Why Secrets exist
A Secret solves the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in the image or in the Pod spec. A Secret can be consumed either as a Volume or as environment variables.
There are three types of Secret:
- Service Account: used to access the Kubernetes API; created automatically by Kubernetes and automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount
- Opaque: a base64-encoded Secret, used to store passwords, keys and similar values
- kubernetes.io/dockerconfigjson: used to store the authentication information for a private Docker registry
Service Account
A Service Account Secret is used to access the Kubernetes API; it is created automatically by Kubernetes and automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-deploy
  template:
    metadata:
      labels:
        app: nginx-deploy
    spec:
      containers:
      - name: nginx-deployment
        image: nginx
        env:
        - name: GET_HOSTS_FROM
          value: dns
        ports:
        - containerPort: 80
Exec into the Pod to inspect the mounted directory:
kubectl exec -it nginx-75cd57fb6-v9t84 -- /bin/sh
Opaque Secret
1. Creating the Secret
Opaque-type data is a map whose values must be base64-encoded:
echo -n "admin" | base64
YWRtaW4=
echo -n "wtl199201180271" | base64
d3RsMTk5MjAxMTgwMjcx
secrets.yml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: d3RsMTk5MjAxMTgwMjcx
  username: YWRtaW4=
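As an added example (not part of the original notes), the shell functions below build the same Opaque Secret manifest from plaintext values and also reverse the encoding: base64 is an encoding, not encryption, so anyone who can read the Secret object can recover the values, which is why read access to Secrets should be restricted by RBAC and the data encrypted at rest. The function names are this example's own; the sample values are the ones used in the notes above.

```shell
#!/bin/sh
# Added example: build an Opaque Secret manifest and show base64 is reversible.

# Encode a plaintext value the way the notes do (echo -n ... | base64),
# joining any line wrapping that base64 may add to longer values.
b64_encode() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse the encoding: this is all a reader of the Secret object needs to do.
b64_decode() {
    printf '%s' "$1" | base64 -d
}

# Emit a Secret of type Opaque with a username/password pair in .data.
# Arguments: secret name, username, password (plaintext).
make_opaque_secret() {
    name="$1"
    user="$2"
    pass="$3"
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
type: Opaque
data:
  username: $(b64_encode "$user")
  password: $(b64_encode "$pass")
EOF
}

# Sample input (constructed, matching the values in the notes above).
make_opaque_secret mysecret admin wtl199201180271

# Decoding the stored value recovers the plaintext password.
b64_decode d3RsMTk5MjAxMTgwMjcx
echo
```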
2. Usage
2.1 Mounting the Secret as a Volume
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: secret-test
  name: secret-test
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
  containers:
  - image: wangyanglinux/myapp:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secret"
      readOnly: true
2.2 Exporting the Secret into environment variables
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      tier: nginx-deploy
  template:
    metadata:
      labels:
        tier: nginx-deploy
    spec:
      containers:
      - name: nginx-deployment
        image: wangyanglinux/myapp:v1
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
kubernetes.io/dockerconfigjson
Create a docker-registry authentication Secret with kubectl:
kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
When creating the Pod, reference the newly created myregistrykey through imagePullSecrets:
apiVersion: v1
kind: Pod
metadata:
  name: pod-test
spec:
  containers:
  - name: container-test
    image: hub.ljxwtl.cn/library/nginx-deployment:v1.0
  imagePullSecrets:
  - name: myregistrykey