一、Secret介绍
二、创建secret的两种方式
1.使用命令kubectl create secret
1)pod访问数据库需要用户名和密码,分别存放在文件内
2)将用户名密码写到secret中,并在apiserver创建secret
[root@k8s-master ~]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt #db-user-pass为secret名字
3)查看结果
[root@k8s-master ~]# kubectl get secrets
NAME TYPE DATA AGE
db-user-pass Opaque 2 17s
4)查看详细信息——describe指令不会展示secret的实际内容,这是出于保护数据的考虑
[root@k8s-master ~]# kubectl describe secret db-user-pass
Name: db-user-pass
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password.txt: 8 bytes
username.txt: 5 bytes
5)查看文件内容——base64 编码之后的(base64 只是编码而不是加密,任何能读取该 Secret 的人都能直接解码出明文)
[root@k8s-master ~]# kubectl get secret db-user-pass -o yaml
apiVersion: v1
data:
password.txt: MjAyNDA3MjM=
username.txt: YWRtaW4=
kind: Secret
metadata:
creationTimestamp: "2024-07-23T05:26:25Z"
name: db-user-pass
namespace: default
resourceVersion: "18685"
uid: ae232efd-802a-476b-bbf6-057bbf4aae3f
type: Opaque
6)base64编码、解码(注意:echo 默认会在末尾追加换行符,所以编码结果以 K 或 Cg== 结尾、比 --from-file 方式多一个字节;需要精确值时请用 echo -n 或 printf '%s')
[root@k8s-master ~]# echo 'MjAyNDA3MjM=' |base64 --decode
20240723[root@k8s-master ~]#
[root@k8s-master ~]# echo 'YWRtaW4=' |base64 --decode
admin[root@k8s-master ~]#
[root@k8s-master ~]# echo "admin" |base64
YWRtaW4K
[root@k8s-master ~]# echo "20240723" |base64
MjAyNDA3MjMK
2.使用yaml文件创建secret(常用)
1)创建secret.yaml文件
[root@k8s-master prome]# vim secret.yaml
[root@k8s-master prome]# cat secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
user: YWRtaW4K
password: MjAyNDA3MjMK
2)创建(kubectl apply -f secret.yaml)
3)查看信息
[root@k8s-master prome]# kubectl get secrets
NAME TYPE DATA AGE
db-user-pass Opaque 2 12m
mysecret Opaque 2 25s
[root@k8s-master prome]# kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
password: MjAyNDA3MjMK
user: YWRtaW4K
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"password":"MjAyNDA3MjMK","user":"YWRtaW4K"},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"type":"Opaque"}
creationTimestamp: "2024-07-23T05:38:23Z"
name: mysecret
namespace: default
resourceVersion: "19703"
uid: fb-851f-4132-8939-c0fdd2ba783c
type: Opaque
三、引用Secret
1.卷挂载——pod中引用secret
1)创建yaml文件
[root@k8s-master prome]# vim pod-user-secret.yaml
[root@k8s-master prome]# cat pod-user-secret.yaml
---
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: nginx
image: daocloud.io/library/nginx:1.12.0-alpine
volumeMounts: #挂载一个卷
- name: fog #这个名字需要与定义的卷的名字一致
mountPath: "/etc/fog" #挂载到容器里哪个目录下,随便写
readOnly: true
volumes: #数据卷的定义
- name: fog #卷的名字这个名字自定义
secret: #卷是直接使用的secret。
secretName: mysecret #调用刚才定义的secret
2)创建
[root@k8s-master prome]# kubectl apply -f pod-user-secret.yaml
pod/mypod created
[root@k8s-master prome]# kubectl get pods
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 14s
tomcat 1/1 Running 0 56m
3)进入mypod查看
[root@k8s-master prome]# kubectl exec -it mypod /bin/sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # ls /etc/fog/
password user
/ # ls /etc/fog/password
/etc/fog/password
/ # cat /etc/fog/password
/ # cat /etc/fog/user
admin
/ # exit
注意:每一个被引用的Secret都要在spec.volumes中定义;如果Pod中的多个容器都要引用这个Secret,那么每一个容器定义中都要指定自己的volumeMounts,但是Pod定义中声明一次spec.volumes就好了。
2.映射secret key到指定路径
1)删除上一次操作并编写yaml文件
[root@k8s-master prome]# kubectl delete -f pod-user-secret.yaml
pod "mypod" deleted
[root@k8s-master prome]# vim pod-user-secret.yaml
[root@k8s-master prome]# cat pod-user-secret.yaml
---
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: nginx
image: daocloud.io/library/nginx:1.12.0-alpine
volumeMounts:
- name: fog
mountPath: "/etc/fog"
readOnly: true
volumes:
- name: fog
secret:
secretName: mysecret
items: #定义一个items
- key: password #将那个key重新定义到那个目录下
path: my-fog/my-password #相对路径,password被映射到了/etc/fog/my-fog/my-password而不是/etc/fog/password。
2)创建并查看
[root@k8s-master prome]# kubectl apply -f pod-user-secret.yaml
pod/mypod created
[root@k8s-master prome]# kubectl get pods
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 4m48s
tomcat 1/1 Running 0 75m
[root@k8s-master prome]# kubectl exec -it mypod /bin/sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/ # ls /etc/fog/
my-fog
/ # ls /etc/fog/my-fog/
my-password
/ # cat /etc/fog/my-fog/my-password
/ # exit
3)被挂载的secret内容自动更新
修改secret.yaml文件中的数据,然后再kubectl apply -f secret.yaml
进入容器后查看修改的内容(有一定时间延迟)
3.以环境变量的形式使用Secret
1)编写yaml文件
[root@k8s-master secret]# echo 'root'| base64
cm9vdAo=
[root@k8s-master secret]# echo '123456' |base64
MTIzNDU2Cg==
[root@k8s-master secret]# vim mysql-secret.yaml
[root@k8s-master secret]# cat mysql-secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: mysql-user-pass
type: Opaque
data:
username: cm9vdAo=
password: MTIzNDU2Cg==
---
apiVersion: v1
kind: Pod
metadata:
name: mysql
spec:
containers:
- name: mysql
image: daocloud.io/library/mysql:8.0.1
env:
- name: MYSQL_ROOT_PASSWORD #创建新的环境变量名称
valueFrom:
secretKeyRef: #调用的key是什么
name: mysql-user-pass #变量的值来自于 mysql-user-pass 这个 Secret
key: password #取该 Secret 中 password 这个 key 的值
[root@k8s-master secret]# kubectl apply -f mysql-secret.yaml
secret/mysql-user-pass created
pod/mysql created
2)进入容器验证
kubectl exec -it mysql /bin/bash
mysql -uroot -p''
四、docker私有仓库Secret应用
1.编写/etc/docker/daemon.json文件(insecure-registries 允许 docker 通过 HTTP 或不校验证书的 HTTPS 访问该仓库,仅适合测试环境)
{"insecure-registries" : [ "私有仓库ip地址" ]}
2.创建secret命令
[root@k8s-master ~] # kubectl create secret docker-registry myregistrykey --docker-server=私有仓库地址 --docker-username=仓库用户 --docker-password=用户密码 #myregistrykey为secret名字;命令行中的密码会留在 shell 历史记录里
3.引用示例
kind: Pod
apiVersion: v1
metadata:
namespace: kube-system
name: nginx
labels:
app: nginx
spec:
nodeName: k8s-node1
imagePullSecrets: #引用secret
- name: myregistrykey #此处是创建的secret名字
containers:
- image: daocloud.io/library/nginx:1.12.0-alpine
name: nginx
ports:
- containerPort: 80