1. Secret类型
Secret有三种类型:
Opaque:使用base64编码存储信息,可以通过base64 --decode解码获得原始数据,因此安全性弱。
kubernetes.io/dockerconfigjson:用于存储docker registry的认证信息。
kubernetes.io/service-account-token:用于被 serviceaccount 引用。serviceaccout 创建时 Kubernetes 会默认创建对应的 secret。Pod 如果使用了 serviceaccount,对应的 secret 会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中。
指定secret的类型时,需要在metadata中声明annotation name信息
metadata:
annotations:
kubernetes.io/service-account.name: default
type:kubernetes.io/service-account-token
2. Opaque Secret
Opaque类型的Secret,其value为base64编码后的值。
2.1 从文件中创建Secret
分别创建两个名为username.txt和password.txt的文件:
$ echo -n "admin" > ./username.txt $ echo -n "1f2d1e2e67df" > ./password.txt
使用kubectl create secret命令创建secret:
$ kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt secret "db-user-pass" created
2.2 使用描述文件创建Secret
首先使用base64对数据进行编码:
$ echo -n 'admin' | base64 YWRtaW4= $ echo -n '1f2d1e2e67df' | base64 MWYyZDFlMmU2N2Rm
创建一个类型为Secret的描述文件:
apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm $ kubectl create -f ./secret.yaml secret "mysecret" created
查看此Secret:
$ kubectl get secret mysecret -o yaml apiVersion: v1 data: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm kind: Secret metadata: creationTimestamp: 2016-01-22T18:41:56Z name: mysecret namespace: default resourceVersion: "164619" selfLink: /api/v1/namespaces/default/secrets/mysecret uid: cfee02d6-c137-11e5-8d73-42010af00002type: Opaque
2.3 Secret的使用
创建好Secret之后,可以通过两种方式使用:
以Volume方式
以环境变量方式
2.3.1 将Secret挂载到Volume中
apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: mypod image: redis volumeMounts: - name: foo mountPath: "/etc/foo" readOnly: true volumes: - name: foo secret: secretName: mysecret
进入Pod查看挂载的Secret:
# ls /etc/secrets password username # cat /etc/secrets/username admin # cat /etc/secrets/password 1f2d1e2e67df
也可以只挂载Secret中特定的key:
apiVersion: v1 kind: Podmetadata: name: mypod spec: containers: - name: mypod image: redis volumeMounts: - name: foo mountPath: "/etc/foo" readOnly: true volumes: - name: foo secret: secretName: mysecret items: - key: username path: my-group/my-username
在这种情况下:
username 存储在/etc/foo/my-group/my-username中
password未被挂载
2.3.2 将Secret设置为环境变量
apiVersion: v1 kind: Pod metadata: name: secret-env-pod spec: containers: - name: mycontainer image: redis env: - name: SECRET_USERNAME valueFrom: secretKeyRef: name: mysecret key: username - name: SECRET_PASSWORD valueFrom: secretKeyRef: name: mysecret key: password restartPolicy: Never
需要注意的是,环境变量读取Secret很方便,但无法支撑Secret动态更新
3. kubernetes.io/dockerconfigjson
kubernetes.io/dockerconfigjson用于存储docker registry的认证信息,可以直接使用kubectl create secret命令创建:
$ kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAILsecret "myregistrykey" created.#$kubectl create secret docker-registry regcred --docker-server=--docker-username= --docker-password= --docker-email=
查看secret的内容:
$ kubectl get secret myregistrykey -o yaml apiVersion: v1 data: .dockercfg: eyJjY3IuY2NzLnRlbmNlbnR5dW4uY29tL3RlbmNlbnR5dW4iOnsidXNlcm5hbWUiOiIzMzIxMzM3OTk0IiwicGFzc3dvcmQiOiIxMjM0NTYuY29tIiwiZW1haWwiOiIzMzIxMzM3OTk0QHFxLmNvbSIsImF1dGgiOiJNek15TVRNek56azVORG94TWpNME5UWXVZMjl0In19 kind: Secret metadata: creationTimestamp: 2017-08-04T02:06:05Z name: myregistrykey namespace: default resourceVersion: "1374279324" selfLink: /api/v1/namespaces/default/secrets/myregistrykey uid: 78f6a423-78b9-11e7-a70a-525400bc11f0type: kubernetes.io/dockercfg
通过 base64 对 secret 中的内容解码:
$ echo "eyJjY3IuY2NzLnRlbmNlbnR5dW4uY29tL3RlbmNlbnR5dW4iOnsidXNlcm5hbWUiOiIzMzIxMzM3OTk0IiwicGFzc3dvcmQiOiIxMjM0NTYuY29tIiwiZW1haWwiOiIzMzIxMzM3OTk0QHFxLmNvbSIsImF1dGgiOiJNek15TVRNek56azVORG94TWpNME5UWXVZMjl0XXXX" | base64 --decode
{"ccr.ccs.tencentyun.com/XXXXXXX":{"username":"3321337XXX","password":"123456.com","email":"[email protected]","auth":"MzMyMTMzNzk5NDoxMjM0NTYuY29t"}}
也可以直接读取 ~/.dockercfg 的内容来创建:
$ kubectl create secret docker-registry myregistrykey \ --from-file="~/.dockercfg"
在创建 Pod 的时候,通过 imagePullSecrets 来引用刚创建的 myregistrykey:
apiVersion: v1 kind: Pod metadata: name: foo spec: containers: - name: foo image: janedoe/awesomeapp:v1 imagePullSecrets: - name: myregistrykey
4. kubernetes.io/service-account-token
用于被 serviceaccount 引用。serviceaccout 创建时 Kubernetes 会默认创建对应的 secret。Pod 如果使用了 serviceaccount,对应的 secret 会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中。
$ kubectl run nginx --image nginx deployment "nginx" created $ kubectl get podsNAME READY STATUS RESTARTS AGEnginx-3137573019-md1u2 1/1 Running 0 13s $ kubectl exec nginx-3137573019-md1u2 ls /run/secrets/kubernetes.io/serviceaccount ca.crt namespace token
ServiceAccount
每个namespace下有一个名为default的默认的ServiceAccount对象,这个ServiceAccount里有一个名为Tokens的可以作为Volume一样被Mount到Pod里的Secret,当Pod启动时这个Secret会被自动Mount到Pod的指定目录下,用来协助完成Pod中的进程访问API Server时的身份鉴权过程。
apiVersion: v1 kind: Podmetadata: ......spec: containers: .... volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-xxxx readOnly: true ...... ......
apiVersion: v1 kind: Secret data: ca.crt: xxxx namespace: xxxx service-ca.crt: xxxxx token: xxxx metadata: ......type: kubernetes.io/service-account-token
如果一个Pod在定义时没有指定spec.service.AccountName属性,则系统会自动为其赋值为“Default”,即使用同一namespace下默认的ServiceAccount,如果某个Pod需要使用非default的ServiceAccount,需要在定义时指定:
apiVersion:v1 kind:Pod metadata: name:mypod spec: containers: - name:mycontainer image: serviceAccountName:myserviceaccount