该卷主要是用来存储pod的一些敏感信息的
Secret 对象类型用来保存敏感信息,例如密码、OAuth 令牌和 ssh key。
敏感信息放在 secret 中比放在 Pod 的定义或者容器镜像中来说更加安全和灵活。
Pod 可以用两种方式使用 secret:
作为 volume 中的文件被挂载到 pod 中的一个或者多个容器里;
当 kubelet 为 pod 拉取镜像时使用。
Secret的类型:
Service Account
:Kubernetes 自动创建包含访问 API 凭据的 secret,并自动修改
pod 以使用此类型的 secret。
Opaque
:使用base64编码存储信息,可以通过base64 --decode解码获得原始数据,因此安全性弱。
kubernetes.io/dockerconfigjson
:用于存储docker registry的认证信息。
serviceaccout 创建时 Kubernetes 会默认创建对应的 secret。对应的 secret 会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount
目录中。
[kubeadm@server1 configmap]$ kubectl get secrets
NAME TYPE DATA AGE
default-token-jhnhn kubernetes.io/service-account-token 3 6d1h
[kubeadm@server1 configmap]$
[kubeadm@server2 cm]$ kubectl run test --image=busybox --restart=Never
pod/test created
[kubeadm@server2 cm]$ kubectl describe pod test
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-64lq2 (ro)
Volumes:
default-token-64lq2:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-64lq2
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
[kubeadm@server2 cm]$ kubectl get sa
NAME SECRETS AGE
default 1 7d21h
[kubeadm@server2 cm]$ kubectl describe sa default
Name: default
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: default-token-64lq2
Tokens: default-token-64lq2
Events: <none>
[kubeadm@server2 cm]$ kubectl run test --image=busybox -it
If you don't see a command prompt, try pressing enter.
/ # ls
bin dev etc home proc root sys tmp usr var
/ # cd /var/run/secrets/kubernetes.io/serviceaccount
/var/run/secrets/kubernetes.io/serviceaccount # ls
ca.crt namespace token
/var/run/secrets/kubernetes.io/serviceaccount #
[kubeadm@server2 cm]$ kubectl get secret
NAME TYPE DATA AGE
basic-auth Opaque 1 46h
default-token-64lq2 kubernetes.io/service-account-token 3 7d23h
tls-secret kubernetes.io/tls 2 46h
serviceaccount里有一个名为tokens的可以作为volume一样被mount到pod里的secret,当pod启动时这个secret会被自动mount到pod的指定目录下,用来协助完成pod中的进程访问api server时的身份鉴权过程
[kubeadm@server2 cm]$ kubectl get pod -o yaml
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-64lq2
readOnly: true
Opaque secret其value为base64编码后的值
[kubeadm@server2 cm]$ echo -n 'admin' > ./username.txt
[kubeadm@server2 cm]$ echo -n 'westos' > ./password.txt
[kubeadm@server2 cm]$ cat username.txt
admin
[kubeadm@server2 cm]$ cat password.txt
westos
[kubeadm@server2 cm]$ kubectl create secret generic my-secret --from-file=username.txt --from-file=password.txt
secret/my-secret created
[kubeadm@server2 cm]$ kubectl get secret
NAME TYPE DATA AGE
my-secret Opaque 2 6s
[kubeadm@server2 cm]$ kubectl describe secrets my-secret
Name: my-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password.txt: 6 bytes
username.txt: 5 bytes
[kubeadm@server2 cm]$ kubectl get secrets my-secret -o yaml
apiVersion: v1
data:
password.txt: d2VzdG9z
username.txt: YWRtaW4=
kind: Secret
metadata:
creationTimestamp: "2020-04-25T12:44:42Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:password.txt: {}
f:username.txt: {}
f:type: {}
manager: kubectl
operation: Update
time: "2020-04-25T12:44:42Z"
name: my-secret
namespace: default
resourceVersion: "730162"
selfLink: /api/v1/namespaces/default/secrets/my-secret
uid: c018589f-7971-4d84-9a2f-990789344ea1
type: Opaque
[kubeadm@server2 cm]$ echo d2VzdG9z|base64 -d # 解码
westos
如果密码具有特殊字符,则需要使用\字符对其进行转义,执行一下命令
[kubeadm@server2 cm]$ kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password=S\!B\\*d\$zDsb
secret/dev-db-secret created
[kubeadm@server2 cm]$ kubectl get secrets dev-db-secret -o yaml
apiVersion: v1
data:
password: UyFCXCpkJHpEc2I=
username: ZGV2dXNlcg==
[kubeadm@server2 cm]$ echo UyFCXCpkJHpEc2I=|base64 -d
S!B\*d$zDsb
[kubeadm@server2 cm]$ echo -n 'admin'|base64
YWRtaW4=
[kubeadm@server2 cm]$ echo -n 'westos'|base64
d2VzdG9z
[kubeadm@server2 cm]$ cat mysecret.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4=
password: d2VzdG9z
[kubeadm@server2 cm]$ kubectl apply -f mysecret.yaml
secret/mysecret created
[kubeadm@server2 cm]$ kubectl get secrets
NAME TYPE DATA AGE
mysecret Opaque 2 13s
[kubeadm@server2 cm]$ kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
password: d2VzdG9z
username: YWRtaW4=
[kubeadm@server2 secret]$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: mysecret
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- name: secrets
mountPath: "/secret"
readOnly: true
volumes:
- name: secrets
secret:
secretName: mysecret
[kubeadm@server2 secret]$ kubectl apply -f pod.yaml
pod/mysecret created
[kubeadm@server2 secret]$ kubectl get pod
NAME READY STATUS RESTARTS AGE
mysecret 1/1 Running 0 5s
test 1/1 Running 1 161m
[kubeadm@server2 secret]$ kubectl exec -it mysecret -- sh
# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin secret srv sys tmp usr var
# cd secret
# ls
password username
# cat password
westos#
[kubeadm@server2 secret]$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: mysecret
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- name: secrets
mountPath: "/secret"
readOnly: true
volumes:
- name: secrets
secret:
secretName: mysecret
items:
- key: username
path: my-group/my-username
[kubeadm@server2 secret]$ kubectl apply -f pod.yaml
pod/mysecret created
[kubeadm@server2 secret]$ kubectl get pod
NAME READY STATUS RESTARTS AGE
mysecret 1/1 Running 0 13s
[kubeadm@server2 secret]$ kubectl exec -it mysecret -- bash
root@mysecret:/# cd /secret/
root@mysecret:/secret# ls
my-group
root@mysecret:/secret# cd my-group
root@mysecret:/secret/my-group# ls
my-username
root@mysecret:/secret/my-group# cat my-username
admin
[kubeadm@server2 secret]$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: secret-env
spec:
containers:
- name: nginx
image: nginx
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: mysecret
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password
[kubeadm@server2 secret]$ kubectl apply -f pod.yaml
pod/secret-env created
[kubeadm@server2 secret]$ kubectl get pod
NAME READY STATUS RESTARTS AGE
secret-env 1/1 Running 0 17s
[kubeadm@server2 secret]$ kubectl exec -it secret-env -- bash
root@secret-env:/# env
SECRET_USERNAME=admin
SECRET_PASSWORD=westos
环境变量读取secret很方便,但无法支撑secret动态更新
[kubeadm@server2 secret]$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: game2048
image: reg.westos.org/westos/game2048
imagePullSecrets:
- name: myregistrykey
[kubeadm@server2 secret]$ kubectl create secret docker-registry myregistrykey --docker-server=reg.westos.org --docker-username=zjy --docker-password=Westos+001 --docker-email=941070082@qq.com
[kubeadm@server2 secret]$ kubectl describe secrets myregistrykey
Name: myregistrykey
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 128 bytes
[kubeadm@server2 secret]$ kubectl get secrets myregistrykey -o yaml
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyJyZWcud2VzdG9zLm9yZyI6eyJ1c2VybmFtZSI6InpqeSIsInBhc3N3b3JkIjoiV2VzdG9zKzAwMSIsImVtYWlsIjoiOTQxMDcwMDgyQHFxLmNvbSIsImF1dGgiOiJlbXA1T2xkbGMzUnZjeXN3TURFPSJ9fX0=
kind: Secret
[kubeadm@server2 secret]$ kubectl apply -f pod.yaml
pod/mypod created
[kubeadm@server2 secret]$ kubectl get pod
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 23s