Kubernetes-12: Introduction to Secrets, with a demonstration
阿新 • Published: 2020-07-09
Introduction to Secrets
Why Secrets exist
Secrets solve the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in the image or in the Pod spec; a Secret can be consumed either as a Volume or as environment variables.
Secrets come in three types
Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod under /run/secrets/kubernetes.io/serviceaccount
Opaque: a Secret whose values are base64-encoded, used to store passwords, keys and similar data
kubernetes.io/dockerconfigjson: used to store the authentication information for a private docker registry
Service Account
Any Pod that interacts with the Kubernetes API automatically gets a Secret of this type, for example the Pods in the kube-system namespace.
### Pick any Pod under kube-system and check whether this type of Secret is present
[root@Centos8 ~]# kubectl exec -it kube-proxy-76x2c -n kube-system -- /bin/sh
# cd /run/secrets/kubernetes.io/serviceaccount
# ls
ca.crt     namespace  token
### As you can see, the CA certificate, the namespace and the token are stored there
Opaque
The "encryption" of this type is plain base64: the plaintext is turned into a string that looks unreadable, but decoding it is just as easy, because the same input always encodes to exactly the same output.
## Encode
[root@Centos8 ~]# echo -n admin | base64
YWRtaW4=
[root@Centos8 ~]# echo -n vfan123 | base64
dmZhbjEyMw==
## Decode
[root@Centos8 ~]# echo -n dmZhbjEyMw== | base64 -d
vfan123
[root@Centos8 ~]# echo -n YWRtaW4= | base64 -d
admin
Create an Opaque Secret
vim secrets.yaml
...
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: dmZhbjEyMw==
  username: YWRtaW4=
...
kubectl create -f secrets.yaml
Mount this Secret into a Pod as a volume
[root@Centos8 secret]# vim s-volume.yaml
...
apiVersion: v1
kind: Pod
metadata:
  name: s-volume
  labels:
    type: opaque
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
  containers:
  - name: db
    image: hub.vfancloud.com/test/myapp:v1
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: secrets
      mountPath: /etc/secrets
      readOnly: true
...
[root@Centos8 secret]# kubectl create -f secrets.yaml
secret/mysecret created
## Enter the container
[root@Centos8 secret]# kubectl exec -it s-volume -- /bin/sh
/etc/secrets # ls
password  username
/etc/secrets # cat password
vfan123
/etc/secrets # cat username
admin
### The base64-encoded username and password arrive in the container as plaintext
Expose this Secret as environment variables of the Pod
vim s-env.yaml
...
apiVersion: v1
kind: Pod
metadata:
  name: s-env
  labels:
    type: opaque
spec:
  containers:
  - name: pod-1
    image: hub.vfancloud.com/test/myapp:v1
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
    env:
    - name: DB_USER
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: DB_PASSWD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
...
kubectl create -f s-env.yaml
## Check the environment variables inside the container
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=s-env
TERM=xterm
DB_USER=admin
DB_PASSWD=vfan123
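The base64 demonstration above and the plaintext that shows up in the container both make the same point: an Opaque Secret protects nothing from anyone who can read the Secret object. The script below is an added example (not from the original post); it decodes the keys of a Secret from the JSON that `kubectl get secret mysecret -o json` would return (constructed inline here), and also shows the classic `echo` without `-n` mistake that silently stores a trailing newline in the password.

```shell
#!/bin/sh
# Added example, not part of the original post. The JSON below is constructed
# to resemble `kubectl get secret mysecret -o json` for the Secret created
# above (metadata trimmed); the values are the post's own base64 strings.
MYSECRET_JSON='{"kind":"Secret","metadata":{"name":"mysecret"},"type":"Opaque","data":{"password":"dmZhbjEyMw==","username":"YWRtaW4="}}'

# Extract one key from Secret JSON on stdin and base64-decode it. Only sed and
# base64 are used, so against a live cluster the same pipeline works:
#   kubectl get secret mysecret -o json | decode_secret_key password
# Anyone with RBAC "get" on secrets can do this, which is why that verb matters.
decode_secret_key() {
  key="$1"
  sed -n "s|.*\"$key\":\"\([A-Za-z0-9+/=]*\)\".*|\1|p" | base64 -d
}

# Encode a value the way the post does: no trailing newline.
encode_value() {
  printf '%s' "$1" | base64
}

# The classic mistake: plain `echo` appends "\n", so the stored password becomes
# "vfan123\n" and the application's login fails for no visible reason.
encode_with_newline_bug() {
  echo "$1" | base64
}

# Byte length of a decoded value. A string comparison through $(...) would hide
# the bug because command substitution strips trailing newlines, so count bytes.
decoded_len() {
  printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Stand-alone run: show both decoded keys and the two encoded lengths.
main() {
  printf 'username=%s\n' "$(printf '%s' "$MYSECRET_JSON" | decode_secret_key username)"
  printf 'password=%s\n' "$(printf '%s' "$MYSECRET_JSON" | decode_secret_key password)"
  printf 'echo -n: %s bytes, echo: %s bytes\n' \
    "$(decoded_len "$(encode_value vfan123)")" \
    "$(decoded_len "$(encode_with_newline_bug vfan123)")"
}
main "$@"
```

Running it prints `username=admin`, `password=vfan123` and `echo -n: 7 bytes, echo: 8 bytes`; the extra byte is the newline that a Secret created with plain `echo` would carry into the container.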
kubernetes.io/dockerconfigjson
Storing docker registry authentication information
Open the Harbor image registry we set up earlier and create a private project (if you have not set up a private registry yet, see my other post: https://www.cnblogs.com/v-fan/p/13034272.html)
Create a Pod that pulls the image hub.vfancloud.com/test/myapp:v2 from the private registry
vim s-configjson.yaml
...
apiVersion: v1
kind: Pod
metadata:
  name: s-configjson
spec:
  containers:
  - name: configjson
    image: hub.vfancloud.com/test/myapp:v2
...
[root@Centos8 secret]# kubectl create -f s-configjson.yaml
pod/s-configjson created
### The image pull failed, because images in a private registry can only be pulled after logging in
[root@Centos8 secret]# kubectl get pod
NAME           READY   STATUS         RESTARTS   AGE
s-configjson   0/1     ErrImagePull   0          22s
### The error message from the Pod's detailed description
Failed to pull image "hub.vfancloud.com/test/myapp:v2": rpc error: code = Unknown desc = Error response from daemon: pull access denied for hub.vfancloud.com/test/myapp, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Configure a dockerconfigjson Secret
## Create the secret
[root@Centos8 secret]# kubectl create secret docker-registry myregistrykey --docker-server=hub.vfancloud.com --docker-username=admin --docker-password=Harbor12345 --docker-email=vfan8991
secret/myregistrykey created
## Add the setting to the manifest
[root@Centos8 secret]# vim s-configjson.yaml
...
apiVersion: v1
kind: Pod
metadata:
  name: s-configjson
spec:
  containers:
  - name: configjson
    image: hub.vfancloud.com/test/myapp:v2
  imagePullSecrets:
  - name: myregistrykey
...
[root@Centos8 secret]# kubectl create -f s-configjson.yaml
pod/s-configjson created
## Check: the image was pulled successfully
[root@Centos8 secret]# kubectl get pod
NAME           READY   STATUS    RESTARTS   AGE
s-configjson   1/1     Running   0          5s