secret
https://blog.csdn.net/u010278923/article/details/72857928
https://www.cnblogs.com/cf532088799/p/7977083.html
Concept
A Secret object exists to hold and handle sensitive/private data such as passwords, OAuth tokens and SSH keys. Keeping this data in a Secret is safer and more convenient than baking it into a Pod definition or a Docker image. Note that the values in a Secret are only base64-encoded, not encrypted: anyone who can read the Secret through the API (or from etcd, unless encryption at rest is enabled) recovers the plaintext, so read access to Secrets should be restricted with RBAC.
A Secret that has already been created can be consumed by a Pod in several ways: mounted as files in a volume inside the container, injected into the container as environment variables, or used by the kubelet to authenticate when pulling images.
Types
Opaque: arbitrary key/value data; the default type
kubernetes.io/dockercfg: credentials for a Docker registry, used to authenticate when pulling images
kubernetes.io/service-account-token: used by ServiceAccounts
The flow for the first use case (a pull Secret for a private registry) is as follows:
(1) Run the login command to log in to the private registry:
#docker login 10.30.30.126:8123   (enter the account and password; on success Docker writes the credentials to ~/.docker/config.json)
(2) Base64-encode the content of the docker config, on a single line with no trailing newline:
#cat ~/.docker/config.json | base64 -w0
(3) Use the output of the previous command as the Secret's data[".dockercfg"] value and create the Secret from it.
This did not work in my tests, so I switched to:
1. kubectl create secret docker-registry kubesystemsecret -n kube-system --docker-server=10.30.30.126:8123 --docker-username=admin --docker-password=admin123 --docker-email=wu_bo3@hoperun.com   (this Secret is usable as it is; note that a password passed on the command line ends up in the shell history)
2. kubectl get secret kubesystemsecret -n kube-system -o yaml   to read the data[".dockercfg"] value
(Two things worth knowing here. A current ~/.docker/config.json wraps the registry entries in an "auths" object; that format belongs in a Secret of type kubernetes.io/dockerconfigjson under the key .dockerconfigjson, while .dockercfg expects the older flat {"registry": {...}} format, which is what the value obtained in step 2 contains. And the -n kube-system matters: a Pod can only use imagePullSecrets from its own namespace, which is why the manifest below re-creates the Secret in default.)
image-pull-secret.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: kubesystemsecret
  namespace: default
data:
  .dockercfg: eyIxMC4zMC4zMC4xMjY6ODEyMyI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbjEyMyIsImVtYWlsIjoid3VfYm8zQGhvcGVydW4uY29tIiwiYXV0aCI6IllXUnRhVzQ2WVdSdGFXNHhNak09In19
type: kubernetes.io/dockercfg
# kubectl create -f image-pull-secret.yaml
(4) Reference the Secret when creating the Pod (the Secret must exist in the Pod's namespace):
pods.yaml
apiVersion: v1
kind: Pod
metadata:
  #namespace: kube-system
  namespace: default
  labels:
    name: busybox
    role: master
  name: busybox
spec:
  containers:
  - name: busybox
    image: 10.30.30.126:8123/docker.io/busybox:latest
    command:
    - sleep
    - "360000"
  imagePullSecrets:
  - name: kubesystemsecret
# kubectl create -f pods.yaml
(5) Pod and Secret written together in one file:
pods.yaml
apiVersion: v1
kind: Secret
metadata:
  name: kubesystemsecret
  namespace: default
data:
  .dockercfg: eyIxMC4zMC4zMC4xMjY6ODEyMyI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbjEyMyIsImVtYWlsIjoid3VfYm8zQGhvcGVydW4uY29tIiwiYXV0aCI6IllXUnRhVzQ2WVdSdGFXNHhNak09In19
type: kubernetes.io/dockercfg
---
apiVersion: v1
kind: Pod
metadata:
  #namespace: kube-system
  namespace: default
  labels:
    name: busybox
    role: master
  name: busybox
spec:
  containers:
  - name: busybox
    image: 10.30.30.126:8123/docker.io/busybox:latest
    command:
    - sleep
    - "360000"
  imagePullSecrets:
  - name: kubesystemsecret
# kubectl create -f pods.yaml
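Steps (2) and (3) build the pull Secret by hand, and the base64 value in image-pull-secret.yaml is nothing more than the Docker config JSON for the registry. The following Python script is an added example, not code from the original page: it rebuilds that manifest from the registry, user, password and email, in both the legacy .dockercfg format the page uses and the current .dockerconfigjson format, and then recovers the registry password from the finished Secret to make the point that base64 is reversible. The credentials, Secret name and namespace are the page's; the function names are the example's own.

```python
import base64
import json

# Added example, not code from the original page. The values below are the
# ones the page uses; the Secret name and namespace are the page's as well.
REGISTRY = "10.30.30.126:8123"
USERNAME = "admin"
PASSWORD = "admin123"
EMAIL = "wu_bo3@hoperun.com"

# The base64 string the page shows under data[".dockercfg"], for comparison.
PAGE_DOCKERCFG_B64 = (
    "eyIxMC4zMC4zMC4xMjY6ODEyMyI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbjEyMyIs"
    "ImVtYWlsIjoid3VfYm8zQGhvcGVydW4uY29tIiwiYXV0aCI6IllXUnRhVzQ2WVdSdGFXNHhNak09In19"
)


def b64(raw: str) -> str:
    """Base64 the way Kubernetes expects it: one line, no trailing newline."""
    return base64.b64encode(raw.encode()).decode()


def docker_auth(user: str, password: str) -> str:
    """The 'auth' field Docker stores: base64 of 'user:password'."""
    return b64(f"{user}:{password}")


def registry_entry(registry: str, user: str, password: str, email: str) -> dict:
    """One registry entry, as both config formats carry it."""
    return {
        registry: {
            "username": user,
            "password": password,
            "email": email,
            "auth": docker_auth(user, password),
        }
    }


def _secret(name: str, namespace: str, secret_type: str, key: str, cfg: dict) -> dict:
    # Compact separators: kubectl writes the JSON without whitespace, and the
    # base64 value only matches the page's if the JSON bytes match exactly.
    payload = json.dumps(cfg, separators=(",", ":"))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": secret_type,
        "data": {key: b64(payload)},
    }


def build_dockercfg_secret(name, namespace, registry, user, password, email):
    """Legacy format: type kubernetes.io/dockercfg, key .dockercfg, flat {registry: {...}}."""
    return _secret(name, namespace, "kubernetes.io/dockercfg", ".dockercfg",
                   registry_entry(registry, user, password, email))


def build_dockerconfigjson_secret(name, namespace, registry, user, password, email):
    """Current format: type kubernetes.io/dockerconfigjson, key .dockerconfigjson,
    entries wrapped in an "auths" object (the layout of a modern ~/.docker/config.json)."""
    return _secret(name, namespace, "kubernetes.io/dockerconfigjson", ".dockerconfigjson",
                   {"auths": registry_entry(registry, user, password, email)})


def decode_data(secret: dict, key: str) -> str:
    """What 'kubectl get secret ... -o jsonpath | base64 -d' gives you."""
    return base64.b64decode(secret["data"][key]).decode()


def registry_credentials(secret: dict) -> dict:
    """Recover {registry: (user, password)} from either pull-secret type.
    Anyone with 'get' on Secrets in the namespace can do exactly this, so
    base64 is not a confidentiality control; RBAC and encryption at rest are."""
    if secret["type"] == "kubernetes.io/dockercfg":
        entries = json.loads(decode_data(secret, ".dockercfg"))
    elif secret["type"] == "kubernetes.io/dockerconfigjson":
        entries = json.loads(decode_data(secret, ".dockerconfigjson"))["auths"]
    else:
        raise ValueError(f"not an image pull secret: {secret['type']}")
    creds = {}
    for registry, entry in entries.items():
        user, password = base64.b64decode(entry["auth"]).decode().split(":", 1)
        creds[registry] = (user, password)
    return creds


if __name__ == "__main__":
    # kubectl accepts JSON manifests, so this output can go to 'kubectl apply -f -'.
    legacy = build_dockercfg_secret("kubesystemsecret", "default",
                                    REGISTRY, USERNAME, PASSWORD, EMAIL)
    print(json.dumps(legacy, indent=2))
    print("matches the page's value:", legacy["data"][".dockercfg"] == PAGE_DOCKERCFG_B64)
    print("recovered credentials:", registry_credentials(legacy))
```

Piping the script's output into kubectl apply -f - creates the Secret, since kubectl accepts JSON manifests. registry_credentials() is the same operation a user with get on Secrets performs with kubectl get secret -o jsonpath and base64 -d, which is the reason to keep Secret read access narrow and to enable encryption at rest for etcd.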
The flow for the second use case (an Opaque Secret consumed inside the container) is as follows:
(1) Base64-encode the values. This is encoding, not encryption; use -n so that the trailing newline from echo does not become part of the value:
echo -n admin | base64
YWRtaW4=
echo -n admin123 | base64
YWRtaW4xMjM=
secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: YWRtaW4xMjM=
  username: YWRtaW4=
kubectl create -f secret.yaml
or, on the command line (kubectl does the base64 encoding itself; with these literals the Secret would hold test/test123 rather than the admin/admin123 shown in the outputs below):
kubectl create secret generic mysecret --from-literal=username=test --from-literal=password=test123
(2) Reference it from a Pod.
The Secret can be exposed to the container either as a volume or as environment variables. A volume is usually the better choice: the files are backed by tmpfs, are refreshed when the Secret changes, and do not leak into child processes, core dumps or /proc/<pid>/environ the way environment variables do.
References: https://www.jianshu.com/p/530b3642c642
http://docs.kubernetes.org.cn/548.html
Volume:
#cat nginx-mount.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
spec:
  containers:
  - name: test-container
    image: 10.30.30.126:8123/library/nginx:latest
    volumeMounts:
    # name must match the volume name below
    - name: secret-volume
      mountPath: /etc/secret-volume
  imagePullSecrets:
  - name: kubesystemsecret
  volumes:
  - name: secret-volume
    secret:
      secretName: mysecret
Here the Secret is mounted as a volume at /etc/secret-volume inside the Pod's container. Each key of the Secret becomes a file under /etc/secret-volume (the file name is the key, here password and username; the file content is the value, here admin123 and admin). Check once the Pod is running:
$ kubectl exec secret-test-pod -- ls /etc/secret-volume/
password
username
$ kubectl exec secret-test-pod -- cat /etc/secret-volume/password
admin123
$ kubectl exec secret-test-pod -- cat /etc/secret-volume/username
admin
Environment variables:
#cat nginx-env.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-envars-test-pod
spec:
  containers:
  - name: envars-test-container
    image: 10.30.30.126:8123/library/nginx:latest
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret   # the Secret created above (the original referenced "opaque", which does not exist)
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
  imagePullSecrets:
  - name: kubesystemsecret
Check the environment variables: kubectl exec -it secret-envars-test-pod -- /bin/bash
printenv | grep SECRET_
SECRET_USERNAME=admin
SECRET_PASSWORD=admin123
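The API server accepts a Pod whose Secret references do not line up; the failure only shows up when the kubelet tries to start it. Two such mismatches sit in the material above: the env example as originally written referenced a Secret named opaque that was never created, and the pull Secret was created with -n kube-system while the Pods live in default. The following Python script is an added example, not code from the page: it encodes the page's manifests as dicts (constructed sample input, with a placeholder .dockercfg payload rather than the real value) and checks a Pod's imagePullSecrets, secret volumes and secretKeyRef entries against the Secrets visible in its namespace, plus the two classic hand-built Secret mistakes, invalid base64 and a trailing newline from echo without -n. Function and variable names are the example's own.

```python
import base64

# Added example, not code from the original page. The manifests below are
# constructed as Python dicts (the page's YAML, minus the parts the checks do
# not look at) so the script runs without a cluster or a YAML library.

# The Opaque Secret from the page's secret.yaml (admin / admin123).
MYSECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "mysecret", "namespace": "default"},
    "type": "Opaque",
    "data": {"username": "YWRtaW4=", "password": "YWRtaW4xMjM="},
}

# The pull Secret as the page's kubectl command created it: in kube-system.
# The .dockercfg payload is a placeholder ("{}"), not the page's real value.
PULL_SECRET_KUBE_SYSTEM = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "kubesystemsecret", "namespace": "kube-system"},
    "type": "kubernetes.io/dockercfg",
    "data": {".dockercfg": "e30="},
}

# The same Secret re-created in default, as the page's image-pull-secret.yaml does.
PULL_SECRET_DEFAULT = {**PULL_SECRET_KUBE_SYSTEM,
                       "metadata": {"name": "kubesystemsecret", "namespace": "default"}}


def env_pod(secret_name: str) -> dict:
    """The page's nginx-env.yaml with the secretKeyRef name parameterised."""
    ref = lambda key: {"valueFrom": {"secretKeyRef": {"name": secret_name, "key": key}}}
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "secret-envars-test-pod", "namespace": "default"},
        "spec": {
            "containers": [{
                "name": "envars-test-container",
                "image": "10.30.30.126:8123/library/nginx:latest",
                "env": [{"name": "SECRET_USERNAME", **ref("username")},
                        {"name": "SECRET_PASSWORD", **ref("password")}],
            }],
            "imagePullSecrets": [{"name": "kubesystemsecret"}],
        },
    }


def check_secret(secret: dict) -> list:
    """Catch hand-built Secret mistakes: values that are not valid base64, and
    values with a trailing newline (produced with 'echo' instead of 'echo -n')."""
    name = secret["metadata"]["name"]
    problems = []
    for key, value in secret.get("data", {}).items():
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"{name}/{key}: not valid base64")
            continue
        if raw.endswith(b"\n"):
            problems.append(f"{name}/{key}: value ends with a newline (echo instead of echo -n?)")
    return problems


PULL_TYPES = {"kubernetes.io/dockercfg", "kubernetes.io/dockerconfigjson"}


def check_pod(pod: dict, secrets: list) -> list:
    """Resolve every Secret reference in a Pod against the Secrets that exist in
    the Pod's namespace; Kubernetes never resolves them across namespaces."""
    ns = pod["metadata"].get("namespace", "default")
    visible = {s["metadata"]["name"]: s for s in secrets
               if s["metadata"].get("namespace", "default") == ns}
    problems = []
    spec = pod["spec"]
    for ref in spec.get("imagePullSecrets", []):
        s = visible.get(ref["name"])
        if s is None:
            problems.append(f"imagePullSecrets: no Secret '{ref['name']}' in namespace '{ns}'")
        elif s["type"] not in PULL_TYPES:
            problems.append(f"imagePullSecrets: '{ref['name']}' is type {s['type']}, not a pull secret")
    for vol in spec.get("volumes", []):
        name = vol.get("secret", {}).get("secretName")
        if name and name not in visible:
            problems.append(f"volume {vol['name']}: no Secret '{name}' in namespace '{ns}'")
    for c in spec.get("containers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if not ref:
                continue
            s = visible.get(ref["name"])
            if s is None:
                problems.append(f"env {env['name']}: no Secret '{ref['name']}' in namespace '{ns}'")
            elif ref["key"] not in s.get("data", {}) and ref["key"] not in s.get("stringData", {}):
                problems.append(f"env {env['name']}: Secret '{ref['name']}' has no key '{ref['key']}'")
    return problems


if __name__ == "__main__":
    # As originally written: secretKeyRef points at 'opaque' and the pull
    # Secret lives in kube-system, so the Pod would never start.
    for p in check_pod(env_pod("opaque"), [MYSECRET, PULL_SECRET_KUBE_SYSTEM]):
        print("page manifests:", p)
    print("fixed manifests:", check_pod(env_pod("mysecret"), [MYSECRET, PULL_SECRET_DEFAULT]) or "ok")
```

Run against the manifests as the page first had them, the script reports the missing pull Secret in default and both env references to the non-existent opaque Secret; with name: mysecret and the pull Secret re-created in default it reports nothing. The same checks are worth running in CI before apply, because kubectl will not catch either mistake.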
kubernetes.io/service-account-token: used by ServiceAccounts. I don't know how to use it!!!