Kubernetes组件Secret

简介

Secret解决了密码,Tocken,密钥等敏感数据的配置问题，不需要将这些敏感数据暴露到镜像或者PodSpec中，Secret可以以Volume或者环境变量的方式使用。

三种类型：

1. Service Account:用来访问KubernetesAPI，由Kubernetes自动创建，并且会自动挂在到Pod的“/run/secrets/kubernetes.io/serviceaccount”目录中
2. Opaque:base64编码格式的Secret，用来存储密码，密钥等
3. kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息

Service Account

    # kubectl run nginx --image ntp.weijiayu.club/myapp/nginx:v1

    # kubectl get pods

NAME                     READY   STATUS    RESTARTS   AGE
nginx-84485bfff7-lk7t4   1/1     Running   0          41s

    # kubectl exec -it nginx-84485bfff7-lk7t4 -- /bin/bash

    # ls /run/secrets/kubernetes.io/serviceaccount/ 

ca.crt    namespace  token

Opaque

     先用base64进行编码

    # echo "admin"| base64 

YWRtaW4K

    # echo "Mypasswd123" | base64

 TXlwYXNzd2QxMjMK

    编写secret文件

    # vim test-secrets.yaml

apiVersion: v1
kind: Secret
metadata:
  name: testsecret
type: Opaque
data:
  username: YWRtaW4K
  password: TXlwYXNzd2QxMjMK

     将Secret挂载到Volume中

     # vim test-deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: test
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      name: test
      namespace: default
      labels:
        app: test
    spec:
      volumes:
      - name: test-secret
        secret:
          secretName: testsecret
      containers:
      - name: test
        image: ntp.weijiayu.club/myapp/nginx:v1
        ports:
        - containerPort: 80
        volumeMounts:
        - name: test-secret
          mountPath: "/etc/secrets"
          readOnly: true

将Secret赋值到env中

    # vim test-env-deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: test-env
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-env
  template:
    metadata:
      name: test-env
      namespace: default
      labels:
        app: test-env
    spec:
      containers:
      - name: test-env
        image: ntp.weijiayu.club/myapp/nginx:v1
        ports:
        - containerPort: 80
        env: 
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: testsecret
              key: username
        - name: TEST_PASSWD
          valueFrom:
            secretKeyRef:
              name: testsecret
              key: password

kubernetes.io/dockerconfigjson

# kubectl create secret docker-registry harbor-login --docker-server=ntp.weijiayu.club --docker-username=admin --docker-password=Mypasswd123 [email protected]

# kubectl get secrets

NAME                           TYPE                                  DATA   AGE
default-token-x7vtb            kubernetes.io/service-account-token   3      15d
harbor-login                   kubernetes.io/dockerconfigjson        1      5s
kubelet-api-test-token-4vwf6   kubernetes.io/service-account-token   3      15d

调用刚才的secret来实现自动登陆Harbor下载镜像

vim pull-image.yaml

apiVersion: extensions/v1beta1
kind: Pod
metadata:
  name: test
  namespace: default
spec: 
  containers:
  - name: test
    image: ntp.weijiayu.club/myapp/nginx:v2
  imagePullSecrets:
    - name: harbor-login