A Secret stores the sensitive data you want to access in etcd; a Pod then reads the information saved in the Secret through a Volume. Whenever the data is modified, the Secret file mounted in the Pod is updated too. It is especially suited to storing account passwords.
First, create a Secret object
1. Create from files
Create two files, username.txt and password.txt:
echo "chenqionghe" > ./username.txt
echo "111111" > ./password.txt
Create the Secrets:
kubectl create secret generic user --from-file=./username.txt
kubectl create secret generic pass --from-file=./password.txt
2. Create from a YAML file
Note: the values must be base64-encoded
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  user: Y2hlbnFpb25naGUK
  pass: MTExMTExCg==
Create it:
kubectl apply -f mysecret.yaml
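An added example (not from the original post) for the base64 note above: the values under data: are encoded, not encrypted, so anyone who can read the manifest can decode them, and because echo appends a newline, the values used here decode to the text plus a trailing newline. The script decodes the manifest's entries, flags that newline, and encodes a value without it; the function names are made up for this illustration, and GNU base64, awk and od are assumed.

```shell
#!/bin/sh
# Added example: decode the data: values of a Secret manifest and flag
# trailing newlines. Function names are illustrative, not from the post.

# The mysecret.yaml manifest from this page, embedded so the script runs offline.
manifest() {
cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  user: Y2hlbnFpb25naGUK
  pass: MTExMTExCg==
EOF
}

# Print "key value" for every entry of the top-level data: map read from stdin.
secret_entries() {
  awk '/^data:/           { in_data = 1; next }
       in_data && /^[^ ]/ { in_data = 0 }
       in_data && NF == 2 { sub(/:$/, "", $1); print $1, $2 }'
}

# Succeed if the decoded value ends in a newline byte (0x0a).
ends_with_newline() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Report each entry in clear text; base64 needs no key to reverse.
audit_secret() {
  secret_entries | while read -r key value; do
    plain=$(printf '%s' "$value" | base64 -d)  # $(...) drops the trailing newline
    if ends_with_newline "$value"; then note="trailing newline"; else note="clean"; fi
    printf '%s=%s (%s)\n' "$key" "$plain" "$note"
  done
}

# Encode a value without the newline that echo appends.
encode_clean() {
  printf '%s' "$1" | base64
}

manifest | audit_secret
encode_clean chenqionghe
```

An application that compares the mounted file byte for byte against the expected password will see the extra newline unless the value was encoded without it.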
Second, list the Secret objects
root@VM-0-8-ubuntu:/home/ubuntu/project-volume# kubectl get secrets
NAME TYPE DATA AGE
default-token-gqfrx kubernetes.io/service-account-token 3 20d
mysecret Opaque 2 1m
pass Opaque 1 6m
user Opaque 1 6m
Third, an example of using Secrets in a Pod
Here the volume type is projected, the referenced Secrets are user and pass, and the mount path is /projected-volume
apiVersion: v1
kind: Pod
metadata:
  name: test-projected-volume
spec:
  containers:
  - name: test-secret-volume
    image: busybox
    args:
    - sleep
    - "86400"
    volumeMounts:
    - name: mysql-cred
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: mysql-cred
    projected:
      sources:
      - secret:
          name: user
      - secret:
          name: pass
Create the Pod:
kubectl apply -f test-projected-volume.yaml
Check that the Pod has been created:
root@VM-0-8-ubuntu:/home/ubuntu/project-volume# kubectl get pod
NAME READY STATUS RESTARTS AGE
test-projected-volume 1/1 Running 0 5m
Enter the Pod and look: the files exist, and their content matches what was set
root@VM-0-8-ubuntu:/home/ubuntu/project-volume# kubectl exec -it test-projected-volume -- /bin/sh
/ # ls /projected-volume/
password.txt username.txt
/ # cat /projected-volume/username.txt
chenqionghe
Next, edit the username Secret, changing chenqionghe to cqh (the corresponding base64 encoding is Y3FoCg==)
kubectl edit secret user
The modified content is as follows:
apiVersion: v1
data:
  username.txt: Y3FoCg==
kind: Secret
metadata:
  creationTimestamp: 2019-09-27T09:14:00Z
  name: user
  namespace: default
  resourceVersion: "2108808"
  selfLink: /api/v1/namespaces/default/secrets/user
  uid: 24566f8f-e107-11e9-8c22-f242c645cfec
type: Opaque
Check the file mounted in the Pod again: its content has changed
root@VM-0-8-ubuntu:/home/ubuntu# kubectl exec -it test-projected-volume -- cat /projected-volume/username.txt
cqh