
5.2 K8s配置中心之 Secret

Secret:敏感存储卷

Secret与ConfigMap作用类似,但是ConfigMap是明文存储,而Secret中的数据是经过base64编码的字符串。注意base64只是编码而不是加密,任何能读取该Secret对象的人都可以还原出原文:我们使用kubectl get secret -o yaml可以查看其base64编码后的字符串,然后使用echo xxxx |base64 -d就能解码。

secret类型

| secret类型 | 相关描述 |
| --- | --- |
| generic | Create a secret from a local file, directory or literal value。普通的帐号、密码 |
| tls | Create a TLS secret。证书、私钥 |
| docker-registry | Create a secret for use with a Docker registry。kubelet使用该Secret来认证私有镜像仓库:在Pod的imagePullSecrets中引用 |

1、secret generic 类型

1.1、命令行定义secret generic:

语法:kubectl create secret generic NAME [--from-file=[key=]source] [--from-literal=key1=value1]

[root@k8smaster secret]# kubectl create secret generic mysql-root-password --from-literal=root_password=MyP@ssword
secret/mysql-root-password created
[root@k8smaster secret]# kubectl get secret 
NAME                  TYPE                                  DATA      AGE
default-token-cm4hr   kubernetes.io/service-account-token   3         33d
mysql-root-password   Opaque                                1         25s
[root@k8smaster secret]# kubectl describe secret mysql-root-password
Name:         mysql-root-password
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
root_password:  10 bytes

[root@k8smaster secret]# kubectl get secret mysql-root-password -o yaml
apiVersion: v1
data:
  root_password: TXlQQHNzd29yZA==    #echo -n 'MyP@ssword' |base64可以转换(注意加-n,否则echo输出的换行符也会被一起编码)
kind: Secret
metadata:
  creationTimestamp: 2018-08-30T06:05:52Z
  name: mysql-root-password
  namespace: default
  resourceVersion: "1311865"
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-password
  uid: bfc1e322-ac1a-11e8-8232-5254001d21da
type: Opaque
[root@k8smaster secret]# echo TXlQQHNzd29yZA== |base64 -d
MyP@ssword

1.2、配置清单定义Secret generic:

$ echo -n 'admin' | base64
YWRtaW4=
$ echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque  #generic类型的secret
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

1.3、在Pod中使用secret generic(环境变量):

[root@k8smaster secret]# cat pod-secret.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret
  namespace: default
  labels:
    app: myapp
    tier: frontend
  #labels: {app:myapp,tier:frontend}
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:  #方式1
    - name: MYSQL_ROOT_PASSWORD #变量名,注意:在docker中,定义的变量名使用中划线也会自动转换为下划线
      valueFrom:
        secretKeyRef:
          name: mysql-root-password
          key: root_password
    #envFrom:  #方式2
    #  - secretRef:
    #      name: mysql-root-password    

1.4、在Pod中使用secret generic(存储卷):

Secret与ConfigMap一样,也可以用作存储卷。

apiVersion: v1
kind: Pod
metadata:
  name: myapp-vol-pvc
  namespace: default
spec:
  containers:
  - name: myapp-pod-vol-pvc
    image: ikubernetes/myapp:v1
    volumeMounts:
    - name: mysql_pwd  #要挂载的volume名称
      mountPath: /usr/share/mysql_pwd
  volumes:
  - name: mysql_pwd
    secret:   #定义secret类型的存储卷
      secretName: mypvc      

2、secret docker-registry 类型

2.1、定义Secret docker-registry

从需要身份验证的私有镜像仓库拉取容器镜像时,需要提供用户名和密码,并且需要将用户名和密码封装在docker-registry类型的Secret中。

[root@k8smaster secret]# kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

或者:

apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
  namespace: default
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: eyJhdXRocyI6eyJET0NLRVJfUkVHSVNUUllfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0=
➜  ~ echo -n 'eyJhdXRocyI6eyJET0NLRVJfUkVHSVNUUllfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0='|base64 -d;echo
{"auths":{"DOCKER_REGISTRY_SERVER":{"username":"DOCKER_USER","password":"DOCKER_PASSWORD","email":"DOCKER_EMAIL","auth":"RE9DS0VSX1VTRVI6RE9DS0VSX1BBU1NXT1JE"}}}
➜  ~ echo -n 'RE9DS0VSX1VTRVI6RE9DS0VSX1BBU1NXT1JE' |base64 -d ;echo
DOCKER_USER:DOCKER_PASSWORD

2.2、使用Secret docker-registry:

在pod.spec.imagePullSecrets中指定拉取该容器镜像时使用的Secret(其中包含用户名和密码信息)

apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
    - name: foo
      image: janedoe/awesomeapp:v1
  imagePullSecrets:  #使用imagePullSecrets
    - name: myregistrykey

其本质上相当于kubelet把这份认证信息写到了docker的配置目录下(~/.docker/config.json),格式如下:

cat ~/.docker/config.json 
{
    "auths": {
        "10.39.0.118": {
            "auth": "Y2hlbm1vOmNtMTM4MTE2NjY3ODY="
        },
        "10.39.0.12:5000": {
            "auth": "dXNlcjAxOjEyMzQ1YQ=="
        },
        "http://10.39.0.12:5000": {
            "auth": "dXNlcjAxOjEyMzQ1YQ=="
        }
    }
}

3、secret tls 类型

3.1、定义secret tls

#将证书生成为Secret
[root@physerver manifests]# kubectl create secret tls ljzsdut-ingress-secret --cert=pki/tls.crt --key=pki/tls.key 
secret/ljzsdut-ingress-secret created

说明:

tls类型的secret,data字段中的key名称是固定的(与传入的文件名无关):私钥对应的key为tls.key,证书对应的key为tls.crt。

3.2、使用secret tls

参见:Ingress TLS部分