kubernetes-secret

What Secrets are for

Secrets solve the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in the image or in the Pod spec. A Secret can be consumed either as a Volume or as environment variables.

There are three types of Secret:

  • Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount
  • Opaque: a Secret whose values are base64-encoded (an encoding, not encryption); used to store passwords, keys and similar data
  • kubernetes.io/dockerconfigjson: used to store the credentials for a private Docker registry

Service Account

A Service Account is used to access the Kubernetes API. It is created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount

[root@k8s-master ~]# kubectl get pod -n kube-system
NAME                                 READY   STATUS    RESTARTS   AGE
coredns-5c98db65d4-pxl78             1/1     Running   0          8d
coredns-5c98db65d4-vdtsr             1/1     Running   0          8d
etcd-k8s-master                      1/1     Running   0          8d
kube-apiserver-k8s-master            1/1     Running   0          8d
kube-controller-manager-k8s-master   1/1     Running   0          8d
kube-flannel-ds-amd64-852cl          1/1     Running   0          8d
kube-flannel-ds-amd64-p5h64          1/1     Running   0          8d
kube-flannel-ds-amd64-rglvq          1/1     Running   0          6d18h
kube-proxy-6sp4j                     1/1     Running   0          8d
kube-proxy-hbnkf                     1/1     Running   0          6d18h
kube-proxy-ttjcn                     1/1     Running   0          8d
kube-scheduler-k8s-master            1/1     Running   0          8d
[root@k8s-master ~]# kubectl exec kube-proxy-ttjcn -it -n kube-system -- /bin/sh
# cd /run/secrets
# ls
kubernetes.io
# cd kubernetes.io
# cd serviceaccount  
# ls
ca.crt    namespace  token
# cat ca.crt      
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
# cat token
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlLXByb3h5LXRva2VuLW54NzhwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Imt1YmUtcHJveHkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzZmViYjlhOC0yOTU2LTRjMzEtODU1Mi01Mzc2ZTMxOGE3NWIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06a3ViZS1wcm94eSJ9.xy-rX7AKuPzS6Z2ecFZRy32FHFJuR5WZZ5ziWEhG64rXV5Hcy9gA1ptatwLxQmGGkYFVZ5rEDTcNRGsM1ADHQKFjFhf5TpsXEUfk3U67JtnWUC_KDB8G2P1cBN7s6O1JKYVn-uWGq0LTcxoR62TpMgCFdLKR38CXIR-ItUTmpGVVKlhWgg3pIvvbQgFWOwpHxBM8Ce-Er8J6uhKuPvXfhO28K0ppf0OZFihWPhVs-BLAI855F7UC8dhi0_db10w_zmeaa_EcMRddrs0FYnup_kubevTc7geUOzAetMCfkON4EJv91xVtHVOctpdi2wX4WmhNs9mbuJhBqJPGkp-24Q# 
# ls    
ca.crt    namespace  token
# cat namespace     
kube-system
# 

Opaque Secret

I. How to create one

The data of an Opaque Secret is a map, and every value must be base64-encoded:

[root@k8s-master ~]# echo -n "admin" |base64
YWRtaW4=
[root@k8s-master ~]# echo -n "adbdfes" | base64
YWRiZGZlcw==

secrets.yaml

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: YWRiZGZlcw==
  username: YWRtaW4=
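As an added example (not code from the original post), the following Python builds the same Opaque Secret manifest from plaintext values, decodes one back, and flags the classic mistake of encoding with `echo` instead of `echo -n`, which leaves a trailing newline in the value. Function names are my own.

```python
import base64

# Added example, not part of the original post: build an Opaque Secret
# manifest from plaintext values and check an existing one for values
# that were encoded with a trailing newline (echo without -n).

def build_opaque_secret(name: str, values: dict[str, str]) -> dict:
    """Return a Secret manifest equivalent to secrets.yaml above.

    Each value is base64-encoded exactly as `echo -n VALUE | base64` does.
    base64 is an encoding, not encryption, so the manifest must still be
    protected like the plaintext it carries.
    """
    data = {
        key: base64.b64encode(value.encode("utf-8")).decode("ascii")
        for key, value in values.items()
    }
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": data,
    }


def decode_secret_data(manifest: dict) -> dict[str, str]:
    """Decode the `data` map of a Secret manifest back to plaintext."""
    return {
        key: base64.b64decode(encoded).decode("utf-8")
        for key, encoded in manifest.get("data", {}).items()
    }


def keys_with_trailing_newline(manifest: dict) -> list[str]:
    """Report keys whose decoded value ends in a newline.

    `echo "admin" | base64` (no -n) yields YWRtaW4K, so the container would
    read the username as "admin\\n" and authentication would fail.
    """
    return [
        key for key, value in decode_secret_data(manifest).items()
        if value.endswith("\n")
    ]


if __name__ == "__main__":
    secret = build_opaque_secret("mysecret", {"username": "admin", "password": "adbdfes"})
    print(secret["data"])  # same values as secrets.yaml above
    sloppy = {"data": {"username": "YWRtaW4K"}}  # constructed: "admin\n"
    print(keys_with_trailing_newline(sloppy))  # ['username']
```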

II. How to use it

1. Mount the Secret as a Volume

apiVersion: v1
kind: Pod
metadata:
  labels:
    name: secret-test
  name: secret-test
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
  containers:
  - image: harbor.bwingame8.com/library/myapp:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true

2. Export the Secret into environment variables

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
      - name: pod-1
        image: harbor.bwingame8.com/library/myapp:v1
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password

kubernetes.io/dockerconfigjson

Create a Secret holding the Docker registry credentials with kubectl:

$ kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL 

secret "myregistrykey" created

When creating the Pod, reference the newly created myregistrykey through imagePullSecrets:

apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
    - name: foo
      image: harbor.bwingame8.com/library/myapp:v1
  imagePullSecrets:
    - name: myregistrykey

Author: 阿培
Copyright: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit 阿培 as the source when reposting!