
企企业运维----Docker-kubernetes-Secret配置管理

2021-07-31 17:33:46  阅读:191  来源: 互联网



kubernetes-Secret


Secret

Secret 有三种类型:

Service Account :用来访问 Kubernetes API,由 Kubernetes 自动创建,并且会自动挂载到 Pod 的/run/secrets/kubernetes.io/serviceaccount  目录中

Opaque :以 base64 编码(注意:编码不是加密)存储数据的 Secret,用来存储密码、密钥等

kubernetes.io/dockerconfigjson :用来存储私有 docker registry 的认证信息

Secret 解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者 Pod Spec 中。Secret 可以以 Volume 或者环境变量的方式使用

从文件创建secret

创建认证文本文件

[root@server2 configmap]# echo -n 'admin' > ./username.txt
[root@server2 configmap]# echo -n 'westos' > ./password.txt
[root@server2 configmap]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret/db-user-pass created
[root@server2 configmap]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      9s
default-token-pbw6h   kubernetes.io/service-account-token   3      6d19h

查看认证信息

[root@server2 configmap]# kubectl describe secrets db-user-pass
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password.txt:  6 bytes
username.txt:  5 bytes
[root@server2 configmap]# 

为了避免误泄露,kubectl get 和 kubectl describe 默认不会显示 Secret 的值;但任何有权限 get 该 Secret 的用户都可以通过以下方式查看

[root@server2 configmap]# kubectl get secrets db-user-pass -o yaml
apiVersion: v1
data:
  password.txt: d2VzdG9z
  username.txt: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2021-07-31T05:47:20Z"
  name: db-user-pass
  namespace: default
  resourceVersion: "631826"
  uid: f467583b-973c-4919-b799-1b9a2b27c618
type: Opaque

解码 base64 查看明文(base64 只是编码,不是加密,本身不提供任何保密性)

[root@server2 configmap]# echo d2VzdG9z | base64 -d
westos[root@server2 configmap]# 

编写secret

[root@server2 configmap]# vim secret.yaml
[root@server2 configmap]# cat secret.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  # Values under `data` are base64-encoded, not encrypted; anyone who can
  # read this Secret object can decode them (see `base64 -d` above).
  # To write plain text instead, use `stringData:` and let the API server encode it.
  username: YWRtaW4=
  password: d2VzdG9z

[root@server2 configmap]# kubectl apply -f secret.yaml
secret/mysecret created
[root@server2 configmap]# 
[root@server2 configmap]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      141m
default-token-pbw6h   kubernetes.io/service-account-token   3      6d21h
mysecret              Opaque                                2      87s

将Secret挂载到Volume中

编写文件,创建

[root@server2 configmap]# cat secret.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      # Each key of the Secret becomes a file under /secret (username, password).
      mountPath: "/secret"
      readOnly: true   # the container cannot modify the projected secret files
  volumes:
  - name: secrets
    secret:
      secretName: mysecret   # must already exist in the same namespace as the Pod

[root@server2 configmap]# vim secret.yaml 
[root@server2 configmap]# kubectl apply -f secret.yaml
pod/mysecret created
[root@server2 configmap]# kubectl get pod
NAME                                READY   STATUS      RESTARTS   AGE
mysecret                            1/1     Running     0          11s

进入容器查看挂载路径

[root@server2 configmap]# kubectl exec -it mysecret -- bash
root@mysecret:/# ls
bin   docker-entrypoint.d   home   media  proc	sbin	sys  var
boot  docker-entrypoint.sh  lib    mnt	  root	secret	tmp
dev   etc		    lib64  opt	  run	srv	usr
root@mysecret:/# cd secret/
root@mysecret:/secret# ls
password  username
root@mysecret:/secret# cat username 
adminroot@mysecret:/secret# cat password 
westosroot@mysecret:/secret# pwd
/secret
root@mysecret:/secret# 
向指定路径映射密钥
[root@server2 configmap]# vim secret.yaml 
[root@server2 configmap]# cat secret.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
      # With `items`, only the listed keys are projected; `password` is no longer
      # exposed in this Pod. `username` appears at /secret/my-group/my-username.
      items:
      - key: username
        path: my-group/my-username
[root@server2 configmap]# kubectl apply -f secret.yaml
pod/mysecret created
[root@server2 configmap]# kubectl get pod
NAME                                READY   STATUS      RESTARTS   AGE
mysecret                            1/1     Running     0          16s

进入容器查看挂载路径

[root@server2 configmap]# kubectl exec -it  mysecret -- bash
root@mysecret:/# cd secret/
root@mysecret:/secret# ls
my-group
root@mysecret:/secret# cd my-group
root@mysecret:/secret/my-group# ls
my-username
root@mysecret:/secret/my-group# cat my-username 
adminroot@mysecret:/secret/my-group# 

将Secret设置为环境变量
[root@server2 configmap]# kubectl delete -f secret.yaml 
pod "mysecret" deleted
[root@server2 configmap]# vim secret.yaml 
[root@server2 configmap]# cat secret.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: secret-env
spec:
  containers:
  - name: nginx
    image: nginx
    # Secret values injected as environment variables are fixed at container
    # start and do not follow later updates to the Secret. Anything that dumps
    # the environment (e.g. `env`, as shown below) prints them in clear text.
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password

[root@server2 configmap]# kubectl apply -f secret.yaml 
pod/secret-env created
[root@server2 configmap]# kubectl get pod
NAME                                READY   STATUS      RESTARTS   AGE
secret-env                          1/1     Running     0          16s

进入容器查看环境

[root@server2 configmap]# kubectl exec -it  secret-env -- bash
root@secret-env:/# env

...
SECRET_PASSWORD=westos
...

通过环境变量读取 Secret 很方便,但容器启动后不会随 Secret 的更新而变化;而且如上所示 env 会把值明文打印出来,容易随日志或调试输出泄露

存储docker registry的认证信息

创建类型为 docker-registry 的 secret(注意:密码直接写在命令行参数中会留在 shell 历史里)

[root@server2 configmap]# kubectl create secret docker-registry myregistrykey --docker-server=hyl.westos.org --docker-username=admin --docker-password=westos --docker-email=yakexi007@westos.org
secret/myregistrykey created
[root@server2 configmap]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
myregistrykey         kubernetes.io/dockerconfigjson        1      36s

编写registry.yaml,拉取仓库中的镜像

[root@server2 configmap]# vim registry.yaml
[root@server2 configmap]# cat registry.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: perl
      image: reg.westos.org/library/perl
  # The kubelet uses the kubernetes.io/dockerconfigjson Secret named here to
  # authenticate the image pull against the private registry.
  imagePullSecrets:
    - name: myregistrykey
    
[root@server2 configmap]# kubectl apply -f registry.yaml 
pod/mypod created
[root@server2 configmap]# kubectl get pod
NAME                                READY   STATUS              RESTARTS   AGE
mypod                               0/1     ContainerCreating   0          6s

查看 pod 详细信息,Events 中可以看到镜像已成功拉取(容器反复重启应是因为 perl 镜像启动后立即正常退出 Exit Code 0,与拉取认证无关)

[root@server2 configmap]# kubectl describe pod mypod
Name:         mypod
Namespace:    default
Priority:     0
Node:         server3/172.25.12.3
Start Time:   Sat, 31 Jul 2021 04:41:48 -0400
Labels:       <none>
Annotations:  cni.projectcalico.org/podIP: 10.244.141.226/32
              cni.projectcalico.org/podIPs: 10.244.141.226/32
Status:       Running
IP:           10.244.141.226
IPs:
  IP:  10.244.141.226
Containers:
  perl:
    Container ID:   docker://6e11dbffb75f37ce4aba8a90cb7d756e860ae16daab6980811cef65d7945e160
    Image:          reg.westos.org/library/perl
    Image ID:       docker-pullable://reg.westos.org/library/perl@sha256:0245ddad7966262b2df36c6e7effb406b6eee45c1d7cb654097b574bf51e70b5
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sat, 31 Jul 2021 04:44:48 -0400
      Finished:     Sat, 31 Jul 2021 04:44:48 -0400
    Ready:          False
    Restart Count:  4
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-qfmn2 (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  kube-api-access-qfmn2:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                  From               Message
  ----     ------     ----                 ----               -------
  Normal   Scheduled  3m31s                default-scheduler  Successfully assigned default/mypod to server3
  Normal   Pulled     118s                 kubelet            Successfully pulled image "reg.westos.org/library/perl" in 1m30.671959322s
  Normal   Pulling    2m5s (x5 over 5m2s)    kubelet            Pulling image "reg.westos.org/library/perl"
  Normal   Created    73s (x4 over 117s)   kubelet            Created container perl
  Normal   Started    72s (x4 over 116s)   kubelet            Started container perl

来源: https://blog.csdn.net/weixin_56892849/article/details/119274637
