Secret解决了密码、token、密钥等敏感数据的配置问题,而不需要把敏感数据暴露到镜像或者Pod Spec中。Secret可以通过Volume或者环境变量的方式使用。

Secret有三种类型:

  • Service Account :用来访问Kubernetes API
  • Opaque :base64编码格式的Secret,用来存储密码、密钥等
  • kubernetes.io/dockerconfigjson :用来存储私有docker registry的认证信息

    Service Account

Service Account用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount目录中。

  1. $ kubectl run nginx --image nginx
  3. $ kubectl get pods
  4. NAME                     READY     STATUS    RESTARTS   AGE
  5. nginx-3137573019-md1u2   1/1       Running   0          13s
  6. $ kubectl exec nginx-3137573019-md1u2 ls /run/secrets/kubernetes.io/serviceaccount
  7. ca.crt
  8. namespace
  9. token
  11. # 查看 Pod 描述信息
  12.     volumeMounts:
  13.     - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
  14.       name: default-token-5tsh4
  15.       readOnly: true
  16.   ......
  17.   serviceAccount: default
  18.   serviceAccountName: default
  19.   volumes:
  20.   - name: default-token-5tsh4
  21.     secret:
  22.       defaultMode: 420
  23.       secretName: default-token-5tsh4

Opaque

创建

Opaque类型的数据是一个map类型,要求value是base64编码格式:

# 将信息内容做 base64 编码
$ echo -n "admin" | base64
YWRtaW4=

$ echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm

根据编码后的数据应用到资源清单文件 secrets.yml

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=

kubectl apply -f secrets.yml

使用

以volume方式
#将Secret挂载到Volume中

apiVersion: v1
kind: Pod
metadata:
  labels:
    name: db
  name: db
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
  containers:
  - image: gcr.io/my_project_id/pg:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
    ports:
    - name: cp
      containerPort: 5432
      hostPort: 5432

以环境变量方式
#将Secret导出到环境变量中

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: wordpress-deployment
spec:
  replicas: 2
  strategy:
      type: RollingUpdate
  template:
    metadata:
      labels:
        app: wordpress
        visualize: "true"
    spec:
      containers:
      - name: "wordpress"
        image: "wordpress"
        ports:
        - containerPort: 80
        env:
        - name: WORDPRESS_DB_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: WORDPRESS_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password

dockerconfigjson

创建

#方式一:kubectl命令创建

$ kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

#方式二:读取config.json文件创建

$ cat ~/.docker/config.json | base64
UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg==

$ cat > myregistrykey.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
data:
  .dockerconfigjson: UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg==
type: kubernetes.io/dockerconfigjson
EOF

$ kubectl create -f myregistrykey.yaml

使用

在创建Pod的时候,通过imagePullSecrets来引用刚创建的myregistrykey:

apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
    - name: foo
      image: janedoe/awesomeapp:v1
  imagePullSecrets:
    - name: myregistrykey