1 Secret 存在意義
Secret 解決了密碼、token、密鑰等敏感數據的配置問題,而不需要把這些敏感數據寫進鏡像或者 Pod Spec 中。Secret 可以以 Volume 或者環境變量的方式提供給容器使用。需要注意:Secret 中的值只是 base64 編碼,並不是加密;API Server 預設把它以原樣存放在 etcd 中(除非另外開啟 encryption at rest),任何擁有讀取該 Secret 權限(RBAC)的人都可以直接還原出明文,所以必須用 RBAC 嚴格限制誰能 get/list Secret。
2 Secret 有三種類型
- Service Account:用來訪問 Kubernetes API,由 Kubernetes 自動創建,並且會自動掛載到 Pod的/run/secrets/kubernetes.io/serviceaccount目錄中
- Opaque:通用類型,data 中的 value 以 base64 編碣存放(只是編碼,不是加密),用來存儲密碼、密鑰等任意敏感數據
- kubernetes.io/dockerconfigjson:用來存儲私有 docker registry 的認證信息
3 Service Account
Service Account 用來訪問 Kubernetes API,由 Kubernetes 自動創建,並且會自動掛載到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目錄中(較新版本的 Kubernetes 改為掛載短期有效的 projected token,而不再為每個 ServiceAccount 生成長期有效的 token Secret,路徑相同)。安全上要注意:如果 Pod 本身不需要訪問 API,應在 Pod 或 ServiceAccount 上設置 automountServiceAccountToken: false,否則容器一旦被攻陷,攻擊者就能直接拿到這個 token 去調用 API。
4、Opaque Secret
Opaque 類型的 data 是一個 map,要求 value 必須是 base64 編碼(如果不想手動編碼,也可以把明文寫在 stringData 字段中,由 API Server 負責編碼)。再次強調,base64 只是編碼而不是加密,kubectl get secret mysecret -o yaml 就能看到這些值並直接用 base64 -d 還原:
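# Base64-encode the two values that go into the Secret's `data:` map.
# base64 is an encoding, not encryption: it only keeps arbitrary bytes
# safe inside YAML. Anyone who can read the Secret can decode it.
#
# printf '%s' writes no trailing newline, so the newline is not encoded.
# `echo -n "admin"` works as well, but the original `echo -n"admin"` has
# no space after -n, so bash prints the literal text "-nadmin" and the
# encoded result would not be YWRtaW4=.
#
# The plaintext values are recorded in the shell history; clear it
# afterwards, or for real secrets prefer
# `kubectl create secret generic mysecret --from-file=...`.
printf '%s' 'admin' | base64    # YWRtaW4=
printf '%s' '123456' | base64   # MTIzNDU2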
[root@wyl01 secrets]# cat mysecrets.yaml
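apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
# `data` values must be base64-encoded. This is an encoding, NOT
# encryption: anyone with RBAC permission to read this Secret (or with
# access to etcd, unless encryption at rest is enabled) gets the plaintext.
# Restrict get/list on Secrets accordingly.
data:
  password: MTIzNDU2   # base64("123456")
  username: YWRtaW4=   # base64("admin")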
[root@wyl01 secrets]# kubectl describe secrets mysecret
Name: mysecret
Namespace: default
Labels: <none>
Annotations:
Type: Opaque
Data
====
password: 6 bytes
username: 5 bytes
將 Secret 掛載到 Volume 中
[root@wyl01 secrets]# cat test1-secrets-pod.yaml
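apiVersion: v1
kind: Pod
metadata:
  name: test1-secret-pod
  labels:
    name: secret-test
spec:
  volumes:
    # Expose Secret "mysecret" as a volume; each key (username, password)
    # becomes a file named after the key under the mount path.
    - name: secrets
      secret:
        secretName: mysecret
  containers:
    - image: ikubernetes/myapp:v1
      name: db
      volumeMounts:
        - name: secrets
          mountPath: "/etc/secrets"
          # Keep the mount read-only so a compromised process in the
          # container cannot tamper with the secret files.
          readOnly: true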
[root@wyl01 ~]# kubectl get pod -owide --show-labels |grep test1
test1-secret-pod 1/1 Running 0 28s 10.244.2.24 wyl01-hf-aiui <none> <none> name=secret-test
將 Secret 導出到環境變量中(注意:環境變量會被容器內所有子進程繼承,也很容易通過 /proc/&lt;pid&gt;/environ、崩潰報告、調試接口或應用日誌洩露,而且 Secret 更新後已運行的容器不會自動刷新;對敏感數據更推薦上面的 Volume 掛載方式)
[root@wyl01 secrets]# cat test2-secrets-deployment.yaml
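apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: pod-deployment
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
        - name: pod-1
          image: ikubernetes/myapp:v1
          ports:
            - containerPort: 80
          # Secret values injected as environment variables are inherited
          # by every child process and can leak via /proc/<pid>/environ,
          # crash dumps, debug endpoints or application logs; they are also
          # not refreshed when the Secret changes. Prefer a volume mount for
          # sensitive data where the application supports it.
          env:
            - name: TEST_USER
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: username
            - name: TEST_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: password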