Why Secrets exist
A Secret solves the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in the container image or in the Pod Spec. A Secret can be consumed either as a Volume or as environment variables.
There are three kinds of Secret:
- Service Account: used to access the Kubernetes API; created automatically by Kubernetes and automatically mounted into the Pod under /run/secrets/kubernetes.io/serviceaccount.
- Opaque: a Secret whose values are stored base64-encoded; used for passwords, keys and the like.
- kubernetes.io/dockerconfigjson: used to store the credentials for a private docker registry.
Service Account
A Service Account Secret is used to access the Kubernetes API. Kubernetes creates it automatically and mounts it into the Pod under
/run/secrets/kubernetes.io/serviceaccount.
[root@k8s-master ~]# kubectl get pod -n kube-system
NAME                                 READY   STATUS    RESTARTS   AGE
coredns-58cc8c89f4-9gn5g             1/1     Running   5          6d16h
coredns-58cc8c89f4-xxzx7             1/1     Running   5          6d16h
etcd-k8s-master                      1/1     Running   6          6d16h
kube-apiserver-k8s-master            1/1     Running   6          6d16h
kube-controller-manager-k8s-master   1/1     Running   9          6d16h
kube-flannel-ds-amd64-4bc88          1/1     Running   7          6d15h
kube-flannel-ds-amd64-lzwd6          1/1     Running   8          6d15h
kube-flannel-ds-amd64-vw4vn          1/1     Running   8          6d15h
kube-proxy-bs8sd                     1/1     Running   6          6d15h
kube-proxy-nfvtt                     1/1     Running   5          6d15h
kube-proxy-rn98b                     1/1     Running   6          6d16h
kube-scheduler-k8s-master            1/1     Running   8          6d16h
[root@k8s-master ~]# kubectl exec kube-proxy-bs8sd -it -- /bin/sh
Error from server (NotFound): pods "kube-proxy-bs8sd" not found
[root@k8s-master ~]# kubectl exec kube-proxy-bs8sd -n kube-system -it -- /bin/sh
# ls -l
total 0
drwxr-xr-x   1 root root   31 Apr  1  2019 bin
drwxr-xr-x   2 root root    6 Feb  3  2019 boot
drwxr-xr-x  16 root root 3140 Dec 26 01:31 dev
drwxr-xr-x   1 root root   66 Dec 26 01:31 etc
drwxr-xr-x   2 root root    6 Feb  3  2019 home
drwxr-xr-x   1 root root   21 Dec 26 01:31 lib
drwxr-xr-x   2 root root   34 Feb 28  2019 lib64
drwxr-xr-x   2 root root    6 Feb 28  2019 media
drwxr-xr-x   2 root root    6 Feb 28  2019 mnt
drwxr-xr-x   2 root root    6 Feb 28  2019 opt
dr-xr-xr-x 203 root root    0 Dec 26 01:31 proc
drwx------   2 root root    6 Mar 25  2019 root
drwxr-xr-x   1 root root   41 Dec 26 01:31 run
drwxr-xr-x   1 root root  311 Apr  1  2019 sbin
drwxr-xr-x   2 root root    6 Feb 28  2019 srv
dr-xr-xr-x  13 root root    0 Dec 26 01:28 sys
drwxrwxrwt   1 root root    6 Apr  1  2019 tmp
drwxr-xr-x   1 root root   19 Feb 28  2019 usr
drwxr-xr-x   1 root root   17 Feb 28  2019 var
# cd /run
# ls -l
total 0
drwxrwxrwt 2 root root  6 Feb 28  2019 lock
drwxr-xr-x 3 root root 27 Dec 26 01:31 secrets
-rw-rw-r-- 1 root utmp  0 Feb 28  2019 utmp
-rw------- 1 root root  0 Dec 26 01:29 xtables.lock
# cd secrets
# cd kubernetes.io
# ls -l
total 0
drwxrwxrwt 3 root root 140 Dec 26 01:31 serviceaccount
# cat serviceaccount
cat: serviceaccount: Is a directory
# cd serviceaccount
# ls
ca.crt  namespace  token
# cat ca.crt
-----BEGIN CERTIFICATE-----
[cluster CA certificate body omitted]
-----END CERTIFICATE-----
# cat namespace
kube-system
# cat token
[service-account bearer token omitted]
# exit
[root@k8s-master ~]#
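As an added example (not part of the original post), the script below reads the same three files from a mounted service-account directory and decodes the token's JWT payload to show which identity the pod actually holds. The directory path, the demo function and its unsigned sample token with constructed claims are assumptions made here, and the decode does no signature verification.

```shell
#!/bin/sh
# Added example (not from the original post). Inspect what the mounted
# service-account directory gives a pod: the namespace file, and the JWT
# token whose payload names the identity. Tokens are decoded, never verified.
SA_DIR="${SA_DIR:-/run/secrets/kubernetes.io/serviceaccount}"

# base64url -> standard base64 with padding, then decode (GNU base64 assumed)
b64url_decode() {
  s=$(printf '%s' "$1" | sed 's/-/+/g; s#_#/#g')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s" | base64 -d
}
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | sed 's/+/-/g; s#/#_#g'; }

# The payload is the second dot-separated segment of a JWT
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# jwt_claim TOKEN NAME -> value of a top-level string claim
jwt_claim() { jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }

# sa_identity DIR -> one line summarising the identity mounted in DIR
sa_identity() {
  ns=$(cat "$1/namespace")
  tok=$(cat "$1/token")
  printf 'namespace=%s subject=%s issuer=%s\n' \
    "$ns" "$(jwt_claim "$tok" sub)" "$(jwt_claim "$tok" iss)"
}

# demo: a constructed, unsigned token in a temporary SA directory, mirroring
# the kube-proxy pod on the page (claim values are samples, not real ones)
demo() {
  tmp=$(mktemp -d)
  hdr=$(b64url_encode '{"alg":"RS256","kid":"demo"}')
  pl=$(b64url_encode '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","sub":"system:serviceaccount:kube-system:kube-proxy"}')
  printf '%s' "$hdr.$pl.unsigned-demo-signature" > "$tmp/token"
  printf 'kube-system' > "$tmp/namespace"
  sa_identity "$tmp"
  rm -rf "$tmp"
}

# Inside a real pod: sh inspect_sa.sh --run
if [ "${1:-}" = "--run" ]; then sa_identity "$SA_DIR"; fi
```

Every pod gets this identity by default, so workloads that never call the API should set automountServiceAccountToken: false in their spec so nothing is mounted at all.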
Opaque Secret
Ⅰ. Creating one
The data of an Opaque Secret is a map whose values must be base64-encoded:
[root@k8s-master secrets]# echo -n "admin" | base64
YWRtaW4=
[root@k8s-master secrets]# echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm
[root@k8s-master secrets]# cat sec.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
[root@k8s-master secrets]#
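The following is an added example, not code from the original post: it builds a manifest like sec.yaml from plaintext key=value pairs and then reads a value back out of it, to make the point that the data field is encoded, not encrypted. The function names and the temporary-file demo are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post). Build an Opaque Secret manifest
# like sec.yaml from plaintext key=value pairs, then recover a value from the
# manifest: `data` is base64-encoded, not encrypted, so anyone who can read
# the Secret object (kubectl get secret -o yaml, or etcd) gets the plaintext.

# Encode one value the way the page does (echo -n VALUE | base64), one line
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# secret_manifest NAME key=value [key=value ...] -> YAML on stdout
secret_manifest() {
  name="$1"; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key="${kv%%=*}"
    val="${kv#*=}"
    printf '  %s: %s\n' "$key" "$(b64 "$val")"
  done
}

# secret_value MANIFEST_FILE KEY -> decoded plaintext of that key
secret_value() {
  sed -n "s/^  $2: //p" "$1" | base64 -d
}

# demo: the page's own mysecret values, written to a temp file and read back
demo() {
  tmp=$(mktemp)
  secret_manifest mysecret username=admin password=1f2d1e2e67df > "$tmp"
  pw=$(secret_value "$tmp" password)
  rm -f "$tmp"
  printf '%s\n' "$pw"
}
```

The mitigations are cluster-side: restrict RBAC on get/list of Secrets and enable encryption at rest for the secrets resource so etcd does not hold them in the clear. Kubernetes also accepts plaintext under stringData, which the API server base64-encodes on write, so the manual encoding step is optional.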
Ⅱ. Using it
1. Mount the Secret as a Volume
[root@k8s-master secrets]# cat pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: seret-test
  name: seret-test
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
  containers:
  - image: wangyanglinux/myapp:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
[root@k8s-master secrets]#
[root@k8s-master secrets]# vim pod1.yaml
[root@k8s-master secrets]# kubectl apply -f pod1.yaml
pod/seret-test created
[root@k8s-master secrets]# kubectl get pod
NAME                        READY   STATUS    RESTARTS   AGE
my-nginx-5d57c6897b-fm2ql   1/1     Running   1          15h
seret-test                  1/1     Running   0          15s
[root@k8s-master secrets]# kubectl exec seret-test -it -- cat /etc/secrets/admin
cat: can't open '/etc/secrets/admin': No such file or directory
command terminated with exit code 1
[root@k8s-master secrets]# kubectl exec seret-test -it -- cat /etc/secrets/username
admin
[root@k8s-master secrets]# kubectl exec seret-test -it -- cat /etc/secrets/password
Each key of the Secret becomes one file under the mount path, named after the key (username, password) and holding the decoded value, which is why /etc/secrets/admin does not exist.
2. Export the Secret into environment variables
[root@k8s-master secrets]# cat deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: pod-deployment
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
      - name: pod-12
        image: wangyanglinux/myapp:v1
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
[root@k8s-master secrets]#
[root@k8s-master secrets]# vim deployment.yaml
[root@k8s-master secrets]# kubectl apply -f deployment.yaml
deployment.apps/pod-deployment created
[root@k8s-master secrets]# kubectl get pod
NAME                             READY   STATUS                       RESTARTS   AGE
my-nginx-5d57c6897b-gh5v6        1/1     Running                      0          30m
pod-deployment-86575c7c5-d2pjf   0/1     CreateContainerConfigError   0          5s
pod-deployment-86575c7c5-rcmq8   0/1     CreateContainerConfigError   0          5s
seret-test                       1/1     Running                      0          35m
[root@k8s-master secrets]# kubectl get pod
NAME                             READY   STATUS                       RESTARTS   AGE
my-nginx-5d57c6897b-gh5v6        1/1     Running                      0          30m
pod-deployment-86575c7c5-d2pjf   0/1     CreateContainerConfigError   0          14s
pod-deployment-86575c7c5-rcmq8   0/1     CreateContainerConfigError   0          14s
seret-test                       1/1     Running                      0          35m
[root@k8s-master secrets]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      39h
default-token-6wcrh   kubernetes.io/service-account-token   3      6d17h
tls-secret            kubernetes.io/tls                     2      40h
[root@k8s-master secrets]# ll
总用量 12
-rw-r--r-- 1 root root 620 12月 26 15:37 deployment.yaml
-rw-r--r-- 1 root root   0 12月 26 15:07 enc.yaml
-rw-r--r-- 1 root root 311 12月 26 15:02 pod1.yaml
-rw-r--r-- 1 root root 124 12月 26 14:55 sec.yaml
[root@k8s-master secrets]# kubectl apply -f sec.yaml
secret/mysecret created
[root@k8s-master secrets]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      39h
default-token-6wcrh   kubernetes.io/service-account-token   3      6d17h
mysecret              Opaque                                2      3s
tls-secret            kubernetes.io/tls                     2      40h
Both replicas stay in CreateContainerConfigError because mysecret does not exist yet (it is absent from the first kubectl get secret listing): the kubelet cannot resolve the secretKeyRef, so the container is never started. Once sec.yaml is applied, the existing pods pick the Secret up on their own and move to Running without being recreated.
[root@k8s-master secrets]# kubectl get pod
NAME                             READY   STATUS                       RESTARTS   AGE
my-nginx-5d57c6897b-gh5v6        1/1     Running                      0          31m
pod-deployment-86575c7c5-d2pjf   1/1     Running                      0          80s
pod-deployment-86575c7c5-rcmq8   0/1     CreateContainerConfigError   0          80s
seret-test                       1/1     Running                      0          36m
[root@k8s-master secrets]# kubectl get pod
NAME                             READY   STATUS    RESTARTS   AGE
my-nginx-5d57c6897b-gh5v6        1/1     Running   0          31m
pod-deployment-86575c7c5-d2pjf   1/1     Running   0          83s
pod-deployment-86575c7c5-rcmq8   1/1     Running   0          83s
seret-test                       1/1     Running   0          36m
[root@k8s-master secrets]# kubectl exec pod-deployment-86575c7c5-rcmq8 -it -- /bin/sh
/ # ls
bin    dev    etc    home   lib    media  mnt    proc   root   run    sbin   srv    sys    tmp    usr    var
/ # echo $TEST_USER
admin
/ # echo $TEST_PASSWORD
1f2d1e2e67df
/ # exit
Values injected this way are inherited by every child process of the container and are readable from /proc/<pid>/environ, which is one reason the volume mount in the previous section is usually preferred for credentials.
kubernetes.io/dockerconfigjson
Creating a docker registry authentication Secret with kubectl: see the blog post.