k8s-kubernettes-sercet存储
Secret
Secret存在意义
Secret解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者Pod Spec中。Secret可以以Volume或者环境变量的方式使用
secret有三种类型:
- Service Account :用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的 /run/secrets/kubernetes.io/serviceaccount目录中
- Opaque : base64编码格式的Secret,用来存储密码、密钥等
- kubernetes.io/dockerconfigison :用来存储私有docker registry的认证信息
Service Account
Service Account用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的 /run/secrets/kubernetes.io/serviceaccount目录中
[root@k8s-master01 ~]# kubectl exec kube-proxy-hjkqb -n kube-system -it -- ls /run/secrets/kubernetes.io/serviceaccount
ca.crt namespace token
kubectl exec kube-proxy-hjkqb -n kube-system -it -- /bin/sh cd /run/secrets/kubernetes.io/serviceaccount
cat ca.crtkubectl get pod -n kube-system
kubectl exec kube-proxy-hjkqb -n kube-system -it -- /bin/shOpaque Secret
Ⅰ、 创建说明
Opaque类型的数据是一个map类型,要求value是base64编码格式:
[root@k8s-master01 ~]# echo -n "admin" | base64
YWRtaW4=
[root@k8s-master01 ~]# echo -n "admin123" | base64
YWRtaW4xMjM=
[root@k8s-master01 ~]# echo -n "YWRtaW4xMjM=" | base64 -d
admin123
[root@k8s-master01 ~]# base64 --helpsecrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
password: YWRtaW4xMjM=
username: YWRtal4=kubectl get secretⅡ、使用方式
1、将Secret挂载到volume中
apiVersion: v1
kind: Pod
metadata:
labels:
name: seret-test
name: seret-test
spec:
volumes:
- name: secrets
secret:
secretName: mysecret
containers:
- image: hub.atguigu.com/library/myapp:v1
name: db
volumeMounts:
- name: secrets
mountPath: "/etc/secrets"
readOnly: truekubectl exec seret-test -it -- /bin/sh
/ # cd /etc/secrets/
/etc/secrets # ls
password username
/etc/secrets # cat username
/etc/secrets # cat password
admin1232、将Secret导出到环境变量中
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: pod-deployment
spec:
replicas: 2
template:
metadata:
labels:
app: pod-deployment
spec:
containers:
- name: pod-1
image: hub.atguigu.com/library/myapp:v1
ports:
- containerPort: 80
env:
- name: TEST_USER
valueFrom:
secretKeyRef:
name: mysecret
key: username
- name: TEST_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password[root@k8s-master01 ~]# kubectl exec pod-deployment-57cf4db6cc-68j9r -it -- /bin/sh
/ # echo $TEST_USER
admj^
/ # echo $TEST_PASSWORD
admin123
/ # kubernetes.io/dockerconfigjson
使用Kuberctl创建docker registry认证的secret
kubectl create secret docker-registry myregistrykey --docker-server=DOCKER REGISTRY SERVER- docker-username-DOCKER USER--docker-password-DOCKER PASSWORD ---docker-emai1-DOCKER EMAIL secret "myregistrykey" created.在创建Pod的时候,通过imagePullsecrets来引用刚创建的myregistrykey
apiVersion: v1
kind: Pod
metadata:
name: foo
spec:
containers:
name: foo
image: hub.atguigu.com/library/myapp:v1
imagePullsecrets:
name: myregistrykey本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2019-12-05 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
相关产品与服务
容器镜像服务
容器镜像服务(Tencent Container Registry,TCR)为您提供安全独享、高性能的容器镜像托管分发服务。您可同时在全球多个地域创建独享实例,以实现容器镜像的就近拉取,降低拉取时间,节约带宽成本。TCR 提供细颗粒度的权限管理及访问控制,保障您的数据安全。
腾讯云开发者
