Secret 存在意义
Secret解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者Pod Spec中。Secret可以以Volume或者环境变量的方式使用
Secret 常用的有以下三种类型（此外还有 kubernetes.io/tls、kubernetes.io/basic-auth 等内置类型）:
- Service Account（类型为 kubernetes.io/service-account-token）: 用来访问 Kubernetes API,由 Kubernetes 自动创建,并且会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中
- Opaque: 通用类型,value 以 base64 编码存储,用来存储密码、密钥等。注意 base64 只是编码而不是加密:任何有权限读取该 Secret 的用户都能直接解码出明文,因此需要用 RBAC 限制对 secrets 资源的 get/list 权限,并考虑在 API Server 上开启静态加密(encryption at rest)。
- kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息
Service Account
Service Account 用来访问 Kubernetes API,由 Kubernetes 自动创建,并且会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中。该目录下的 token 是可以直接调用 API 的 bearer 凭据:能 exec 进 Pod 或读取其文件系统的人就拥有了对应 ServiceAccount 的全部权限,所以不要把真实 token 粘贴到文档、截图或聊天里(下面示例中的 token 应视为已泄露,需删除对应 Secret 以轮换)。对不需要访问 API 的 Pod,建议在 Pod spec 中设置 automountServiceAccountToken: false。另外,本例的 token 来自 Secret、payload 中没有 exp 字段,属于长期有效的旧式 token;较新版本的 Kubernetes 默认挂载带过期时间的投射(projected)token。
[root@k8s-master ~]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-5c98db65d4-pxl78 1/1 Running 0 8d
coredns-5c98db65d4-vdtsr 1/1 Running 0 8d
etcd-k8s-master 1/1 Running 0 8d
kube-apiserver-k8s-master 1/1 Running 0 8d
kube-controller-manager-k8s-master 1/1 Running 0 8d
kube-flannel-ds-amd64-852cl 1/1 Running 0 8d
kube-flannel-ds-amd64-p5h64 1/1 Running 0 8d
kube-flannel-ds-amd64-rglvq 1/1 Running 0 6d18h
kube-proxy-6sp4j 1/1 Running 0 8d
kube-proxy-hbnkf 1/1 Running 0 6d18h
kube-proxy-ttjcn 1/1 Running 0 8d
kube-scheduler-k8s-master 1/1 Running 0 8d
[root@k8s-master ~]# kubectl exec kube-proxy-ttjcn -it -n kube-system -- /bin/sh
# cd /run/secrets
# ls
kubernetes.io
# cd kubernetes.io
# cd serviceaccount
# ls
ca.crt namespace token
# cat ca.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
# cat token
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlLXByb3h5LXRva2VuLW54NzhwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Imt1YmUtcHJveHkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzZmViYjlhOC0yOTU2LTRjMzEtODU1Mi01Mzc2ZTMxOGE3NWIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06a3ViZS1wcm94eSJ9.xy-rX7AKuPzS6Z2ecFZRy32FHFJuR5WZZ5ziWEhG64rXV5Hcy9gA1ptatwLxQmGGkYFVZ5rEDTcNRGsM1ADHQKFjFhf5TpsXEUfk3U67JtnWUC_KDB8G2P1cBN7s6O1JKYVn-uWGq0LTcxoR62TpMgCFdLKR38CXIR-ItUTmpGVVKlhWgg3pIvvbQgFWOwpHxBM8Ce-Er8J6uhKuPvXfhO28K0ppf0OZFihWPhVs-BLAI855F7UC8dhi0_db10w_zmeaa_EcMRddrs0FYnup_kubevTc7geUOzAetMCfkON4EJv91xVtHVOctpdi2wX4WmhNs9mbuJhBqJPGkp-24Q#
# ls
ca.crt namespace token
# cat namespace
kube-system
#
Opaque Secret
I、创建说明
Opaque 类型的 data 是一个 map,要求 value 是 base64 编码格式(注意用 echo -n 去掉末尾换行,否则解码后的值会多出一个换行符;也可以改用 stringData 字段直接写明文,由 API Server 负责编码)。
[root@k8s-master ~]# echo -n "admin" |base64
YWRtaW4=
[root@k8s-master ~]# echo -n "adbdfes" | base64
YWRiZGZlcw==
secrets.yaml
# Opaque Secret holding a username/password pair (secrets.yaml).
# The values under `data` are base64 *encoded*, not encrypted: anyone who can
# `get` this Secret can decode them, so restrict that RBAC verb and consider
# enabling encryption at rest on the API server.
# Both values were produced with `echo -n ... | base64`; the -n matters, or a
# trailing newline ends up inside the decoded value.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=      # "admin"
  password: YWRiZGZlcw==  # "adbdfes"
II、使用方式
1. 将Secret 挂载到 Volume中
# Pod that consumes `mysecret` as files under /etc/secrets
# (one file per key: /etc/secrets/username and /etc/secrets/password).
apiVersion: v1
kind: Pod
metadata:
  name: secret-test
  labels:
    name: secret-test
spec:
  # NOTE(review): this Pod does not talk to the API; adding
  # `automountServiceAccountToken: false` here would keep the ServiceAccount
  # token out of the container — confirm the image really has no API client.
  containers:
    - name: db
      image: harbor.bwingame8.com/library/myapp:v1
      volumeMounts:
        - name: secrets
          mountPath: "/etc/secrets"
          readOnly: true   # the app must not be able to rewrite its own credentials
  volumes:
    - name: secrets
      secret:
        secretName: mysecret
        # NOTE(review): secret files are mode 0644 by default; `defaultMode: 0400`
        # tightens this, but only if the container process owns the files
        # (check runAsUser/fsGroup first or the app loses read access).
2、将 Secret 导出到环境变量中(注意:环境变量会被所有子进程继承,也会出现在 /proc/<pid>/environ、崩溃转储以及打印环境的调试接口中,并且在容器启动后不会随 Secret 更新而刷新;应用能从文件读取时,优先使用上面的 Volume 挂载方式)
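# Deployment that injects the Secret's keys as environment variables.
# Fix: `extensions/v1beta1` is deprecated and is no longer served by current
# API servers (removed in Kubernetes 1.16); `apps/v1` is the supported group
# and requires an explicit `spec.selector` that matches the template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: pod-deployment
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
        - name: pod-1
          image: harbor.bwingame8.com/library/myapp:v1
          ports:
            - containerPort: 80
          # Caveat: environment variables are inherited by every child process
          # and are visible in /proc/<pid>/environ, crash dumps and any debug
          # endpoint that prints the environment; they are also read once at
          # container start and are not refreshed when the Secret changes.
          # Prefer the volume-mount form when the app can read from a file.
          env:
            - name: TEST_USER
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: username
            - name: TEST_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: password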
kubernetes.io/dockerconfigjson(类型名需全小写,API Server 按字符串精确匹配)
使用 kubectl 创建 docker registry 认证的 Secret。注意下面这种写法会把 --docker-password 的明文留在 shell 历史里,并且在命令运行期间可以通过 ps 看到;更稳妥的做法是先 docker login,再用已有的配置文件创建,密码不经过命令行:kubectl create secret generic myregistrykey --from-file=.dockerconfigjson=$HOME/.docker/config.json --type=kubernetes.io/dockerconfigjson
$ kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret "myregistrykey" created
在创建 Pod 的时候,通过 imagePullSecrets 来引用刚创建的 myregistrykey(该 Secret 必须与 Pod 在同一个 namespace 中):
# Pod pulling a private image with the registry credential Secret.
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  # `imagePullSecrets` must name a kubernetes.io/dockerconfigjson Secret in the
  # Pod's own namespace. Alternative: add the Secret to the ServiceAccount's
  # imagePullSecrets so every Pod using that account gets it automatically.
  imagePullSecrets:
    - name: myregistrykey
  containers:
    - name: foo
      image: harbor.bwingame8.com/library/myapp:v1