Application configuration: the Secret resource
Storing sensitive data
A Secret object can be created from data sources such as literal values, files, and directories; depending on the storage format and the intended use, Secrets are further divided into three types: generic, docker-registry, and tls.
1. Generic Secret
A generic Secret holds sensitive data other than TLS material (the tls type, used for TLS communication authentication) and Docker registry credentials (the docker-registry type), which each have a dedicated type.
[root@k8s-master01 yaml]# kubectl create secret generic mysql-root-authn --from-literal=username=root --from-literal=password=iLinux
secret/mysql-root-authn created
[root@k8s-master01 yaml]# kubectl get secrets/mysql-root-authn -o yaml
apiVersion: v1
data:
  password: aUxpbnV4
  username: cm9vdA==
kind: Secret
metadata:
  creationTimestamp: "2021-08-20T15:02:17Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
        f:username: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2021-08-20T15:02:17Z"
  name: mysql-root-authn
  namespace: default
  resourceVersion: "1947307"
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-authn
  uid: e590071a-e240-49d3-81bd-ec1562b603b0
type: Opaque
[root@k8s-master01 yaml]# echo aUxpbnV4 | base64 -d   # decode
iLinux[root@k8s-master01 yaml]#
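An added example (not code from the original post) showing in POSIX shell what the kubectl command above does to the literal values, and decoding every key under data: the way the page decodes aUxpbnV4 by hand. No cluster is needed; the manifest generator mirrors `kubectl create secret generic ... --dry-run=client -o yaml` without the metadata kubectl fills in.

```shell
#!/bin/sh
# Added example (not from the original post): what `kubectl create secret generic
# NAME --from-literal=KEY=VALUE` does to the values, and the reverse of the page's
# manual `echo aUxpbnV4 | base64 -d` applied to every key of a Secret manifest.

# Base64-encode one value without line wrapping (GNU base64 wraps at 76 chars).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# secret_manifest NAME KEY=VALUE [KEY=VALUE ...]
# Prints an Opaque Secret manifest. Values land in .data base64-encoded, which
# is a transport encoding, not encryption: anyone allowed to read the Secret
# object recovers the plaintext, as decode_secret_data shows.
secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64 "${kv#*=}")"
  done
}

# decode_secret_data < manifest.yaml
# Walks the two-space-indented lines under `data:` (the layout kubectl prints,
# whether data: comes first or last) and emits key=plaintext, one per line.
decode_secret_data() {
  awk '
    /^data:/            { indata = 1; next }
    indata && /^  [^ ]/ { sub(/^  /, ""); print; next }
    indata              { indata = 0 }
  ' | while IFS=': ' read -r key val; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$val" | base64 -d)"
  done
}

# Constructed sample: the same literals the page passes to kubectl.
secret_manifest mysql-root-authn username=root password=iLinux
```

Piping the generated manifest (or the output of `kubectl get secret ... -o yaml`) into decode_secret_data prints username=root and password=iLinux, which is why read access to Secret objects must be restricted with RBAC.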
When creating a Secret for SSH authentication, the credential can be loaded directly from the private key file; the data key must be named ssh-privatekey and the Secret type is kubernetes.io/ssh-auth.
[root@k8s-master01 ~]# ssh-keygen -t rsa -P "" -f ${HOME}/.ssh/id_rsa
Generating public/private rsa key pair.
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? Y
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ntAFAl3mhXKTsUj1I0c35mTHEbQhLYXWdClUeROyNaY root@k8s-master01
The key's randomart image is:
+---[RSA 2048]----+
|    .ooo*+o O@XO=|
|     .o==* *+=XBo|
|      .o+.=..Eo o|
|       . + .     |
|        . S      |
|         o .     |
|          o      |
|                 |
|                 |
+----[SHA256]-----+
[root@k8s-master01 ~]# kubectl create secret generic ssh-key-secret --from-file=ssh-privatekey=${HOME}/.ssh/id_rsa --type="kubernetes.io/ssh-auth"
secret/ssh-key-secret created
[root@k8s-master01 ~]#
TLS Secret
For testing purposes, first generate a private key and a self-signed certificate for nginx with commands like the following:
[root@k8s-master01 ~]# openssl rand -writerand $HOME/.rnd
Usage: rand [options] num
where options are
-out file             - write to file
-engine e             - use engine e, possibly a hardware device.
-rand file:file:...   - seed PRNG from files
-base64               - base64 encode output
-hex                  - hex encode output
This OpenSSL build does not recognise the -writerand option and only prints its usage; the key generation below does not depend on that step.
[root@k8s-master01 ~]# (umask 077; openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus
....................................+++
..............................................+++
e is 65537 (0x10001)
[root@k8s-master01 ~]# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Beijing/O=devOps/CN=www.ilinux.io
Then use the following command to create a Secret object from these two files.
[root@k8s-master01 ~]# kubectl create secret tls nginx-ssl-secret --key=./nginx.key --cert=./nginx.crt
secret/nginx-ssl-secret created
Take a look:
[root@k8s-master01 ~]# kubectl get secret nginx-ssl-secret -o yaml
apiVersion: v1
data:
  tls.crt: [base64-encoded certificate omitted]
  tls.key: [base64-encoded private key omitted]
kind: Secret
metadata:
  creationTimestamp: "2021-08-20T17:06:59Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:tls.crt: {}
        f:tls.key: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2021-08-20T17:06:59Z"
  name: nginx-ssl-secret
  namespace: default
  resourceVersion: "1966656"
  selfLink: /api/v1/namespaces/default/secrets/nginx-ssl-secret
  uid: 60de30e7-2d98-42bc-9a5b-02d0cb897b72
type: kubernetes.io/tls
[root@k8s-master01 ~]#
Docker Registry Secret
When a container in a Pod manifest uses an image from a private repository, the kubelet must first authenticate to the registry to pull that image.
The docker-registry type takes four options:
--docker-server: registry server address (defaults to Docker Hub when omitted, as in the example below)
--docker-username: user name
--docker-password: user password
--docker-email: email address
[root@k8s-master01 ~]# kubectl create secret docker-registry local-registry --docker-username=Ops --docker-password=Opspass --docker-email=ops@ilinux.io
secret/local-registry created
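An added example (not from the original post or kubectl's own code) that builds in POSIX shell the .dockerconfigjson payload that `kubectl create secret docker-registry` stores, from the four options listed above. It assumes kubectl's layout (auths, then the server, then username/password/email/auth) and its Docker Hub default for an omitted --docker-server; the JSON key order kubectl emits is not guaranteed to match byte-for-byte.

```shell
#!/bin/sh
# Added example (not from the original post): the .dockerconfigjson payload that
# `kubectl create secret docker-registry` stores under type
# kubernetes.io/dockerconfigjson, built from the same four options the page lists.

# Base64 without line wrapping (GNU base64 wraps long output at 76 chars).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# docker_auth USERNAME PASSWORD -> the "auth" field: base64("user:pass").
# Base64 is reversible, so the registry password is readable by anyone who can
# run `kubectl get secret local-registry -o yaml`; restrict that with RBAC.
docker_auth() { b64 "$1:$2"; }

# dockerconfigjson USERNAME PASSWORD EMAIL [SERVER]
# When --docker-server is omitted, as in the page's local-registry command,
# kubectl targets Docker Hub (https://index.docker.io/v1/), not a local registry.
dockerconfigjson() {
  user=$1; pass=$2; mail=$3; server=${4:-https://index.docker.io/v1/}
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$server" "$user" "$pass" "$mail" "$(docker_auth "$user" "$pass")"
}

# registry_secret_manifest NAME USERNAME PASSWORD EMAIL [SERVER]
# Counterpart of `kubectl create secret docker-registry NAME ... --dry-run=client -o yaml`.
registry_secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$name" "$(b64 "$(dockerconfigjson "$@")")"
}

# Constructed sample: the credentials from the page's command.
registry_secret_manifest local-registry Ops Opspass ops@ilinux.io
```

Decoding the .dockerconfigjson value of the printed manifest returns the JSON with the password in clear, which is the same exposure the generic Secret has.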
Using a Secret through environment variables
[root@k8s-master01 yaml]# cat secrets-env-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secrets-env-demo
  namespace: default   ## the namespace here must match the namespace of the mysql-root-authn Secret created earlier
spec:
  containers:
  - name: mariadb
    image: mariadb
    imagePullPolicy: IfNotPresent
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-root-authn
          key: password
Earlier, a Secret named mysql-root-authn was created from the command line:
kubectl create secret generic mysql-root-authn --from-literal=username=root --from-literal=password=iLinux
Once the Pod is running, connect to the database using the password that was injected from the Secret:
kubectl exec -it secrets-env-demo -- mysql -uroot -piLinux