Introduction
Secrets solve the configuration problem for sensitive data such as passwords, tokens and keys: the values no longer have to be baked into the image or written into the PodSpec. A Secret can be consumed either as a Volume or as environment variables.
Three types:
- Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod at "/run/secrets/kubernetes.io/serviceaccount"
- Opaque: a Secret holding base64-encoded values, used to store passwords, keys and the like
- kubernetes.io/dockerconfigjson: used to store the login credentials for a private Docker registry
Service Account
# kubectl run nginx --image ntp.weijiayu.club/myapp/nginx:v1
# kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-84485bfff7-lk7t4 1/1 Running 0 41s
# kubectl exec -it nginx-84485bfff7-lk7t4 -- /bin/bash
# ls /run/secrets/kubernetes.io/serviceaccount/
ca.crt namespace token
Opaque
First base64-encode the values
# echo "admin"| base64
YWRtaW4K
# echo "Mypasswd123" | base64
TXlwYXNzd2QxMjMK
Write the Secret manifest
# vim test-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: testsecret
type: Opaque
data:
  username: YWRtaW4K
  password: TXlwYXNzd2QxMjMK
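The two steps above (encoding the values, then writing the Secret manifest) carry a caveat worth seeing in running code: `echo` appends a newline, so `YWRtaW4K` decodes to "admin" followed by a line feed, not "admin". The following POSIX shell script is an added example, not part of the original post; it encodes values with `printf` (no trailing newline), decodes them back to show that base64 is encoding rather than encryption, and renders the same Opaque Secret manifest with correctly encoded values. It needs only the coreutils `base64` command; the name and values are the post's sample ones.

```shell
#!/bin/sh
# Added example (not from the original post): encode Secret values without the
# trailing newline that `echo` adds, and render an Opaque Secret manifest.
# Requires only coreutils `base64`. Name and values are the post's sample ones.

# base64-encode a value exactly as given. printf '%s' writes no newline,
# unlike `echo`, which appends one and turns "admin" into "admin\n".
b64_secret() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a value from a Secret's `data:` field. This is encoding, not
# encryption: anyone who can read the Secret object can read the password.
b64_decode_secret() {
    printf '%s' "$1" | base64 -d
}

# Print the Opaque Secret manifest with correctly encoded values.
# Usage: render_opaque_secret <name> <username> <password>
render_opaque_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  username: $(b64_secret "$2")
  password: $(b64_secret "$3")
EOF
}

# Same input, two results:
#   echo admin | base64        -> YWRtaW4K   (decodes to "admin\n", as in the post)
#   b64_secret admin           -> YWRtaW4=   (decodes to "admin")
render_opaque_secret testsecret admin Mypasswd123
```

Pipe the rendered manifest into `kubectl apply -f -` to create the Secret, or skip manual encoding entirely by using a `stringData:` field instead of `data:`, which lets the API server do the base64 step for you.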
Mount the Secret as a Volume
# vim test-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: test
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      name: test
      namespace: default
      labels:
        app: test
    spec:
      volumes:
      - name: test-secret
        secret:
          secretName: testsecret
      containers:
      - name: test
        image: ntp.weijiayu.club/myapp/nginx:v1
        ports:
        - containerPort: 80
        volumeMounts:
        - name: test-secret
          mountPath: "/etc/secrets"
          readOnly: true
Expose the Secret as environment variables
# vim test-env-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: test-env
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-env
  template:
    metadata:
      name: test-env
      namespace: default
      labels:
        app: test-env
    spec:
      containers:
      - name: test-env
        image: ntp.weijiayu.club/myapp/nginx:v1
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: testsecret
              key: username
        - name: TEST_PASSWD
          valueFrom:
            secretKeyRef:
              name: testsecret
              key: password
kubernetes.io/dockerconfigjson
# kubectl create secret docker-registry harbor-login --docker-server=ntp.weijiayu.club --docker-username=admin --docker-password=Mypasswd123 [email protected]
# kubectl get secrets
NAME TYPE DATA AGE
default-token-x7vtb kubernetes.io/service-account-token 3 15d
harbor-login kubernetes.io/dockerconfigjson 1 5s
kubelet-api-test-token-4vwf6 kubernetes.io/service-account-token 3 15d
Use the Secret just created so the Pod logs in to Harbor automatically and pulls the image
# vim pull-image.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test
  namespace: default
spec:
  containers:
  - name: test
    image: ntp.weijiayu.club/myapp/nginx:v2
  imagePullSecrets:
  - name: harbor-login
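What `kubectl create secret docker-registry` actually stores is a Docker `config.json` document under the `.dockerconfigjson` key, and its `auth` field is just base64 of `username:password`. The POSIX shell script below is an added example, not part of the original post or of kubectl: it builds that JSON for the post's registry, username and password (the email is a placeholder, since the post's own address is not recoverable), wraps it in a `kubernetes.io/dockerconfigjson` Secret manifest, and decodes the `auth` token back to show that the registry password is only two base64 layers away from anyone with read access to Secrets or to etcd backups. It needs only the coreutils `base64` command.

```shell
#!/bin/sh
# Added example (not from the original post or kubectl): build the JSON that a
# kubernetes.io/dockerconfigjson Secret holds under `.dockerconfigjson`.
# Registry, username and password are the post's sample values; the email
# admin@example.com is a placeholder. Requires only coreutils `base64`.

# The `auth` field of a Docker config.json is base64 of "username:password".
docker_auth_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Render the config.json body for one registry.
# Usage: render_dockerconfigjson <server> <username> <password> <email>
render_dockerconfigjson() {
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}\n' \
        "$1" "$2" "$3" "$4" "$(docker_auth_token "$2" "$3")"
}

# Render the full Secret manifest. The `data` value is the JSON above,
# base64-encoded once more; `imagePullSecrets` in a Pod refers to it by name.
# Usage: render_registry_secret <secret-name> <server> <username> <password> <email>
render_registry_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(render_dockerconfigjson "$2" "$3" "$4" "$5" | tr -d '\n' | base64 | tr -d '\n')
EOF
}

# Reverse the `auth` token: the registry password comes back in the clear,
# which is why RBAC read access to Secrets must be restricted as tightly as
# the password itself, and why etcd should be encrypted at rest.
decode_auth_token() {
    printf '%s' "$1" | base64 -d
}

render_registry_secret harbor-login ntp.weijiayu.club admin Mypasswd123 admin@example.com
```

The rendered manifest is equivalent to what the `kubectl create secret docker-registry harbor-login ...` command above produces, so it can be committed to version control only if the Secret values are handled by a sealed-secret or external-secret mechanism; the plain manifest contains the registry password.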