Secret and ConfigMap

Secret

What is a Secret, and what is it for?
It stores sensitive data, such as the account and password of a MySQL service, or keys and certificates.
Example:
Username: root
Password: 123.com

How do we store the values above as a Secret resource?
Method 1: --from-literal

[root@master ~]# kubectl create secret generic mysecret1 --from-literal=username=root --from-literal=password=123.com
secret/mysecret1 created

PS: generic is the Secret type being created (an Opaque Secret with arbitrary user-defined keys); it is not an algorithm. kubectl create secret also has docker-registry and tls subcommands for those specific types.
// List the Secret objects

[root@master ~]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-vnwn4   kubernetes.io/service-account-token   3      5d21h
mysecret1             Opaque                                2      2m40s

// With describe we see the keys but only the byte size of each value. That is not because the data is encrypted: kubectl describe deliberately hides Secret values, but they are stored merely base64-encoded, and anyone allowed to get secrets in the namespace can read them with
// kubectl get secret mysecret1 -o jsonpath='{.data.password}' | base64 -d
[root@master ~]# kubectl describe secrets mysecret1 
Name:         mysecret1
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  7 bytes
username:  4 bytes

Note: one --from-literal holds exactly one key=value pair; repeat the flag for each key.

Method 2: --from-file

[root@master secret]# echo root > username
[root@master secret]# echo 123.com > password
[root@master secret]# kubectl create secret generic mysecret2 --from-file=username --from-file=password
secret/mysecret2 created
[root@master secret]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-vnwn4   kubernetes.io/service-account-token   3      5d21h
mysecret1             Opaque                                2      6m50s
mysecret2             Opaque                                2      13s

PS: --from-file is less flexible than it sounds: each file becomes exactly one key (named after the file, or --from-file=key=path), and the whole file content is the value. Note that echo appends a newline, so the values stored above are "root\n" and "123.com\n"; use printf '%s' or echo -n when the consuming application is sensitive to that.

Method 3: --from-env-file

[root@master secret]# cat env.txt 
username=root
password=123.com
[root@master secret]# kubectl create secret generic mysecret3 --from-env-file=env.txt
secret/mysecret3 created
[root@master secret]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-vnwn4   kubernetes.io/service-account-token   3      5d21h
mysecret1             Opaque                                2      8m49s
mysecret2             Opaque                                2      2m12s
mysecret3             Opaque                                2      9s

PS: This is much more convenient than method 2, but each line of the file must hold exactly one key=value pair (blank lines and lines starting with # are skipped).

Method 4: from a YAML file
Note: the data field of a Secret manifest must hold base64-encoded values; the API requires this because values are arbitrary bytes. It is encoding, not encryption, and hides nothing from anyone who can read the manifest. If you prefer to write plain values, use the stringData field instead and the API server encodes them for you. Also, echo appends a newline, so the strings produced below encode "root\n" and "123.com\n"; use echo -n or printf '%s' to avoid that.

[root@master secret]# echo root |base64
cm9vdAo=
[root@master secret]# echo 123.com | base64
MTIzLmNvbQo=
[root@master secret]# vim base.yaml
 
apiVersion: v1
kind: Secret
metadata:
  name: mysecret4
data:
  username: cm9vdAo=
  password: MTIzLmNvbQo=
  
[root@master secret]# kubectl apply -f base.yaml 
secret/mysecret4 created
[root@master secret]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-vnwn4   kubernetes.io/service-account-token   3      5d21h
mysecret1             Opaque                                2      13m
mysecret2             Opaque                                2      6m59s
mysecret3             Opaque                                2      4m56s
mysecret4             Opaque                                2      91s

PS: base64 is not a protection at all: the strings we stored above can be turned back into the plaintext with --decode by anyone who can read the Secret, that is anyone with RBAC get or list on secrets in the namespace, a node whose kubelet is allowed to pull it, or anyone with access to etcd, where Secrets sit unencrypted unless encryption at rest is configured. RBAC on Secrets and access to etcd are the real security boundary.

[root@master secret]# echo -n cm9vdAo= | base64 --decode
root
[root@master secret]# echo -n MTIzLmNvbQo= | base64 --decode
123.com
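The following is an added example, not code from the original post: it builds the same Opaque Secret manifest as base.yaml above from key=value arguments, encoding the values without the trailing newline that echo introduces, and decodes values back the way anyone who can read the Secret would. The function names are assumptions; only coreutils base64 is required.

```shell
# Added example (not from the original post): build an Opaque Secret manifest
# with correctly base64-encoded values and decode them back, showing that
# base64 reverses trivially. Needs only coreutils `base64`.

# Encode without a trailing newline. `echo root | base64` encodes "root\n"
# (cm9vdAo=), so a file mounted from that key would end in a newline the
# application may not expect; printf '%s' writes the bytes exactly.
b64enc() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Decode a stored value, exactly what `kubectl get secret -o jsonpath` + base64 -d does.
b64dec() { printf '%s' "$1" | base64 -d; }

# Byte length of a decoded value; exposes the stray newline in the post's values.
decoded_len() { b64dec "$1" | wc -c | tr -d ' '; }

# Emit a Secret manifest on stdout: secret_manifest NAME key=value [key=value ...]
# Values are split at the first "=", so a value may itself contain "=".
secret_manifest() {
    name=$1; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        printf '  %s: %s\n' "$key" "$(b64enc "$val")"
    done
}

# Usage (constructed input, the post's example credentials):
#   secret_manifest mysecret4 username=root password=123.com > base.yaml
#   kubectl apply -f base.yaml
```

decoded_len cm9vdAo= reports 5 bytes while decoded_len cm9vdA== reports 4: the post's values carry the newline from echo. If you would rather not base64 anything by hand, put plain values under stringData instead of data and let the API server encode them.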

Using a Secret

1. As a volume
Example: create a Pod that consumes mysecret1 through a volume.

[root@master secret]# vim volume.yaml 

kind: Pod
apiVersion: v1
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
      - /bin/sh
      - -c
      - sleep 30000
    volumeMounts:
    - name: test-volume
      mountPath: "/etc/volume"
      readOnly: true
  volumes:
  - name: test-volume
    secret:
      secretName: mysecret1
[root@master secret]# kubectl apply -f volume.yaml 
pod/mypod created

// Run the Pod from the YAML file, then enter the mount directory inside the Pod to verify that the Secret's data is there.

[root@master secret]# kubectl get pod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          2m57s
[root@master secret]# kubectl exec -it mypod bash
OCI runtime exec failed: exec failed: container_linux.go:349: starting container process caused "exec: \"bash\": executable file not found in $PATH": unknown
command terminated with exit code 126
[root@master secret]# kubectl exec -it mypod sh
/ # cd /etc/volume/
/etc/volume # ls
password  username
/etc/volume # cat username
root 
/etc/volume # cat password 
123.com

PS: A Secret mounted as a volume is refreshed when the Secret object changes, but not instantly: the kubelet picks the change up on its sync period, so expect a delay of seconds to minutes, and keys mounted with subPath are never updated. The volume is backed by tmpfs and is mounted read-only by Kubernetes itself, so readOnly: true documents that explicitly rather than adding protection; it is still good practice to keep it.

// We can also choose the file names under which the data is stored; the Pod above can be changed to:

kind: Pod
apiVersion: v1
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
      - /bin/sh
      - -c
      - sleep 30000
    volumeMounts:
    - name: test-volume
      mountPath: "/etc/volume"
      readOnly: true
  volumes:
  - name: test-volume
    secret:
      secretName: mysecret1
      items:
      - key: username
        path: mygroup/my-username
      - key: password
        path: mygroup/my-password

// The data is still visible at the new paths, and stays in sync with the Secret object (eventually, on the kubelet's sync period, not in real time).

[root@master secret]# kubectl exec -it mypod sh
/ # cd /etc/volume/
/etc/volume # ls
mygroup
/etc/volume # ls mygroup/
my-password  my-username

2. As environment variables
Now change the Pod above so that it references the Secret through environment variables instead:


kind: Pod
apiVersion: v1
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
      - /bin/sh
      - -c
      - sleep 30000
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret1
            key:  username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret1
            key: password
[root@master secret]# kubectl apply -f volume.yaml 
pod/mypod created

// Run the YAML file and enter the Pod to verify the variable values.

[root@master secret]# kubectl get pod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          83s
[root@master secret]# kubectl exec -it mypod sh
/ # echo $SECRET_USERNAME
root
/ # echo $SECRET_PASSWORD
123.com

// Environment variables also reference the Secret correctly, but unlike the volume method they are set once at container start and never updated when the Secret changes. They also leak more easily: every child process inherits them, they are readable in /proc/<pid>/environ, and they routinely end up in crash reports and debug output, so the volume form is preferable for credentials.

A small tip: resources can be created either with a command or from a YAML file. The YAML route is more work, but it keeps a record of the state the resource was created with.

We can create the resource with a command first and then save it as a YAML file. For example, the mysecret2 we just created. Remember that the exported file contains the base64 values, which are as good as plaintext, so keep it out of version control, and strip the cluster-generated fields (creationTimestamp, resourceVersion, selfLink, uid) before reusing it:

[root@master secret]# kubectl get secrets mysecret2 -o yaml > mysecret2.yaml
[root@master secret]# cat mysecret2.yaml 
apiVersion: v1
data:
  password: MTIzLmNvbQo=
  username: cm9vdAo=
kind: Secret
metadata:
  creationTimestamp: "2020-11-09T07:49:43Z"
  name: mysecret2
  namespace: default
  resourceVersion: "5047"
  selfLink: /api/v1/namespaces/default/secrets/mysecret2
  uid: 51d64fa7-0db9-42f5-ad12-9fa6910841aa
type: Opaque

Practice: connecting Kubernetes to Harbor with a Secret
Suppose a Deployment needs a private image. The Harbor address is 192.168.1.23. First confirm that every node has the private registry configured, either in /usr/lib/systemd/system/docker.service or in /etc/docker/daemon.json. Because logging in to Harbor needs a username and password, we create a Secret that stores the Harbor credentials in the cluster.

1. Configure the registry on each node and log in to Harbor. Two caveats: --insecure-registry makes Docker talk plain HTTP to the registry, so the login credentials and the images cross the network unencrypted, which is acceptable only in a lab; and docker login -p puts the password into the shell history and the process list, which is why Docker prints the warning below, so prefer --password-stdin:

[root@master ~]# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.23
[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl restart docker
[root@node1 ~]# vim /usr/lib/systemd/system/docker.service
[root@node1 ~]# systemctl daemon-reload
[root@node1 ~]# systemctl restart docker.service
[root@node2 ~]# vim /usr/lib/systemd/system/docker.service
[root@node2 ~]# systemctl daemon-reload
[root@node2 ~]# systemctl restart docker
[root@harbor harbor]# docker-compose restart
Restarting nginx              ... done
Restarting harbor-portal      ... done
Restarting harbor-jobservice  ... done
Restarting harbor-core        ... done
Restarting harbor-adminserver ... done
Restarting registryctl        ... done
Restarting registry           ... done
Restarting harbor-db          ... done
Restarting redis              ... done
Restarting harbor-log         ... done
[root@master ~]# docker login -u admin -p Harbor12345 192.168.1.23
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

2. Look at the stored login credential. The auth value is nothing more than base64 of admin:Harbor12345, exactly what we typed:

[root@master ~]# cat .docker/config.json
{
	"auths": {
		"192.168.1.23": {
			"auth": "YWRtaW46SGFyYm9yMTIzNDU="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.0 (linux)"
	}
}

3. Base64-encode the whole file (this is encoding, not encryption; add -w 0 so the output stays on a single line and can be pasted into the manifest):

[root@master ~]# cat .docker/config.json | base64
ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjIyOS4yMTQiOiB7CgkJCSJhdXRoIjogIllXUnRhVzQ2U0dGeVltOXlNVEl6TkRVPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDkuMCAobGludXgpIgoJfQp9

4. Create the Secret, of type kubernetes.io/dockerconfigjson. The equivalent one-liner, which skips docker login and the manual encoding, is kubectl create secret docker-registry harbor-secret --docker-server=192.168.1.23 --docker-username=admin --docker-password=Harbor12345:

[root@master ~]# mkdir secret
[root@master ~]# cd secret/
[root@master secret]# vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: harbor-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjIyOS4yMTQiOiB7CgkJCSJhdXRoIjogIllXUnRhVzQ2U0dGeVltOXlNVEl6TkRVPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDkuMCAobGludXgpIgoJfQp9
[root@master secret]# kubectl apply -f secret.yaml

5. Create a Deployment that references the Secret through imagePullSecrets:

[root@master secret]# vim deploy.yaml
kind: Deployment
apiVersion: apps/v1    # extensions/v1beta1 was removed in Kubernetes 1.16; apps/v1 requires a selector
metadata:
  name: test
spec:
  replicas: 2
  selector:
    matchLabels:
      test: registry
  template:
    metadata:
      labels:
        test: registry
    spec:
      containers:
      - name: test
        image: 192.168.1.23/test/httpd:v1
        imagePullPolicy: Always
      imagePullSecrets:
      - name: harbor-secret
[root@master secret]# kubectl apply -f deploy.yaml
[root@master secret]# kubectl get pod
NAME                    READY   STATUS    RESTARTS   AGE
test-6d9c69c9f8-7nvlv   1/1     Running   0          42s
test-6d9c69c9f8-sc7w4   1/1     Running   0          42s
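The following is an added example, not code from the original post: it produces the kubernetes.io/dockerconfigjson Secret that steps 2 to 4 above assemble by hand, without running docker login or leaving credentials in ~/.docker/config.json, and then recovers the credentials from the manifest to show how little the encoding hides. Registry address, user and password are the post's values; the function names and the JSON layout (the same fields kubectl create secret docker-registry writes) are assumptions. Values containing double quotes or backslashes are not escaped.

```shell
# Added example (not from the original post): build and reverse the
# kubernetes.io/dockerconfigjson Secret used for imagePullSecrets.
# Needs only coreutils `base64` and sed.

b64enc() { printf '%s' "$1" | base64 | tr -d '\n'; }
b64dec() { printf '%s' "$1" | base64 -d; }

# The "auth" field docker login writes is just base64("user:password").
docker_auth() { b64enc "$1:$2"; }

# Minimal config.json for one registry: docker_config_json SERVER USER PASS
# (no JSON escaping: values must not contain '"' or '\').
docker_config_json() {
    server=$1; user=$2; pass=$3
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$server" "$user" "$pass" "$(docker_auth "$user" "$pass")"
}

# Secret manifest on stdout: dockerconfigjson_secret NAME SERVER USER PASS
# The whole JSON document is base64-encoded under the key .dockerconfigjson,
# which is what the kubelet reads when a Pod lists the Secret in imagePullSecrets.
dockerconfigjson_secret() {
    name=$1; server=$2; user=$3; pass=$4
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
        "$name" "$(b64enc "$(docker_config_json "$server" "$user" "$pass")")"
}

# Reverse step: given the .dockerconfigjson value, print "user:password".
# This is what anyone with `get secrets` in the namespace can do in two commands.
creds_from_dockerconfigjson() {
    auth=$(b64dec "$1" | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p')
    b64dec "$auth"
}

# Usage (the post's lab values, constructed here):
#   dockerconfigjson_secret harbor-secret 192.168.1.23 admin Harbor12345 > secret.yaml
#   kubectl apply -f secret.yaml
```

Because the registry password is recoverable from the Secret, scope it to a namespace whose Secrets only the deploying identity can read, and use a robot account with pull-only rights on the Harbor project rather than the admin account shown in the post.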

ConfigMap

Like a Secret, a ConfigMap stores key/value data. The difference is one of intent and handling, not of storage: Secrets are meant for sensitive values (credentials, keys), are base64-encoded in the API, mounted on tmpfs and eligible for encryption at rest, whereas ConfigMaps hold plain, non-sensitive configuration in cleartext. Never put credentials into a ConfigMap just because it is easier to read.
Example:
user1=admin
user2=root

Method 1: --from-literal

[root@master ~]# kubectl create configmap myconfigmap1 --from-literal=user1=admin --from-literal=user2=root
configmap/myconfigmap1 created
[root@master ~]# kubectl describe configmaps myconfigmap1 
Name:         myconfigmap1
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
user1:
----
admin
user2:
----
root
Events:  <none>
[root@master ~]# kubectl get configmaps 
NAME           DATA   AGE
myconfigmap1   2      2m22s

Method 2: --from-file

[root@master ~]# echo admin > user1
[root@master ~]# echo root > user2
[root@master ~]# kubectl create configmap myconfigmap2 --from-file=user1  --from-file=user2
configmap/myconfigmap2 created
[root@master ~]# kubectl describe configmaps myconfigmap2
Name:         myconfigmap2
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
user2:
----
root

user1:
----
admin

Events:  <none>
[root@master ~]# kubectl get configmaps 
NAME           DATA   AGE
myconfigmap1   2      2m22s
myconfigmap2   2      52s

Method 3: --from-env-file

[root@master ~]# cat > user.txt <<EOF
> user1=admin
> user2=root
> EOF
[root@master ~]# kubectl create configmap myconfigmap3 --from-env-file=user.txt
configmap/myconfigmap3 created
[root@master ~]# kubectl describe configmaps myconfigmap3
Name:         myconfigmap3
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
user1:
----
admin
user2:
----
root
Events:  <none>
[root@master ~]# kubectl get configmaps 
NAME           DATA   AGE
myconfigmap1   2      4m40s
myconfigmap2   2      3m10s
myconfigmap3   2      27s

Method 4: from a YAML file

[root@master ~]# vim configmap.yaml

kind: ConfigMap
apiVersion: v1
metadata:
  name: myconfigmap4
data:
  user1: admin
  user2: root
[root@master ~]# kubectl apply -f configmap.yaml 
configmap/myconfigmap4 created
[root@master ~]# kubectl get configmaps 
NAME           DATA   AGE
myconfigmap1   2      6m31s
myconfigmap2   2      5m1s
myconfigmap3   2      2m18s
myconfigmap4   2      5s
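The following is an added example, not code from the original post: it turns a key=value env file like user.txt above into the ConfigMap manifest of method 4, skipping blank lines and # comments as --from-env-file does, splitting at the first "=", and rejecting keys the API server would refuse (data keys may only contain letters, digits, "-", "_" and "."). The file contents, function names and ConfigMap name are constructed for the example; values containing double quotes are not escaped.

```shell
# Added example (not from the original post): env file -> ConfigMap manifest,
# with the key validation kubectl would otherwise leave to the API server.

# Kubernetes accepts only [-._a-zA-Z0-9] in ConfigMap and Secret data keys.
valid_key() { printf '%s' "$1" | grep -Eq '^[-._a-zA-Z0-9]+$'; }

# configmap_from_env NAME FILE -> manifest on stdout; non-zero on a bad line
configmap_from_env() {
    name=$1; file=$2
    printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\ndata:\n' "$name"
    # `|| [ -n "$line" ]` keeps a last line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                       # blank line or comment
            *=*) ;;                                    # key=value
            *) echo "no '=' in line: $line" >&2; return 1 ;;
        esac
        key=${line%%=*}      # up to the first "="
        val=${line#*=}       # everything after it, so values may contain "="
        valid_key "$key" || { echo "invalid key: $key" >&2; return 1; }
        # Quote the value so YAML does not reinterpret 123.com, true, 007 ...
        printf '  %s: "%s"\n' "$key" "$val"
    done < "$file"
}

# Constructed sample input: the post's user.txt plus a comment, a blank line
# and a value that itself contains "=".
write_sample_env() {
    printf '# users consumed by mypod3\nuser1=admin\n\nuser2=root\nurl=http://a=b\n' > "$1"
}

# Usage:
#   write_sample_env user.txt
#   configmap_from_env myconfigmap3 user.txt > configmap.yaml && kubectl apply -f configmap.yaml
```

Validating keys locally matters because the same key rules apply to Secrets, and a rejected apply in a CI pipeline is easier to debug than a Pod stuck in CreateContainerConfigError because a referenced key does not exist.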

Using a ConfigMap
Example: create a Pod that references myconfigmap1 above.

1. As a volume

[root@master ~]# vim pod1.yaml

kind: Pod
apiVersion: v1
metadata:
  name: mypod3
spec:
  containers:
  - name: mypod3
    image: busybox
    args:
      - /bin/sh
      - -c
      - sleep 30000
    volumeMounts:
    - name: volume2
      mountPath: "/tmp/volume"
      readOnly: true
  volumes:
  - name: volume2
    configMap:
      name: myconfigmap1
[root@master ~]# kubectl apply -f pod1.yaml 
pod/mypod3 created

// Create and run the Pod, then enter it to check the stored values.


[root@master ~]# kubectl get pod
NAME     READY   STATUS    RESTARTS   AGE
mypod3   1/1     Running   0          54s
[root@master ~]# kubectl exec -it mypod3 sh
/ # cat /tmp/volume/user1
admin
/ # cat /tmp/volume/user2
root

// If we now change the value of user1 in myconfigmap1, the value inside the Pod is updated too (after the kubelet's sync period; as with Secrets, subPath mounts do not update).

[root@master ~]# kubectl edit configmaps myconfigmap1
...
apiVersion: v1
data:
  user1: test
  user2: root
kind: ConfigMap
...
[root@master ~]# kubectl exec -it mypod3 sh
/ # cat /tmp/volume/user1 
test

2. As environment variables

[root@master ~]# vim pod2.yaml

kind: Pod
apiVersion: v1
metadata:
  name: pod2
spec:
  containers:
  - name: pod2
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 30000
    env:
    - name: USER_1
      valueFrom:
        configMapKeyRef:
          name: myconfigmap1
          key: user1
    - name: USER_2
      valueFrom:
        configMapKeyRef:
          name: myconfigmap1
          key: user2
[root@master ~]# kubectl apply -f pod2.yaml 
pod/pod2 created

// Create and run the Pod, then enter it to check the environment variable values.

[root@master ~]# kubectl get pod
NAME     READY   STATUS    RESTARTS   AGE
mypod3   1/1     Running   0          25m
pod2     1/1     Running   0          43s
[root@master ~]# kubectl exec -it pod2 sh
/ # echo $USER_1
test
/ # echo $USER_2
root

// If we now change user1 back to admin and check again, the variable inside the Pod keeps its old value: environment variables are never updated dynamically, whichever resource they reference. A Pod must be restarted to pick up the new value.

Reproduced from blog.csdn.net/hjyhjy0/article/details/109579026