Built-in Secret types

Opaque: arbitrary user-defined data
kubernetes.io/service-account-token: service account token
kubernetes.io/dockercfg: serialized form of a ~/.dockercfg file
kubernetes.io/dockerconfigjson: serialized form of a ~/.docker/config.json file
kubernetes.io/basic-auth: credentials for basic authentication
kubernetes.io/ssh-auth: credentials for SSH authentication
kubernetes.io/tls: data for a TLS client or server
bootstrap.kubernetes.io/token: bootstrap token data

The generic type

Creating

kubectl create secret generic db-user1 --from-literal=name=user1 --from-literal=password=123456

apiVersion: v1
kind: Secret
metadata:
  name: db-user1
data:
  name: dXNlcjE=       # values are base64-encoded, not encrypted
  password: MTIzNDU2

Creating from files

echo user2 > name.txt          # note: echo appends a trailing newline, which becomes part of the value
echo 123456 > password.txt
kubectl create secret generic db-user2 --from-file=name.txt --from-file=password.txt

The file name becomes the key and the file content becomes the value.

Using a Secret

As Pod environment variables

apiVersion: v1
kind: Pod
metadata:
  name: pod-env
spec:
  containers:
  - name: pod-env-bb
    image: busybox
    command: ["/bin/sh","-c","sleep 3600"]
    env:
    - name: my_name
      valueFrom:
        secretKeyRef:
          name: db-user1
          key: name
    - name: my_pwd
      valueFrom:
        secretKeyRef:
          name: db-user1
          key: password


As a Pod volume mount

Mounting all keys

apiVersion: v1
kind: Pod
metadata:
  name: pod-vol
spec:
  volumes:
  - name: db
    secret:
      secretName: db-user1
  containers:
  - name: pod-vol-bb
    image: busybox
    command: ["/bin/sh","-c","sleep 3600"]
    volumeMounts:
    - name: db
      mountPath: /db-user

By default each key becomes a file name under the mount path and its value becomes the file content.

Mounting selected keys

apiVersion: v1
kind: Pod
metadata:
  name: pod-vol
spec:
  volumes:
  - name: db
    secret:
      secretName: db-user1
      items:
      - key: name
        path: sql-name.txt   # file name relative to the mountPath directory
  containers:
  - name: pod-vol-bb
    image: busybox
    command: ["/bin/sh","-c","sleep 3600"]
    volumeMounts:
    - name: db
      mountPath: /db-user


The dockerconfigjson type

Creating a Secret for authenticating to a docker registry

kubectl create secret docker-registry XXX \
  --docker-server=DOCKER_SERVER \
  --docker-username=DOCKER_USER \
  --docker-password=DOCKER_PASSWORD

kubectl create secret docker-registry harbor-secret --docker-server=xxx --docker-username=xxx --docker-password=xxx

apiVersion: v1
kind: Secret
metadata:
  name: harbor-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: eyJhdXRocyI6eyIyMC4wLjAuNzo4MDk5Ijp7InVzZXJuYW1lIjoiYWRtaW4iLCJwYXNzd29yZCI6IjEyMzQ1NiIsImF1dGgiOiJZV1J0YVc0Nk1USXpORFUyIn19fQ==

Referencing it when creating a Pod

apiVersion: v1
kind: Pod
metadata:
  name: pod
spec:
  containers:
  - name: pod
    image: 20.0.0.7:8099/ops/nginx:1.7.9
  imagePullSecrets:
  - name: harbor-secret


The service-account-token type

Referenced by a ServiceAccount

When a ServiceAccount is created, k8s creates a corresponding Secret by default.
If a Pod uses a ServiceAccount, the corresponding Secret is automatically mounted into the Pod at /var/run/secrets/kubernetes.io/serviceaccount/.
