Why Secrets exist:
A Secret solves the problem of configuring passwords, tokens, keys and other sensitive data without baking that data into the image or writing it in plain text in the Pod spec. A Secret can be consumed either as a volume or as environment variables. Note what a Secret does not do: the values are stored base64-encoded, not encrypted, so anyone who can read the Secret object (kubectl get secret -o yaml) can recover them. Restrict who can get/list Secrets with RBAC and enable encryption at rest on the API server.
Three commonly used Secret types:
- Service Account: used to access the Kubernetes API. Created automatically by Kubernetes and mounted automatically into each Pod at /var/run/secrets/kubernetes.io/serviceaccount (type kubernetes.io/service-account-token; newer clusters mount a projected token volume at the same path instead of a Secret).
- Opaque: arbitrary user-defined data, the default type, used to store passwords, keys and similar values. The data: field holds each value base64-encoded.
- kubernetes.io/dockerconfigjson: used to store the login credentials for a private Docker registry.
Examples:
Opaque is the most commonly used type.
一、Mounting a Secret as a volume
1. Produce the base64 encoding (echo -n matters: without it the trailing newline is encoded too and the password silently gains a "\n"):
prod@xqkang:/usr/local$ echo -n "admin"| base64
YWRtaW4=
prod@xqkang:/usr/local$ echo -n "123456"| base64
MTIzNDU2
2. Create the Secret (using the base64 values from above; the key must be named password, which is what the Pod below mounts and reads):
[root@master secret]# cat secrets.yml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MTIzNDU2
  name: YWRtaW4=
3. Use it in a Pod
[root@apiserver secret]# cat volume-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-test
  labels:
    name: secret-test
spec:
  containers:
  - name: secretsdb
    image: nginx
    volumeMounts:
    - name: secret-volumes
      mountPath: /etc/secrets
      readOnly: true
  volumes:
  - name: secret-volumes
    secret:
      secretName: mysecret
Enter the container and look:
[root@apiserver secret]# kubectl exec -it secret-test -- bash
root@secret-test:/# cd /etc/secrets/
root@secret-test:/etc/secrets# ls
name  password
root@secret-test:/etc/secrets# cat name
admin
Each key becomes one file holding the decoded value. The volume is backed by tmpfs (kept in memory, never written to the node's disk), is mounted readOnly here, and is refreshed when the Secret changes.
二、Injecting a Secret into environment variables
1. Configure the Pod (through a Deployment; apps/v1 is the current API group, extensions/v1beta1 was removed in Kubernetes 1.16, and apps/v1 requires a selector that matches the Pod template labels; the image is nginx as in the first example):
[root@apiserver secret]# cat env.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secret-deployment1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: secret-env
  template:
    metadata:
      labels:
        app: secret-env
    spec:
      containers:
      - name: secret-env
        image: nginx
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: name
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
Check whether it worked:
[root@apiserver secret]# kubectl exec -it secret-deployment1-6796f74774-dqmgf -- bash
root@secret-deployment1-6796f74774-dqmgf:/# echo $TEST_USER
admin
If echo $TEST_USER prints admin, the Secret was injected. Environment variables are the less safe of the two methods: they are inherited by every child process, show up in /proc/<pid>/environ and in any crash dump or log that prints the environment, and unlike a mounted volume they are fixed at container start and do not change when the Secret is updated. Prefer the volume mount wherever the application can read a file.
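The following script is an added example, not code from the original post. It uses only the Python standard library to do steps 1 and 2 of section 一 programmatically (encode the values and emit the Secret manifest in JSON form, which kubectl apply -f accepts exactly like YAML), to show that the encoding is trivially reversible, and to cross-check the Pod specs of sections 一 and 二 against the Secret before anything is applied. That check catches the key mismatch that a typo such as passwd/password produces, which otherwise only shows up as CreateContainerConfigError at runtime. The sample values and manifests are constructed to mirror the page; the secret_keys helper also counts stringData, the field that lets you write plain values and have the API server encode them (the alternative to base64 by hand, as is kubectl create secret generic --from-literal=...).

```python
import base64
import json

# Constructed sample values; they mirror the page's example and are not real credentials.
USERNAME = "admin"
PASSWORD = "123456"


def b64(value: str) -> str:
    """Encode a value the way step 1 does with `echo -n ... | base64`.

    Base64 is only an encoding: anyone who can read the Secret object can reverse it."""
    return base64.b64encode(value.encode()).decode()


def build_opaque_secret(name: str, values: dict) -> dict:
    """Steps 1 and 2 in one go: encode every value and emit the Secret manifest.

    The dict is the JSON form of the manifest; `kubectl apply -f secret.json`
    accepts JSON exactly like YAML."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {key: b64(val) for key, val in values.items()},
    }


def decode_secret_data(secret: dict) -> dict:
    """What `kubectl get secret <name> -o json` plus `base64 -d` gives any reader."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def secret_keys(secret: dict) -> set:
    """Keys a Pod may reference. `stringData` (plain-text input) is merged into `data`
    by the API server, so count both when checking a manifest before it is applied."""
    return set(secret.get("data", {})) | set(secret.get("stringData", {}))


def find_secret_refs(pod_spec: dict):
    """Yield (secret_name, key_or_None, location) for each Secret reference in a PodSpec:
    env[].valueFrom.secretKeyRef (section 二) and volumes[].secret (section 一)."""
    for c in pod_spec.get("containers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                yield ref["name"], ref.get("key"), f"container {c['name']} env {env['name']}"
    for vol in pod_spec.get("volumes", []):
        sec = vol.get("secret")
        if sec:
            yield sec["secretName"], None, f"volume {vol['name']}"
            for item in sec.get("items", []):  # optional key -> path projection
                yield sec["secretName"], item["key"], f"volume {vol['name']} item {item['key']}"


def check_refs(pod_spec: dict, secrets: list) -> list:
    """Return a list of problems: a referenced Secret that does not exist, or a key that
    is not in it. The kubelet reports either as CreateContainerConfigError and the
    container never starts, so it is cheaper to catch here."""
    by_name = {s["metadata"]["name"]: s for s in secrets}
    problems = []
    for name, key, where in find_secret_refs(pod_spec):
        if name not in by_name:
            problems.append(f"{where}: Secret {name!r} does not exist")
        elif key is not None and key not in secret_keys(by_name[name]):
            problems.append(f"{where}: Secret {name!r} has no key {key!r}")
    return problems


# Constructed manifests equivalent to the page's secrets.yml, volume-secret.yaml and env.yaml.
GOOD_SECRET = build_opaque_secret("mysecret", {"name": USERNAME, "password": PASSWORD})
BAD_SECRET = build_opaque_secret("mysecret", {"name": USERNAME, "passwd": PASSWORD})  # the typo

VOLUME_POD_SPEC = {
    "containers": [{"name": "secretsdb", "image": "nginx",
                    "volumeMounts": [{"name": "secret-volumes", "mountPath": "/etc/secrets",
                                      "readOnly": True}]}],
    "volumes": [{"name": "secret-volumes", "secret": {"secretName": "mysecret"}}],
}

ENV_POD_SPEC = {
    "containers": [{"name": "secret-env", "image": "nginx", "env": [
        {"name": "TEST_USER", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "name"}}},
        {"name": "TEST_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
    ]}],
}

if __name__ == "__main__":
    print(json.dumps(GOOD_SECRET, indent=2))        # manifest to feed to kubectl apply -f
    print(decode_secret_data(GOOD_SECRET))          # {'name': 'admin', 'password': '123456'}
    print(check_refs(ENV_POD_SPEC, [GOOD_SECRET]))  # []
    print(check_refs(ENV_POD_SPEC, [BAD_SECRET]))   # reports the passwd/password mismatch
    print(check_refs(VOLUME_POD_SPEC, []))          # reports the Secret not being created yet
```

Run it as python3 check_secret.py; pipe the first printed manifest into kubectl apply -f - to create the same mysecret the page creates by hand. The check is deliberately done against manifests rather than the live cluster so it can run in CI before anything reaches the API server.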
kubernetes.io/dockerconfigjson
Creating a Docker registry credential Secret with kubectl:
Use: needed when pulling images from your own registry, which requires a login.
[root@apiserver secret]# kubectl create secret docker-registry myregistrykey --docker-server=<registry server> --docker-username=tb1993723_2013 --docker-password=<password> --docker-email=<email>
secret/myregistrykey created
myregistrykey is the Secret name and is what imagePullSecrets refers to below. Typing the password on the command line leaves it in the shell history, so read it from an environment variable (--docker-password="$REGISTRY_PASSWORD") and use a pull-only robot account rather than a personal login.
Write the Pod (imagePullSecrets sits on the Pod spec next to containers, not inside a container):
[root@apiserver secret]# cat secret-docker.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-doc
  labels:
    name: secret-doc
spec:
  containers:
  - name: secretsdoc
    image: registry.cn-hangzhou.aliyuncs.com/<namespace>/<image>:<tag>
  imagePullSecrets:
  - name: myregistrykey
If the registry Secret has not been created, the registry rejects the pull and the Pod reports an image pull error (ErrImagePull / ImagePullBackOff). After creating it, the Pod runs successfully:
[root@apiserver secret]# kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
secret-doc   1/1     Running   0          10s
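As an added example (not code from the original post), the script below builds the same kind of Secret that the kubectl create secret docker-registry command produces and then reverses it. The layout under the .dockerconfigjson key is the Docker config.json format: one entry per server under "auths", with an "auth" field equal to base64("username:password"), the same thing docker login writes to ~/.docker/config.json. The registry, account, password and image are constructed placeholders. The point for a defender is the last function: two base64 decodes turn the Secret back into the registry password, so the credential behind a pull Secret should be a scoped, pull-only robot account and read access to Secrets in the namespace should be treated as access to the registry.

```python
import base64
import json


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def docker_config_json(server: str, username: str, password: str, email: str) -> bytes:
    """Build the payload kubectl stores under the `.dockerconfigjson` key: a Docker
    config.json with one entry under "auths". The "auth" field is base64("username:password"),
    the same form `docker login` writes to ~/.docker/config.json."""
    entry = {
        "username": username,
        "password": password,
        "email": email,
        "auth": b64(f"{username}:{password}".encode()),
    }
    return json.dumps({"auths": {server: entry}}, separators=(",", ":")).encode()


def build_registry_secret(name: str, server: str, username: str, password: str, email: str) -> dict:
    """Manifest equivalent of the kubectl command on the page (JSON form; kubectl apply -f
    accepts it). The type must be kubernetes.io/dockerconfigjson and the single data key must
    be literally `.dockerconfigjson`, otherwise the API server rejects the object."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": b64(docker_config_json(server, username, password, email))},
    }


def recover_credentials(secret: dict) -> dict:
    """Two base64 decodes turn the Secret back into server -> (username, password).
    This is all a reader with `get` on Secrets needs; the registry password itself is
    stored, not a derived or short-lived token."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson Secret")
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = {}
    for server, entry in cfg["auths"].items():
        user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        creds[server] = (user, pw)
    return creds


def with_pull_secret(pod: dict, secret_name: str) -> dict:
    """Attach the Secret to a Pod. imagePullSecrets lives on the PodSpec next to
    `containers`, not inside a container; one level too deep is a common mistake that
    leaves the pull unauthenticated. Idempotent, so re-running does not duplicate entries."""
    refs = pod.setdefault("spec", {}).setdefault("imagePullSecrets", [])
    if {"name": secret_name} not in refs:
        refs.append({"name": secret_name})
    return pod


def pull_secret_names(pod: dict) -> list:
    return [r["name"] for r in pod.get("spec", {}).get("imagePullSecrets", [])]


# Constructed values: the registry, account, password and image are placeholders.
REGISTRY = "registry.example.com"
SECRET = build_registry_secret("myregistrykey", REGISTRY, "pull-bot", "hunter2", "ci@example.com")
POD = with_pull_secret({
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "secret-doc", "labels": {"name": "secret-doc"}},
    "spec": {"containers": [{"name": "secretsdoc", "image": f"{REGISTRY}/ns/app:1.0"}]},
}, "myregistrykey")

if __name__ == "__main__":
    print(json.dumps(SECRET, indent=2))  # equivalent of the kubectl create secret docker-registry output
    print(recover_credentials(SECRET))   # {'registry.example.com': ('pull-bot', 'hunter2')}
    print(pull_secret_names(POD))        # ['myregistrykey']
```

To audit a real cluster, replace SECRET with the output of kubectl get secret myregistrykey -o json and call recover_credentials on it; if that works for you, it works for anyone with the same RBAC rights.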