kubernetes-密码管理
secret
官网地址: https://kubernetes.io/docs/concepts/configuration/secret/
创建
命令行创建
[root@bjcy-200 secret]# kubectl create secret generic mysecret1 --from-literal=username=bob --from-literal=password=123456 secret/mysecret1 created [root@bjcy-200 secret]# kubectl get secret NAME TYPE DATA AGE default-token-24blg kubernetes.io/service-account-token 3 5d1h mysecret1 Opaque 2 8s
从文件中创建
[root@bjcy-200 secret]# echo -n "devops" > password [root@bjcy-200 secret]# kubectl create secret generic mysecret2 --from-file=./password secret/mysecret2 created [root@bjcy-200 secret]# kubectl get secrets NAME TYPE DATA AGE default-token-24blg kubernetes.io/service-account-token 3 5d1h mysecret1 Opaque 2 6m5s mysecret2 Opaque 1 8s
从文件读取变量创建
[root@bjcy-200 secret]# cat env.txt password=devops [root@bjcy-200 secret]# kubectl create secret generic mysecret3 --from-env-file=./env.txt secret/mysecret3 created [root@bjcy-200 secret]# kubectl get secrets NAME TYPE DATA AGE default-token-24blg kubernetes.io/service-account-token 3 5d1h mysecret1 Opaque 2 7m55s mysecret2 Opaque 1 118s mysecret3 Opaque 1 5s
yaml文件创建
yaml方式创建需要先用 base64 对值进行编码。注意 base64 只是编码而不是加密，任何有权限读取该 Secret 的人都能直接解码出明文。
[root@bjcy-200 secret]# echo -n "devops" | base64 # 编码 devops ZGV2b3Bz [root@bjcy-200 secret]# cat secret1.yaml apiVersion: v1 kind: Secret metadata: name: mysecret4 type: Opaque data: password: ZGV2b3Bz [root@bjcy-200 secret]# kubectl apply -f secret1.yaml secret/mysecret4 created [root@bjcy-200 secret]# kubectl get secrets NAME TYPE DATA AGE default-token-24blg kubernetes.io/service-account-token 3 5d1h mysecret1 Opaque 2 11m mysecret2 Opaque 1 5m24s mysecret3 Opaque 1 3m31s mysecret4 Opaque 1 8s
查看
[root@bjcy-200 secret]# kubectl describe secrets mysecret1 Name: mysecret1 Namespace: default Labels: <none> Annotations: <none> Type: Opaque Data ==== username: 3 bytes password: 6 bytes [root@bjcy-200 secret]# kubectl get secrets mysecret1 -o yaml apiVersion: v1 data: password: MTIzNDU2 username: Ym9i kind: Secret metadata: creationTimestamp: "2020-09-03T16:30:33Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:password: {} f:username: {} f:type: {} manager: kubectl operation: Update time: "2020-09-03T16:30:33Z" name: mysecret1 namespace: default resourceVersion: "18499" selfLink: /api/v1/namespaces/default/secrets/mysecret1 uid: 95540124-c44f-426b-9ec2-844cbf8dfa72 type: Opaque # base64 解码 [root@bjcy-200 secret]# echo -n "Ym9i" | base64 --decode bob[root@bjcy-200 secret]#
使用
变量方式（注意：以环境变量注入的 Secret 会原样出现在容器内 `env` 的输出中，下面的示例即可看到 SECRET_PASSWORD 的明文）
root@env-pod:/# env KUBERNETES_SERVICE_PORT_HTTPS=443 KUBERNETES_SERVICE_PORT=443 HOSTNAME=env-pod PWD=/ PKG_RELEASE=1~buster HOME=/root KUBERNETES_PORT_443_TCP=tcp://192.168.0.1:443 SECRET_USERNAME=bob NJS_VERSION=0.4.2 TERM=xterm SHLVL=1 KUBERNETES_PORT_443_TCP_PROTO=tcp KUBERNETES_PORT_443_TCP_ADDR=192.168.0.1 KUBERNETES_SERVICE_HOST=192.168.0.1 KUBERNETES_PORT=tcp://192.168.0.1:443 KUBERNETES_PORT_443_TCP_PORT=443 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin NGINX_VERSION=1.19.1 SECRET_PASSWORD=123456 _=/usr/bin/env root@env-pod:/# echo $SECRET_PASSWORD 123456 root@env-pod:/# echo $SECRET_USERNAME bob root@env-pod:/# exit exit [root@bjcy-200 secret]# cat env-pod1.yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: env-pod name: env-pod spec: containers: - image: harbor.tcc.com/public/nginx name: env-pod env: - name: SECRET_USERNAME valueFrom: secretKeyRef: name: mysecret1 key: username - name: SECRET_PASSWORD valueFrom: secretKeyRef: name: mysecret1 key: password resources: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {} [root@bjcy-200 secret]# kubectl apply -f env-pod1.yaml pod/env-pod created [root@bjcy-200 secret]# kubectl get pods NAME READY STATUS RESTARTS AGE busyboxxx 1/1 Running 2 5d1h env-pod 1/1 Running 0 5s [root@bjcy-200 secret]# kubectl exec -it env-pod bash kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead. root@env-pod:/#
挂载卷方式（注意：下面示例对 my-password 设置了 mode: 0777，挂载后权限为 -rwxrwxrwx；实际使用时应收紧为只读，例如 0400）
[root@bjcy-200 secret]# cat vloume-pod.yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: vloume-pod name: vloume-pod spec: volumes: - name: vloume secret: secretName: mysecret1 items: - key: username path: my-group/my-username - key: password path: my-group/my-password mode: 0777 containers: - image: harbor.tcc.com/public/nginx name: vloume-pod volumeMounts: - name: vloume mountPath: "/vloume" resources: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {} [root@bjcy-200 secret]# kubectl apply -f vloume-pod.yaml pod/vloume-pod created [root@bjcy-200 secret]# kubectl exec -it vloume-pod sh kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead. # ls /vloume/my-group/ my-password my-username # ls -l /vloume/my-group/ total 8 -rwxrwxrwx 1 root root 6 Sep 3 16:54 my-password -rw-r--r-- 1 root root 3 Sep 3 16:54 my-username # exit [root@bjcy-200 secret]# cat vloume-pod.yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: vloume-pod name: vloume-pod spec: volumes: - name: vloume secret: secretName: mysecret1 containers: - image: harbor.tcc.com/public/nginx name: vloume-pod volumeMounts: - name: vloume mountPath: "/vloume" resources: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {}
mysql示例（注意：示例中把密码直接写在 `mysql -p123456` 的命令行参数里，会留在 shell 历史记录中并可被 ps 看到；可只写 `-p` 改为交互式输入）
[root@bjcy-200 secret]# cat mysql.yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: mysql name: mysql spec: containers: - image: harbor.tcc.com/public/mysql name: mysql env: - name: MYSQL_ROOT_PASSWORD valueFrom: secretKeyRef: name: mysecret1 key: password resources: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {} [root@bjcy-200 secret]# kubectl get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES busyboxxx 1/1 Running 2 5d2h 10.244.235.199 bjcy-182.host.io <none> <none> env-pod 1/1 Running 0 13m 10.244.235.201 bjcy-182.host.io <none> <none> mysql 1/1 Running 0 4m35s 10.244.235.202 bjcy-182.host.io <none> <none> [root@bjcy-200 secret]# mysql -h 10.244.235.202 -uroot -p123456 Welcome to the MariaDB monitor. Commands end with ; or \g. Your MySQL connection id is 3 Server version: 5.7.18 MySQL Community Server (GPL) Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MySQL [(none)]> exit Bye
configmap
官网地址: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/
configmap 的配置方式和 secret 类似，区别在于 configmap 用于存放非敏感的配置数据。另外注意下面 cm-envpod.yaml 中 configMapKeyRef 引用的 name 写成了 mysecret1（这是一个 Secret），应改为已存在的 ConfigMap 名称（如 cm1），否则该值无法正确注入。
创建
[root@bjcy-200 secret]# kubectl create configmap cm1 --from-literal=password=devops configmap/cm1 created [root@bjcy-200 secret]# cat cm-envpod.yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: cm-pod name: cm-pod spec: containers: - image: harbor.tcc.com/public/nginx name: cm-pod env: - name: SECRET_USERNAME valueFrom: configMapKeyRef: name: mysecret1 key: username resources: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {} [root@bjcy-200 secret]# cat cm.yaml apiVersion: v1 kind: ConfigMap metadata: name: cm2 namespace: default data: password: data1
查看
[root@bjcy-200 secret]# kubectl describe configmaps cm2 Name: cm2 Namespace: default Labels: <none> Annotations: Data ==== password: ---- data1 Events: <none> [root@bjcy-200 secret]# kubectl get configmaps cm2 -o yaml apiVersion: v1 data: password: data1 kind: ConfigMap metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"v1","data":{"password":"data1"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"cm2","namespace":"default"}} creationTimestamp: "2020-09-03T17:29:25Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:password: {} f:metadata: f:annotations: .: {} f:kubectl.kubernetes.io/last-applied-configuration: {} manager: kubectl operation: Update time: "2020-09-03T17:29:25Z" name: cm2 namespace: default resourceVersion: "29597" selfLink: /api/v1/namespaces/default/configmaps/cm2 uid: 0097fb1d-25ac-4add-a702-8bdc939e9556
使用
[root@bjcy-200 secret]# cat cm-envpod.yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: cm-pod name: cm-pod spec: containers: - image: harbor.tcc.com/public/nginx name: cm-pod env: - name: SECRET_USERNAME valueFrom: configMapKeyRef: name: mysecret1 key: username resources: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {} [root@bjcy-200 secret]# cat cm.yaml apiVersion: v1 kind: ConfigMap metadata: name: cm2 namespace: default data: password: data1
作者:闫世成
出处:http://cnblogs.com/yanshicheng
本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接。如有问题或建议,请联系上述邮箱,非常感谢。