Secret
A Secret is used to store sensitive information such as passwords, ssh-keys, tokens, etc.
- Storage format: K/V key-value pairs
- Usage: environment variables and mounting (volumes)
- Encoding method: base64 (encoding only, not encryption; see below)
- Creation method: command line, or a configuration manifest
- Usage scenarios (Secret types):
  - Opaque: general custom data, base64 encoded
  - kubernetes.io/service-account-token: used to store ServiceAccount (SA) authentication information
  - kubernetes.io/dockerconfigjson: used to store Docker registry authentication information
  - kubernetes.io/tls: used for TLS authentication information
  - kubernetes.io/ssh-auth: used for SSH authentication information
  - bootstrap.kubernetes.io/token: bootstrap token used when bringing up a cluster
Storage format
Secrets are stored as K/V key-value pairs; nodes load them into memory, and they are stored in etcd in plaintext.
- username: secret
- passwd: YWRtaW4K
Ciphertext
The principle of base64 is simply to transcode the plaintext into a 64-character alphabet, producing a "ciphertext" made up of those 64 characters.
- Base64 cannot be regarded as encryption; it is only a way of transforming plaintext into a different representation.
- Base64 encoding and decoding are reversible: either form can be derived from the other.
Usage scenarios
The default and most common use is to define K/V key-value pairs of type Opaque, used to store passwords, ssh-keys, tokens, etc. The full list of Secret types is given in the summary above.
Creation method
Command line
kubectl create secret generic test-secret --from-literal=username=test --from-literal=passwd=test
# On the command line, "generic" means the Opaque type; this defines 2 data items
kubectl create secret generic test-secret --from-file=test
# Files are also supported: the key is the file name, the value is the file content
Checking the YAML of the created object, the plaintext values have automatically been turned into base64 "ciphertext".
They can be decoded back to confirm the original values.
Creating a Secret from a configuration manifest
Compared with the command-line parameters, there are several differences:
- data: defines K/V data; the values must be converted to base64 in advance
  - Encode: echo -n test | base64
  - Decode: echo -n test | base64 -d
- stringData: defines K/V data in plaintext; the conversion to base64 is performed automatically after creation
- type: the usage scenario (Secret type) mentioned above; the default is Opaque
apiVersion: v1
stringData:
  username: test
  password: test
kind: Secret
metadata:
  name: test-secret
type: Opaque
Checking the result: because a Secret with this name already existed, the new definition directly replaces the previous one.
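As an added example (not from the original notes or from Kubernetes itself), the following Python script performs the data/stringData conversion described above and decodes the stored values back, which also exposes a common mistake: a value encoded with `echo` instead of `echo -n` carries a trailing newline. The manifest dict and its values are constructed for this example.

```python
import base64

# Constructed example Secret (not from the page), as a YAML parser would load it.
# Values under `data` must already be base64; `stringData` is plain text that
# the API server base64-encodes on write.
MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "test-secret"},
    "type": "Opaque",
    "data": {"passwd": "YWRtaW4K"},  # produced by `echo admin | base64` (no -n)
    "stringData": {"username": "test", "password": "test"},
}


def encode_value(plain: str) -> str:
    """Same result as `echo -n <plain> | base64`."""
    return base64.b64encode(plain.encode()).decode()


def decode_value(encoded: str) -> str:
    """Same result as `echo -n <encoded> | base64 -d`; strict about the alphabet."""
    return base64.b64decode(encoded, validate=True).decode()


def normalize_secret(manifest: dict) -> dict:
    """Merge `data` and `stringData` the way the API server stores a Secret:
    every value ends up base64 under `data`, and a key present in both takes
    the `stringData` value. Raises binascii.Error if a `data` value is not base64."""
    data = dict(manifest.get("data", {}))
    for value in data.values():
        decode_value(value)  # validate before accepting the manifest
    for key, plain in manifest.get("stringData", {}).items():
        data[key] = encode_value(plain)
    return data


def keys_with_trailing_newline(data: dict) -> list:
    """Flag values encoded without `echo -n`: the stray newline is part of the
    decoded secret and silently breaks whatever credential check uses it."""
    return [k for k, v in data.items() if decode_value(v).endswith("\n")]


if __name__ == "__main__":
    stored = normalize_secret(MANIFEST)
    for key, value in stored.items():
        print(f"{key}: {value} -> {decode_value(value)!r}")
    print("keys with trailing newline:", keys_with_trailing_newline(stored))
```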
Usage
- Environment variable: spec.containers[].env[].valueFrom, configured with secretKeyRef under the valueFrom field
  - Disadvantages: the value cannot be changed after the container starts, and a program launched as a child process may not be able to read the parent's environment variable
- Storage volume: spec.volumes and spec.containers[].volumeMounts are used together
  - When a Secret that is already mounted in a volume is updated, the mapped keys are eventually updated as well; the kubelet checks for updates during its periodic synchronization.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.19
    volumeMounts:
    - name: secret
      mountPath: /mnt/test-secret
  volumes:
  - name: secret
    secret:
      secretName: test-secret
kubectl exec -it nginx -- sh
ls -l /mnt/test-secret
Viewing the mount directory shows that each file is a symbolic link.
After modifying the Secret and testing again, the files inside the Pod have changed as well.
The official documentation also describes the use of the other types, such as SSH authentication information, and shows how to set the file permissions and which keys are mapped after the Secret is mounted.
Reference: https://v1-19.docs.kubernetes.io/en/docs/concepts/configuration/secret/#using-secrets
Reference: Kubernetes Advanced Practice (book), Ma Yongliang