Configuring Secrets for Containerized Applications
The Secret resource works much like a ConfigMap, but it is dedicated to holding sensitive data such as passwords, digital certificates, private keys, tokens and SSH keys, so that this data does not have to be exposed in an image or in the Pod spec. A Secret can be consumed as a volume or as environment variables.
I. Secret overview
A Secret object stores data and is consumed in the same way as a ConfigMap object: data is kept as key/value pairs and accessed from a Pod resource through environment variables or a storage volume. The difference is that a Secret object is distributed only to the worker nodes running Pods that reference it, and the node keeps it in memory only. In addition, Secret data is stored and printed as Base64-encoded strings, so users must also supply data in this encoding when creating a Secret object. When the data is accessed inside a container through environment variables or a volume, however, it is automatically decoded back to plain text.
1. Uses of Secret objects
Secret objects have two main uses: one is to be injected into a Pod as a storage volume for the container application to consume; the other is to provide authentication information to a private registry when the kubelet pulls images for the containers in a Pod. The Secret objects created later through a ServiceAccount resource are, however, a more secure approach.
2. Types of Secret resources
Secret resources come in four main types:
1) Opaque: user-defined content; a Base64-encoded Secret used to store passwords, keys, other information and certificates. Its kubectl subcommand identifier is generic. The original data can be recovered with base64 --decode, so its protection is weak.
2) kubernetes.io/service-account-token: the credentials of a Service Account, created automatically by Kubernetes when the Service Account is created. If a Pod uses a ServiceAccount, the corresponding Secret is automatically mounted into the Pod under the /run/secrets/kubernetes.io/serviceaccount directory.
3) kubernetes.io/dockerconfigjson: stores authentication information for a Docker image registry; its kubectl subcommand identifier is docker-registry.
4) kubernetes.io/tls: stores a certificate and private key file for SSL/TLS communication; when created imperatively its subcommand identifier is tls.
II. Creating Secret resources
There are two ways to create a Secret object manually: with the kubectl create command, or with a Secret configuration file (manifest).
1. Imperative creation
The syntax is as follows:
[root@k8s-master1 ~]# kubectl create secret --help
Create a secret using specified subcommand.

Available Commands:
  docker-registry Create a secret for use with a Docker registry
  generic         Create a secret from a local file, directory or literal value
  tls             Create a TLS secret

Usage:
  kubectl create secret [flags] [options]

Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).
To create a Secret object of type generic, the syntax is:
[root@k8s-master1 ~]# kubectl create secret generic --help
Create a secret based on a file, directory, or specified literal value.

A single secret may package one or more key/value pairs.

When creating a secret based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key or you wish to chose your own, you may specify an alternate key.

When creating a secret based on a directory, each file whose basename is a valid key in the directory will be packaged into the secret. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc).

Examples:
  # Create a new secret named my-secret with keys for each file in folder bar
  kubectl create secret generic my-secret --from-file=path/to/bar

  # Create a new secret named my-secret with specified keys instead of names on disk
  kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub

  # Create a new secret named my-secret with key1=supersecret and key2=topsecret
  kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret

  # Create a new secret named my-secret using a combination of a file and a literal
  kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret

  # Create a new secret named my-secret from an env file
  kubectl create secret generic my-secret --from-env-file=path/to/bar.env

Options:
      --allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
      --append-hash=false: Append a hash of the secret to its name.
      --dry-run='none': Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
      --field-manager='kubectl-create': Name of the manager used to track field ownership.
      --from-env-file='': Specify the path to a file to read lines of key=val pairs to create a secret (i.e. a Docker .env file).
      --from-file=[]: Key files can be specified using their file path, in which case a default name will be given to them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will iterate each named file in the directory that is a valid secret key.
      --from-literal=[]: Specify a key and literal value to insert in secret (i.e. mykey=somevalue)
  -o, --output='': Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.
      --save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
      --template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
      --type='': The type of secret to create
      --validate=true: If true, use a schema to validate the input before sending it

Usage:
  kubectl create secret generic NAME [--type=string] [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).
In many scenarios an application in a Pod needs a username and password to reach another service, such as a database system. A Secret object of this kind can be created directly with the command "kubectl create secret generic <SECRET_NAME> --from-literal=key=value"; when it is created for user authentication, the key names are conventionally username and password. For example, the command below creates a Secret object named mysql-auth with "root" as the username and "ikubernetes" as the password:
[root@k8s-master1 ~]# kubectl create secret generic mysql-auth --from-literal=username=root --from-literal=password=ikubernetes
secret/mysql-auth created
The attributes of the new resource can then be inspected. The commands and output below show that a Secret object created with the generic subcommand is of type Opaque, and that its key/value data is stored and printed in Base64 encoding:
[root@k8s-master1 ~]# kubectl get secrets mysql-auth
NAME         TYPE     DATA   AGE
mysql-auth   Opaque   2      3m29s
[root@k8s-master1 ~]# kubectl get secrets mysql-auth -o yaml
apiVersion: v1
data:
  password: aWt1YmVybmV0ZXM=
  username: cm9vdA==
kind: Secret
metadata:
  creationTimestamp: "2022-10-13T14:01:51Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
        f:username: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2022-10-13T14:01:51Z"
  name: mysql-auth
  namespace: default
  resourceVersion: "814371"
  selfLink: /api/v1/namespaces/default/secrets/mysql-auth
  uid: 5c42fb3b-af1f-4e29-90be-6ab40c2841b7
type: Opaque
Note, however, that the Base64 encoding of Secret data in Kubernetes is not encryption; many common tools decode it trivially, as the base64 command below shows:
[root@k8s-master1 ~]# echo aWt1YmVybmV0ZXM= | base64 -d
ikubernetes
For data that already lives in files, the "--from-file" option can load it directly when creating a generic Secret object. For example, to create a Secret object for SSH authentication, if no key files exist yet, first generate a key pair:
[root@k8s-master1 ~]# ssh-keygen -t rsa -P '' -f ${HOME}/.ssh/id_rsa
Then load the file contents into a Secret object with "kubectl create secret generic NAME --from-file=[key=]/PATH/TO/FILE":
[root@k8s-master1 ~]# kubectl create secret generic ssh-key-secret --from-file=ssh-privatekey=${HOME}/.ssh/id_rsa --from-file=ssh-publickey=${HOME}/.ssh/id_rsa.pub
secret/ssh-key-secret created
[root@k8s-master1 ~]# kubectl get secret ssh-key-secret
NAME             TYPE     DATA   AGE
ssh-key-secret   Opaque   2      17s
[root@k8s-master1 ~]# kubectl describe secret ssh-key-secret
Name:         ssh-key-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
ssh-privatekey:  1679 bytes
ssh-publickey:   398 bytes
[root@k8s-master1 ~]# kubectl get secret ssh-key-secret -o yaml
apiVersion: v1
data:
  ssh-privatekey: <Base64 private key data omitted>
  ssh-publickey: <Base64 public key data omitted>
kind: Secret
metadata:
  creationTimestamp: "2022-10-13T15:07:16Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ssh-privatekey: {}
        f:ssh-publickey: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2022-10-13T15:07:16Z"
  name: ssh-key-secret
  namespace: default
  resourceVersion: "825667"
  selfLink: /api/v1/namespaces/default/secrets/ssh-key-secret
  uid: 0c29717a-bf12-4535-a039-0e557239508d
type: Opaque
All Secrets created above are of type "Opaque".
To create a Secret object for SSL/TLS communication from a private key and a certificate file, use the command "kubectl create secret tls NAME --cert=path/to/cert/file --key=path/to/key/file". Its syntax is as follows:
[root@k8s-master1 ~]# kubectl create secret tls --help
Create a TLS secret from the given public/private key pair.

The public/private key pair must exist before hand. The public key certificate must be .PEM encoded and match the given private key.

Examples:
  # Create a new TLS secret named tls-secret with the given key pair:
  kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key

Options:
      --allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
      --append-hash=false: Append a hash of the secret to its name.
      --cert='': Path to PEM encoded public key certificate.
      --dry-run='none': Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
      --field-manager='kubectl-create': Name of the manager used to track field ownership.
      --key='': Path to private key associated with given certificate.
  -o, --output='': Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.
      --save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
      --template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
      --validate=true: If true, use a schema to validate the input before sending it

Usage:
  kubectl create secret tls NAME --cert=path/to/cert/file --key=path/to/key/file [--dry-run=server|client|none] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).
For example, suppose an SSL virtual host is needed to test Nginx. The user first generates a private key and a self-signed certificate with commands like these:
[root@k8s-master1 ~]# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
...........+++
e is 65537 (0x10001)
[root@k8s-master1 ~]# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=www.ilinux.io
[root@k8s-master1 ~]# ll nginx*
-rw-r--r-- 1 root root 1285 Oct 15 16:57 nginx.crt
-rw-r--r-- 1 root root 1679 Oct 15 16:42 nginx.key
The two files can then be turned into a Secret object with the following command. Note that whatever the names of the certificate and private key files supplied by the user, they are always stored under the keys tls.key (private key) and tls.crt (certificate):
[root@k8s-master1 ~]# mkdir secret
[root@k8s-master1 ~]# cd secret/
[root@k8s-master1 secret]# cp /root/nginx.crt .
[root@k8s-master1 secret]# cp /root/nginx.key .
[root@k8s-master1 secret]# ll
total 8
-rw-r--r-- 1 root root 1285 Oct 15 17:01 nginx.crt
-rw-r--r-- 1 root root 1679 Oct 15 17:01 nginx.key
[root@k8s-master1 secret]# kubectl create secret tls nginx-ssl --cert=./nginx.crt --key=./nginx.key
secret/nginx-ssl created
The type of the created Secret should be "kubernetes.io/tls", as the command output below shows:
[root@k8s-master1 secret]# kubectl get secrets nginx-ssl
NAME        TYPE                DATA   AGE
nginx-ssl   kubernetes.io/tls   2      17s
[root@k8s-master1 secret]# kubectl get secrets nginx-ssl -o yaml
apiVersion: v1
data:
  tls.crt: <Base64 certificate data omitted>
  tls.key: <Base64 private key data omitted>
kind: Secret
metadata:
  creationTimestamp: "2022-10-15T09:03:05Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:tls.crt: {}
        f:tls.key: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2022-10-15T09:03:05Z"
  name: nginx-ssl
  namespace: default
  resourceVersion: "834160"
  selfLink: /api/v1/namespaces/default/secrets/nginx-ssl
  uid: d6c1af85-7b43-4345-b082-9e4090860935
type: kubernetes.io/tls
[root@k8s-master1 secret]# kubectl describe secrets nginx-ssl
Name:         nginx-ssl
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1285 bytes
tls.key:  1679 bytes
As the procedure above shows, creating a Secret object imperatively is almost indistinguishable from creating a ConfigMap object.
2. Declarative (manifest) creation
A Secret resource is a standard Kubernetes API object. Besides the standard apiVersion, kind and metadata fields, the other fields available to it are as follows:
[root@k8s-master1 secret]# kubectl explain secret
KIND:     Secret
VERSION:  v1

DESCRIPTION:
     Secret holds secret data of a certain type. The total bytes of the values
     in the Data field must be less than MaxSecretSize bytes.

FIELDS:
   apiVersion   <string>
     APIVersion defines the versioned schema of this representation of an
     object. Servers should convert recognized schemas to the latest internal
     value, and may reject unrecognized values. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

   data   <map[string]string>   # "key:value" data, usually sensitive; values must be Base64-encoded strings, so the user has to encode them beforehand
     Data contains the secret data. Each key must consist of alphanumeric
     characters, '-', '_' or '.'. The serialized form of the secret data is a
     base64 encoded string, representing the arbitrary (possibly non-string)
     data value here. Described in https://tools.ietf.org/html/rfc4648#section-4

   immutable   <boolean>
     Immutable, if set to true, ensures that data stored in the Secret cannot
     be updated (only object metadata can be modified). If not set to true,
     the field can be modified at any time. Defaulted to nil. This is a beta
     field enabled by ImmutableEphemeralVolumes feature gate.

   kind   <string>
     Kind is a string value representing the REST resource this object
     represents. Servers may infer this from the endpoint the client submits
     requests to. Cannot be updated. In CamelCase. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

   metadata   <Object>
     Standard object's metadata. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

   stringData   <map[string]string>   # "key:value" data given in plain text (not Base64); the user need not encode it, it is encoded automatically when the Secret object is created and stored in the data field. The plain text in stringData is not output by the API Server, but if the object was created with "kubectl apply" the annotation may still expose it.
     stringData allows specifying non-binary secret data in string form. It is
     provided as a write-only convenience method. All keys and values are
     merged into the data field on write, overwriting any existing values. It
     is never output when reading from the API.

   type   <string>   # a type identifier provided only to ease programmatic handling of Secret data
     Used to facilitate programmatic handling of secret data.
1) Data supplied as Base64-encoded values
Manually encode the data in Base64:
[root@k8s-master1 secret]# echo -n 'admin' | base64
YWRtaW4=
[root@k8s-master1 secret]# echo -n 'Admin12345' | base64
QWRtaW4xMjM0NQ==
Decode:
[root@k8s-master1 secret]# echo QWRtaW4xMjM0NQ== | base64 -d
Admin12345
Example Secret manifest secret-demo-1.yaml:
[root@k8s-master1 secret]# vim secret-demo-1.yaml
[root@k8s-master1 secret]# cat secret-demo-1.yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-demo-1
type: Opaque
data:
  username: YWRtaW4=
  password: QWRtaW4xMjM0NQ==
[root@k8s-master1 secret]# kubectl apply -f secret-demo-1.yaml
secret/secret-demo-1 created
[root@k8s-master1 secret]# kubectl get secrets secret-demo-1
NAME            TYPE     DATA   AGE
secret-demo-1   Opaque   2      23s
[root@k8s-master1 secret]# kubectl get secrets secret-demo-1 -o yaml
apiVersion: v1
data:
  password: QWRtaW4xMjM0NQ==
  username: YWRtaW4=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"password":"QWRtaW4xMjM0NQ==","username":"YWRtaW4="},"kind":"Secret","metadata":{"annotations":{},"name":"secret-demo-1","namespace":"default"},"type":"Opaque"}
  creationTimestamp: "2022-10-15T09:28:29Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
        f:username: {}
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:type: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2022-10-15T09:28:29Z"
  name: secret-demo-1
  namespace: default
  resourceVersion: "838558"
  selfLink: /api/v1/namespaces/default/secrets/secret-demo-1
  uid: ed53f504-467b-40f4-bad8-10548d2cab5f
type: Opaque
[root@k8s-master1 secret]# kubectl describe secrets secret-demo-1
Name:         secret-demo-1
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  10 bytes
username:  5 bytes
2) Data supplied as plain-text key/value pairs
[root@k8s-master1 secret]# vim secret-demo-2.yaml
[root@k8s-master1 secret]# cat secret-demo-2.yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-demo-2
type: Opaque
stringData:
  username: redis
  password: redisp@ss
[root@k8s-master1 secret]# kubectl apply -f secret-demo-2.yaml
secret/secret-demo-2 created
[root@k8s-master1 secret]# kubectl get secrets secret-demo-2
NAME            TYPE     DATA   AGE
secret-demo-2   Opaque   2      13s
[root@k8s-master1 secret]# kubectl get secrets secret-demo-2 -o yaml
apiVersion: v1
data:
  password: cmVkaXNwQHNz
  username: cmVkaXM=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"secret-demo-2","namespace":"default"},"stringData":{"password":"redisp@ss","username":"redis"},"type":"Opaque"}
  creationTimestamp: "2022-10-15T09:32:59Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
        f:username: {}
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:type: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2022-10-15T09:32:59Z"
  name: secret-demo-2
  namespace: default
  resourceVersion: "839335"
  selfLink: /api/v1/namespaces/default/secrets/secret-demo-2
  uid: c21c3a61-8541-4b0b-86f8-1a7dad95053b
type: Opaque
[root@k8s-master1 secret]# kubectl describe secrets secret-demo-2
Name:         secret-demo-2
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  9 bytes
username:  5 bytes
Note that in the output above the kubectl.kubernetes.io/last-applied-configuration annotation still carries the plain-text stringData values, as the field description earlier warned. By comparison, creating a Secret object from a manifest for sensitive data stored in files requires the user first to read the data out, convert it to Base64 and then write it into the manifest; this is tedious and less convenient than imperative creation. If the same Secret has to be created repeatedly or rebuilt, however, saving it as a manifest is the appropriate choice.
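The manual steps of secret-demo-1.yaml (encode each value, write the data section, decode to check) as a small set of shell helpers. This is an added example, not code from the page; the function names are hypothetical, and it assumes only base64, sed and printf from a standard Linux userland.

```shell
# Added example (not from the page): helpers that perform the manual Base64
# steps behind secret-demo-1.yaml and read a value back out of the manifest.

# Encode stdin as a single Base64 line, like `echo -n ... | base64` on the page
# (GNU base64 wraps long output at 76 columns, hence the tr).
b64enc() {
  base64 | tr -d '\n'
}

# Decode one Base64 value back to plain text (the `base64 -d` step).
b64dec() {
  printf '%s' "$1" | base64 -d
}

# secret_manifest NAME key=value [key=value ...]
# Emits an Opaque Secret manifest with a Base64 `data:` section. printf '%s'
# is used rather than echo so that no newline is encoded into the value:
# `echo admin | base64` gives YWRtaW4K, while the page's `echo -n` gives
# YWRtaW4=; that stray newline is a classic cause of failed logins later.
secret_manifest() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}
    printf '  %s: %s\n' "$key" "$(printf '%s' "$value" | b64enc)"
  done
}

# secret_manifest_from_files NAME FILE [FILE ...]
# The --from-file behaviour: the key defaults to the file's basename and the
# value is the whole file content (binary-safe, base64 reads the file itself).
secret_manifest_from_files() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for f in "$@"; do
    printf '  %s: %s\n' "$(basename "$f")" "$(b64enc < "$f")"
  done
}

# secret_value MANIFEST_TEXT KEY
# Pull one key out of the manifest's data section and decode it: the check a
# reviewer runs before a manifest is committed, because Base64 hides nothing.
secret_value() {
  manifest=$1
  key=$2
  encoded=$(printf '%s\n' "$manifest" | sed -n "s/^  $key: //p")
  b64dec "$encoded"
}

# Demonstration on the page's own values; prints the secret-demo-1 manifest.
secret_manifest secret-demo-1 username=admin password=Admin12345
```

The data section produced matches the one in secret-demo-1.yaml, and `kubectl create secret generic ... --dry-run=client -o yaml` (the flag shown in the help output above) is the tool's own way to get the same manifest without contacting the cluster.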
III. Using Secrets
Much as a Pod uses a ConfigMap object, a Secret object can be injected as environment variables or mounted as a volume.
1. Injecting a Secret object as environment variables
This is done by nesting a secretKeyRef object under valueFrom in the env field. The syntax is:
[root@k8s-master1 secret]# kubectl explain pod.spec.containers.env.valueFrom.secretKeyRef
KIND:     Pod
VERSION:  v1

RESOURCE: secretKeyRef <Object>

DESCRIPTION:
     Selects a key of a secret in the pod's namespace

     SecretKeySelector selects a key of a Secret.

FIELDS:
   key   <string> -required-   # the name of the key to reference in the Secret object
     The key of the secret to select from. Must be a valid secret key.

   name   <string>   # the name of the Secret object
     Name of the referent. More info:
     https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

   optional   <boolean>   # whether this reference is optional for the current Pod resource
     Specify whether the Secret or its key must be defined
Environment variables populated this way behave no differently from directly defined ones. Below is a resource definition saved in the configuration file secret-env.yaml; it uses the data of the previously created mysql-auth Secret object and passes it directly to the custom container application.
The details of the mysql-auth Secret object are:
[root@k8s-master1 secret]# kubectl describe secret mysql-auth
Name:         mysql-auth
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  11 bytes
username:  4 bytes
Create a Pod resource that uses the mysql-auth object and passes the Secret's values directly to the container. Once the Pod has been created, the environment variables can be inspected with "kubectl exec":
[root@k8s-master1 secret]# vim secret-env.yaml
[root@k8s-master1 secret]# cat secret-env.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env
  labels:
    app: myapp
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    imagePullPolicy: IfNotPresent
    ports:
    - name: http
      containerPort: 80
    env:
    - name: MYSQL_USER_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-auth
          key: password
    - name: MYSQL_USER_NAME
      valueFrom:
        secretKeyRef:
          name: mysql-auth
          key: username
          optional: true
[root@k8s-master1 secret]# kubectl apply -f secret-env.yaml
pod/secret-env created
[root@k8s-master1 secret]# kubectl get pods secret-env -o wide
NAME         READY   STATUS    RESTARTS   AGE   IP              NODE        NOMINATED NODE   READINESS GATES
secret-env   1/1     Running   0          13s   10.244.36.104   k8s-node1   <none>           <none>
[root@k8s-master1 secret]# kubectl exec secret-env -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=secret-env
MYSQL_USER_PASSWORD=ikubernetes
MYSQL_USER_NAME=root
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
The envFrom field imports a whole Secret resource at once, and can import several Secret resource objects. The syntax is:
[root@k8s-master1 secret]# kubectl explain pod.spec.containers.envFrom.secretRef
KIND:     Pod
VERSION:  v1

RESOURCE: secretRef <Object>

DESCRIPTION:
     The Secret to select from

     SecretEnvSource selects a Secret to populate the environment variables
     with. The contents of the target Secret's Data field will represent the
     key-value pairs as environment variables.

FIELDS:
   name   <string>
     Name of the referent. More info:
     https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

   optional   <boolean>
     Specify whether the Secret must be defined
For example, rewriting the Pod resource from the previous example into the configuration file secret-envfrom.yaml shown below produces exactly the same result from the referenced Secret:
[root@k8s-master1 secret]# vim secret-envfrom.yaml
[root@k8s-master1 secret]# cat secret-envfrom.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-envfrom
  labels:
    app: myapp
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    imagePullPolicy: IfNotPresent
    ports:
    - name: http
      containerPort: 80
    envFrom:
    - secretRef:
        name: mysql-auth
[root@k8s-master1 secret]# kubectl apply -f secret-envfrom.yaml
pod/secret-envfrom created
[root@k8s-master1 secret]# kubectl get pods secret-envfrom
NAME             READY   STATUS    RESTARTS   AGE
secret-envfrom   1/1     Running   0          13s
[root@k8s-master1 secret]# kubectl exec secret-envfrom -- printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=secret-envfrom
password=ikubernetes
username=root
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_PORT=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_PORT_80_TCP_PORT=80
NGINX_VERSION=1.12.2
HOME=/root
2. Secret volumes
Using a Secret volume in a Pod is almost identical to using a ConfigMap volume, except that the volume type and the reference field become secret and secretName. It supports mounting the whole volume, mounting only selected keys of the volume, and mounting individual keys of the volume independently.
Below is an example of using a Secret resource, defined in the configuration file secret-volume.yaml. It associates nginx-ssl with the Pod resource as a Secret volume named nginxcert, which the web-server container mounts at /etc/nginx/ssl/:
[root@k8s-master1 secret]# vim secret-volume.yaml
[root@k8s-master1 secret]# cat secret-volume.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume
spec:
  containers:
  - name: web-server
    image: nginx:alpine
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: nginxcert
      mountPath: /etc/nginx/ssl/
      readOnly: true
  volumes:
  - name: nginxcert
    secret:
      secretName: nginx-ssl
[root@k8s-master1 secret]# kubectl apply -f secret-volume.yaml
pod/secret-volume created
[root@k8s-master1 secret]# kubectl get pods secret-volume
NAME            READY   STATUS    RESTARTS   AGE
secret-volume   1/1     Running   0          10s
After creation, list the files in the container's mount point to confirm that the mount succeeded. The command output below shows that the private key file tls.key and the certificate file tls.crt have been placed under the mount path:
[root@k8s-master1 secret]# kubectl exec secret-volume -- ls /etc/nginx/ssl/
tls.crt
tls.key
At this point an HTTPS virtual host configuration for the Nginx container application can be supplied through a ConfigMap object; it only needs to reference the private key and certificate files produced by the Secret object to define a containerized Nginx service.
IV. The imagePullSecret resource object
An imagePullSecret resource helps the kubelet pull images from a private image registry that requires authentication: it passes the password held in the Secret to the kubelet, so that the necessary authentication completes before the image is pulled.
There are two ways to use an imagePullSecret. One is to create a Secret object of type docker-registry and reference it explicitly through the "imagePullSecrets" field when defining the Pod resource. The other is to create a docker-registry Secret object and add it to a particular ServiceAccount object, so that Pods created with that ServiceAccount, as well as Pods that use it by default, automatically use the credentials from imagePullSecrets.
To create a Secret object of type docker-registry, use the command "kubectl create secret docker-registry NAME --docker-username=user --docker-password=password --docker-email=email", where the username, password and email are the credentials used with the docker login command. The full syntax is:
[root@k8s-master1 ~]# kubectl create secret docker-registry --help
Create a new secret for use with Docker registries.

Dockercfg secrets are used to authenticate against Docker registries.

When using the Docker command line to push images, you can authenticate to a given registry by running:
'$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.

That produces a ~/.dockercfg file that is used by subsequent 'docker push' and 'docker pull' commands to authenticate to the registry. The email address is optional.

When creating applications, you may have a Docker registry that requires authentication. In order for the nodes to pull images on your behalf, they have to have the credentials. You can provide this information by creating a dockercfg secret and attaching it to your service account.

Examples:
  # If you don't already have a .dockercfg file, you can create a dockercfg secret directly by using:
  kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

Options:
      --allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
      --append-hash=false: Append a hash of the secret to its name.
      --docker-email='': Email for Docker registry
      --docker-password='': Password for Docker registry authentication
      --docker-server='https://index.docker.io/v1/': Server location for Docker registry
      --docker-username='': Username for Docker registry authentication
      --dry-run='none': Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
      --field-manager='kubectl-create': Name of the manager used to track field ownership.
      --from-file=[]: Key files can be specified using their file path, in which case a default name will be given to them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will iterate each named file in the directory that is a valid secret key.
  -o, --output='': Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.
      --save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
      --template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
      --validate=true: If true, use a schema to validate the input before sending it

Usage:
  kubectl create secret docker-registry NAME --docker-username=user --docker-password=password --docker-email=email [--docker-server=string] [--from-literal=key1=value1] [--dry-run=server|client|none] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).
For example, the following command creates an imagePullSecret object named local-registry:
[root@k8s-master1 ~]# kubectl create secret docker-registry local-registry --docker-username=Ops --docker-password=Opspass --docker-email=ops@ilinux.io
secret/local-registry created
The type printed for this kind of Secret object is "kubernetes.io/dockerconfigjson", as the command output below shows:
[root@k8s-master1 ~]# kubectl get secrets local-registry
NAME             TYPE                             DATA   AGE
local-registry   kubernetes.io/dockerconfigjson   1      21s
[root@k8s-master1 ~]# kubectl describe secret local-registry
Name:         local-registry
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  131 bytes
[root@k8s-master1 ~]# kubectl get secret local-registry -o yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsidXNlcm5hbWUiOiJPcHMiLCJwYXNzd29yZCI6Ik9wc3Bhc3MiLCJlbWFpbCI6Im9wc0BpbGludXguaW8iLCJhdXRoIjoiVDNCek9rOXdjM0JoYzNNPSJ9fX0=
kind: Secret
metadata:
  creationTimestamp: "2022-10-15T12:09:27Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:.dockerconfigjson: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2022-10-15T12:09:27Z"
  name: local-registry
  namespace: default
  resourceVersion: "865782"
  selfLink: /api/v1/namespaces/default/secrets/local-registry
  uid: 1af41af5-28ee-4f4d-a53d-28dd4413f85f
type: kubernetes.io/dockerconfigjson
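What the .dockerconfigjson value above actually contains, built and inspected with shell helpers. This is an added example, not code from the page; the function names are hypothetical, the server defaults to https://index.docker.io/v1/ as in the help output (no --docker-server was given), and values are assumed to contain no '"' or '\' since no JSON escaping is done.

```shell
# Added example (not from the page): build and inspect the .dockerconfigjson
# payload that `kubectl create secret docker-registry` stores.

# The value kubectl stored for local-registry, copied from the page's output.
PAGE_DOCKERCONFIGJSON='eyJhdXRocyI6eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsidXNlcm5hbWUiOiJPcHMiLCJwYXNzd29yZCI6Ik9wc3Bhc3MiLCJlbWFpbCI6Im9wc0BpbGludXguaW8iLCJhdXRoIjoiVDNCek9rOXdjM0JoYzNNPSJ9fX0='

# docker_auth USER PASSWORD -> the "auth" field: Base64 of "USER:PASSWORD",
# the same token `docker login` writes to its config file.
docker_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# dockerconfigjson SERVER USER PASSWORD EMAIL -> the JSON document itself, in
# the field order kubectl uses. The password is present twice (plain and inside
# "auth"), so anyone allowed to read the Secret holds the registry login.
dockerconfigjson() {
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$4" "$(docker_auth "$2" "$3")"
}

# dockerconfigjson_manifest NAME SERVER USER PASSWORD EMAIL
# Declarative equivalent of the page's command: type kubernetes.io/dockerconfigjson
# and a single key, .dockerconfigjson, holding the Base64 of the JSON.
dockerconfigjson_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$1" "$(dockerconfigjson "$2" "$3" "$4" "$5" | base64 | tr -d '\n')"
}

# registry_login B64_DOCKERCONFIGJSON -> "USER:PASSWORD"
# Two decodes recover the credential; this is the audit check that shows why
# RBAC "get secrets" must be scoped as tightly as the registry password itself.
registry_login() {
  printf '%s' "$1" | base64 -d | sed 's/.*"auth":"\([^"]*\)".*/\1/' | base64 -d
}

# Demonstration: regenerate the page's Secret content and inspect it.
dockerconfigjson_manifest local-registry https://index.docker.io/v1/ Ops Opspass ops@ilinux.io
registry_login "$PAGE_DOCKERCONFIGJSON"
echo
```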
A Pod resource that uses an image from the corresponding private registry can then consume this Secret object through the imagePullSecrets field, as in the following manifest:
[root@k8s-master1 secret]# vim secret-imagePull.yaml
[root@k8s-master1 secret]# cat secret-imagePull.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env
  labels:
    app: myapp
spec:
  imagePullSecrets:
  - name: local-registry
  containers:
  - name: myapp
    image: registry.ilinux.io/dev/myimage
The manifest above is only an example that pulls the private-registry image registry.ilinux.io/dev/myimage. To run it, the contents of the Secret and the image reference in the manifest must be changed to real, usable values.