Yuan_sr, published 16 May
Kubernetes Storage: Secret
A Secret solves the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in the image or in the Pod spec. A Secret can be consumed either as a Volume or as environment variables.
There are three types of Secret:
Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod under /run/secrets/kubernetes.io/serviceaccount
Opaque: a base64-encoded Secret, used to store passwords, keys and similar data
kubernetes.io/dockerconfigjson: used to store the credentials for a private Docker registry
Service Account
A Service Account is used to access the Kubernetes API. It is created automatically by Kubernetes and mounted automatically into the Pod under /run/secrets/kubernetes.io/serviceaccount. Listing that directory inside a running Pod shows the three files (the exec line uses "--" to separate the command from kubectl's own flags):
$ kubectl run nginx --image nginx
deployment "nginx" created
$ kubectl get pods
...
$ kubectl exec nginx-xxx -- ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
Opaque Secret
1. Creating one
The values in an Opaque Secret's data field are base64-encoded (note that base64 is an encoding, not encryption; anyone who can read the Secret can decode it):
$ echo -n "admin" | base64
YWRtaW4=
$ echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm
secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
2. Using it
2.1 Mounting the Secret as a Volume
Each key of the Secret becomes a file under mountPath; the mount is declared readOnly so the container cannot modify it:
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: secret-test
  name: secret-test
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
  containers:
  - image: myapp:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
2.2 Injecting the Secret into environment variables
Each environment variable references one key of the Secret through secretKeyRef (the original manifest misspelled the second reference as secreKeyRef, which the API server rejects; it is corrected here):
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
      - name: pod-1
        image: myapp:v1
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
kubernetes.io/dockerconfigjson
Use kubectl to create a Secret holding the Docker registry credentials (the subcommand is "kubectl create secret docker-registry"; the e-mail value is elided in the source and left as-is here):
$ kubectl create secret docker-registry myregistrykey --docker-server=hub.example.com --docker-username=admin --docker-password=Harbor12345 --docker-email=[email protected]
When creating the Pod, reference the newly created myregistrykey through imagePullSecrets:
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: foo
    image: wst/example:v1  # image in the private registry
  imagePullSecrets:
  - name: myregistrykey
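As an added example (not part of the original post), the following Python script builds the same Opaque Secret as secrets.yaml above and the same kubernetes.io/dockerconfigjson Secret that the kubectl create secret docker-registry command stores, then decodes both back. It shows why read access to Secrets must be limited with RBAC: the base64 in data is only an encoding, so anyone permitted to get the Secret recovers the registry password unchanged. The e-mail address used is a constructed placeholder.

```python
import base64
import json


def b64(text: str) -> str:
    """base64-encode a UTF-8 string, exactly as `echo -n ... | base64` does."""
    return base64.b64encode(text.encode()).decode()


def opaque_secret(name: str, fields: dict) -> dict:
    """Build a type: Opaque Secret manifest; every value under .data is base64."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {key: b64(value) for key, value in fields.items()},
    }


def docker_registry_secret(name, server, username, password, email) -> dict:
    """Build what `kubectl create secret docker-registry` stores: one
    .dockerconfigjson key holding a base64-encoded Docker config.json."""
    config = {"auths": {server: {
        "username": username,
        "password": password,
        "email": email,
        "auth": b64(f"{username}:{password}"),  # the value the registry checks
    }}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": b64(json.dumps(config))},
    }


def decode_data(secret: dict) -> dict:
    """Undo the encoding: this is all `kubectl get secret -o yaml` plus
    `base64 -d` gives anyone with read access to the Secret."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


def registry_credentials(secret: dict) -> dict:
    """Map registry server -> (username, password) from a dockerconfigjson Secret."""
    config = json.loads(decode_data(secret)[".dockerconfigjson"])
    return {srv: (e["username"], e["password"]) for srv, e in config["auths"].items()}


if __name__ == "__main__":
    print(json.dumps(opaque_secret("mysecret", {"username": "admin", "password": "1f2d1e2e67df"}), indent=2))
    reg = docker_registry_secret("myregistrykey", "hub.example.com", "admin", "Harbor12345", "admin@example.invalid")
    print(registry_credentials(reg))  # the plaintext password comes straight back
```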
This work is original and is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International license.