Secret configuration management
A Secret object is similar to a ConfigMap, but it is meant for sensitive data such as passwords, OAuth tokens and SSH keys. Keeping such data in a Secret is safer and more flexible than writing it into the Pod definition or baking it into the container image.
A Pod can consume a Secret in several ways: as files in a volume mounted into a container, as container environment variables, or as imagePullSecrets used by the kubelet when it pulls the image. Each of these is shown below.
1. Look at the volume mounts in a pod
[wjjk8s@server1 cm]$ kubectl run test --image=busybox --restart=Never
[wjjk8s@server1 ~]$ kubectl describe sa default
[wjjk8s@server1 ~]$ kubectl run test --image=busybox -it
If you don't see a command prompt, try pressing enter.
/ # cd /var/run/secrets/kubernetes.io/
/var/run/secrets/kubernetes.io # cd serviceaccount/
/var/run/secrets/kubernetes.io/serviceaccount # ls
ca.crt namespace token
2. Every namespace has a default ServiceAccount object named default
[wjjk8s@server1 ~]$ kubectl get secret
[wjjk8s@server1 ~]$ kubectl get pod -o yaml
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-l7p69
      readOnly: true
# The ServiceAccount owns a token Secret that can be mounted into the pod like any other volume; when the pod starts the kubelet mounts it at the path above so that processes in the pod can authenticate to the API server. Since Kubernetes 1.24 the kubelet instead projects a short-lived, pod-bound token and no default-token-xxxxx Secret is created any more. Either way every pod receives API credentials by default, so set automountServiceAccountToken: false on pods (or on the ServiceAccount) that never need to talk to the API server.
3. In an Opaque Secret the values are only base64-encoded, not encrypted: anyone allowed to get the Secret (and, unless encryption at rest is configured, anyone who can read etcd) recovers the plaintext with base64 -d.
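To see what those three files actually hand to a process, here is an added example (my own shell script, not part of the original notes) that reads the projected directory and decodes the token's JWT claims. It assumes GNU coreutils (base64 -d) and the kubelet's default mount path; make_unsigned_jwt only builds a constructed, unsigned token so the functions can be exercised outside a cluster.

```bash
#!/bin/bash
# Added example, not from the original notes: inspect the service-account
# files projected into a pod. Assumes GNU coreutils (base64 -d) and the
# default mount path; override SA_DIR to point elsewhere.
SA_DIR=${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}

# JWT segments are base64url without padding: restore the standard
# alphabet and padding before handing them to base64 -d.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}
b64url_encode() { base64 | tr -d '\n=' | tr '/+' '_-'; }

# jwt_claims TOKEN: the JSON payload (second dot-separated segment).
# The signature is NOT verified here; only the API server can do that.
jwt_claims() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# token_subject TOKEN: the "sub" claim, e.g. system:serviceaccount:default:default
token_subject() { jwt_claims "$1" | sed 's/.*"sub":"\([^"]*\)".*/\1/'; }

# token_is_bound TOKEN: a projected (bound) token carries an "exp" claim;
# a legacy default-token-xxxxx Secret token never expires.
token_is_bound() { jwt_claims "$1" | grep -q '"exp"'; }

# make_unsigned_jwt JSON: constructed, unsigned token for offline tests.
# It has an empty signature and must never be presented to a real server.
make_unsigned_jwt() {
  printf '%s.%s.' "$(printf '{"alg":"none"}' | b64url_encode)" \
                  "$(printf '%s' "$1" | b64url_encode)"
}

# sa_report [DIR]: summarize the credentials a process in the pod was given.
sa_report() {
  dir=${1:-$SA_DIR}
  tok=$(cat "$dir/token")
  printf 'namespace: %s\n' "$(cat "$dir/namespace")"
  printf 'subject:   %s\n' "$(token_subject "$tok")"
  if token_is_bound "$tok"; then
    printf 'token:     bound, expires (exp claim present)\n'
  else
    printf 'token:     legacy Secret token, never expires\n'
  fi
  printf 'ca.crt:    %s bytes\n' "$(wc -c < "$dir/ca.crt")"
}

# whoami_via_api [DIR]: the request a process makes with those files.
# Needs in-cluster network access; with the unprivileged default
# ServiceAccount the answer is a 403 whose message still names the
# authenticated subject, which is the point of the check.
whoami_via_api() {
  dir=${1:-$SA_DIR}
  curl -sS --cacert "$dir/ca.crt" \
    -H "Authorization: Bearer $(cat "$dir/token")" \
    "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT:-443}/api/v1/namespaces/$(cat "$dir/namespace")/pods"
}

# Print the report only when the files are actually there (inside a pod).
if [ -f "$SA_DIR/token" ]; then sa_report; fi
```

Run it inside the busybox pod above (after installing bash and coreutils, or after replacing the bash-specific arithmetic) and it tells you whether the token will ever expire; a "never expires" result on a modern cluster means a long-lived Secret token was mounted and should be rotated.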
4. Creating Secrets
4.1 From files
[wjjk8s@server1 ~]$ echo -n 'admin' > ./username.txt
[wjjk8s@server1 ~]$ echo -n 'westos' > ./password.txt
[wjjk8s@server1 ~]$ kubectl create secret generic my-secret --from-file=username.txt --from-file=password.txt
[wjjk8s@server1 ~]$ kubectl get secret
[wjjk8s@server1 ~]$ kubectl describe secrets my-secret
The values stored in the Secret are base64-encoded (kubectl get secret my-secret -o yaml shows them); decode one with base64 -d:
[wjjk8s@server1 ~]$ echo d2VzdG9z|base64 -d
westos
If a password contains characters the shell treats specially ($, \, *, ! and so on), escape each of them with \ or, simpler, put the whole value in single quotes so that it reaches kubectl unchanged:
[wjjk8s@server1 ~]$ kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password=S\!B\\*d\$zDsb^C
[wjjk8s@server1 ~]$ kubectl get secret
NAME            TYPE     DATA   AGE
dev-db-secret   Opaque   2      20s
[wjjk8s@server1 ~]$ kubectl get secrets dev-db-secret -o yaml
apiVersion: v1
data:
  password: UyFCXCpkJHpEc2JeQw==
  username: ZGV2dXNlcg==
[wjjk8s@server1 ~]$ echo UyFCXCpkJHpEc2JeQw== | base64 -d
S!B\*d$zDsb^C
4.2 Create from a YAML manifest (data takes base64-encoded values; a stringData field would accept plain text, which the API server encodes on write)
[wjjk8s@server1 ~]$ cat mysecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: UyFCXCpkJHpEc2JeQw==
  username: ZGV2dXNlcg==
[wjjk8s@server1 ~]$ kubectl create -f mysecret.yaml
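What kubectl create secret generic does with the literals in 4.1, and what the manifest in 4.2 has to contain, comes down to base64-encoding each value, and that is where the echo and quoting mistakes creep in. The following is an added example of my own (not from the original notes) that builds the same manifest by hand and decodes it back; it assumes GNU coreutils base64, and the function names are mine.

```bash
#!/bin/bash
# Added example, not from the original notes: build an Opaque Secret
# manifest from key=value pairs the way kubectl create secret generic does
# (kubectl ... --dry-run=client -o yaml prints the same thing). Assumes
# GNU coreutils base64; function names are mine.

# Single-line base64: GNU base64 wraps at 76 columns and the API server
# rejects a data value with embedded newlines.
b64() { base64 | tr -d '\n'; }

# encode_value VALUE: base64 of exactly VALUE. printf '%s' is used rather
# than echo because echo appends "\n" unless told not to, and some echo
# implementations interpret the backslashes a password may contain.
encode_value() { printf '%s' "$1" | b64; }
decode_value() { printf '%s' "$1" | base64 -d; }

# secret_manifest NAME KEY=VALUE...: the manifest kubectl would produce.
# Values arrive as arguments, so quoting happens exactly once at the call
# site: wrap anything containing $ \ * ! in single quotes.
secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(encode_value "${kv#*=}")"
  done
}

# manifest_value MANIFEST KEY: decode one key from a manifest's data block
# (the same text kubectl get secret NAME -o yaml shows).
manifest_value() {
  decode_value "$(printf '%s\n' "$1" | sed -n "s/^  $2: //p")"
}

# Demonstration with the page's own credentials.
manifest=$(secret_manifest dev-db-secret username=devuser 'password=S!B\*d$zDsb^C')
printf '%s\n' "$manifest"
# The trailing-newline trap: "echo westos | base64" encodes seven bytes,
# so the password stored in the Secret would end in "\n".
printf 'printf: %s   echo: %s\n' "$(encode_value westos)" "$(echo westos | b64)"
```

The usual one-liner for reading a single key back out of the cluster is kubectl get secret dev-db-secret -o jsonpath='{.data.password}' | base64 -d; the decoded value must match what you passed in byte for byte, which is why the example checks the round trip rather than eyeballing the base64.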
4.3 Mount the Secret as a volume
[wjjk8s@server1 serect]$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
[wjjk8s@server1 serect]$ kubectl apply -f pod.yaml
4.4 Project a Secret key to a chosen path (once items is given, only the listed keys are mounted; here password is deliberately left out of the volume)
[wjjk8s@server1 serect]$ vim pod2.yaml
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username
[wjjk8s@server1 serect]$ kubectl create -f pod2.yaml
[wjjk8s@server1 serect]$ kubectl exec -it mysecret -- bash
root@mysecret:/# cd /secret
root@mysecret:/secret# ls
my-group
root@mysecret:/secret# cd my-group
root@mysecret:/secret/my-group# ls
my-username
4.5 Expose the Secret as environment variables; unlike a volume mount, these are fixed when the container starts and are not updated when the Secret changes. They are also readable from /proc/<pid>/environ and inherited by every child process, so prefer the file mount for anything sensitive.
[wjjk8s@server1 serect]$ vim pod3.yaml
[wjjk8s@server1 serect]$ kubectl apply -f pod3.yaml
[wjjk8s@server1 serect]$ kubectl exec -it secret-env -- bash
SECRET_USERNAME=devuser
SECRET_PASSWORD=S!B\*d$zDsb
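The difference between 4.3 and 4.5 is worth seeing concretely. Below is an added example of my own (not from the original notes) that reads a key from a Secret volume the way an application should, and simulates the kubelet's update locally so the rotation can be observed without a cluster. It assumes the kubelet's symlink layout for a secret volume mounted without subPath; the directory names and helper names are mine.

```bash
#!/bin/bash
# Added example, not from the original notes: read a Secret volume the way
# an application should so that rotations are picked up, and simulate the
# kubelet's update locally. Assumed layout for a secret volume mounted
# without subPath (what ls -la /secret shows in the pod):
#   /secret/..data    -> ..2024_01_01_00_00_00.000000001   (timestamped dir)
#   /secret/username  -> ..data/username
# The kubelet writes a new timestamped dir, then swaps ..data with
# rename(2); the per-key symlinks never change, so a reader that opens
# /secret/KEY on each use sees the new value without a restart.

# read_secret_key DIR KEY: open through the symlink on every call; never
# cache the value at startup (caching is exactly what an env var does).
read_secret_key() { cat "$1/$2"; }

# fake_secret_volume DIR STAMP KEY=VALUE...: constructed local stand-in
# for one kubelet sync. Calling it again with a new STAMP is a rotation.
fake_secret_volume() {
  dir=$1; stamp=$2; shift 2
  mkdir -p "$dir/$stamp"
  for kv in "$@"; do
    key=${kv%%=*}
    printf '%s' "${kv#*=}" > "$dir/$stamp/$key"
    ln -sfn "..data/$key" "$dir/$key"        # stable per-key symlink
  done
  # The kubelet uses rename(2) for an atomic swap; ln -sfn (unlink +
  # symlink) is the portable approximation and is enough for this demo.
  ln -sfn "$stamp" "$dir/..data"
}

# rotation_demo DIR: value captured at startup vs value read live after
# a rotation, printed as "startup|live".
rotation_demo() {
  vol=$1
  fake_secret_volume "$vol" ..2024_01_01_00_00_00.000000001 \
    username=devuser 'password=S!B\*d$zDsb^C'
  at_start=$(read_secret_key "$vol" password)   # env-var style snapshot
  fake_secret_volume "$vol" ..2024_01_01_00_01_00.000000002 \
    username=devuser password=rotated
  printf '%s|%s\n' "$at_start" "$(read_secret_key "$vol" password)"
}

# Stand-alone run against a temporary directory.
tmp=$(mktemp -d)
rotation_demo "$tmp"
rm -rf "$tmp"
```

Two caveats for real clusters: the kubelet only refreshes the volume on its sync period plus the cache TTL, so a change can take a minute or more to appear, and a mount that uses subPath points at the old timestamped directory and never receives updates at all.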
4.6 A kubernetes.io/dockerconfigjson Secret stores the credentials for a container registry; the pod references it through imagePullSecrets, so the Secret must exist before the pod is created
vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: game2048
    image: reg.westos.org/westos/game2048
  imagePullSecrets:
  - name: myregistrykey
kubectl create secret docker-registry myregistrykey --docker-server=reg.westos.org --docker-username=admin --docker-password=Westos+001 --docker-email=**********@qq.com
kubectl describe secrets myregistrykey
kubectl get secrets myregistrykey -o yaml
kubectl apply -f pod.yaml
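kubectl describe does not show the value, so it is easy to forget that a pull secret is just the registry password, twice base64-encoded. The following is an added example of my own (not from the original notes) that builds the .dockerconfigjson payload kubectl create secret docker-registry stores and recovers the credentials from the stored manifest. It assumes GNU coreutils base64; the email address is a constructed placeholder and the password is the one used on this page.

```bash
#!/bin/bash
# Added example, not from the original notes: the payload that
# kubectl create secret docker-registry stores, built and decoded by hand.
# Assumes GNU coreutils base64; the email is a constructed placeholder.
b64() { base64 | tr -d '\n'; }

# docker_config_json SERVER USER PASSWORD EMAIL: the .dockerconfigjson
# content. "auth" is nothing more than base64("USER:PASSWORD"); values
# containing " or \ would need JSON escaping, which this sketch skips.
docker_config_json() {
  auth=$(printf '%s:%s' "$2" "$3" | b64)
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$4" "$auth"
}

# pull_secret_manifest NAME JSON: the Secret as the API stores it
# (compare with kubectl get secret NAME -o yaml).
pull_secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$1" "$(printf '%s' "$2" | b64)"
}

# audit_pull_secret MANIFEST: recover "SERVER USER:PASSWORD" from a stored
# manifest. Anyone with get on secrets in the namespace can do this, so a
# pull secret should hold a pull-only robot account, never the admin user.
audit_pull_secret() {
  json=$(printf '%s\n' "$1" | sed -n 's/^  \.dockerconfigjson: //p' | base64 -d)
  server=$(printf '%s' "$json" | sed 's/.*"auths":{"\([^"]*\)".*/\1/')
  creds=$(printf '%s' "$json" | sed 's/.*"auth":"\([^"]*\)".*/\1/' | base64 -d)
  printf '%s %s\n' "$server" "$creds"
}

# Stand-alone run with the page's registry and user.
json=$(docker_config_json reg.westos.org admin Westos+001 admin@example.com)
manifest=$(pull_secret_manifest myregistrykey "$json")
printf '%s\n' "$manifest"
audit_pull_secret "$manifest"
```

Against a live cluster the same audit is kubectl get secret myregistrykey -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d; if that prints an account with push rights, replace it with a read-only one, because every pod in the namespace can be granted this Secret through imagePullSecrets.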