• k8s-kubernetes-secret存储


    Secret

    Secret存在意义

    Secret解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者Pod Spec中。Secret可以以Volume或者环境变量的方式使用。需要注意:Secret 的 data 字段只是 base64 编码,并不是加密;任何拥有该命名空间 Secret get/list 权限的用户,以及能直接读取 etcd 的人,都能还原出明文。生产环境应开启 etcd 静态加密(EncryptionConfiguration),并用 RBAC 收紧对 Secret 资源的访问。

    Secret 常用的有以下三种类型:

    • Service Account :用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的 /run/secrets/kubernetes.io/serviceaccount目录中。该 token 以 Pod 所用 ServiceAccount 的 RBAC 权限访问 API;不需要调用 API 的 Pod 应设置 automountServiceAccountToken: false,避免容器被攻破后 token 被拿来横向移动。

    • Opaque : value 为 base64 编码(注意只是编码,不是加密)的通用 Secret,用来存储密码、密钥等

    • kubernetes.io/dockerconfigjson :用来存储私有 docker registry 的认证信息

    Service Account

    Service Account用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的 /run/secrets/kubernetes.io/serviceaccount目录中。目录下的 token 是 Bearer 凭据,能 kubectl exec 进入容器或读取容器文件系统的人都能拿到它,因此不要把它粘贴到笔记、日志或截图中。

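    # List the files the kubelet projects into every Pod that auto-mounts its service account.
    [root@k8s-master01 ~]# kubectl exec kube-proxy-hjkqb -n kube-system  -it -- ls /run/secrets/kubernetes.io/serviceaccount
    ca.crt namespace token

    # Open a shell in the Pod and inspect the mounted credentials (the original listing had
    # the shell invocation and the `cd` collapsed onto one line, which does not run as written).
    kubectl exec kube-proxy-hjkqb -n kube-system -it -- /bin/sh
    cd /run/secrets/kubernetes.io/serviceaccount
    cat ca.crt
    # `token` in this directory is a Bearer credential for the API server carrying the Pod's
    # service-account RBAC permissions. Anyone who can exec into the Pod (or read its
    # filesystem) obtains it, so do not paste it into notes, and set
    # automountServiceAccountToken: false on Pods that never call the API.

    # Pod names are cluster-specific; list them first and substitute your own.
    kubectl get pod -n kube-system
    kubectl exec kube-proxy-hjkqb -n kube-system -it -- /bin/sh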

    Opaque Secret

    Ⅰ、 创建说明

    Opaque类型的数据是一个map类型,要求value是base64编码格式(用 echo -n 生成,避免把换行符一起编进去)。如果不想手工编码,可以改用 stringData 字段直接写明文,由 API Server 负责转换为 base64 存入 data。

    # `-n` keeps echo's trailing newline out of the encoded value; without it the Secret
    # would hold "admin\n" (YWRtaW4K) and logins using it would fail.
    [root@k8s-master01 ~]# echo -n "admin" | base64
    YWRtaW4=
    [root@k8s-master01 ~]# echo -n "admin123" | base64
    YWRtaW4xMjM=
    # Decoding is trivial: base64 hides nothing from anyone who can read the Secret object.
    [root@k8s-master01 ~]# echo -n "YWRtaW4xMjM=" | base64 -d
    admin123
    [root@k8s-master01 ~]# base64 --help

    secrets.yaml

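    # secrets.yaml — an Opaque Secret. Values under `data` are the base64 encoding of the
    # raw bytes (`echo -n "admin" | base64` → YWRtaW4=). base64 is an encoding, not
    # encryption: anyone with RBAC `get` on Secrets in this namespace can decode them.
    # To write values in plain text instead, use `stringData:` and let the API server encode.
    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:
      password: YWRtaW4xMjM=
      # The original listing had YWRtal4= here, which decodes to "admj^" rather than "admin"
      # (that mistyped value is what the env-var demo below prints).
      username: YWRtaW4=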
    # Lists names and types only; `kubectl get secret mysecret -o yaml` prints the base64
    # values, which decode trivially — restrict get/list on Secrets via RBAC accordingly.
    kubectl get secret
    Ⅱ、使用方式

    1、将Secret挂载到volume中

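    # Pod that consumes `mysecret` as files under /etc/secrets (one file per key).
    # The original listing had lost its indentation (labels/name were siblings of
    # metadata, volumes/containers siblings of spec) and would not apply as written.
    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        name: seret-test
      name: seret-test
    spec:
      volumes:
        - name: secrets
          secret:
            secretName: mysecret
            # Projected files are created 0644 by default, readable by every process in the
            # container. Tighten with `defaultMode: 0400` (add fsGroup in securityContext
            # if the application runs as a non-root user).
      containers:
        - image: hub.atguigu.com/library/myapp:v1
          name: db
          volumeMounts:
            - name: secrets
              mountPath: "/etc/secrets"
              # readOnly keeps the container from altering the projected files; the kubelet
              # still refreshes them when the Secret changes.
              readOnly: true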
    # The mounted files hold the decoded plaintext; any process in the container, and anyone
    # allowed to `kubectl exec` into it, can read them — scope exec permissions accordingly.
    kubectl exec seret-test  -it -- /bin/sh
    / # cd /etc/secrets/
    /etc/secrets # ls
    password username
    /etc/secrets # cat username
    /etc/secrets # cat password
    admin123

    2、将Secret导出到环境变量中

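    # Deployment that injects `mysecret` keys as environment variables.
    # `extensions/v1beta1` Deployments were removed in Kubernetes 1.16; `apps/v1` is used
    # here and requires an explicit selector matching the Pod template labels. The original
    # listing had also lost its top-level indentation and would not apply as written.
    #
    # Caveat: environment variables are visible to every process in the container and its
    # children (e.g. /proc/<pid>/environ), routinely end up in crash dumps and debug logs,
    # and are NOT refreshed when the Secret changes. Prefer the volume mount for
    # high-value credentials.
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: pod-deployment
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: pod-deployment
      template:
        metadata:
          labels:
            app: pod-deployment
        spec:
          containers:
            - name: pod-1
              image: hub.atguigu.com/library/myapp:v1
              ports:
                - containerPort: 80
              env:
                - name: TEST_USER
                  valueFrom:
                    secretKeyRef:
                      name: mysecret
                      key: username
                - name: TEST_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: mysecret
                      key: password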
    [root@k8s-master01 ~]# kubectl exec  pod-deployment-57cf4db6cc-68j9r  -it -- /bin/sh
    # "admj^" below is what `username: YWRtal4=` in secrets.yaml decodes to — the value
    # was mistyped; with YWRtaW4= (`echo -n admin | base64`) this prints "admin".
    # Note the values are plain text in the process environment, inherited by every child
    # process, and will not change if the Secret is updated later.
    / # echo $TEST_USER
    admj^
    / # echo $TEST_PASSWORD
    admin123
    / #

    kubernetes.io/dockerconfigjson

    使用 kubectl 创建 docker registry 认证的 Secret

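    # Create a kubernetes.io/dockerconfigjson Secret for a private registry. Replace the
    # UPPER_CASE placeholders (the original listing had the flags garbled together).
    # A password given on the command line is written to shell history and is visible in
    # `ps` output while the command runs; for anything beyond a lab, build the Secret from
    # an existing docker config instead:
    #   kubectl create secret generic myregistrykey \
    #     --from-file=.dockerconfigjson=$HOME/.docker/config.json \
    #     --type=kubernetes.io/dockerconfigjson
    kubectl create secret docker-registry myregistrykey \
      --docker-server=DOCKER_REGISTRY_SERVER \
      --docker-username=DOCKER_USER \
      --docker-password=DOCKER_PASSWORD \
      --docker-email=DOCKER_EMAIL
    secret "myregistrykey" created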

    在创建Pod的时候,通过 spec.imagePullSecrets 来引用刚创建的 myregistrykey(该 Secret 必须与 Pod 在同一命名空间)

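    # Pod pulling from a private registry with the `myregistrykey` credentials.
    # The original listing was not valid Kubernetes YAML: `containers` must be a list,
    # and `imagePullSecrets` (camelCase) is a list under `spec`, not under a container.
    apiVersion: v1
    kind: Pod
    metadata:
      name: foo
    spec:
      containers:
        - name: foo
          image: hub.atguigu.com/library/myapp:v1
      # The referenced Secret must exist in the Pod's namespace and be of type
      # kubernetes.io/dockerconfigjson.
      imagePullSecrets:
        - name: myregistrykey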

     

  • 原文地址:https://www.cnblogs.com/eadela/p/11989200.html