kubernetes-密码管理

secret

官网地址: https://kubernetes.io/docs/concepts/configuration/secret/

创建

命令行创建

[root@bjcy-200 secret]# kubectl create secret generic mysecret1 --from-literal=username=bob --from-literal=password=123456
secret/mysecret1 created
[root@bjcy-200 secret]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-24blg   kubernetes.io/service-account-token   3      5d1h
mysecret1             Opaque                                2      8s

从文件中创建

[root@bjcy-200 secret]# echo -n "devops" > password
[root@bjcy-200 secret]# kubectl create secret generic mysecret2 --from-file=./password  
secret/mysecret2 created
[root@bjcy-200 secret]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-24blg   kubernetes.io/service-account-token   3      5d1h
mysecret1             Opaque                                2      6m5s
mysecret2             Opaque                                1      8s

从文件读取变量创建

[root@bjcy-200 secret]# cat env.txt 
password=devops
[root@bjcy-200 secret]# kubectl create secret generic mysecret3 --from-env-file=./env.txt 
secret/mysecret3 created
[root@bjcy-200 secret]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-24blg   kubernetes.io/service-account-token   3      5d1h
mysecret1             Opaque                                2      7m55s
mysecret2             Opaque                                1      118s
mysecret3             Opaque                                1      5s

yaml文件创建

    yaml方式创建需要使用 base64 进行编码.

[root@bjcy-200 secret]# echo -n "devops" | base64   # 编码 devops
ZGV2b3Bz
[root@bjcy-200 secret]# cat secret1.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: mysecret4
type: Opaque
data:
  password: ZGV2b3Bz
[root@bjcy-200 secret]# kubectl apply -f secret1.yaml 
secret/mysecret4 created
[root@bjcy-200 secret]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-24blg   kubernetes.io/service-account-token   3      5d1h
mysecret1             Opaque                                2      11m
mysecret2             Opaque                                1      5m24s
mysecret3             Opaque                                1      3m31s
mysecret4             Opaque                                1      8s

查看

[root@bjcy-200 secret]# kubectl describe secrets mysecret1 
Name:         mysecret1
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
username:  3 bytes
password:  6 bytes
[root@bjcy-200 secret]# kubectl get secrets mysecret1 -o yaml
apiVersion: v1
data:
  password: MTIzNDU2
  username: Ym9i
kind: Secret
metadata:
  creationTimestamp: "2020-09-03T16:30:33Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
        f:username: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-09-03T16:30:33Z"
  name: mysecret1
  namespace: default
  resourceVersion: "18499"
  selfLink: /api/v1/namespaces/default/secrets/mysecret1
  uid: 95540124-c44f-426b-9ec2-844cbf8dfa72
type: Opaque

# base64 解码
[root@bjcy-200 secret]# echo -n "Ym9i" | base64 --decode
bob[root@bjcy-200 secret]# 

使用

变量方式

root@env-pod:/# env
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_PORT=443
HOSTNAME=env-pod
PWD=/
PKG_RELEASE=1~buster
HOME=/root
KUBERNETES_PORT_443_TCP=tcp://192.168.0.1:443
SECRET_USERNAME=bob
NJS_VERSION=0.4.2
TERM=xterm
SHLVL=1
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=192.168.0.1
KUBERNETES_SERVICE_HOST=192.168.0.1
KUBERNETES_PORT=tcp://192.168.0.1:443
KUBERNETES_PORT_443_TCP_PORT=443
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NGINX_VERSION=1.19.1
SECRET_PASSWORD=123456
_=/usr/bin/env
root@env-pod:/# echo $SECRET_PASSWORD
123456
root@env-pod:/# echo $SECRET_USERNAME
bob
root@env-pod:/# exit
exit
[root@bjcy-200 secret]# cat env-pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: env-pod
  name: env-pod
spec:
  containers:
  - image: harbor.tcc.com/public/nginx
    name: env-pod
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret1
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret1
            key: password
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

[root@bjcy-200 secret]# kubectl apply -f env-pod1.yaml 
pod/env-pod created
[root@bjcy-200 secret]# kubectl get pods
NAME        READY   STATUS    RESTARTS   AGE
busyboxxx   1/1     Running   2          5d1h
env-pod     1/1     Running   0          5s
[root@bjcy-200 secret]# kubectl exec -it env-pod bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
root@env-pod:/# 

挂载卷方式

[root@bjcy-200 secret]# cat vloume-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: vloume-pod
  name: vloume-pod
spec:
  volumes:
  - name: vloume
    secret:
      secretName: mysecret1
      items:
      - key: username
        path: my-group/my-username
      - key: password
        path: my-group/my-password
        mode: 0777
  containers:
  - image: harbor.tcc.com/public/nginx
    name: vloume-pod
    volumeMounts:
    - name: vloume
      mountPath: "/vloume"
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

[root@bjcy-200 secret]# kubectl apply -f vloume-pod.yaml 
pod/vloume-pod created

[root@bjcy-200 secret]# kubectl exec -it vloume-pod sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
# ls /vloume/my-group/
my-password  my-username
# ls -l /vloume/my-group/
total 8
-rwxrwxrwx 1 root root 6 Sep  3 16:54 my-password
-rw-r--r-- 1 root root 3 Sep  3 16:54 my-username
# exit  
[root@bjcy-200 secret]# cat vloume-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: vloume-pod
  name: vloume-pod
spec:
  volumes:
  - name: vloume
    secret:
      secretName: mysecret1
  containers:
  - image: harbor.tcc.com/public/nginx
    name: vloume-pod
    volumeMounts:
    - name: vloume
      mountPath: "/vloume"
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

mysql示例

[root@bjcy-200 secret]# cat mysql.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  containers:
  - image: harbor.tcc.com/public/mysql
    name: mysql
    env:
      - name: MYSQL_ROOT_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret1
            key: password
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

[root@bjcy-200 secret]# kubectl get pods -o wide
NAME        READY   STATUS    RESTARTS   AGE     IP               NODE               NOMINATED NODE   READINESS GATES
busyboxxx   1/1     Running   2          5d2h    10.244.235.199   bjcy-182.host.io   <none>           <none>
env-pod     1/1     Running   0          13m     10.244.235.201   bjcy-182.host.io   <none>           <none>
mysql       1/1     Running   0          4m35s   10.244.235.202   bjcy-182.host.io   <none>           <none>
[root@bjcy-200 secret]# mysql -h 10.244.235.202 -uroot -p123456
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> exit
Bye

configmap

   官网地址: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/

   configmap 配置 和secret类似

创建

[root@bjcy-200 secret]# kubectl create configmap cm1 --from-literal=password=devops
configmap/cm1 created
[root@bjcy-200 secret]# cat cm-envpod.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: cm-pod
  name: cm-pod
spec:
  containers:
  - image: harbor.tcc.com/public/nginx
    name: cm-pod
    env:
      - name: SECRET_USERNAME
        valueFrom:
          configMapKeyRef:
            name: mysecret1
            key: username
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@bjcy-200 secret]# cat cm.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm2
  namespace: default
data:
  password: data1

查看

[root@bjcy-200 secret]# kubectl describe configmaps cm2
Name:         cm2
Namespace:    default
Labels:       <none>
Annotations:  
Data
====
password:
----
data1
Events:  <none>
[root@bjcy-200 secret]# kubectl get configmaps cm2 -o yaml
apiVersion: v1
data:
  password: data1
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"password":"data1"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"cm2","namespace":"default"}}
  creationTimestamp: "2020-09-03T17:29:25Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
    manager: kubectl
    operation: Update
    time: "2020-09-03T17:29:25Z"
  name: cm2
  namespace: default
  resourceVersion: "29597"
  selfLink: /api/v1/namespaces/default/configmaps/cm2
  uid: 0097fb1d-25ac-4add-a702-8bdc939e9556

使用

[root@bjcy-200 secret]# cat cm-envpod.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: cm-pod
  name: cm-pod
spec:
  containers:
  - image: harbor.tcc.com/public/nginx
    name: cm-pod
    env:
      - name: SECRET_USERNAME
        valueFrom:
          configMapKeyRef:
            name: mysecret1
            key: username
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@bjcy-200 secret]# cat cm.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm2
  namespace: default
data:
  password: data1

  

posted @ 2020-09-04 01:36  闫世成  阅读(399)  评论(0编辑  收藏  举报