1. Understanding Secret
The Secret resource is functionally similar to ConfigMap, but it is dedicated to holding sensitive data such as passwords, digital certificates, private keys, tokens and SSH keys.
A Secret object stores and exposes data the way a ConfigMap does: as key/value pairs, accessed from a Pod through environment variables or a volume. The differences are that a Secret is distributed only to the worker nodes running Pods that reference it, and a node keeps it in memory only. In addition, a Secret's data is stored and printed as Base64-encoded strings, so the user must supply data in that encoding when creating the object; when a container reads the data through an environment variable or a volume, it is decoded back to plain text automatically.
Note that on the Master nodes a Secret object is stored unencrypted in etcd, so administrators must take care to preserve the confidentiality of this data: communication between etcd cluster members and with the API Server must be secured, access to the etcd service must be authorized, and user access to the API Server must be authorized as well, because any user who can create Pods can reference a Secret and read its data from a container in that Pod.
Secret objects have two main uses: being injected into a Pod as a volume for the container application to use, and supplying kubelet with credentials for pulling a Pod's container images from a private registry. However, a Secret object built from a ServiceAccount resource, covered later, is a more secure approach. Configuring a container through ConfigMap and Secret is illustrated in the figure below:
Secret resources come in four main types:
Opaque: arbitrary user-defined data, Base64-encoded, used to store passwords, keys, certificates and similar data; the type identifier is generic.
kubernetes.io/service-account-token: Service Account credentials, created automatically by Kubernetes when a Service Account is created.
kubernetes.io/dockerconfigjson: credentials for a Docker image registry; the type identifier is docker-registry.
kubernetes.io/tls: a certificate and private key for SSL/TLS communication; the type identifier for imperative creation is tls.
2. Creating a Secret imperatively
In many scenarios the application in a Pod needs a username and password to access another service, such as a database. A Secret of this kind can be created with the "kubectl create secret generic" command.
1) Create the Secret object
]# kubectl create secret generic mysq-auth --from-literal=username=root --from-literal=password=123456
secret/mysq-auth created
2) View the details of the Secret object
]# kubectl get secret -o wide
NAME        TYPE     DATA   AGE
mysq-auth   Opaque   2      17s
]# kubectl describe secret mysql-auth
Name:         mysql-auth
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  6 bytes
username:  4 bytes
]# kubectl get secret mysql-auth -o yaml
apiVersion: v1
data:
  password: MTIzNDU2
  username: cm9vdA==
kind: Secret
metadata:
  creationTimestamp: "2020-08-30T09:56:41Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
        f:username: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-08-30T09:56:41Z"
  name: mysql-auth
  namespace: default
  resourceVersion: "6479799"
  selfLink: /api/v1/namespaces/default/secrets/mysql-auth
  uid: e6c28302-9480-408f-a657-6ba23869c833
type: Opaque
3) Decode the data to view its content
]# echo cm9vdA== | base64 -d
root
]# echo MTIzNDU2 | base64 -d
123456
4) Create a Secret object from files
For data that is already stored in files, the "--from-file" option can load it directly when creating a generic Secret object. For example, the following command builds a Secret from an SSH public/private key pair:
]# kubectl create secret generic ssh-key-secret --from-file=ssh-privatekey=/root/.ssh/id_rsa \
> --from-file=ssh-publickey=/root/.ssh/id_rsa.pub
secret/ssh-key-secret created
5) View the details of the Secret
]# kubectl get secret -o wide
NAME             TYPE     DATA   AGE
ssh-key-secret   Opaque   2      36s
]# kubectl get secret ssh-key-secret -o yaml
apiVersion: v1
data:
  ssh-privatekey: <base64 data omitted>
  ssh-publickey: <base64 data omitted>
kind: Secret
metadata:
  creationTimestamp: "2020-08-30T10:04:52Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ssh-privatekey: {}
        f:ssh-publickey: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-08-30T10:04:52Z"
  name: ssh-key-secret
  namespace: default
  resourceVersion: "6481203"
  selfLink: /api/v1/namespaces/default/secrets/ssh-key-secret
  uid: 2fa50101-13fb-445c-a91d-acf5d8df35fd
type: Opaque
6) Create a TLS-type Secret
]# (umask 077;openssl genrsa -out nginx.key 2048)
]# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Beijing/O=DevOps/CN=www.ilinux.io
]# kubectl create secret tls nginx-ssl --key=nginx.key --cert=nginx.crt
secret/nginx-ssl created
7) View the TLS-type Secret object
]# kubectl get secret -o wide
NAME        TYPE                DATA   AGE
nginx-ssl   kubernetes.io/tls   2      40s
]# kubectl get secret nginx-ssl -o yaml
apiVersion: v1
data:
  tls.crt: <base64 data omitted>
  tls.key: <base64 data omitted>
kind: Secret
metadata:
  creationTimestamp: "2020-08-30T10:11:38Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:tls.crt: {}
        f:tls.key: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-08-30T10:11:38Z"
  name: nginx-ssl
  namespace: default
  resourceVersion: "6482359"
  selfLink: /api/v1/namespaces/default/secrets/nginx-ssl
  uid: ecbbe79b-1c68-4bb1-8e58-3388e83ba8fe
type: kubernetes.io/tls
3. Creating a Secret from a manifest
A Secret is a standard Kubernetes API object. Besides the standard apiVersion, kind and metadata fields, the fields available to it are as follows:
data: key/value data, usually sensitive information; the values must be Base64-encoded strings, so the user has to encode them in advance.
stringData: key/value data given in plain text (not Base64-encoded); the user does not encode it, and when the object is created the API Server encodes it and stores it in the data field. The plain text in stringData is not output by the API Server, but if the object was created with "kubectl apply", the annotations may still expose it in plain text.
type
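The Base64 handling described in section 1 and the data/stringData distinction above, as an added Python example (this is not code from the page): it applies the encoding the API Server performs on stringData, decodes a data field the way "base64 -d" does, validates a data field before it is applied, and shows the trailing-newline mistake that "echo value | base64" introduces. The sample key/value pairs are constructed; the function names are this example's own.

```python
import base64
import binascii
import json

# Constructed sample (not from the page): the plain-text pairs a user would put
# under stringData in a manifest.
PLAIN = {"username": "redis", "password": "redis123"}


def encode_data(string_data):
    """Turn plain-text key/value pairs into the Base64 strings the data field
    requires; this is the transformation the API Server applies to stringData."""
    return {k: base64.b64encode(v.encode()).decode("ascii")
            for k, v in string_data.items()}


def decode_data(data):
    """Decode a Secret's data field back to plain text, which is what a container
    sees through an env var or a volume (equivalent to `base64 -d`)."""
    return {k: base64.b64decode(v, validate=True).decode() for k, v in data.items()}


def validate_data(data):
    """Return the keys whose values are not valid Base64. The API Server rejects
    such a manifest with an 'illegal base64 data' error, so check before apply."""
    bad = []
    for k, v in data.items():
        try:
            base64.b64decode(v, validate=True)
        except (binascii.Error, ValueError):
            bad.append(k)
    return bad


def build_secret(name, string_data, namespace="default"):
    """Build an Opaque Secret manifest with a pre-encoded data field, i.e. the
    object that `kubectl get secret -o yaml` prints for a stringData manifest."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": encode_data(string_data),
    }


def trailing_newline_trap(value):
    """Show why `echo value | base64` is wrong for Secret data: echo appends '\\n',
    so the encoded value differs from `echo -n value | base64` and the container
    receives the secret with a newline attached."""
    return {
        "with_newline": base64.b64encode((value + "\n").encode()).decode("ascii"),
        "without_newline": base64.b64encode(value.encode()).decode("ascii"),
    }


if __name__ == "__main__":
    secret = build_secret("secret-demo", PLAIN)
    print(json.dumps(secret, indent=2))
    print(decode_data(secret["data"]))
    print(validate_data({"ok": "cm9vdA==", "broken": "not base64!"}))
    print(trailing_newline_trap("123456"))
```

The encoded values produced for "redis" and "redis123" are exactly the ones the page's "kubectl get secret secret-demo -o yaml" output shows, which is a quick way to confirm that a hand-written data field matches what the API Server would have generated from stringData.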
1) Write the YAML file for the Secret
]# cat secret-demo.yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-demo
stringData:
  username: redis
  password: redis123
type: Opaque
]# kubectl apply -f secret-demo.yaml
secret/secret-demo created
2) View the details of the Secret
]# kubectl get secret -o wide
NAME          TYPE     DATA   AGE
secret-demo   Opaque   2      8s
]# kubectl get secret secret-demo -o yaml
apiVersion: v1
data:
  password: cmVkaXMxMjM=
  username: cmVkaXM=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"secret-demo","namespace":"default"},"stringData":{"password":"redis123","username":"redis"},"type":"Opaque"}
  creationTimestamp: "2020-08-30T10:21:05Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
        f:username: {}
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-08-30T10:21:05Z"
  name: secret-demo
  namespace: default
  resourceVersion: "6483976"
  selfLink: /api/v1/namespaces/default/secrets/secret-demo
  uid: b9514dfe-08f5-4cce-935b-24fd94cb7bf9
type: Opaque
4. Secret volumes
As with the way a Pod consumes a ConfigMap, a Secret can be injected as environment variables or mounted as a volume. However, container applications commonly dump all their environment variables to the log when an error occurs, and some print the whole runtime environment at startup; moreover, when an application spawns a third-party program as a child process, that child inherits every environment variable of its parent. For these reasons, referencing sensitive data from a Secret through environment variables is hardly a wise choice.
Using a Secret volume in a Pod is almost identical to using a ConfigMap volume, except that the volume type and reference key become secret and secretName; it likewise supports mounting the whole volume, mounting only selected keys, and mounting individual keys to separate paths. The example below mounts the nginx-ssl Secret created earlier into a Pod to enable SSL-encrypted access.
1) Write the YAML file for the Pod
]# cat nginx-ssl.yaml
apiVersion: v1
kind: Service
metadata:
  name: svc-nodeport
spec:
  type: NodePort
  selector:
    app: myapp
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 32222
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume-demo
  namespace: default
  labels:
    app: myapp
spec:
  containers:
  - name: web-server
    image: nginx:alpine
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: nginxcert
      mountPath: /etc/nginx/ssl/
      readOnly: true
  volumes:
  - name: nginxcert
    secret:
      secretName: nginx-ssl
]# kubectl apply -f svc-nodeport.yaml
service/svc-nodeport created
pod/secret-volume-demo created
2) View the Pod information
]# kubectl get pods -o wide
NAME                 READY   STATUS    RESTARTS   AGE   IP             NODE    NOMINATED NODE   READINESS GATES
secret-volume-demo   1/1     Running   0          7s    10.244.1.125   node1   <none>           <none>
]# kubectl get svc
NAME           TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
svc-nodeport   NodePort   10.107.183.226   <none>        80:32222/TCP   14s
3) Check whether the Secret has been mounted
]# kubectl exec -it secret-volume-demo -- ls /etc/nginx/ssl/
tls.crt tls.key
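To make the advice above checkable, here is an added Python example (not code from the page): it lints a Pod manifest for Secrets injected through env or envFrom, lists the Secrets consumed as volumes, and builds a Secret volume that projects only selected keys with a restrictive file mode. It goes slightly beyond the page by using the items and defaultMode fields of the secret volume source, which the page mentions in prose (mounting only selected keys) but does not show. The two Pod manifests are constructed samples modelled on the page's objects; the function names are this example's own.

```python
import json

# Constructed sample (not from the page): the page's Pod, which consumes the
# nginx-ssl Secret as a read-only volume.
VOLUME_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "secret-volume-demo", "namespace": "default"},
    "spec": {
        "containers": [{
            "name": "web-server",
            "image": "nginx:alpine",
            "volumeMounts": [{"name": "nginxcert",
                              "mountPath": "/etc/nginx/ssl/",
                              "readOnly": True}],
        }],
        "volumes": [{"name": "nginxcert", "secret": {"secretName": "nginx-ssl"}}],
    },
}

# Constructed sample (not from the page): the same kind of Pod, but pulling
# Secrets into the process environment, the pattern the page advises against.
ENV_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "secret-env-demo", "namespace": "default"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "nginx:alpine",
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "mysql-auth",
                                                    "key": "password"}}}],
            "envFrom": [{"secretRef": {"name": "secret-demo"}}],
        }],
    },
}


def secret_env_findings(pod):
    """Return (container, env var or 'envFrom', secret name) for every place a Pod
    spec injects a Secret through the environment; an empty list means clean."""
    findings = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append((c["name"], e["name"], ref["name"]))
        for e in c.get("envFrom", []):
            ref = e.get("secretRef")
            if ref:
                findings.append((c["name"], "envFrom", ref["name"]))
    return findings


def secret_volume_names(pod):
    """Return the Secrets a Pod consumes as volumes, the form the page recommends."""
    return sorted(v["secret"]["secretName"]
                  for v in pod.get("spec", {}).get("volumes", []) if "secret" in v)


def secret_volume(name, secret_name, keys=None, mode=0o400):
    """Build a secret volume definition. When keys is given, only those keys are
    projected (the 'mount only selected keys' form), each as a file named after
    the key; defaultMode sets the permission bits of the projected files
    (0o400 = 256, owner read-only)."""
    vol = {"name": name, "secret": {"secretName": secret_name, "defaultMode": mode}}
    if keys:
        vol["secret"]["items"] = [{"key": k, "path": k} for k in keys]
    return vol


if __name__ == "__main__":
    for pod in (VOLUME_POD, ENV_POD):
        print(pod["metadata"]["name"], "env findings:", secret_env_findings(pod),
              "volumes:", secret_volume_names(pod))
    print(json.dumps(secret_volume("nginxcert", "nginx-ssl", ["tls.crt", "tls.key"]),
                     indent=2))
```

Running the linter over the page's own Pod returns no findings, while the constructed env-based Pod is flagged twice (once for the secretKeyRef and once for the envFrom); the same walk can be run over every manifest in a repository before it is applied.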