kubernetes-密码管理
secret
官网地址: https://kubernetes.io/docs/concepts/configuration/secret/
创建
命令行创建（注意：通过 --from-literal 在命令行传入的密码会留在 shell 历史记录和进程列表中，敏感值建议改用下文的 --from-file 方式）
[root@bjcy-200 secret]# kubectl create secret generic mysecret1 --from-literal=username=bob --from-literal=password=123456
secret/mysecret1 created
[root@bjcy-200 secret]# kubectl get secret
NAME TYPE DATA AGE
default-token-24blg kubernetes.io/service-account-token 3 5d1h
mysecret1 Opaque 2 8s
从文件中创建
[root@bjcy-200 secret]# echo -n "devops" > password
[root@bjcy-200 secret]# kubectl create secret generic mysecret2 --from-file=./password
secret/mysecret2 created
[root@bjcy-200 secret]# kubectl get secrets
NAME TYPE DATA AGE
default-token-24blg kubernetes.io/service-account-token 3 5d1h
mysecret1 Opaque 2 6m5s
mysecret2 Opaque 1 8s
从文件读取变量创建
[root@bjcy-200 secret]# cat env.txt
password=devops
[root@bjcy-200 secret]# kubectl create secret generic mysecret3 --from-env-file=./env.txt
secret/mysecret3 created
[root@bjcy-200 secret]# kubectl get secrets
NAME TYPE DATA AGE
default-token-24blg kubernetes.io/service-account-token 3 5d1h
mysecret1 Opaque 2 7m55s
mysecret2 Opaque 1 118s
mysecret3 Opaque 1 5s
yaml文件创建
yaml方式创建时，data 字段的值需要先用 base64 进行编码。注意：base64 只是编码而不是加密，任何能读取该 Secret 对象的人都可以直接解码得到明文。
[root@bjcy-200 secret]# echo -n "devops" | base64   # 编码 devops
ZGV2b3Bz
[root@bjcy-200 secret]# cat secret1.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret4
type: Opaque
data:
  password: ZGV2b3Bz
[root@bjcy-200 secret]# kubectl apply -f secret1.yaml
secret/mysecret4 created
[root@bjcy-200 secret]# kubectl get secrets
NAME TYPE DATA AGE
default-token-24blg kubernetes.io/service-account-token 3 5d1h
mysecret1 Opaque 2 11m
mysecret2 Opaque 1 5m24s
mysecret3 Opaque 1 3m31s
mysecret4 Opaque 1 8s
查看
[root@bjcy-200 secret]# kubectl describe secrets mysecret1
Name: mysecret1
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
username: 3 bytes
password: 6 bytes
[root@bjcy-200 secret]# kubectl get secrets mysecret1 -o yaml
apiVersion: v1
data:
password: MTIzNDU2
username: Ym9i
kind: Secret
metadata:
creationTimestamp: "2020-09-03T16:30:33Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:password: {}
f:username: {}
f:type: {}
manager: kubectl
operation: Update
time: "2020-09-03T16:30:33Z"
name: mysecret1
namespace: default
resourceVersion: "18499"
selfLink: /api/v1/namespaces/default/secrets/mysecret1
uid: 95540124-c44f-426b-9ec2-844cbf8dfa72
type: Opaque
# base64 解码
[root@bjcy-200 secret]# echo -n "Ym9i" | base64 --decode
bob[root@bjcy-200 secret]#
使用
变量方式
root@env-pod:/# env
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_PORT=443
HOSTNAME=env-pod
PWD=/
PKG_RELEASE=1~buster
HOME=/root
KUBERNETES_PORT_443_TCP=tcp://192.168.0.1:443
SECRET_USERNAME=bob
NJS_VERSION=0.4.2
TERM=xterm
SHLVL=1
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=192.168.0.1
KUBERNETES_SERVICE_HOST=192.168.0.1
KUBERNETES_PORT=tcp://192.168.0.1:443
KUBERNETES_PORT_443_TCP_PORT=443
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NGINX_VERSION=1.19.1
SECRET_PASSWORD=123456
_=/usr/bin/env
root@env-pod:/# echo $SECRET_PASSWORD
123456
root@env-pod:/# echo $SECRET_USERNAME
bob
root@env-pod:/# exit
exit
[root@bjcy-200 secret]# cat env-pod1.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: env-pod
name: env-pod
spec:
containers:
- image: harbor.tcc.com/public/nginx
name: env-pod
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: mysecret1
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret1
key: password
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@bjcy-200 secret]# kubectl apply -f env-pod1.yaml
pod/env-pod created
[root@bjcy-200 secret]# kubectl get pods
NAME READY STATUS RESTARTS AGE
busyboxxx 1/1 Running 2 5d1h
env-pod 1/1 Running 0 5s
[root@bjcy-200 secret]# kubectl exec -it env-pod bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
root@env-pod:/#
挂载卷方式（注意：下面示例中 items 里的 mode: 0777 会让挂载出来的密码文件对容器内所有用户可读写，如 ls -l 输出所示；生产环境应使用更严格的权限，例如 0400）
[root@bjcy-200 secret]# cat vloume-pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: vloume-pod
name: vloume-pod
spec:
volumes:
- name: vloume
secret:
secretName: mysecret1
items:
- key: username
path: my-group/my-username
- key: password
path: my-group/my-password
mode: 0777
containers:
- image: harbor.tcc.com/public/nginx
name: vloume-pod
volumeMounts:
- name: vloume
mountPath: "/vloume"
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@bjcy-200 secret]# kubectl apply -f vloume-pod.yaml
pod/vloume-pod created
[root@bjcy-200 secret]# kubectl exec -it vloume-pod sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
# ls /vloume/my-group/
my-password my-username
# ls -l /vloume/my-group/
total 8
-rwxrwxrwx 1 root root 6 Sep 3 16:54 my-password
-rw-r--r-- 1 root root 3 Sep 3 16:54 my-username
# exit
[root@bjcy-200 secret]# cat vloume-pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: vloume-pod
name: vloume-pod
spec:
volumes:
- name: vloume
secret:
secretName: mysecret1
containers:
- image: harbor.tcc.com/public/nginx
name: vloume-pod
volumeMounts:
- name: vloume
mountPath: "/vloume"
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
mysql示例
[root@bjcy-200 secret]# cat mysql.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: mysql
name: mysql
spec:
containers:
- image: harbor.tcc.com/public/mysql
name: mysql
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret1
key: password
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@bjcy-200 secret]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
busyboxxx 1/1 Running 2 5d2h 10.244.235.199 bjcy-182.host.io <none> <none>
env-pod 1/1 Running 0 13m 10.244.235.201 bjcy-182.host.io <none> <none>
mysql 1/1 Running 0 4m35s 10.244.235.202 bjcy-182.host.io <none> <none>
[root@bjcy-200 secret]# mysql -h 10.244.235.202 -uroot -p123456
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> exit
Bye
configmap
官网地址: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/
configmap 的创建和使用方式与 secret 类似，区别在于 configmap 用于存放非敏感配置，data 中的值以明文保存，不做 base64 编码。
创建
[root@bjcy-200 secret]# kubectl create configmap cm1 --from-literal=password=devops
configmap/cm1 created
[root@bjcy-200 secret]# cat cm-envpod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: cm-pod
name: cm-pod
spec:
containers:
- image: harbor.tcc.com/public/nginx
name: cm-pod
env:
- name: SECRET_USERNAME
valueFrom:
configMapKeyRef:
name: mysecret1
key: username
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@bjcy-200 secret]# cat cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: cm2
namespace: default
data:
password: data1
查看
[root@bjcy-200 secret]# kubectl describe configmaps cm2
Name: cm2
Namespace: default
Labels: <none>
Annotations:
Data
====
password:
----
data1
Events: <none>
[root@bjcy-200 secret]# kubectl get configmaps cm2 -o yaml
apiVersion: v1
data:
password: data1
kind: ConfigMap
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"password":"data1"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"cm2","namespace":"default"}}
creationTimestamp: "2020-09-03T17:29:25Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:password: {}
f:metadata:
f:annotations:
.: {}
f:kubectl.kubernetes.io/last-applied-configuration: {}
manager: kubectl
operation: Update
time: "2020-09-03T17:29:25Z"
name: cm2
namespace: default
resourceVersion: "29597"
selfLink: /api/v1/namespaces/default/configmaps/cm2
uid: 0097fb1d-25ac-4add-a702-8bdc939e9556
使用
[root@bjcy-200 secret]# cat cm-envpod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: cm-pod
name: cm-pod
spec:
containers:
- image: harbor.tcc.com/public/nginx
name: cm-pod
env:
- name: SECRET_USERNAME
valueFrom:
configMapKeyRef:
name: mysecret1
key: username
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@bjcy-200 secret]# cat cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: cm2
namespace: default
data:
password: data1
作者:闫世成
出处:http://cnblogs.com/yanshicheng