Why Secrets exist

Secrets solve the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in the image or in the Pod spec. A Secret can be consumed either as a Volume or as environment variables.

There are three kinds of Secret:

  • Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount;
  • Opaque: a Secret whose values are stored base64-encoded, used for passwords, keys and the like;
  • kubernetes.io/dockerconfigjson: stores the authentication information for a private Docker registry.

Service Account

A Service Account is used to access the Kubernetes API. It is created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount.

    $ kubectl run nginx --image nginx
    deployment "nginx" created
    $ kubectl get pods
    NAME                       READY   STATUS    RESTARTS   AGE
    my-nginx-b748cbcc9-sn4jg   1/1     Running   0          48m
    # the token, CA bundle and namespace are mounted as plain files in the container
    $ kubectl exec nginx-3137573019-md1u2 -- ls /run/secrets/kubernetes.io/serviceaccount
    ca.crt
    namespace
    token

Opaque Secret

Commonly used

Ⅰ. Creating one

The data of an Opaque Secret is a map whose values must be base64-encoded:

    $ echo -n "admin" | base64
    YWRtaW4=
    $ echo -n "1f2d1e2e67df" | base64
    MWYyZDFlMmU2N2Rm

    cat <<EOF >./secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:
      password: MWYyZDFlMmU2N2Rm
      username: YWRtaW4=
    EOF

    $ kubectl apply -f secrets.yaml
    secret/mysecret created
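The encoding step above, as an added Python example that is not part of the original post: it builds the same mysecret manifest from plaintext, renders it as YAML, and decodes a manifest back to plaintext. The point for a practitioner is that base64 is reversible, so whoever can read the Secret object can read the values; RBAC on the Secret, not the encoding, is what protects them. The helper names (`build_opaque_secret`, `render_yaml`, `decode_secret_data`) and the minimal YAML renderer are this example's own, and the sample values are the two the page encodes by hand.

```python
import base64

# Constructed plaintext: the two values the page encodes by hand with `echo -n ... | base64`.
PLAINTEXT = {"username": "admin", "password": "1f2d1e2e67df"}


def b64(value: str) -> str:
    """Encode like `echo -n "<value>" | base64` (no trailing newline in the input)."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def build_opaque_secret(name: str, values: dict) -> dict:
    """Return an Opaque Secret manifest with every value base64-encoded under `data`."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {key: b64(value) for key, value in values.items()},
    }


def render_yaml(obj: dict, indent: int = 0) -> str:
    """Minimal YAML renderer for nested maps of strings (enough for a Secret manifest).
    This is the example's own helper, not a full YAML emitter."""
    lines = []
    pad = "  " * indent
    for key, value in obj.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.append(render_yaml(value, indent + 1))
        else:
            lines.append(f"{pad}{key}: {value}")
    return "\n".join(lines)


def decode_secret_data(manifest: dict) -> dict:
    """Decode `data` back to plaintext, as `kubectl get secret -o yaml` plus `base64 -d` would.
    Base64 is an encoding, not encryption: whoever can read the object reads the values.
    Raises ValueError for a value that is not valid base64 text (the API server rejects those)."""
    decoded = {}
    for key, encoded in manifest.get("data", {}).items():
        try:
            decoded[key] = base64.b64decode(encoded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError) as exc:
            raise ValueError(f"data[{key!r}] is not valid base64 text: {exc}") from exc
    return decoded


if __name__ == "__main__":
    manifest = build_opaque_secret("mysecret", PLAINTEXT)
    print(render_yaml(manifest))
    print(decode_secret_data(manifest))
```

One pitfall the `b64` helper makes visible: `echo "admin" | base64` without `-n` encodes a trailing newline, so the stored password becomes `admin\n` and the application rejects it; comparing `b64("admin")` with `b64("admin\n")` shows the difference (`YWRtaW4=` versus `YWRtaW4K`).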

Once the Secret has been created, there are two ways to use it:

  • as a Volume
  • as environment variables

1. Mounting the Secret into a Volume

    cat <<EOF >./secret-volume.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        name: secret-test-volume
      name: secret-test-volume
    spec:
      volumes:
      - name: secrets
        secret:
          secretName: mysecret
      containers:
      - name: secret-volume
        image: hub.yangguoxiang.com/library/myapp:v1.0
        volumeMounts:
        - name: secrets
          mountPath: "/etc/secrets"
          readOnly: true
    EOF

    $ kubectl apply -f secret-volume.yaml
    pod/secret-test-volume created
    $ kubectl exec pod/secret-test-volume -it -- /bin/sh
    # each key of the Secret becomes a file under the mount path, holding the decoded value
    $ ls /etc/secrets/
    $ cat /etc/secrets/password

2. Exporting the Secret into environment variables

    cat <<EOF >./secret-env.yaml
    # apps/v1 replaces the removed extensions/v1beta1 API and requires a selector
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: secret-test-env
    spec:
      replicas: 2
      strategy:
        type: RollingUpdate
      selector:
        matchLabels:
          app: secret-test-env
      template:
        metadata:
          labels:
            app: secret-test-env
            visualize: "true"
        spec:
          containers:
          - name: secret-env
            image: hub.yangguoxiang.com/library/myapp:v1.0
            ports:
            - containerPort: 80
            env:
            - name: TEST_USER
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: username
            - name: TEST_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: password
    EOF

    $ kubectl apply -f secret-env.yaml
    deployment.apps/secret-test-env created
    $ kubectl exec pod/secret-test-env-75d6674bd5-997xj -it -- /bin/sh
    # the decoded value is visible to every process in the container (and in /proc/<pid>/environ)
    $ echo $TEST_PASSWORD

kubernetes.io/dockerconfigjson

A Secret for Docker registry authentication can be created directly with the kubectl command:

    $ kubectl create secret docker-registry myregistrykey \
        --docker-server=hub.yangguoxiang.com \
        --docker-username=admin \
        --docker-password=123456 \
        --docker-email=741949068@qq.com
    secret/myregistrykey created
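What that command stores, as an added Python example that is not part of the original post: it builds the `.dockerconfigjson` document (an `auths` map keyed by registry host, carrying `username`, `password`, an optional `email`, and the same credentials again in `auth` as base64 of `username:password`), wraps it in a `kubernetes.io/dockerconfigjson` Secret, and decodes such a Secret back to the registry credentials. The server, username and password are the ones from the page's command; the e-mail address is a constructed placeholder, and the function names are this example's own.

```python
import base64
import json

# Constructed sample values: server, username and password match the page's
# kubectl create secret docker-registry command; the e-mail address is made up.
REGISTRY = "hub.yangguoxiang.com"
USERNAME = "admin"
PASSWORD = "123456"
EMAIL = "ops@example.com"


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def docker_config_json(server: str, username: str, password: str, email: str = "") -> str:
    """Build the .dockerconfigjson document: an `auths` map keyed by registry host whose
    entry holds username/password and repeats them in `auth` as base64("username:password")."""
    entry = {
        "username": username,
        "password": password,
        "auth": b64(f"{username}:{password}".encode("utf-8")),
    }
    if email:
        entry["email"] = email
    return json.dumps({"auths": {server: entry}})


def build_registry_secret(name: str, server: str, username: str, password: str, email: str = "") -> dict:
    """Return the kubernetes.io/dockerconfigjson Secret manifest as a dict."""
    config = docker_config_json(server, username, password, email)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": b64(config.encode("utf-8"))},
    }


def decode_docker_config(secret: dict) -> dict:
    """Return the parsed .dockerconfigjson document stored in a registry Secret."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson Secret")
    raw = base64.b64decode(secret["data"][".dockerconfigjson"], validate=True)
    return json.loads(raw.decode("utf-8"))


def registry_credentials(secret: dict) -> dict:
    """Decode a registry Secret back to {server: (username, password)}.
    This is exactly what any principal with `get` on the Secret can do, so the registry
    password is only as protected as the RBAC rules on the Secret itself."""
    creds = {}
    for server, entry in decode_docker_config(secret).get("auths", {}).items():
        if "auth" in entry:
            # `auth` is the field the docker client actually sends; split on the first colon
            user, _, pw = base64.b64decode(entry["auth"]).decode("utf-8").partition(":")
        else:
            user, pw = entry["username"], entry["password"]
        creds[server] = (user, pw)
    return creds


if __name__ == "__main__":
    secret = build_registry_secret("myregistrykey", REGISTRY, USERNAME, PASSWORD, EMAIL)
    print(json.dumps(secret, indent=2))
    print(registry_credentials(secret))
```

Because the password round-trips in the clear, a pull secret should live in the namespace that needs it, be granted through `imagePullSecrets` rather than broad `get secrets` rights, and use a registry account limited to pulling.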

When creating the Pod, reference the myregistrykey just created through imagePullSecrets:

    cat <<EOF >./secret-hub.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: secret-hub
    spec:
      containers:
      - name: secret-hub
        image: hub.yangguoxiang.com/test/myapp:v1.0
      # imagePullSecrets is a field of the Pod spec, not of the container
      imagePullSecrets:
      - name: myregistrykey
    EOF

    $ kubectl apply -f secret-hub.yaml
    pod/secret-hub created
    # show the details; the Events section tells you whether the image pull succeeded
    $ kubectl describe pod/secret-hub