1. Secret overview
A Secret holds a small amount of sensitive information such as a password, a token, or a key. Putting that information in a Secret rather than directly in a Pod definition or a container image is more secure and more flexible, and reduces the risk of accidental exposure.
2. Built-in Secret
Service Account: uses API credentials to automatically create and attach a Secret.
Kubernetes automatically creates a Secret containing the credentials used to access the API, and automatically modifies your Pod to use this type of Secret.
[root@k8smaster test]# kubectl get pod
NAME READY STATUS RESTARTS AGE
volume-pod 1/1 Running 0 47m
[root@k8smaster test]# kubectl exec -it volume-pod -- /bin/bash
root@volume-pod:/usr/local/tomcat# ls -lrt /run/secrets/kubernetes.io/serviceaccount/
total 0
lrwxrwxrwx. 1 root root 12 Feb 18 16:05 token -> ..data/token
lrwxrwxrwx. 1 root root 16 Feb 18 16:05 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root 13 Feb 18 16:05 ca.crt -> ..data/ca.crt
root@volume-pod:/usr/local/tomcat#
3. Manually creating an Opaque Secret
Two strings are stored in the Secret's data field; as shown below, they are first converted to base64:
[root@k8smaster test]# echo -n 'admin' | base64
YWRtaW4=
[root@k8smaster test]# echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
[root@k8smaster test]#
[root@k8smaster test]# more mysecret.yanl
# Opaque Secret holding the two values encoded above.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  # Values under `data` are base64-encoded, not encrypted: anyone who can
  # read this file or the Secret object can decode them (see the `echo -n ... | base64` steps above).
  uname: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
[root@k8smaster test]# kubectl create -f mysecret.yanl
secret/mysecret created
[root@k8smaster test]# kubectl get secret
NAME TYPE DATA AGE
basic-auth Opaque 1 2d8h
default-token-vt7pl kubernetes.io/service-account-token 3 6d20h
mysecret Opaque 2 31s
tls-secret kubernetes.io/tls 2 2d8h
[root@k8smaster test]# kubectl describe secret mysecret
Name: mysecret
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password: 12 bytes
uname: 3 bytes
[root@k8smaster test]#
4. Creating a Pod
1) Consuming the Secret through a volume
[root@k8smaster test]# more env-volume.yaml
# Pod that consumes mysecret as files under /tmp/config (one file per Secret key).
apiVersion: v1
kind: Pod
metadata:
  name: volume-pod
spec:
  containers:
  - name: volume-pod-ctn
    image: 192.168.23.100:5000/tomcat:v2
    volumeMounts:
    - name: config-volume
      mountPath: /tmp/config   # each key appears as a file: /tmp/config/uname, /tmp/config/password
      readOnly: true           # the container cannot modify the projected files
  volumes:
  - name: config-volume
    secret:
      secretName: mysecret     # the Secret created in step 3
  restartPolicy: Never
[root@k8smaster test]# kubectl create -f env-volume.yaml
pod/volume-pod created
[root@k8smaster test]# kubectl get pod
NAME READY STATUS RESTARTS AGE
volume-pod 1/1 Running 0 6s
[root@k8smaster test]# kubectl exec -it volume-pod /bin/bash
root@volume-pod:/usr/local/tomcat# cd /tmp/config/
root@volume-pod:/tmp/config# ls -lrt
total 0
lrwxrwxrwx 1 root root 12 Feb 18 17:15 uname -> ..data/uname
lrwxrwxrwx 1 root root 15 Feb 18 17:15 password -> ..data/password
root@volume-pod:/tmp/config# more uname
admin
root@volume-pod:/tmp/config# more password
1f2d1e2e67df
root@volume-pod:/tmp/config#
2) Consuming the Secret through environment variables
[root@k8smaster test]# more env-pod.yaml
# Pod that consumes mysecret via environment variables. The container only
# runs `env`, so its stdout -- and therefore `kubectl logs env-pod` -- contains
# the decoded secret values in clear text; this is for demonstration only.
apiVersion: v1
kind: Pod
metadata:
  name: env-pod
spec:
  containers:
  - name: env-pod-ctn
    image: 192.168.23.100:5000/tomcat:v2
    command: ["/bin/bash","-c","env"]   # dumps the whole environment, including SECRET_NAME and SECRET_PWD, to the pod log
    env:
    - name: SECRET_NAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: uname        # injected already decoded (not base64)
    - name: SECRET_PWD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password     # injected already decoded (not base64)
  restartPolicy: Never
[root@k8smaster test]# kubectl create -f env-pod.yaml
pod/env-pod created
[root@k8smaster test]# kubectl get pod
NAME READY STATUS RESTARTS AGE
env-pod 0/1 Completed 0 5s
[root@k8smaster test]# kubectl logs env-pod|grep SECRET
SECRET_PWD=1f2d1e2e67df
SECRET_NAME=admin
[root@k8smaster test]#