1. Introduction to Secrets


A Secret solves the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in the container image or the Pod spec. A Secret can be consumed by a Pod either as a Volume or as environment variables.

Three commonly used Secret types:

  • Service Account (kubernetes.io/service-account-token): used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod at /var/run/secrets/kubernetes.io/serviceaccount;
  • Opaque: arbitrary user-defined data such as passwords and keys; the values in the data field are base64 encoded (encoding, not encryption: anyone permitted to read the Secret object recovers the plaintext);
  • kubernetes.io/dockerconfigjson: stores the credentials for a private Docker registry, referenced from a Pod through imagePullSecrets.

Opaque Secret

The data of an Opaque Secret is a map whose values must be base64 encoded (alternatively, the stringData field accepts plain strings and the API server encodes them for you). Encode each value with echo -n so that no trailing newline becomes part of the stored value:

    $ echo -n "admin" | base64
    YWRtaW4=
    $ echo -n "1f2d1e2e67df" | base64
    MWYyZDFlMmU2N2Rm

The encoded values go into the data field of the Secret manifest:

    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:
      password: MWYyZDFlMmU2N2Rm
      username: YWRtaW4=
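The following script is an added example, not code from the original page: it builds the same Opaque Secret manifest from plaintext values (as JSON, which kubectl apply -f accepts just like YAML), decodes it back to show that base64 in the data field is reversible encoding rather than encryption, and reproduces the trailing-newline mistake that echo -n avoids. Only the Python standard library is used; the secret name and values are the page's (mysecret, admin, 1f2d1e2e67df), and the function names are the example's own.

```python
"""Build an Opaque Secret manifest and show that its data is only base64.

Added example; not part of the original page. Stdlib only.
"""
import base64
import json


def encode_value(value: str) -> str:
    """Encode exactly as `echo -n value | base64` does: no trailing newline."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def build_opaque_secret(name: str, values: dict) -> dict:
    """Return a v1 Secret manifest as a dict (serialise with json.dumps for kubectl)."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        # keys are sorted only to make the output deterministic
        "data": {k: encode_value(v) for k, v in sorted(values.items())},
    }


def decode_secret(manifest: dict) -> dict:
    """Recover the plaintext; anyone allowed to `get` the Secret can do this."""
    return {
        k: base64.b64decode(v).decode("utf-8")
        for k, v in manifest.get("data", {}).items()
    }


def newline_pitfall(value: str) -> tuple:
    """Return (correct, wrong): the wrong form is what `echo value | base64`
    (without -n) stores, and the stray newline then becomes part of the
    password the application reads."""
    with_newline = base64.b64encode((value + "\n").encode("utf-8")).decode("ascii")
    return encode_value(value), with_newline


if __name__ == "__main__":
    manifest = build_opaque_secret(
        "mysecret", {"username": "admin", "password": "1f2d1e2e67df"}
    )
    print(json.dumps(manifest, indent=2))      # feed to: kubectl apply -f -
    print(decode_secret(manifest))             # plaintext is one decode away
    print(newline_pitfall("admin"))            # ('YWRtaW4=', 'YWRtaW4K')
```

The decode step is the security point: Secrets protect against accidental exposure in images and specs, not against a principal that holds get or list on Secrets in the namespace (or against reading etcd directly); RBAC and encryption at rest are separate controls.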

Once the Secret has been created, there are two ways to consume it:

As a Volume

    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        name: db
      name: db
    spec:
      volumes:
      - name: secrets
        secret:
          secretName: mysecret
      containers:
      - image: gcr.io/my_project_id/pg:v1
        name: db
        volumeMounts:
        - name: secrets
          # each key of mysecret becomes a file: /etc/secrets/username, /etc/secrets/password
          mountPath: "/etc/secrets"
          readOnly: true
        ports:
        - name: cp
          containerPort: 5432
          hostPort: 5432

As environment variables

    # apps/v1 (extensions/v1beta1 Deployments are no longer served); apps/v1 requires spec.selector
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: wordpress-deployment
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: wordpress
      strategy:
        type: RollingUpdate
      template:
        metadata:
          labels:
            app: wordpress
            visualize: "true"
        spec:
          containers:
          - name: "wordpress"
            image: "wordpress"
            ports:
            - containerPort: 80
            env:
            - name: WORDPRESS_DB_USER
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: username
            - name: WORDPRESS_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: password
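As an added example covering both consumption methods above (the volume-mounted Pod and the env-var Deployment), the script below is not from the original page: it takes a Pod spec and the Secret it references and computes what each container actually sees, that is, which file path or environment variable each Secret key lands in, and it reports secret volumes that are not mounted with readOnly: true. The manifests are the page's two specs rewritten as constructed Python dicts so the block runs without a YAML library; the function and constant names are the example's own.

```python
"""Project a Pod spec's Secret references into the container's view.

Added example; not part of the original page. Stdlib only.
"""

# data keys of the page's Secret (values are the base64 strings from the page)
MYSECRET = {"username": "YWRtaW4=", "password": "MWYyZDFlMmU2N2Rm"}

# constructed from the page's Pod: Secret consumed as a volume at /etc/secrets
VOLUME_POD_SPEC = {
    "volumes": [{"name": "secrets", "secret": {"secretName": "mysecret"}}],
    "containers": [{
        "name": "db",
        "volumeMounts": [
            {"name": "secrets", "mountPath": "/etc/secrets", "readOnly": True}
        ],
    }],
}

# constructed from the page's Deployment template: Secret consumed as env vars
ENV_POD_SPEC = {
    "containers": [{
        "name": "wordpress",
        "env": [
            {"name": "WORDPRESS_DB_USER",
             "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
            {"name": "WORDPRESS_DB_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
        ],
    }],
}


def secret_exposure(pod_spec: dict, secrets: dict) -> dict:
    """Map container name -> list of (secret, key, kind, location).

    kind is "file" for a volume projection (one file per key under mountPath)
    or "env" for a secretKeyRef. Raises KeyError when a secretKeyRef names a
    key the Secret does not have: that is the case in which the kubelet
    refuses to start the container unless the reference is marked optional.
    """
    secret_volumes = {
        v["name"]: v["secret"]["secretName"]
        for v in pod_spec.get("volumes", []) if "secret" in v
    }
    result = {}
    for c in pod_spec.get("containers", []):
        found = []
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_volumes:
                sname = secret_volumes[m["name"]]
                for key in sorted(secrets[sname]):
                    found.append((sname, key, "file", m["mountPath"].rstrip("/") + "/" + key))
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                sname, key = ref["name"], ref["key"]
                if key not in secrets[sname] and not ref.get("optional", False):
                    raise KeyError(f"secret {sname} has no key {key!r}; "
                                   f"container {c['name']} would not start")
                found.append((sname, key, "env", e["name"]))
        result[c["name"]] = found
    return result


def writable_secret_mounts(pod_spec: dict) -> list:
    """Return (container, mountPath) for secret volumes lacking readOnly: true.
    Current kubelets mount secret volumes read-only regardless; the flag states
    the intent explicitly, and this check enforces that it is present."""
    secret_volumes = {v["name"] for v in pod_spec.get("volumes", []) if "secret" in v}
    return [
        (c["name"], m["mountPath"])
        for c in pod_spec.get("containers", [])
        for m in c.get("volumeMounts", [])
        if m["name"] in secret_volumes and not m.get("readOnly", False)
    ]


if __name__ == "__main__":
    secrets = {"mysecret": MYSECRET}
    print(secret_exposure(VOLUME_POD_SPEC, secrets))
    print(secret_exposure(ENV_POD_SPEC, secrets))
    print(writable_secret_mounts(VOLUME_POD_SPEC))
```

The two views differ operationally as well as in the output above: files under a secret volume are refreshed by the kubelet when the Secret changes, whereas a value injected through secretKeyRef is fixed at container start and only changes on a restart, and an environment variable is inherited by every child process the container spawns.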

kubernetes.io/dockerconfigjson

Service Account