Secret存在意义
Secret解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者Pod Spec中。Secret 可以以Volume或者环境变量的方式使用
Secret有三种类型:
● Service Account:用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount目录中
● Opaque:base64编码格式的Secret,用来存储密码、密钥等(注意:base64 只是编码而不是加密,任何能读取该 Secret 的人都可以直接解码出原值)
● kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息
Service Account
Service Account用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount目录中
$ kubectl run nginx --image nginx
deployment "nginx" created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-3137573019-md1u2 1/1 Running 0 13s
$ kubectl exec nginx-3137573019-md1u2 ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
或
[root@k8s-master01 config]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-5c98db65d4-4kj2t 1/1 Running 10 11d
coredns-5c98db65d4-7zsr7 1/1 Running 10 11d
etcd-k8s-master01 1/1 Running 11 11d
kube-apiserver-k8s-master01 1/1 Running 11 11d
kube-controller-manager-k8s-master01 1/1 Running 10 11d
kube-flannel-ds-amd64-5chsx 1/1 Running 11 11d
kube-flannel-ds-amd64-8bxpj 1/1 Running 11 11d
kube-flannel-ds-amd64-g4gh9 1/1 Running 10 11d
kube-proxy-cznqr 1/1 Running 10 11d
kube-proxy-mcsdl 1/1 Running 11 11d
kube-proxy-t7v46 1/1 Running 10 11d
kube-scheduler-k8s-master01 1/1 Running 10 11d
[root@k8s-master01 config]# kubectl exec kube-proxy-cznqr -n kube-system -it -- /bin/sh
# cd /run/secrets/kubernetes.io/serviceaccount
# ls
ca.crt namespace token
Opaque Secret(常用)
1、创建说明
Opaque类型的数据是一个map类型,要求value是base64 编码格式:
$ echo -n "admin" | base64
YWRtaW4=
$ echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm
$ echo -n "YWRtaW4="| base64 -d
admin
secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
[root@k8s-master01 config]# kubectl apply -f secrets.yaml
secret/mysecret created
[root@k8s-master01 config]# kubectl get secret
NAME TYPE DATA AGE
basic-auth Opaque 1 4d
default-token-2k8kw kubernetes.io/service-account-token 3 11d
mysecret Opaque 2 18s
tls-secret kubernetes.io/tls 2 4d1h
[root@k8s-master01 config]# kubectl get secret -n kube-system
NAME TYPE DATA AGE
attachdetach-controller-token-68rsn kubernetes.io/service-account-token 3 11d
bootstrap-signer-token-x7vl9 kubernetes.io/service-account-token 3 11d
certificate-controller-token-rbfhz kubernetes.io/service-account-token 3 11d
clusterrole-aggregation-controller-token-cn52v kubernetes.io/service-account-token 3 11d
coredns-token-w86xq kubernetes.io/service-account-token 3 11d
cronjob-controller-token-jwgpc kubernetes.io/service-account-token 3 11d
daemon-set-controller-token-fsfhc kubernetes.io/service-account-token 3 11d
default-token-k6zgd kubernetes.io/service-account-token 3 11d
deployment-controller-token-4wr4s kubernetes.io/service-account-token 3 11d
disruption-controller-token-9x2fp kubernetes.io/service-account-token 3 11d
endpoint-controller-token-kclqg kubernetes.io/service-account-token 3 11d
expand-controller-token-nnwgp kubernetes.io/service-account-token 3 11d
flannel-token-mrw42 kubernetes.io/service-account-token 3 11d
generic-garbage-collector-token-n4sgq kubernetes.io/service-account-token 3 11d
horizontal-pod-autoscaler-token-jm8ld kubernetes.io/service-account-token 3 11d
job-controller-token-88bhq kubernetes.io/service-account-token 3 11d
kube-proxy-token-l45zc kubernetes.io/service-account-token 3 11d
namespace-controller-token-q4bfb kubernetes.io/service-account-token 3 11d
node-controller-token-j46rt kubernetes.io/service-account-token 3 11d
persistent-volume-binder-token-pvttr kubernetes.io/service-account-token 3 11d
pod-garbage-collector-token-7c2df kubernetes.io/service-account-token 3 11d
pv-protection-controller-token-r7db4 kubernetes.io/service-account-token 3 11d
pvc-protection-controller-token-fd6lf kubernetes.io/service-account-token 3 11d
replicaset-controller-token-gcntr kubernetes.io/service-account-token 3 11d
replication-controller-token-wnjgc kubernetes.io/service-account-token 3 11d
resourcequota-controller-token-5hlgk kubernetes.io/service-account-token 3 11d
service-account-controller-token-jbqfk kubernetes.io/service-account-token 3 11d
service-controller-token-dr4q7 kubernetes.io/service-account-token 3 11d
statefulset-controller-token-j5vcl kubernetes.io/service-account-token 3 11d
token-cleaner-token-s5xdg kubernetes.io/service-account-token 3 11d
ttl-controller-token-mhthj kubernetes.io/service-account-token 3 11d
2、使用方式
1、将Secret挂载到Volume中
vi pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: seret-test
  name: seret-test
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
  containers:
  - image: wangyanglinux/myapp:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
[root@k8s-master01 config]# kubectl apply -f pod1.yaml
pod/seret-test created
[root@k8s-master01 config]# kubectl get pod
NAME READY STATUS RESTARTS AGE
my-nginx-7b55868ff4-nnczm 1/1 Running 0 50m
seret-test 1/1 Running 0 8s
[root@k8s-master01 config]# kubectl exec seret-test -it -- /bin/sh
/ # cd /etc/secrets
/etc/secrets # ls
password username
/etc/secrets # cat username
admin
2、将Secret导出到环境变量中(注意:以环境变量方式注入的值会以明文出现在容器进程的环境中,如下方 echo 输出所示)
vi env.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: pod-deployment1
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: pod-deployment1
    spec:
      containers:
      - name: pod-11
        image: wangyanglinux/myapp:v1
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
[root@k8s-master01 config]# kubectl delete pod --all
pod "my-nginx-7b55868ff4-nnczm" deleted
pod "seret-test" deleted
[root@k8s-master01 config]# kubectl apply -f env.yaml
deployment.extensions/pod-deployment1 created
[root@k8s-master01 config]# kubectl get pod
NAME READY STATUS RESTARTS AGE
my-nginx-7b55868ff4-5f7g8 1/1 Running 0 2m24s
pod-deployment1-579cf7f865-49dxf 1/1 Running 0 19s
pod-deployment1-579cf7f865-jpxmx 1/1 Running 0 18s
[root@k8s-master01 config]# kubectl exec pod-deployment1-579cf7f865-49dxf -it -- /bin/sh
/ # echo $TEST_USER
admin
/ # echo $TEST_PASSWORD
1f2d1e2e67df
打开浏览器访问 https://hub.atguigu.com/ ,账户:admin,密码:Harbor12345
创建私有仓库
复制格式hub.atguigu.com/test/IMAGE[:TAG]
推送镜像过来
[root@k8s-master01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
perl 5.36.0 f9596eddf06f 5 months ago 890MB
nginx latest 04661cdce581 6 months ago 141MB
rethinkdb latest 2a54dcb95502 7 months ago 131MB
hello-world latest feb5d9fea6a5 8 months ago 13.3kB
192.168.111.129:5000/demo latest 40fc65df2cf9 14 months ago 660MB
demo 1.0-SNAPSHOT 40fc65df2cf9 14 months ago 660MB
registry latest 678dfa38fcfa 17 months ago 26.2MB
openstf/ambassador latest 938a816f078a 22 months ago 8.63MB
openstf/stf latest 91d0ab894aff 22 months ago 958MB
quay.io/coreos/flannel v0.12.0-amd64 4e9f801d2217 2 years ago 52.8MB
k8s.gcr.io/kube-scheduler v1.15.1 b0b3c4c404da 2 years ago 81.1MB
k8s.gcr.io/kube-controller-manager v1.15.1 d75082f1d121 2 years ago 159MB
k8s.gcr.io/kube-proxy v1.15.1 89a062da739d 2 years ago 82.4MB
k8s.gcr.io/kube-apiserver v1.15.1 68c3eb07bfc3 2 years ago 207MB
quay.io/kubernetes-ingress-controller/nginx-ingress-controller 0.25.0 02149b6f439f 2 years ago 508MB
k8s.gcr.io/coredns 1.3.1 eb516548c180 3 years ago 40.3MB
k8s.gcr.io/etcd 3.3.10 2c4adeb21b4f 3 years ago 258MB
sorccu/adb latest 7123ee61b746 4 years ago 30.5MB
wangyanglinux/myapp v1 d4a5e0eaa84f 4 years ago 15.5MB
k8s.gcr.io/pause 3.1 da86e6ba6ca1 4 years ago 742kB
java 8 d23bdf5b1b1b 5 years ago 643MB
[root@k8s-master01 ~]# docker tag wangyanglinux/myapp:v1 hub.atguigu.com/test/myapp:v2
[root@k8s-master01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
perl 5.36.0 f9596eddf06f 5 months ago 890MB
nginx latest 04661cdce581 6 months ago 141MB
rethinkdb latest 2a54dcb95502 7 months ago 131MB
hello-world latest feb5d9fea6a5 8 months ago 13.3kB
192.168.111.129:5000/demo latest 40fc65df2cf9 14 months ago 660MB
demo 1.0-SNAPSHOT 40fc65df2cf9 14 months ago 660MB
registry latest 678dfa38fcfa 17 months ago 26.2MB
openstf/ambassador latest 938a816f078a 22 months ago 8.63MB
openstf/stf latest 91d0ab894aff 22 months ago 958MB
quay.io/coreos/flannel v0.12.0-amd64 4e9f801d2217 2 years ago 52.8MB
k8s.gcr.io/kube-proxy v1.15.1 89a062da739d 2 years ago 82.4MB
k8s.gcr.io/kube-scheduler v1.15.1 b0b3c4c404da 2 years ago 81.1MB
k8s.gcr.io/kube-apiserver v1.15.1 68c3eb07bfc3 2 years ago 207MB
k8s.gcr.io/kube-controller-manager v1.15.1 d75082f1d121 2 years ago 159MB
quay.io/kubernetes-ingress-controller/nginx-ingress-controller 0.25.0 02149b6f439f 2 years ago 508MB
k8s.gcr.io/coredns 1.3.1 eb516548c180 3 years ago 40.3MB
k8s.gcr.io/etcd 3.3.10 2c4adeb21b4f 3 years ago 258MB
sorccu/adb latest 7123ee61b746 4 years ago 30.5MB
wangyanglinux/myapp v1 d4a5e0eaa84f 4 years ago 15.5MB
hub.atguigu.com/test/myapp v2 d4a5e0eaa84f 4 years ago 15.5MB
k8s.gcr.io/pause 3.1 da86e6ba6ca1 4 years ago 742kB
java 8 d23bdf5b1b1b 5 years ago 643MB
[root@k8s-master01 ~]# docker push hub.atguigu.com/test/myapp:v2
The push refers to repository [hub.atguigu.com/test/myapp]
a0d2c4392b06: Preparing
05a9e65e2d53: Preparing
68695a6cfd7d: Preparing
c1dc81a64903: Preparing
8460a579ab63: Preparing
d39d92664027: Waiting
denied: requested access to the resource is denied
报错权限拒绝,需要登录harbor
[root@k8s-master01 ~]# docker login hub.atguigu.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@k8s-master01 ~]# docker push hub.atguigu.com/test/myapp:v2
The push refers to repository [hub.atguigu.com/test/myapp]
a0d2c4392b06: Pushed
05a9e65e2d53: Pushed
68695a6cfd7d: Pushed
c1dc81a64903: Pushed
8460a579ab63: Pushed
d39d92664027: Pushed
v2: digest: sha256:9eeca44ba2d410e54fccc54cbe9c021802aa8b9836a0bcf3d3229354e4c8870e size: 1569
node01下载镜像成功
[root@k8s-node01 ~]# docker pull hub.atguigu.com/test/myapp:v2
v2: Pulling from test/myapp
Digest: sha256:9eeca44ba2d410e54fccc54cbe9c021802aa8b9836a0bcf3d3229354e4c8870e
Status: Downloaded newer image for hub.atguigu.com/test/myapp:v2
[root@k8s-node01 ~]# docker rmi hub.atguigu.com/test/myapp:v2
Untagged: hub.atguigu.com/test/myapp:v2
Untagged: hub.atguigu.com/test/myapp@sha256:9eeca44ba2d410e54fccc54cbe9c021802aa8b9836a0bcf3d3229354e4c8870e
在 master01、node01、node02 三台主机上下载镜像都成功,有可能是以前登录过 harbor;退出登录后再次下载镜像就会报错
[root@k8s-node01 ~]# docker logout hub.atguigu.com
Removing login credentials for hub.atguigu.com
[root@k8s-node01 ~]# docker pull hub.atguigu.com/test/myapp:v2
Error response from daemon: pull access denied for hub.atguigu.com/test/myapp, repository does not exist or may require 'docker login'
vi foo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: foo
    image: hub.atguigu.com/test/myapp:v2
[root@k8s-master01 ~]# kubectl create -f foo.yaml
pod/foo created
[root@k8s-master01 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
foo 0/1 ImagePullBackOff 0 14s
my-nginx-7b55868ff4-5f7g8 1/1 Running 1 21h
pod-deployment1-579cf7f865-49dxf 1/1 Running 1 21h
pod-deployment1-579cf7f865-jpxmx 1/1 Running 1 21h
[root@k8s-master01 ~]# kubectl describe pod foo
Name: foo
Namespace: default
Priority: 0
Node: k8s-node01/192.168.192.130
Start Time: Tue, 07 Jun 2022 14:35:35 +0800
Labels: <none>
Annotations: <none>
Status: Pending
IP: 10.244.1.127
Containers:
foo:
Container ID:
Image: hub.atguigu.com/test/myapp:v2
Image ID:
Port: <none>
Host Port: <none>
State: Waiting
Reason: ErrImagePull
Ready: False
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-2k8kw (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
default-token-2k8kw:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-2k8kw
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 65s default-scheduler Successfully assigned default/foo to k8s-node01
Normal Pulling 19s (x3 over 64s) kubelet, k8s-node01 Pulling image "hub.atguigu.com/test/myapp:v2"
Warning Failed 19s (x3 over 64s) kubelet, k8s-node01 Failed to pull image "hub.atguigu.com/test/myapp:v2": rpc error: code = Unknown desc = Error response from daemon: pull access denied for hub.atguigu.com/test/myapp, repository does not exist or may require 'docker login'
Warning Failed 19s (x3 over 64s) kubelet, k8s-node01 Error: ErrImagePull
Normal BackOff 7s (x4 over 63s) kubelet, k8s-node01 Back-off pulling image "hub.atguigu.com/test/myapp:v2"
Warning Failed 7s (x4 over 63s) kubelet, k8s-node01 Error: ImagePullBackOff
下载镜像失败,下面进行改正
kubernetes.io/dockerconfigjson(私有镜像仓库的认证信息)
使用 kubectl 创建 docker registry 认证的 Secret
格式:
$ kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret "myregistrykey" created
实际操作(注意:密码直接写在命令行参数中会留在 shell 历史记录里,并可被同一主机上的其他进程查看):
[root@k8s-master01 ~]# kubectl create secret docker-registry myregistrykey --docker-server=hub.atguigu.com --docker-username=admin --docker-password=Harbor12345 --docker-email=396700196@qq.com
secret/myregistrykey created
在创建 Pod 的时候,通过 imagePullSecrets 来引用刚创建的 myregistrykey
vi foo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: foo
    image: hub.atguigu.com/test/myapp:v2
  imagePullSecrets:
  - name: myregistrykey
[root@k8s-master01 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
foo 0/1 ImagePullBackOff 0 9m8s
my-nginx-7b55868ff4-5f7g8 1/1 Running 1 21h
pod-deployment1-579cf7f865-49dxf 1/1 Running 1 21h
pod-deployment1-579cf7f865-jpxmx 1/1 Running 1 21h
[root@k8s-master01 ~]# kubectl delete pod --all
pod "foo" deleted
pod "my-nginx-7b55868ff4-5f7g8" deleted
pod "pod-deployment1-579cf7f865-49dxf" deleted
pod "pod-deployment1-579cf7f865-jpxmx" deleted
[root@k8s-master01 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
my-nginx-7b55868ff4-tpftx 1/1 Running 0 15s
pod-deployment1-579cf7f865-fdgpw 1/1 Running 0 15s
pod-deployment1-579cf7f865-ln5q8 1/1 Running 0 15s
[root@k8s-master01 ~]# kubectl delete deployment --all
deployment.extensions "my-nginx" deleted
deployment.extensions "pod-deployment1" deleted
[root@k8s-master01 ~]# kubectl get pod
No resources found.
[root@k8s-master01 ~]# kubectl create -f foo.yaml
pod/foo created
[root@k8s-master01 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
foo 1/1 Running 0 10s