k8s Storage (Using Secrets)

1. Secret overview
A Secret is an object that holds a small amount of sensitive data such as a password, a token, or a key. Keeping this information in a Secret is safer and more flexible than putting it in a Pod definition or a container image, and reduces the risk of accidental exposure.

2. Built-in Secrets
Service Accounts automatically create and attach Secrets containing API credentials.
Kubernetes automatically creates a Secret containing credentials for accessing the API and automatically modifies your Pods to use this type of Secret. Inside the container it is mounted under /run/secrets/kubernetes.io/serviceaccount/:
[root@k8smaster test]# kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
volume-pod   1/1     Running   0          47m
[root@k8smaster test]# kubectl exec -it volume-pod -- /bin/bash
root@volume-pod:/usr/local/tomcat# ls -lrt /run/secrets/kubernetes.io/serviceaccount/
total 0
lrwxrwxrwx 1 root root 12 Feb 18 16:05 token -> ..data/token
lrwxrwxrwx 1 root root 16 Feb 18 16:05 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 13 Feb 18 16:05 ca.crt -> ..data/ca.crt
root@volume-pod:/usr/local/tomcat# 

3. Manually creating an Opaque Secret
To store two strings in a Secret using the data field, first convert them to base64 as shown below:
[root@k8smaster test]# echo -n 'admin' | base64
YWRtaW4=
[root@k8smaster test]# echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
[root@k8smaster test]# 

[root@k8smaster test]# more mysecret.yanl 
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  uname: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
[root@k8smaster test]# kubectl create -f mysecret.yanl 
secret/mysecret created
[root@k8smaster test]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      2d8h
default-token-vt7pl   kubernetes.io/service-account-token   3      6d20h
mysecret              Opaque                                2      31s
tls-secret            kubernetes.io/tls                     2      2d8h
[root@k8smaster test]# kubectl describe secret mysecret
Name:         mysecret
Namespace:    default
Labels:      
Annotations:  

Type:  Opaque

Data
====
password:  12 bytes
uname:     3 bytes
[root@k8smaster test]# 
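
As an added example (not from the original post), the following Python script does what the manual `echo -n ... | base64` step above does and builds the same mysecret manifest, then decodes the data: field back to plaintext. This shows that base64 is encoding rather than encryption: anyone who can read the Secret object can read the values. It also flags values that carry a trailing newline, which is what you get when echo is run without -n before base64. The function names and sample values are constructed for this example.

```python
import base64
import json

# Constructed sample: the same two values the page encodes by hand.
PLAIN = {"uname": "admin", "password": "1f2d1e2e67df"}


def build_opaque_secret(name, values):
    """Build an Opaque Secret manifest, base64-encoding each value.

    Equivalent to `echo -n VALUE | base64`: no trailing newline is encoded.
    """
    data = {k: base64.b64encode(v.encode()).decode("ascii")
            for k, v in values.items()}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": data,
    }


def decode_secret_data(manifest):
    """Decode data: back to plaintext; base64 is encoding, not encryption."""
    return {k: base64.b64decode(v).decode()
            for k, v in manifest.get("data", {}).items()}


def find_trailing_newlines(manifest):
    """Return keys whose decoded value ends in '\\n'.

    This is the usual result of `echo VALUE | base64` (no -n); the newline
    ends up in the mounted file or environment variable and breaks logins.
    """
    return [k for k, v in decode_secret_data(manifest).items()
            if v.endswith("\n")]


if __name__ == "__main__":
    manifest = build_opaque_secret("mysecret", PLAIN)
    print(json.dumps(manifest, indent=2))          # data: uname YWRtaW4=, ...
    print(decode_secret_data(manifest))            # {'uname': 'admin', ...}
    # Constructed bad manifest: 'admin\n' encoded, as plain echo would do.
    bad = build_opaque_secret("mysecret", {"uname": "admin\n"})
    print(find_trailing_newlines(bad))             # ['uname']
```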

4. Creating a Pod
1) Consuming the Secret through a volume
[root@k8smaster test]# more env-volume.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: volume-pod
spec:
  containers:
  - name: volume-pod-ctn
    image: 192.168.23.100:5000/tomcat:v2
    volumeMounts:
    - name: config-volume
      mountPath: /tmp/config
      readOnly: true
  volumes:
    - name: config-volume
      secret:
        secretName: mysecret
  restartPolicy: Never
[root@k8smaster test]# kubectl create -f env-volume.yaml 
pod/volume-pod created
[root@k8smaster test]# kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
volume-pod   1/1     Running   0          6s
[root@k8smaster test]# kubectl exec -it volume-pod /bin/bash
root@volume-pod:/usr/local/tomcat# cd /tmp/config/
root@volume-pod:/tmp/config# ls -lrt
total 0
lrwxrwxrwx 1 root root 12 Feb 18 17:15 uname -> ..data/uname
lrwxrwxrwx 1 root root 15 Feb 18 17:15 password -> ..data/password
root@volume-pod:/tmp/config# more uname 
admin
root@volume-pod:/tmp/config# more password 
1f2d1e2e67df
root@volume-pod:/tmp/config# 

2) Consuming the Secret through environment variables
[root@k8smaster test]# more env-pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: env-pod
spec:
  containers:
  - name: env-pod-ctn
    image: 192.168.23.100:5000/tomcat:v2
    command: ["/bin/bash","-c","env"]
    env:
    - name: SECRET_NAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: uname
    - name: SECRET_PWD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
  restartPolicy: Never
[root@k8smaster test]# kubectl create -f env-pod.yaml 
pod/env-pod created
[root@k8smaster test]# kubectl get pod
NAME      READY   STATUS      RESTARTS   AGE
env-pod   0/1     Completed   0          5s
[root@k8smaster test]# kubectl logs env-pod|grep SECRET
SECRET_PWD=1f2d1e2e67df
SECRET_NAME=admin
[root@k8smaster test]# 
