1,Secret介绍
Secret解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者Pod Spec中,Secret可以以Volume或者环境变量的方式使用。
Secret有三种类型:
- Service Account:用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount目录中;
- Opaque:base64编码格式的Secret,用来存储密码、密钥等;
- kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息。
Opaque Secret
Opaque类型的数据是一个map类型,要求value是base64编码格式
$ echo -n "admin" | base64YWRtaW4=$ echo -n "1f2d1e2e67df" | base64MWYyZDFlMmU2N2Rm
apiVersion: v1kind: Secretmetadata:name: mysecrettype: Opaquedata:password: MWYyZDFlMmU2N2Rmusername: YWRtaW4=
创建好secret之后,有两种方式来使用它:
以Volume方式
apiVersion: v1kind: Podmetadata:labels:name: dbname: dbspec:volumes:- name: secretssecret:secretName: mysecretcontainers:- image: gcr.io/my_project_id/pg:v1name: dbvolumeMounts:- name: secretsmountPath: "/etc/secrets"readOnly: trueports:- name: cpcontainerPort: 5432hostPort: 5432
以环境变量方式
apiVersion: extensions/v1beta1kind: Deploymentmetadata:name: wordpress-deploymentspec:replicas: 2strategy:type: RollingUpdatetemplate:metadata:labels:app: wordpressvisualize: "true"spec:containers:- name: "wordpress"image: "wordpress"ports:- containerPort: 80env:- name: WORDPRESS_DB_USERvalueFrom:secretKeyRef:name: mysecretkey: username- name: WORDPRESS_DB_PASSWORDvalueFrom:secretKeyRef:name: mysecretkey: password
kubernetes.io/dockerconfigjson
Service Account
若有收获,就点个赞吧
0 人点赞
