1. Secret類型
Secret有三種類型:
Opaque:使用base64編碼存儲信息,可以通過base64 --decode解碼獲得原始數據,因此安全性弱。
kubernetes.io/dockerconfigjson:用於存儲docker registry的認證信息。
kubernetes.io/service-account-token:用於被 serviceaccount 引用。serviceaccout 創建時 Kubernetes 會默認創建對應的 secret。Pod 如果使用了 serviceaccount,對應的 secret 會自動掛載到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目錄中。
指定secret的類型時,需要在metadata中聲明annotation name信息
metadata:
annotations:
kubernetes.io/service-account.name: default
type:kubernetes.io/service-account-token
2. Opaque Secret
Opaque類型的Secret,其value爲base64編碼後的值。
2.1 從文件中創建Secret
分別創建兩個名爲username.txt和password.txt的文件:
$ echo -n "admin" > ./username.txt $ echo -n "1f2d1e2e67df" > ./password.txt
使用kubectl create secret命令創建secret:
$ kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt secret "db-user-pass" created
2.2 使用描述文件創建Secret
首先使用base64對數據進行編碼:
$ echo -n 'admin' | base64 YWRtaW4= $ echo -n '1f2d1e2e67df' | base64 MWYyZDFlMmU2N2Rm
創建一個類型爲Secret的描述文件:
apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm $ kubectl create -f ./secret.yaml secret "mysecret" created
查看此Secret:
$ kubectl get secret mysecret -o yaml apiVersion: v1 data: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm kind: Secret metadata: creationTimestamp: 2016-01-22T18:41:56Z name: mysecret namespace: default resourceVersion: "164619" selfLink: /api/v1/namespaces/default/secrets/mysecret uid: cfee02d6-c137-11e5-8d73-42010af00002type: Opaque
2.3 Secret的使用
創建好Secret之後,可以通過兩種方式使用:
以Volume方式
以環境變量方式
2.3.1 將Secret掛載到Volume中
apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: mypod image: redis volumeMounts: - name: foo mountPath: "/etc/foo" readOnly: true volumes: - name: foo secret: secretName: mysecret
進入Pod查看掛載的Secret:
# ls /etc/secrets password username # cat /etc/secrets/username admin # cat /etc/secrets/password 1f2d1e2e67df
也可以只掛載Secret中特定的key:
apiVersion: v1 kind: Podmetadata: name: mypod spec: containers: - name: mypod image: redis volumeMounts: - name: foo mountPath: "/etc/foo" readOnly: true volumes: - name: foo secret: secretName: mysecret items: - key: username path: my-group/my-username
在這種情況下:
username 存儲在/etc/foo/my-group/my-username中
password未被掛載
2.3.2 將Secret設置爲環境變量
apiVersion: v1 kind: Pod metadata: name: secret-env-pod spec: containers: - name: mycontainer image: redis env: - name: SECRET_USERNAME valueFrom: secretKeyRef: name: mysecret key: username - name: SECRET_PASSWORD valueFrom: secretKeyRef: name: mysecret key: password restartPolicy: Never
需要注意的是,環境變量讀取Secret很方便,但無法支撐Secret動態更新
3. kubernetes.io/dockerconfigjson
kubernetes.io/dockerconfigjson用於存儲docker registry的認證信息,可以直接使用kubectl create secret命令創建:
$ kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAILsecret "myregistrykey" created.#$kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
查看secret的內容:
$ kubectl get secret myregistrykey -o yaml apiVersion: v1 data: .dockercfg: eyJjY3IuY2NzLnRlbmNlbnR5dW4uY29tL3RlbmNlbnR5dW4iOnsidXNlcm5hbWUiOiIzMzIxMzM3OTk0IiwicGFzc3dvcmQiOiIxMjM0NTYuY29tIiwiZW1haWwiOiIzMzIxMzM3OTk0QHFxLmNvbSIsImF1dGgiOiJNek15TVRNek56azVORG94TWpNME5UWXVZMjl0In19 kind: Secret metadata: creationTimestamp: 2017-08-04T02:06:05Z name: myregistrykey namespace: default resourceVersion: "1374279324" selfLink: /api/v1/namespaces/default/secrets/myregistrykey uid: 78f6a423-78b9-11e7-a70a-525400bc11f0type: kubernetes.io/dockercfg
通過 base64 對 secret 中的內容解碼:
$ echo "eyJjY3IuY2NzLnRlbmNlbnR5dW4uY29tL3RlbmNlbnR5dW4iOnsidXNlcm5hbWUiOiIzMzIxMzM3OTk0IiwicGFzc3dvcmQiOiIxMjM0NTYuY29tIiwiZW1haWwiOiIzMzIxMzM3OTk0QHFxLmNvbSIsImF1dGgiOiJNek15TVRNek56azVORG94TWpNME5UWXVZMjl0XXXX" | base64 --decode
{"ccr.ccs.tencentyun.com/XXXXXXX":{"username":"3321337XXX","password":"123456.com","email":"[email protected]","auth":"MzMyMTMzNzk5NDoxMjM0NTYuY29t"}}也可以直接讀取 ~/.dockercfg 的內容來創建:
$ kubectl create secret docker-registry myregistrykey \ --from-file="~/.dockercfg"
在創建 Pod 的時候,通過 imagePullSecrets 來引用剛創建的 myregistrykey:
apiVersion: v1 kind: Pod metadata: name: foo spec: containers: - name: foo image: janedoe/awesomeapp:v1 imagePullSecrets: - name: myregistrykey
4. kubernetes.io/service-account-token
用於被 serviceaccount 引用。serviceaccout 創建時 Kubernetes 會默認創建對應的 secret。Pod 如果使用了 serviceaccount,對應的 secret 會自動掛載到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目錄中。
$ kubectl run nginx --image nginx deployment "nginx" created $ kubectl get podsNAME READY STATUS RESTARTS AGEnginx-3137573019-md1u2 1/1 Running 0 13s $ kubectl exec nginx-3137573019-md1u2 ls /run/secrets/kubernetes.io/serviceaccount ca.crt namespace token
ServiceAccount
每個namespace下有一個名爲default的默認的ServiceAccount對象,這個ServiceAccount裏有一個名爲Tokens的可以作爲Volume一樣被Mount到Pod裏的Secret,當Pod啓動時這個Secret會被自動Mount到Pod的指定目錄下,用來協助完成Pod中的進程訪問API Server時的身份鑑權過程。
apiVersion: v1 kind: Podmetadata: ......spec: containers: .... volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-xxxx readOnly: true ...... ......
apiVersion: v1 kind: Secret data: ca.crt: xxxx namespace: xxxx service-ca.crt: xxxxx token: xxxx metadata: ......type: kubernetes.io/service-account-token
如果一個Pod在定義時沒有指定spec.service.AccountName屬性,則系統會自動爲其賦值爲“Default”,即使用同一namespace下默認的ServiceAccount,如果某個Pod需要使用非default的ServiceAccount,需要在定義時指定:
apiVersion:v1 kind:Pod metadata: name:mypod spec: containers: - name:mycontainer image: serviceAccountName:myserviceaccount