Secret

13. Secret

概述

 Secret的功能类似于ConfigMap给pod提供额外的配置信息，但是Secret是一种包含少量敏感信息例如密码、令牌或秘钥的对象
 
Secret的名称必须是合法的DNS子域名
 
每个Secret的大小最多为1MiB,注意是为了避免用户创建非常大的Secret进而导致API服务器和kubelet内存耗尽，不过创建很多小的Secret也可能耗尽内存，可以使用资源配额来约束每个名字空间中Secret的个数
 
在通过YAML文件创建Secret时，可以设置data或stringData资源，data和stringData字段都是可选的，data字段中所有键值都必须base64编码的字符串，如果不希望执行这种base64字符串的转换操作，也可以选择设置stringData字段，其中可以使用任何非加密的字符串作为其取值
 
Pod可以用三种方式的任意一种来使用Secret：
作为挂载到一个或多个容器上的卷中的文件（crt文件、key文件）作为容器的环境变量
有kubelet在为Pod拉取镜像时使用（与镜像仓库的认证）

13.1 Secret简介类型

Kubernetes默认支持多种不同类型的Secret，用于一不同的使用场景，不同类型的Secret配置参数也不一样

Secret类型	使用场景
Opaque	用户定义的任意数据
kubernetes.io/service-account-token	ServiceAccoubt 令牌
kubernetes.io/dockercfg	~/.dockercfg 文件序列化形式
kubernetes.io/dockerconfigjson	~/.docker/config.json 文件的序列化形式
kubernetes.io/basic-auth	用于基本身份认证的凭据
kubernetes.io/ssh-auth	用于SSH身份认证的凭据
kubernetes.io/tls	用于TLS环境，保存crt证书和key证书
kubernetes.io/token	启动引导令牌数据

13.2 data类型加密

不是加密会报语法错误

 root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# echo admin | base64
YWRtaW4K
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# echo 123456 | base64
MTIzNDU2Cg==
 
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 1-secret-Opaque-data.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: mysecret-data
  namespace: myserver
type: Opaque
data:
  user: YWRtaW4K
  password: MTIzNDU2Cg==
  age: MTgK #非base64加密的会报错

解密

 root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl get secrets -n myserver mysecret-data -o yaml
apiVersion: v1
data:
  age: MTgK
  password: MTIzNDU2Cg==
  user: YWRtaW4K
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"age":"MTgK","password":"MTIzNDU2Cg==","user":"YWRtaW4K"},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret-data","namespace":"myserver"},"type":"Opaque"}
  creationTimestamp: "2022-11-26T02:47:26Z"
  name: mysecret-data
  namespace: myserver
  resourceVersion: "777078"
  uid: 5fef55f2-4eb0-4128-9ed6-cd97835b0643
type: Opaque
 
 
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# echo YWRtaW4K | base64 -d
admin

13.3 StringData

自动加密

 root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 2-secret-Opaque-stringData.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: mysecret-stringdata
  namespace: myserver
type: Opaque
stringData:
  user: 'admin'
  password: '123456'

13.4 加密数据挂载做认证文件

 root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 3-secret-Opaque-mount.yaml 
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myserver-myapp-app1-deployment
  namespace: myserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myserver-myapp-app1
  template:
    metadata:
      labels:
        app: myserver-myapp-app1
    spec:
      containers:
      - name: myserver-myapp-app1
        image: tomcat:7.0.94-alpine
        ports:
        - containerPort: 8080
        volumeMounts:
        - mountPath: /data/myserver/auth
          name: myserver-auth-secret 
      volumes:
      - name: myserver-auth-secret
        secret:
          secretName: mysecret-data #挂载指定的secret,挂载后会将base64解密为明文
 
---
apiVersion: v1
kind: Service
metadata:
  name: myserver-myapp-app1
  namespace: myserver
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
    nodePort: 30018
    protocol: TCP
  type: NodePort
  selector:
    app: myserver-myapp-app1
 
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl exec -it -n myserver myserver-myapp-app1-deployment-5f5776776b-4vrld bash
bash-4.4# cd /data/myserver/auth
bash-4.4# ls
age       password  user
bash-4.4# cat password 
123456
bash-4.4# cat user 
admin

挂载的数据可以在etcd中找到

 root@k8s-etcd1:~# etcdctl get / --keys-only --prefix | grep mysecret
/registry/secrets/myserver/mysecret-data
/registry/secrets/myserver/mysecret-stringdata
root@k8s-etcd1:~# etcdctl get /registry/secrets/myserver/mysecret-stringdata
/registry/secrets/myserver/mysecret-stringdata
k8s
 
 
v1Secretׄ 
« 
mysecret-stringdatmyserver"*$435fd42f-78d4-42d9-a077-8c001bdacf462ɾb
0kubectl.kubernetes.io/last-applied-configuration¸{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"mysecret-stringdata","namespace":"myserver"},"stringData":{"password":"123456","user":"admin"},"type":"Opaque"}
z܁
kubectl-client-side-applyUpdatevɾFieldsV1: 
{"f:data":{".":{},"f:password":{},"f:user":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:type":{}}B                                                                                                             password123456 
useradminOpaque"

13.5 Kubernetes.io/tls-为nginx提供证书

 root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# mkdir -p certs
#生成证书
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=www.ca.com'
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.mysite.com'
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
#创建一个secrts 并指定证书 cert是公钥 key是私钥
kubectl create secret tls myserver-tls-key --cert=./server.crt --key=./server.key -n myserver
 
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret/certs# kubectl get secrets -n myserver myserver-tls-key
NAME               TYPE                DATA   AGE
myserver-tls-key   kubernetes.io/tls   2      19m
 
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret/certs# ll
total 28
drwxr-xr-x 2 root root 4096 Nov 26 05:17 ./
drwxr-xr-x 3 root root 4096 Jul 31 10:42 ../
-rw-r--r-- 1 root root 1809 Nov 26 05:14 ca.crt
-rw------- 1 root root 3272 Nov 26 05:14 ca.key
-rw-r--r-- 1 root root 1667 Nov 26 05:17 server.crt
-rw-r--r-- 1 root root 1590 Nov 26 05:16 server.csr
-rw------- 1 root root 3272 Nov 26 05:16 server.key
 
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 4-secret-tls.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: myserver
data:
 default: |
    server {
       listen       80;
       server_name  www.mysite.com;
       listen 443 ssl;
       ssl_certificate /etc/nginx/conf.d/certs/tls.crt;
       ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;
 
       location / {
           root /usr/share/nginx/html; 
           index index.html;
           if ($scheme = http ){  #未加条件判断，会导致死循环
              rewrite / https://www.mysite.com permanent;
           }  
 
           if (!-e $request_filename) {
               rewrite ^/(.*) /index.html last;
           }
       }
    }
 
---
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myserver-myapp-frontend-deployment
  namespace: myserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myserver-myapp-frontend
  template:
    metadata:
      labels:
        app: myserver-myapp-frontend
    spec:
      containers:
      - name: myserver-myapp-frontend
        image: nginx:1.20.2-alpine 
        ports:
          - containerPort: 80
        volumeMounts:
          - name: nginx-config
            mountPath:  /etc/nginx/conf.d/myserver
          - name: myserver-tls-key
            mountPath:  /etc/nginx/conf.d/certs
      volumes:
      - name: nginx-config
        configMap:
          name: nginx-config
          items:
             - key: default
               path: mysite.conf
      - name: myserver-tls-key
        secret:
          secretName: myserver-tls-key 
 
 
---
apiVersion: v1
kind: Service
metadata:
  name: myserver-myapp-frontend
  namespace: myserver
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 30020
    protocol: TCP
  - name: htts
    port: 443
    targetPort: 443
    nodePort: 30019
    protocol: TCP
  selector:
    app: myserver-myapp-frontend

检测

 #然后需要把证书引入到nginx配置文件中才能生效 否则你现在查看端口并没有监听443端口 然后重启 certs引入这个
#配置文件中已经把证书生成挂载过来了
/ # cd /etc/nginx/conf.d/certs
/etc/nginx/conf.d/certs # ls
tls.crt  tls.key
 
#nginx配置文件已经挂载过来
/ # cd /etc/nginx/conf.d/myserver/
/etc/nginx/conf.d/myserver # ls
mysite.conf
 
#nginx.conf主配置文件中添加包含
include /etc/nginx/conf.d/myserver/*.conf;
 
nginx -t
nginx -s reload
netstat -tanlp
#显示证书
curl -lvk https://www.mysite.com

13.6 kubernetes.io/dockerconfig.json

 #创建私有仓库认证文件
kubectl create secret generic aliyun-registry-image-pull-key \
--from-file=.dockerconfigjson=/root/.docker/config.json \
--type=kubernetes.io/dockerconfigjson \
-n myserver
 
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl get secrets -n myserver 
NAME                             TYPE                             DATA   AGE
aliyun-registry-image-pull-key   kubernetes.io/dockerconfigjson   1      45s
myserver-tls-key                 kubernetes.io/tls                2      114m
 
#查看创建的认证信息
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl get secrets -n myserver aliyun-registry-image-pull-key  -o yaml
 
apiVersion: v1
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSJoYXJib3IubmJyaGNlLmNvbSI6IHsKCQkJImF1dGgiOiAiY1hWNWFUcElZWEppYjNJeE1qTTBOUT09IgoJCX0KCX0KfQ==
kind: Secret
metadata:
  creationTimestamp: "2022-11-26T07:13:15Z"
  name: aliyun-registry-image-pull-key
  namespace: myserver
  resourceVersion: "807752"
  uid: d8949f22-addc-4aef-a958-2249d967758c
type: kubernetes.io/dockerconfigjson

YAML文件可以拉取的

 #这个关键字就是 imagePullSecrets 拉取认证信息
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 5-secret-imagePull.yaml 
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myserver-myapp-frontend-deployment
  namespace: myserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myserver-myapp-frontend
  template:
    metadata:
      labels:
        app: myserver-myapp-frontend
    spec:
      containers:
      - name: myserver-myapp-frontend
        image: registry.cn-qingdao.aliyuncs.com/zhangshijie/nginx:1.16.1-alpine-perl 
        ports:
          - containerPort: 80
      imagePullSecrets:
        - name: aliyun-registry-image-pull-key
 
---
apiVersion: v1
kind: Service
metadata:
  name: myserver-myapp-frontend
  namespace: myserver
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 30022
    protocol: TCP
  type: NodePort
  selector:
    app: myserver-myapp-frontend

posted @ 2022-12-06 21:37 YIDADA-SRE 阅读(207) 评论(0) 编辑收藏举报

刷新页面返回顶部

登录后才能查看或发表评论，立即登录或者逛逛博客园首页

相关博文：

· Ingress

· 部署kuboard与使用

· 11、kubernetes资源对象

· Kubernetes-Secret

· Secret

阅读排行：
· TypeScript + Deepseek 打造卜卦网站：技术与玄学的结合
· 阿里巴巴 QwQ-32B真的超越了 DeepSeek R-1吗？
· 【译】Visual Studio 中新的强大生产力特性
· 10年+ .NET Coder 心语 ── 封装的思维：从隐藏、稳定开始理解其本质意义
· 【设计模式】告别冗长if-else语句：使用策略模式优化代码结构

阅读目录(Content)

此页目录为空

YIDADA-SRE

念两句诗

Secret

13. Secret

13.1 Secret简介类型

13.2 data类型加密

13.3 StringData

13.4 加密数据挂载做认证文件

13.5 Kubernetes.io/tls-为nginx提供证书

13.6 kubernetes.io/dockerconfig.json

公告

个人信息

日历

搜索

常用链接

随笔分类

随笔档案

相册

阅读排行榜

评论排行榜

最新评论

	Secret的功能类似于ConfigMap给pod提供额外的配置信息，但是Secret是一种包含少量敏感信息例如密码、令牌或秘钥的对象

	Secret的名称必须是合法的DNS子域名

	每个Secret的大小最多为1MiB,注意是为了避免用户创建非常大的Secret进而导致API服务器和kubelet内存耗尽，不过创建很多小的Secret也可能耗尽内存，可以使用资源配额来约束每个名字空间中Secret的个数

	在通过YAML文件创建Secret时，可以设置data或stringData资源，data和stringData字段都是可选的，data字段中所有键值都必须base64编码的字符串，如果不希望执行这种base64字符串的转换操作，也可以选择设置stringData字段，其中可以使用任何非加密的字符串作为其取值

	Pod可以用三种方式的任意一种来使用Secret：
	作为挂载到一个或多个容器上的卷中的文件（crt文件、key文件）作为容器的环境变量
	有kubelet在为Pod拉取镜像时使用（与镜像仓库的认证）

	root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# echo admin \| base64
	YWRtaW4K
	root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# echo 123456 \| base64
	MTIzNDU2Cg==

	root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 1-secret-Opaque-data.yaml
	apiVersion: v1
	kind: Secret
	metadata:
	name: mysecret-data
	namespace: myserver
	type: Opaque
	data:
	user: YWRtaW4K
	password: MTIzNDU2Cg==
	age: MTgK #非base64加密的会报错

	root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 3-secret-Opaque-mount.yaml
	#apiVersion: extensions/v1beta1
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: myserver-myapp-app1-deployment
	namespace: myserver
	spec:
	replicas: 1
	selector:
	matchLabels:
	app: myserver-myapp-app1
	template:
	metadata:
	labels:
	app: myserver-myapp-app1
	spec:
	containers:
	- name: myserver-myapp-app1
	image: tomcat:7.0.94-alpine
	ports:
	- containerPort: 8080
	volumeMounts:
	- mountPath: /data/myserver/auth
	name: myserver-auth-secret
	volumes:
	- name: myserver-auth-secret
	secret:
	secretName: mysecret-data #挂载指定的secret,挂载后会将base64解密为明文

	---
	apiVersion: v1
	kind: Service
	metadata:
	name: myserver-myapp-app1
	namespace: myserver
	spec:
	ports:
	- name: http
	port: 8080
	targetPort: 8080
	nodePort: 30018
	protocol: TCP
	type: NodePort
	selector:
	app: myserver-myapp-app1

	root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl exec -it -n myserver myserver-myapp-app1-deployment-5f5776776b-4vrld bash
	bash-4.4# cd /data/myserver/auth
	bash-4.4# ls
	age password user
	bash-4.4# cat password
	123456
	bash-4.4# cat user
	admin

	root@k8s-etcd1:~# etcdctl get / --keys-only --prefix \| grep mysecret
	/registry/secrets/myserver/mysecret-data
	/registry/secrets/myserver/mysecret-stringdata
	root@k8s-etcd1:~# etcdctl get /registry/secrets/myserver/mysecret-stringdata
	/registry/secrets/myserver/mysecret-stringdata
	k8s


	v1Secretׄ
	«
	mysecret-stringdatmyserver"*$435fd42f-78d4-42d9-a077-8c001bdacf462ɾb
	0kubectl.kubernetes.io/last-applied-configuration¸{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"mysecret-stringdata","namespace":"myserver"},"stringData":{"password":"123456","user":"admin"},"type":"Opaque"}
	z܁
	kubectl-client-side-applyUpdatevɾFieldsV1:
	{"f:data":{".":{},"f:password":{},"f:user":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:type":{}}B password123456
	useradminOpaque"

	root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# mkdir -p certs
	#生成证书
	openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=www.ca.com'
	openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.mysite.com'
	openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
	#创建一个secrts 并指定证书 cert是公钥 key是私钥
	kubectl create secret tls myserver-tls-key --cert=./server.crt --key=./server.key -n myserver

	root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret/certs# kubectl get secrets -n myserver myserver-tls-key
	NAME TYPE DATA AGE
	myserver-tls-key kubernetes.io/tls 2 19m

	root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret/certs# ll
	total 28
	drwxr-xr-x 2 root root 4096 Nov 26 05:17 ./
	drwxr-xr-x 3 root root 4096 Jul 31 10:42 ../
	-rw-r--r-- 1 root root 1809 Nov 26 05:14 ca.crt
	-rw------- 1 root root 3272 Nov 26 05:14 ca.key
	-rw-r--r-- 1 root root 1667 Nov 26 05:17 server.crt
	-rw-r--r-- 1 root root 1590 Nov 26 05:16 server.csr
	-rw------- 1 root root 3272 Nov 26 05:16 server.key

	root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 4-secret-tls.yaml
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: nginx-config
	namespace: myserver
	data:
	default: \|
	server {
	listen 80;
	server_name www.mysite.com;
	listen 443 ssl;
	ssl_certificate /etc/nginx/conf.d/certs/tls.crt;
	ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;

	location / {
	root /usr/share/nginx/html;
	index index.html;
	if ($scheme = http ){ #未加条件判断，会导致死循环
	rewrite / https://www.mysite.com permanent;
	}

	if (!-e $request_filename) {
	rewrite ^/(.*) /index.html last;
	}
	}
	}

	---
	#apiVersion: extensions/v1beta1
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: myserver-myapp-frontend-deployment
	namespace: myserver
	spec:
	replicas: 1
	selector:
	matchLabels:
	app: myserver-myapp-frontend
	template:
	metadata:
	labels:
	app: myserver-myapp-frontend
	spec:
	containers:
	- name: myserver-myapp-frontend
	image: nginx:1.20.2-alpine
	ports:
	- containerPort: 80
	volumeMounts:
	- name: nginx-config
	mountPath: /etc/nginx/conf.d/myserver
	- name: myserver-tls-key
	mountPath: /etc/nginx/conf.d/certs
	volumes:
	- name: nginx-config
	configMap:
	name: nginx-config
	items:
	- key: default
	path: mysite.conf
	- name: myserver-tls-key
	secret:
	secretName: myserver-tls-key


	---
	apiVersion: v1
	kind: Service
	metadata:
	name: myserver-myapp-frontend
	namespace: myserver
	spec:
	type: NodePort
	ports:
	- name: http
	port: 80
	targetPort: 80
	nodePort: 30020
	protocol: TCP
	- name: htts
	port: 443
	targetPort: 443
	nodePort: 30019
	protocol: TCP
	selector:
	app: myserver-myapp-frontend

	#然后需要把证书引入到nginx配置文件中才能生效否则你现在查看端口并没有监听443端口然后重启 certs引入这个
	#配置文件中已经把证书生成挂载过来了
	/ # cd /etc/nginx/conf.d/certs
	/etc/nginx/conf.d/certs # ls
	tls.crt tls.key

	#nginx配置文件已经挂载过来
	/ # cd /etc/nginx/conf.d/myserver/
	/etc/nginx/conf.d/myserver # ls
	mysite.conf

	#nginx.conf主配置文件中添加包含
	include /etc/nginx/conf.d/myserver/*.conf;

	nginx -t
	nginx -s reload
	netstat -tanlp
	#显示证书
	curl -lvk https://www.mysite.com

	#创建私有仓库认证文件
	kubectl create secret generic aliyun-registry-image-pull-key \
	--from-file=.dockerconfigjson=/root/.docker/config.json \
	--type=kubernetes.io/dockerconfigjson \
	-n myserver

	root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl get secrets -n myserver
	NAME TYPE DATA AGE
	aliyun-registry-image-pull-key kubernetes.io/dockerconfigjson 1 45s
	myserver-tls-key kubernetes.io/tls 2 114m

	#查看创建的认证信息
	root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl get secrets -n myserver aliyun-registry-image-pull-key -o yaml

	apiVersion: v1
	data:
	.dockerconfigjson: ewoJImF1dGhzIjogewoJCSJoYXJib3IubmJyaGNlLmNvbSI6IHsKCQkJImF1dGgiOiAiY1hWNWFUcElZWEppYjNJeE1qTTBOUT09IgoJCX0KCX0KfQ==
	kind: Secret
	metadata:
	creationTimestamp: "2022-11-26T07:13:15Z"
	name: aliyun-registry-image-pull-key
	namespace: myserver
	resourceVersion: "807752"
	uid: d8949f22-addc-4aef-a958-2249d967758c
	type: kubernetes.io/dockerconfigjson

	#这个关键字就是 imagePullSecrets 拉取认证信息
	root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 5-secret-imagePull.yaml
	#apiVersion: extensions/v1beta1
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: myserver-myapp-frontend-deployment
	namespace: myserver
	spec:
	replicas: 1
	selector:
	matchLabels:
	app: myserver-myapp-frontend
	template:
	metadata:
	labels:
	app: myserver-myapp-frontend
	spec:
	containers:
	- name: myserver-myapp-frontend
	image: registry.cn-qingdao.aliyuncs.com/zhangshijie/nginx:1.16.1-alpine-perl
	ports:
	- containerPort: 80
	imagePullSecrets:
	- name: aliyun-registry-image-pull-key

	---
	apiVersion: v1
	kind: Service
	metadata:
	name: myserver-myapp-frontend
	namespace: myserver
	spec:
	ports:
	- name: http
	port: 80
	targetPort: 80
	nodePort: 30022
	protocol: TCP
	type: NodePort
	selector:
	app: myserver-myapp-frontend