16 - K8S Basic - Secret Resource Usage Examples
I. Understanding Secrets
1.1 Introduction to the Secret resource
- A Secret object stores its data as key/value pairs. A Pod consumes a Secret either through environment variables or through a volume, which solves the problem of configuring passwords, tokens, keys and other sensitive data without exposing them in the image or in the Pod spec. The data of a Secret object is stored and printed as Base64-encoded strings, so when creating a Secret object the user also has to supply the data in that encoded form (the kubectl create secret subcommands shown below do the encoding for you); when a container reads the data through an environment variable or a volume it is decoded to plaintext automatically. Note that on the master node Secret objects are stored in etcd in unencrypted form, so the administration of and permissions on etcd must be controlled strictly.
1.2 Secret types
- Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into Pods at /run/secrets/kubernetes.io/serviceaccount.
- Opaque: a Secret holding Base64-encoded data, used to store passwords, keys, other information, certificates and so on; the type identifier on the command line is generic.
- kubernetes.io/dockerconfigjson: stores the credentials for a private docker registry; the type identifier on the command line is docker-registry (see kubectl explain pods.spec.imagePullSecrets).
- kubernetes.io/tls: stores the certificate and private key files for SSL communication; the type identifier for imperative creation is tls.
configmap]# kubectl create secret -h
Create a secret using specified subcommand.
Available Commands:
docker-registry Create a secret for use with a Docker registry
generic Create a secret from a local file, directory or literal value
tls Create a TLS secret
Usage:
kubectl create secret [flags] [options]
Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).
1.3 How Secrets are created and referenced
- Ways to create a Secret:
- With --from-literal:
- Given directly on the command line; each --from-literal corresponds to one entry.
- With --from-file:
- Loaded from a file; each file's content becomes one entry (by default the file name is the key and the file content is the value).
- Ways to reference a Secret:
- As a volume (pod.spec.volumes.secret)
- As an environment variable (env)
1.4 Hands-on: creating a mysql Pod (Secret type generic)
1.4.1 Creating a generic Secret with --from-literal, and a decode test
1. Look at the help for creating a Secret of type generic
configmap]# kubectl create secret generic -h
2. Create a Secret of type generic in this namespace, giving the key/value directly on the command line
# when the mysql container starts it needs MYSQL_ROOT_PASSWORD=xxxxx passed in to initialize the database
# type     name                 namespace  literal key/value
configmap]# kubectl create secret generic mysql-root-password -n config --from-literal=password=daizhe
secret/mysql-root-password created
3. Get the Secret that was created and its details in yaml format
configmap]# kubectl get secret -n config
NAME TYPE DATA AGE
default-token-k5gh4 kubernetes.io/service-account-token 3 6h47m
mysql-root-password Opaque 1 118s
configmap]# kubectl get secret mysql-root-password -n config -o yaml
apiVersion: v1
data:
  password: ZGFpemhl   # the password entered was daizhe; here it is shown Base64-encoded
kind: Secret
metadata:
  creationTimestamp: "2020-05-20T12:28:16Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-05-20T12:28:16Z"
  name: mysql-root-password
  namespace: config
  resourceVersion: "5297672"
  selfLink: /api/v1/namespaces/config/secrets/mysql-root-password
  uid: ab0aa170-f72f-4a21-801e-ac8ea5f2fd5a
type: Opaque
4. Decode the password just stored in the generic Secret
configmap]# echo ZGFpemhl | base64 -d
daizhe[root@k8s configmap]#
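The two manual steps above (Base64 on create, base64 -d on read) as an added shell example; this is not part of the original notes. The functions below build an Opaque Secret manifest with Base64-encoded data: entries the way --from-literal and --from-file do, and decode every entry of a manifest's data: block in one go instead of one value at a time. The function names (make_secret_manifest, file_entry, decode_secret_data) and the sample values are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original notes): build an Opaque Secret manifest
# the way `kubectl create secret generic --from-literal/--from-file` does, then
# decode the data: block of a manifest the way `kubectl get secret -o yaml` plus
# `base64 -d` is done by hand above. All inputs here are constructed.

# b64 STRING -> single-line Base64 (coreutils base64 wraps at 76 columns)
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# make_secret_manifest NAME NAMESPACE KEY=VALUE [KEY=VALUE...]
# Emits an Opaque Secret; values land under data: Base64-encoded, as the API expects.
make_secret_manifest() {
  name=$1; ns=$2; shift 2
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n' "$name" "$ns"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# file_entry FILE -> KEY=VALUE with the file name as key (what --from-file does).
# $(cat) drops a trailing newline, matching the `echo -n` used to write the files.
file_entry() { printf '%s=%s' "$(basename "$1")" "$(cat "$1")"; }

# decode_secret_data MANIFEST_FILE -> prints key=plaintext for every data: entry
decode_secret_data() {
  awk '/^data:/ {inblk=1; next}
       inblk && /^[^ ]/ {inblk=0}
       inblk && /^  [^ ]/ {sub(/^  /, ""); print}' "$1" |
  while IFS=': ' read -r key value; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$value" | base64 -d)"
  done
}

# Demo with constructed values: one --from-literal style entry (password=daizhe,
# as in the notes) and one --from-file style entry read from a temp file.
demo() {
  tmp=$(mktemp -d)
  printf '%s' admin > "$tmp/username"
  make_secret_manifest mysql-root-password config password=daizhe "$(file_entry "$tmp/username")" > "$tmp/secret.yaml"
  cat "$tmp/secret.yaml"
  decode_secret_data "$tmp/secret.yaml"
  rm -rf "$tmp"
}
demo
```

Feeding the generated manifest to kubectl apply -f gives the same object as the kubectl create secret generic command above; the point of the decoder is that anyone who can read the Secret object gets the plaintext just as easily, which is why the etcd and RBAC warning in 1.1 matters.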
1.4.2 Defining a Pod that references the generic Secret
- Ways to reference a Secret:
- As a volume (pod.spec.volumes.secret)
- As an environment variable (env)
1.4.2.1 Referencing the Secret from the Pod through environment variables
- kubectl explain pods.spec.containers.env
- name
- value
- valueFrom
- secretKeyRef
- key: which key in the referenced Secret to use
- name: the name of the Secret to reference; it must be in the same namespace as the Pod
- optional: whether the reference is optional, i.e. the Pod starts whether or not the variable can be resolved; the default is required
1. Create the Pod resource manifest
configmap]# cat config-mysql.yaml
apiVersion: v1
kind: Pod
# metadata
metadata:
  # pod name
  name: mysql
  # the namespace must be the same as the Secret's
  namespace: config
  labels:
    app: mysql
# pod spec
spec:
  # containers running in the pod
  containers:
  - name: mysql
    image: mysql:5.6
    # pass the value in through an environment variable
    env:
    # the variable name the container image expects
    - name: MYSQL_ROOT_PASSWORD
      # previously this was value: xxxx; now the value is taken from a reference
      valueFrom:
        # reference a Secret
        secretKeyRef:
          # name of the Secret being referenced
          name: mysql-root-password
          # the key defined earlier in the Secret
          key: password
    # - name: MYSQL_ROOT_PASSWORD
    #   valueFrom:
    #     secretKeyRef:
    #       name: mysql_root_password
    #       key: password
2. Create the Pod resource with the declarative interface
configmap]# kubectl apply -f config-mysql.yaml
pod/mysql created
3. Check the Pod that was created
configmap]# kubectl get pods -n config -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
myapp-pod 1/1 Running 0 4h35m 10.244.2.36 k8s.node2 <none> <none>
mysql 1/1 Running 0 93s 10.244.2.37 k8s.node2 <none> <none>
4. Connect to the Pod and verify that the variable was passed in
configmap]# kubectl exec -it mysql -n config -- /bin/sh
# mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
# mysql -pdaizhe
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.48 MySQL Community Server (GPL)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> exit
Bye
# printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=mysql
MYSQL_MAJOR=5.6
HOME=/root
MYSQL_ROOT_PASSWORD=daizhe # the referenced variable is visible in plaintext
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MYSQL_VERSION=5.6.48-1debian9
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
GOSU_VERSION=1.12
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
1.5 Demonstration: loading a Secret with --from-file, and referencing it as a volume
1.5.1 A common Secret use case
- For example, the tomcat basic auth user.html configuration: the username and password for the authentication page are stored Base64-encoded in a Secret and mounted into the tomcat Pod as a volume.
1.5.2 Creating a Secret from file contents with --from-file
[root@k8s-master ~]# echo -n admin > ./username
[root@k8s-master ~]# echo -n 123456 > ./password
[root@k8s-master ~]# kubectl create secret generic mysecret --from-file=./username --from-file=./password
secret/mysecret created
[root@k8s-master ~]# kubectl get secret
NAME TYPE DATA AGE
mysecret Opaque 2 6s
1.5.3 Defining a Pod that references the Secret
- Ways to reference a Secret:
- As a volume
- As an environment variable
1.5.3.1 Referencing the Secret from the Pod through a volume
- kubectl explain pods.spec.volumes.secret
- secretName: the name of the Secret resource
- items: which keys of this Secret to map to configuration files
- key: the key to reference
- mode: the file mode of the mapped file; if not set, defaultMode applies
- path: the file path to map to; must be a relative path
- defaultMode: the file mode of the mapped configuration files; defaults to 0644 for files and 0777 for directories
- As can be seen, Kubernetes creates one file per entry of sensitive data under the given path /etc/foo; the file name is the entry's key, here /etc/foo/username and /etc/foo/password, and the value is stored in the file in plaintext.
- The file names can also be customised, for example by changing the manifest to:
[root@k8s-master volumes]# cat pod-secret-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret
spec:
  containers:
  - name: pod-secret
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10;touch /tmp/healthy;sleep 30000
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:   # custom file names for the data
      - key: username
        path: my-secret/my-username
      - key: password
        path: my-secret/my-password
[root@k8s-master volumes]# kubectl delete pods pod-secret
pod "pod-secret" deleted
[root@k8s-master volumes]# kubectl apply -f pod-secret-demo.yaml
pod/pod-secret created
[root@k8s-master volumes]# kubectl exec -it pod-secret sh
/ # cat /etc/foo/my-secret/my-username
admin
/ # cat /etc/foo/my-secret/my-password
123456
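An added example, not from the original notes: a shell emulation of the secret volume layout, so the effect of items, path, mode and defaultMode can be seen on a plain filesystem without a cluster. It reproduces the ..data symlink indirection that shows up in the ls -l output of the certs directory further down; the kubelet writes each version of the Secret into a timestamped directory and repoints ..data so an update is atomic. The names project_secret and perms and all values are this example's own.

```sh
#!/bin/sh
# Added example (not from the original notes): emulate how a secret volume is
# laid out so items/path/mode/defaultMode can be inspected without a cluster.
# Layout mirrors `ls -l` inside the pod: each top-level name is a symlink into
# ..data, which is itself a symlink to a timestamped directory holding the files.
# Secret values and the mount directory are constructed here.

# project_secret MOUNT DEFAULT_MODE KEY=VALUE[:PATH[:MODE]] ...
#   KEY=VALUE            -> file named KEY (no items:, like /etc/foo/username)
#   KEY=VALUE:PATH       -> file at relative PATH (items: path)
#   KEY=VALUE:PATH:MODE  -> as above with a per-item mode: overriding DEFAULT_MODE
# VALUE must not contain ':' in this simplified parser.
project_secret() {
  mount=$1; default_mode=$2; shift 2
  versioned="$mount/..$(date +%Y_%m_%d_%H_%M_%S).$$"
  mkdir -p "$versioned"
  for entry in "$@"; do
    key=${entry%%=*}
    spec=${entry#*=}                      # VALUE[:PATH[:MODE]]
    value=${spec%%:*}
    rest=${spec#"$value"}; rest=${rest#:}
    path=${rest%%:*}; [ -n "$path" ] || path=$key
    mode=${rest#"$path"}; mode=${mode#:}; [ -n "$mode" ] || mode=$default_mode
    # the API server rejects absolute paths and paths that climb out of the volume
    case $path in /*|*..*) echo "path must be relative and must not contain ..: $path" >&2; return 1;; esac
    mkdir -p "$versioned/$(dirname "$path")"
    printf '%s' "$value" > "$versioned/$path"
    chmod "$mode" "$versioned/$path"
    # only the first path component is linked at the top level (myapp.crt -> ..data/myapp.crt)
    top=${path%%/*}
    [ -L "$mount/$top" ] || ln -s "..data/$top" "$mount/$top"
  done
  # repoint ..data last: this is the atomic switch to the new version
  ln -sfn "$(basename "$versioned")" "$mount/..data"
}

# perms FILE -> permission string of the file a symlink resolves to, e.g. -rw-------
perms() { ls -lL "$1" | cut -c1-10; }

# Demo: the two items from pod-secret-demo.yaml, the password with mode 0400
demo() {
  mnt=$(mktemp -d)
  project_secret "$mnt" 0644 \
    username=admin:my-secret/my-username \
    password=123456:my-secret/my-password:0400
  ls -l "$mnt"
  ls -lL "$mnt/my-secret"
  cat "$mnt/my-secret/my-username"; echo
  rm -rf "$mnt"
}
demo
```

Two things the emulation makes visible that the manifest alone does not: a per-item mode only narrows the one file it names (the others keep defaultMode), and because the files are reached through symlinks, tools that check or copy "the file" should follow the link (ls -lL, cat) or they will only see a 16-byte symlink.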
1.6 Using a tls-type Secret
See 12 - Ingress resources: introduction and practice → tls-type Secret usage example
1.6.1 Creating a tls-type Secret
1. Generate a self-signed certificate
[root@k8s ingress]# mkdir ssl
[root@k8s ingress]# cd ssl/
# private key
ssl]# openssl genrsa -out myapp.key 2048
Generating RSA private key, 2048 bit long modulus
.................+++
..................................+++
e is 65537 (0x10001)
# certificate
ssl]# openssl req -new -x509 -key myapp.key -out myapp.crt -subj /C=CN/ST=Beijing/L=Beijing/O=Ops/CN=www.toptops.top -days 3650
ssl]# ls
myapp.crt myapp.key
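Added example, not from the original notes: a pre-flight check to run on myapp.key and myapp.crt before kubectl create secret tls, confirming that the private key really belongs to the certificate and that the certificate is not close to expiry. kubectl rejects a mismatched pair but does not look at expiry at all. The function names and the placeholder CN www.example.test are this example's own; it needs the openssl CLI.

```sh
#!/bin/sh
# Added example (not from the original notes): check a key/cert pair before it
# becomes a kubernetes.io/tls Secret. Requires the openssl CLI.

# make_self_signed KEY CRT CN DAYS  (the same two openssl steps as the notes)
make_self_signed() {
  openssl genrsa -out "$1" 2048 2>/dev/null &&
  openssl req -new -x509 -key "$1" -out "$2" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Ops/CN=$3" -days "$4" 2>/dev/null
}

# key_matches_cert KEY CRT -> 0 if the public key inside CRT is the one derived from KEY
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# cert_valid_for CRT SECONDS -> 0 if CRT does not expire within SECONDS
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

# preflight KEY CRT -> 0 when the pair is fit to become a tls Secret; reasons go to stderr
preflight() {
  key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; return 1; }
  cert_valid_for "$2" $((30*24*3600)) || { echo "certificate expires within 30 days" >&2; return 1; }
}

# Demo: generate a pair with a placeholder CN, check it, print the create command
demo() {
  d=$(mktemp -d)
  make_self_signed "$d/myapp.key" "$d/myapp.crt" www.example.test 3650
  if preflight "$d/myapp.key" "$d/myapp.crt"; then
    echo "ok: kubectl create secret tls mysql-crt -n config --cert=$d/myapp.crt --key=$d/myapp.key"
  fi
  rm -rf "$d"
}
command -v openssl >/dev/null 2>&1 && demo
```

The 30-day window is an arbitrary threshold for the example; the useful habit is that a tls Secret carries an expiry the cluster will not warn about, so the check belongs in whatever pipeline renews and re-applies the Secret.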
2. Create the tls-type Secret (the self-signed certificate has to be turned into a Secret resource before k8s can reference it)
ssl]# kubectl create secret tls -h
Usage:
kubectl create secret tls NAME --cert=path/to/cert/file --key=path/to/key/file [--dry-run=server|client|none] [options]
# -n: the namespace; must be the same as the pod's
# --dry-run: dry-run mode, nothing is created
# mysql-crt: the name of the Secret being created
ssl]# kubectl create secret tls mysql-crt -n config --cert=myapp.crt --key=myapp.key --dry-run
ssl]# kubectl create secret tls mysql-crt --cert=myapp.crt --key=myapp.key -n config
secret/mysql-crt created
3. List the Secrets, then look at the certificate details of the one just created by name
ssl]# kubectl get secret -n config
NAME TYPE DATA AGE
default-token-k5gh4 kubernetes.io/service-account-token 3 3d2h
mysql-crt kubernetes.io/tls 2 78s
mysql-root-password Opaque 1 2d19h
ssl]# kubectl get secret -n config -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    ca.crt: <base64 data omitted>
    namespace: Y29uZmln
    token: <service-account token omitted>
  kind: Secret
  metadata:
    annotations:
      kubernetes.io/service-account.name: default
      kubernetes.io/service-account.uid: 1ae6f275-9a8a-4843-ada6-993b4e4d0824
    creationTimestamp: "2020-05-20T05:43:03Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:ca.crt: {}
          f:namespace: {}
          f:token: {}
        f:metadata:
          f:annotations:
            .: {}
            f:kubernetes.io/service-account.name: {}
            f:kubernetes.io/service-account.uid: {}
        f:type: {}
      manager: kube-controller-manager
      operation: Update
      time: "2020-05-20T05:43:03Z"
    name: default-token-k5gh4
    namespace: config
    resourceVersion: "5236383"
    selfLink: /api/v1/namespaces/config/secrets/default-token-k5gh4
    uid: 97bc5a57-702e-4302-92a4-fdd772b100d6
  type: kubernetes.io/service-account-token
- apiVersion: v1
  data:
    tls.crt: <base64 data omitted>
    tls.key: <base64 data omitted>
  kind: Secret
  metadata:
    creationTimestamp: "2020-05-23T07:43:28Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:tls.crt: {}
          f:tls.key: {}
        f:type: {}
      manager: kubectl
      operation: Update
      time: "2020-05-23T07:43:28Z"
    name: mysql-crt
    namespace: config
    resourceVersion: "5907201"
    selfLink: /api/v1/namespaces/config/secrets/mysql-crt
    uid: fb0d81da-9280-49d9-a740-81033bf4124a
  type: kubernetes.io/tls
- apiVersion: v1
  data:
    password: ZGFpemhl
  kind: Secret
  metadata:
    creationTimestamp: "2020-05-20T12:28:16Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:password: {}
        f:type: {}
      manager: kubectl
      operation: Update
      time: "2020-05-20T12:28:16Z"
    name: mysql-root-password
    namespace: config
    resourceVersion: "5297672"
    selfLink: /api/v1/namespaces/config/secrets/mysql-root-password
    uid: ab0aa170-f72f-4a21-801e-ac8ea5f2fd5a
  type: Opaque
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
ssl]# kubectl describe secret mysql-crt -n config
Name: mysql-crt
Namespace: config
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1184 bytes
tls.key: 1679 bytes
1.6.2 Creating a myapp Pod that uses the tls Secret through a volume mount
1. Create the pod resource manifest
configmap]# cat config-myapp-tls.yaml
apiVersion: v1
kind: Pod
# metadata
metadata:
  # pod name
  name: myapp-pod-tls
  # the namespace must be the same as the ConfigMap's
  namespace: config
  labels:
    app: myapp
# pod spec
spec:
  # containers running in the pod
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    # volume mounts of the container
    volumeMounts:
    # name of the volume defined below
    - name: config
      # mount point inside the container
      mountPath: /etc/nginx/conf.d/
    #########tls#########
    - name: tls
      mountPath: /etc/nginx/certs/
  # volumes available to the pod
  volumes:
  # volume name
  - name: config
    # volume type
    configMap:
      # name of the configmap created beforehand
      name: nginx-cfg
      # which keys of this configmap to use
      items:
      # key to reference
      - key: server1.conf
        # file name inside the container (same as the key if not given)
        path: server-first.conf
      - key: server-second.conf
        path: server-second.conf
  #############tls############
  - name: tls
    secret:
      name: mysql-crt
      item:
      - key: tls.crt
        path: myapp.crt
      - key: tls.key
        path: myapp.key
        mode: 0600
[root@k8s configmap]# vim config-myapp-tls.yaml
# the first version used name and item under secret:, which are not fields of a secret volume; the corrected manifest uses secretName and items
[root@k8s configmap]# cat config-myapp-tls.yaml
apiVersion: v1
kind: Pod
# metadata
metadata:
  # pod name
  name: myapp-pod-tls
  # the namespace must be the same as the ConfigMap's
  namespace: config
  labels:
    app: myapp
# pod spec
spec:
  # containers running in the pod
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    # volume mounts of the container
    volumeMounts:
    # name of the volume defined below
    - name: config
      # mount point inside the container
      mountPath: /etc/nginx/conf.d/
    #########secret-tls-mount#########
    - name: tls
      mountPath: /etc/nginx/certs/
  # volumes available to the pod
  volumes:
  # volume name
  - name: config
    # volume type
    configMap:
      # name of the configmap created beforehand
      name: nginx-cfg
      # which keys of this configmap to use
      items:
      # key to reference
      - key: server1.conf
        # file name inside the container (same as the key if not given)
        path: server-first.conf
      - key: server-second.conf
        path: server-second.conf
  #############secret-tls-volume-definition############
  - name: tls
    secret:
      secretName: mysql-crt
      items:
      - key: tls.crt
        path: myapp.crt
      - key: tls.key
        path: myapp.key
        mode: 0600
2. Create this Pod resource with the declarative interface
configmap]# kubectl apply -f config-myapp-tls.yaml
pod/myapp-pod-tls created
3. Check the Pod resource and its details
configmap]# kubectl get pods -n config -o wide --show-labels
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
myapp-pod 1/1 Running 0 2d23h 10.244.2.36 k8s.node2 <none> <none> app=redis
myapp-pod-tls 1/1 Running 0 117s 10.244.1.46 k8s.node1 <none> <none> app=myapp
4. Verify the mounted volume interactively
configmap]# kubectl exec -it myapp-pod-tls -n config -- /bin/sh
/ # cd /etc/nginx/
/etc/nginx # ls
certs fastcgi.conf.default koi-utf mime.types.default nginx.conf.default uwsgi_params
conf.d fastcgi_params koi-win modules scgi_params uwsgi_params.default
fastcgi.conf fastcgi_params.default mime.types nginx.conf scgi_params.default win-utf
/etc/nginx # cd certs/
/etc/nginx/certs # ls
myapp.crt myapp.key
/etc/nginx/certs # ll
/bin/sh: ll: not found
/etc/nginx/certs # ls -l
total 0
lrwxrwxrwx 1 root root 16 May 23 07:59 myapp.crt -> ..data/myapp.crt
lrwxrwxrwx 1 root root 16 May 23 07:59 myapp.key -> ..data/myapp.key
/etc/nginx/certs # cat myapp.crt
-----BEGIN CERTIFICATE-----
<certificate body omitted>
-----END CERTIFICATE-----
1.7 docker-registry type Secret
1. Example of a docker-registry type Secret
configmap]# kubectl create secret docker-registry -h
Create a new secret for use with Docker registries.
Dockercfg secrets are used to authenticate against Docker registries.
When using the Docker command line to push images, you can authenticate to a given registry by running:
'$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.
That produces a ~/.dockercfg file that is used by subsequent 'docker push' and 'docker pull' commands to authenticate
to the registry. The email address is optional.
When creating applications, you may have a Docker registry that requires authentication. In order for the
nodes to pull images on your behalf, they have to have the credentials. You can provide this information
by creating a dockercfg secret and attaching it to your service account.
Examples:
# If you don't already have a .dockercfg file, you can create a dockercfg secret directly by using:
# example
kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER
--docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
2. If a container in the Pod pulls its image from a private registry, the Pod has to reference this Secret
http://www.imooc.com/article/263322
https://blog.csdn.net/triThirty/article/details/100040819
https://www.jianshu.com/p/a0f9a19beb62
1.7.1 Hands-on: pulling from a private registry with a docker-registry type Secret
1. Modify docker on every k8s node
# for other docker hosts to use this local image registry directly, the docker unit file has to be changed
# note: --insecure-registry turns off TLS verification for that registry, and -H tcp://0.0.0.0:2375 exposes the Docker API without authentication on every interface, which is equivalent to root on the node; keep both confined to an isolated lab network
~]# cat /lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry=192.168.20.248 \
-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
ExecStartPost=/usr/sbin/iptables -P FORWARD ACCEPT
2. Create the Secret
configmap]# kubectl create secret docker-registry regsecret --docker-server=192.168.20.248 --docker-username=admin --docker-password=Harbor12345 --docker-email=zhe.dai@xiaoyangedu.com -n config
configmap]# kubectl get secret -n config
NAME TYPE DATA AGE
default-token-k5gh4 kubernetes.io/service-account-token 3 3d2h
mysql-crt kubernetes.io/tls 2 33m
mysql-root-password Opaque 1 2d19h
regsecret kubernetes.io/dockerconfigjson 1 33s
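Added example, not part of the original notes: what kubectl create secret docker-registry packs into the Secret, built by hand so the two Base64 layers are visible (.dockerconfigjson is Base64 of a JSON document, and the auth field inside that JSON is Base64 of user:password), plus a helper that decodes a manifest back to user:password for auditing what a Secret actually grants. The registry host registry.example.test and the credentials admin/changeme are constructed placeholders, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original notes): build a kubernetes.io/dockerconfigjson
# Secret manifest by hand and decode one. Registry, user and password are placeholders.

# b64 STRING -> single-line Base64
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# dockerconfigjson SERVER USER PASSWORD [EMAIL]
# Same field set kubectl writes into the entry: username, password, email and
# auth = Base64("user:password"). Values must not contain '"' in this simple builder.
dockerconfigjson() {
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "${4:-}" "$(b64 "$2:$3")"
}

# registry_secret_manifest NAME NAMESPACE SERVER USER PASSWORD [EMAIL]
# The outer layer: the whole JSON goes under data: as the single key .dockerconfigjson.
registry_secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\ntype: kubernetes.io/dockerconfigjson\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  .dockerconfigjson: %s\n' \
    "$1" "$2" "$(b64 "$(dockerconfigjson "$3" "$4" "$5" "$6")")"
}

# registry_secret_auth MANIFEST_FILE -> user:password recovered from the manifest
# (what an auditor does to learn which registry account a Pod runs with)
registry_secret_auth() {
  awk '/^  \.dockerconfigjson:/ {print $2}' "$1" | base64 -d |
  sed 's/.*"auth":"\([^"]*\)".*/\1/' | base64 -d
}

# Demo with placeholder values; the real notes used a local Harbor at 192.168.20.248
demo() {
  t=$(mktemp)
  registry_secret_manifest regsecret config registry.example.test admin changeme > "$t"
  cat "$t"
  printf 'decoded auth: %s\n' "$(registry_secret_auth "$t")"
  rm -f "$t"
}
demo
```

Because the registry password is recoverable from the Secret with two base64 -d calls, the account behind a pull Secret should be a read-only robot account scoped to the projects the namespace needs, not the registry admin user.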
3. Create a standalone Pod (not managed by a controller)
configmap]# cat config-reg-pod.yaml
apiVersion: v1
kind: Pod
# metadata
metadata:
  # pod name
  name: xygateway-demo
  # the namespace must be the same as the Secret's
  namespace: config
  labels:
    app: xygateway
# pod spec
spec:
  # containers running in the pod
  containers:
  - name: xygateway
    image: 192.168.20.248/paikecloud/gateway:1.0.0-alpha
  # the Secret the node uses to pull from the private registry
  imagePullSecrets:
  - name: regsecret
configmap]# kubectl apply -f config-reg-pod.yaml
pod/xygateway-demo created
configmap]# kubectl get pods -n config
NAME READY STATUS RESTARTS AGE
xygateway-demo 1/1 Running 1 107s
The places I long for are far away and the things I like are expensive; that is what I work towards.