值对
- 一种无需重建镜像的运行时配置机制
- 向应用程序传递配置信息的标准方式
- 通过任何编程语言的标准操作系统 API 访问
#Kubernetes 中环境变量的来源
Kubernetes 支持多种环境变量来源:
| 来源类型 | 描述 | 使用场景 |
|---|---|---|
| 静态值 | 直接的键值对 | 简单配置 |
| ConfigMap | 引用 ConfigMap 的键 | 非敏感配置 |
| Secret | 引用 Secret 的键 | 敏感数据(密码、令牌) |
| 字段引用 | Pod/容器元数据 | 动态运行时信息 |
| 资源引用 | 资源请求/限制 | 资源感知配置 |
#环境变量优先级
环境变量覆盖配置的顺序如下:
- Kubernetes env(最高优先级)
- 引用的 ConfigMaps/Secrets
- Dockerfile 中的 ENV 指令
- 应用程序默认值(最低优先级)
#使用场景和示例
#1. 应用配置
基本的应用设置:
apiVersion: v1
kind: Pod
spec:
containers:
- name: web-app
image: myapp:latest
env:
- name: PORT
value: "8080"
- name: LOG_LEVEL
value: "info"
- name: ENVIRONMENT
value: "production"
- name: MAX_CONNECTIONS
value: "100"#2. 数据库配置
使用 ConfigMaps 和 Secrets 配置数据库连接:
apiVersion: v1
kind: ConfigMap
metadata:
name: db-config
data:
DB_HOST: "postgres.example.com"
DB_PORT: "5432"
DB_NAME: "myapp"
DB_POOL_SIZE: "10"
---
apiVersion: v1
kind: Secret
metadata:
name: db-secret
type: Opaque
data:
DB_USER: bXl1c2Vy # base64 编码的 "myuser"
DB_PASSWORD: bXlwYXNzd29yZA== # base64 编码的 "mypassword"
---
apiVersion: v1
kind: Pod
spec:
containers:
- name: app
image: myapp:latest
env:
# 来自 ConfigMap
- name: DB_HOST
valueFrom:
configMapKeyRef:
name: db-config
key: DB_HOST
- name: DB_PORT
valueFrom:
configMapKeyRef:
name: db-config
key: DB_PORT
- name: DB_NAME
valueFrom:
configMapKeyRef:
name: db-config
key: DB_NAME
# 来自 Secret
- name: DB_USER
valueFrom:
secretKeyRef:
name: db-secret
key: DB_USER
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: db-secret
key: DB_PASSWORD#3. 动态运行时信息
访问 Pod 和 Node 的元数据:
apiVersion: v1
kind: Pod
spec:
containers:
- name: app
image: myapp:latest
env:
# Pod 信息
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# 资源信息
- name: CPU_REQUEST
valueFrom:
resourceFieldRef:
resource: requests.cpu
- name: MEMORY_LIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory#4. 不同环境的配置
针对不同环境的配置示例:
# 开发环境
apiVersion: v1
kind: ConfigMap
metadata:
name: app-config-dev
data:
DEBUG: "true"
LOG_LEVEL: "debug"
CACHE_TTL: "60"
RATE_LIMIT: "1000"
---
# 生产环境
apiVersion: v1
kind: ConfigMap
metadata:
name: app-config-prod
data:
DEBUG: "false"
LOG_LEVEL: "warn"
CACHE_TTL: "3600"
RATE_LIMIT: "100"
---
# 使用环境特定配置的部署
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
spec:
template:
spec:
containers:
- name: app
image: myapp:latest
envFrom:
- configMapRef:
name: app-config-prod # 开发时改为 app-config-dev#CLI 示例及实际使用
#使用 kubectl run
# 直接设置环境变量
kubectl run myapp --image=nginx --env="PORT=8080" --env="DEBUG=true"
# 多个环境变量
kubectl run webapp --image=myapp:latest \
--env="DATABASE_URL=postgresql://localhost:5432/mydb" \
--env="REDIS_URL=redis://localhost:6379" \
--env="LOG_LEVEL=info"
# 交互式 Pod 并设置环境变量
kubectl run debug --image=ubuntu:20.04 -it --rm \
--env="TEST_VAR=hello" \
--env="ANOTHER_VAR=world" \
-- /bin/bash#使用 kubectl create
# 从字面值创建 ConfigMap
kubectl create configmap app-config \
--from-literal=DATABASE_HOST=postgres.example.com \
--from-literal=DATABASE_PORT=5432 \
--from-literal=CACHE_SIZE=256MB
# 从文件创建 ConfigMap
echo "DEBUG=true" > app.env
echo "LOG_LEVEL=debug" >> app.env
kubectl create configmap app-env --from-env-file=app.env
# 创建用于敏感数据的 Secret
kubectl create secret generic db-secret \
--from-literal=username=myuser \
--from-literal=password=mypassword#复杂环境变量示例
#带服务发现的微服务
apiVersion: v1
kind: ConfigMap
metadata:
name: service-config
data:
USER_SERVICE_URL: "http://user-service:8080"
ORDER_SERVICE_URL: "http://order-service:8080"
PAYMENT_SERVICE_URL: "http://payment-service:8080"
NOTIFICATION_SERVICE_URL: "http://notification-service:8080"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: api-gateway
spec:
template:
spec:
containers:
- name: gateway
image: api-gateway:latest
env:
- name: PORT
value: "8080"
- name: ENVIRONMENT
value: "production"
envFrom:
- configMapRef:
name: service-config
- secretRef:
name: api-keys#多容器 Pod 共享配置
apiVersion: v1
kind: Pod
metadata:
name: multi-container-app
spec:
containers:
# 主应用容器
- name: app
image: myapp:latest
env:
- name: ROLE
value: "primary"
- name: SHARED_SECRET
valueFrom:
secretKeyRef:
name: shared-secret
key: token
envFrom:
- configMapRef:
name: shared-config
# Sidecar 容器
- name: sidecar
image: sidecar:latest
env:
- name: ROLE
value: "sidecar"
- name: MAIN_APP_URL
value: "http://localhost:8080"
- name: SHARED_SECRET
valueFrom:
secretKeyRef:
name: shared-secret
key: token
envFrom:
- configMapRef:
name: shared-config#最佳实践
#1. 安全最佳实践
# ✅ 对敏感数据使用 Secrets
apiVersion: v1
kind: Secret
metadata:
name: app-secrets
type: Opaque
data:
api-key: <base64-encoded-value>
database-password: <base64-encoded-value>
---
apiVersion: v1
kind: Pod
spec:
containers:
- name: app
image: myapp:latest
env:
# ✅ 引用 Secrets
- name: API_KEY
valueFrom:
secretKeyRef:
name: app-secrets
key: api-key
# ❌ 避免硬编码敏感数据
# - name: API_KEY
# value: "secret-api-key-123"#2. 配置组织
# ✅ 按用途组织配置
apiVersion: v1
kind: ConfigMap
metadata:
name: database-config
data:
DB_HOST: "postgres.example.com"
DB_PORT: "5432"
DB_POOL_SIZE: "10"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: cache-config
data:
REDIS_HOST: "redis.example.com"
REDIS_PORT: "6379"
CACHE_TTL: "3600"
---
apiVersion: v1
kind: Pod
spec:
containers:
- name: app
image: myapp:latest
envFrom:
- configMapRef:
name: database-config
- configMapRef:
name: cache-config#3. 环境变量命名
# ✅ 使用一致的命名规范
env:
- name: DATABASE_HOST # 清晰且描述性强的名称
value: "postgres.example.com"
- name: DATABASE_PORT # 使用下划线分隔
value: "5432"
- name: LOG_LEVEL # 环境变量使用大写
value: "info"
- name: FEATURE_FLAG_NEW_UI # 相关变量使用前缀
value: "true"
# ❌ 避免不清晰或不一致的命名
# - name: db # 太短
# - name: databaseHost # 命名风格不一致
# - name: log-level # 分隔符不一致#4. 默认值和校验
apiVersion: v1
kind: Pod
spec:
containers:
- name: app
image: myapp:latest
env:
- name: PORT
value: "8080" # 提供合理的默认值
- name: LOG_LEVEL
value: "info" # 默认安全值
- name: TIMEOUT_SECONDS
value: "30" # 名称中包含单位
- name: MAX_RETRIES
value: "3" # 限制重试次数