secret
https://blog.csdn.net/u010278923/article/details/72857928
https://www.cnblogs.com/cf532088799/p/7977083.html
Concept
The main purpose of the Secret object type is to store and handle sensitive or private data such as passwords, OAuth tokens and SSH keys. Keeping this information in a Secret object is safer and more convenient than putting it directly into a Pod spec or a Docker image.
A Secret that has already been created can be used by a Pod in two ways: first, mounted as files in a volume inside a container; second, used by the kubelet when pulling images.
Types
Opaque: an arbitrary string; the default type
kubernetes.io/dockercfg: used for a Docker registry; authentication when pulling Docker images
kubernetes.io/service-account-token: used for ServiceAccounts
2. Run kubectl get secret kubesystemsecret -n kube-system -o yaml to obtain the value of data.dockercfg
apiVersion: v1
kind: Secret
metadata:
  name: kubesystemsecret
  namespace: default
data:
  .dockercfg: eyIxMC4zMC4zMC4xMjY6ODEyMyI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbjEyMyIsImVtYWlsIjoid3VfYm8zQGhvcGVydW4uY29tIiwiYXV0aCI6IllXUnRhVzQ2WVdSdGFXNHhNak09In19
type: kubernetes.io/dockercfg
---
apiVersion: v1
kind: Pod
metadata:
  #namespace: kube-system
  namespace: default
  labels:
    name: busybox
    role: master
  name: busybox
spec:
  containers:
  - name: busybox
    image: 10.30.30.126:8123/docker.io/busybox:latest
    command:
    - sleep
    - "360000"
  # the kubelet uses this dockercfg secret to authenticate the image pull
  imagePullSecrets:
  - name: kubesystemsecret
The procedure for the second usage method is as follows. First base64-encode the values (note the -n, which keeps echo from appending a newline to the value):
$ echo -n admin | base64
YWRtaW4=
$ echo -n admin123 | base64
YWRtaW4xMjM=
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: YWRtaW4xMjM=
  username: YWRtaW4=
Or, using the command line:
kubectl create secret generic mysecret --from-literal=username=test --from-literal=password=test123
http://docs.kubernetes.org.cn/548.html
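As an added illustration (not code from the original notes), the following Python helper builds the two Secret types shown above from sample values, reverses the base64 layer the same way anyone allowed to read the manifest or run kubectl get secret can, and flags values that were encoded with plain echo instead of echo -n. The registry address and the admin/admin123 credentials are the page's own sample values; the email address and all function names are constructed for this example.

```python
import base64
import json

# Constructed sample value mirroring the page's manifests (not the page's own blob).
REGISTRY = "10.30.30.126:8123"


def encode_literal(value: str) -> str:
    """Encode one value exactly as `echo -n <value> | base64` does. This is encoding, not encryption."""
    return base64.b64encode(value.encode()).decode()


def opaque_secret(name: str, literals: dict) -> dict:
    """Build an Opaque Secret manifest whose data fields hold base64 text."""
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "Opaque", "data": {k: encode_literal(v) for k, v in literals.items()}}


def dockercfg_secret(name: str, registry: str, user: str, password: str, email: str) -> dict:
    """Build a kubernetes.io/dockercfg Secret: a JSON registry config whose auth field
    is itself just base64 of "user:password"."""
    cfg = {registry: {"username": user, "password": password, "email": email,
                      "auth": encode_literal(f"{user}:{password}")}}
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/dockercfg", "data": {".dockercfg": encode_literal(json.dumps(cfg))}}


def decode_secret(manifest: dict) -> dict:
    """Strip the base64 layer; for dockercfg also unwrap the nested auth field.

    Anyone with read access to the Secret (or to a manifest committed to git) can do this,
    so the manifest itself must be treated as sensitive and RBAC scoped accordingly.
    """
    plain = {k: base64.b64decode(v).decode() for k, v in manifest["data"].items()}
    if manifest.get("type") == "kubernetes.io/dockercfg":
        cfg = json.loads(plain[".dockercfg"])
        for entry in cfg.values():
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
            entry["auth_decoded"] = {"username": user, "password": password}
        plain[".dockercfg"] = cfg
    return plain


def keys_with_trailing_newline(manifest: dict) -> list:
    """Flag values encoded with plain `echo` instead of `echo -n`: the stray newline ends up
    in the mounted file or environment variable and silently breaks authentication."""
    return [k for k, v in manifest["data"].items() if base64.b64decode(v).endswith(b"\n")]


if __name__ == "__main__":
    secret = opaque_secret("mysecret", {"username": "admin", "password": "admin123"})
    print(json.dumps(secret, indent=2))
    print(decode_secret(dockercfg_secret("kubesystemsecret", REGISTRY, "admin", "admin123", "ops@example.invalid")))
```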
apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
spec:
  containers:
  - name: test-container
    image: 10.30.30.126:8123/library/nginx:latest
    volumeMounts:
    # name must match the volume name below
    - name: secret-volume
      mountPath: /etc/secret-volume
  imagePullSecrets:
  - name: kubesystemsecret
  volumes:
  - name: secret-volume
    secret:
      # each key of mysecret becomes a file under the mount path, already base64-decoded
      secretName: mysecret
$ kubectl exec secret-test-pod ls /etc/secret-volume/
password
username
$ kubectl exec secret-test-pod cat /etc/secret-volume/password
admin123
$ kubectl exec secret-test-pod cat /etc/secret-volume/username
admin
Environment variables
apiVersion: v1
kind: Pod
metadata:
  name: secret-envars-test-pod
spec:
  containers:
  - name: envars-test-container
    image: 10.30.30.126:8123/library/nginx:latest
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          # the Opaque secret holding username and password (mysecret above)
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
  imagePullSecrets:
  - name: kubesystemsecret
Inside the container, printenv shows the decoded values:
$ printenv
SECRET_USERNAME=admin
SECRET_PASSWORD=admin123
kubernetes.io/service-account-token: used for ServiceAccounts. I don't know how to use this one yet!!!