Kubernetes存储之Secret

153 阅读1分钟

Secret解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者Pod Spec中,Secret可以以Volume或者环境变量的方式使用

Secret有三种类型:

  • Service Account: 用来访问Kubernetes API,有Kubernetes自动创建,并且会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount 目录中
  • Opaque:base64编码格式的Secret,用来存储密码、密钥等
  • kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息

Service Account

Service Account用来访问Kubernetes API,有Kubernetes自动创建,并且会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount 目录中

$ kubectl run nginx --image nginx
deployment "nginx" created
$ kubectl get pods
...
$ kubectl exec nginx-xxx ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token

Opaque Secret

1.创建说明

$ echo -n "admin" | base64
YWRtaW4=
$ echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm

secrets.yaml

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=

2.使用方式

2.1 将Secret挂载到Volume中

apiVersion: v1
kind: Pod
metadata:
  labels:
    name: secret-test
  name: secret-test
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
  containers:
  - image: myapp:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true

2.2 将Secret导入到环境变量中

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
      - name: pod-1
        image: myapp:v1
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: TEST_PASSWORD
          valueFrom:
            secreKeyRef:
              name: mysecret
              key: password

Kubernetes.io/dockerconfigjson

使用Kubectl创建docker registry认证的secret

$ kubectl create docker-registry myregistrykey --docker-server=hub.example.com --docker-username=admin --docker-password=Harbor12345 --docker-email=Yuan_sr@163.com

在创建Pod的时候,通过imagePullSecrets 来引用刚创建的myregistrykey

apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
    - name: foo
      image: wst/example:v1 #私有仓库中的镜像
  imagePullSecrets:
    - name: myregistrykey