Understanding Secrets

Table of contents

  • I. Understanding Secrets
    • 1. serviceaccount
    • 2. Opaque Secret
      • 1) Create the secret
      • 2) Mount the secret as a volume
      • 3) Expose the secret as environment variables
      • 4) Storing private docker registry credentials in a Secret
      • Creating a docker registry credential secret with kubectl
    • 4. kubernetes.io/dockerconfigjson
    • 5. kubernetes.io/service-account-token
    • 7. Secret vs. ConfigMap
      • Similarities:
      • Differences:

I. Understanding Secrets

Kubernetes has another object very similar to ConfigMap, called Secret.
It is mainly used to store sensitive information such as passwords, keys and certificates.

Secrets solve the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in the image or in the Pod spec.
A Secret can be consumed as a Volume or as environment variables.

There are three kinds of Secret:
# Service Account:
Used to access the Kubernetes API. Created automatically by Kubernetes and automatically mounted into the Pod at
/run/secrets/kubernetes.io/serviceaccount;
Opaque: a base64-encoded Secret, used to store passwords, keys and the like;
kubernetes.io/dockerconfigjson: used to store the credentials of a private docker registry.

# Secret types:

	tls: generally used to deploy certificates
	Opaque: generally used to deploy passwords
	Service Account: deploys Kubernetes API credentials
	kubernetes.io/dockerconfigjson: deploys container registry login information


1. serviceaccount

Directory: /run/secrets/kubernetes.io/serviceaccount

[root@k8s-master-01 mnt]# kubectl get pods -n kube-system 
NAME                                    READY   STATUS    RESTARTS   AGE
coredns-f68b4c98f-nkqlm                 1/1     Running   2          21d
coredns-f68b4c98f-wzrrq                 1/1     Running   2          21d
etcd-k8s-master-01                      1/1     Running   3          21d
kube-apiserver-k8s-master-01            1/1     Running   3          21d
kube-controller-manager-k8s-master-01   1/1     Running   4          21d
kube-flannel-ds-8zj9t                   1/1     Running   1          10d
kube-flannel-ds-jmq5p                   1/1     Running   0          10d
kube-flannel-ds-vjt8b                   1/1     Running   4          10d
kube-proxy-kl2qj                        1/1     Running   2          21d
kube-proxy-rrlg4                        1/1     Running   1          21d
kube-proxy-tc2nd                        1/1     Running   0          21d
kube-scheduler-k8s-master-01            1/1     Running   4          21d

[root@k8s-master-01 mnt]# kubectl exec -it kube-proxy-kl2qj -n kube-system -- sh
# cd run
# ls
lock  secrets  utmp  xtables.lock
# cd secrets
# cd kubernetes.io
# cd serviceaccount
# ls
ca.crt	namespace  token
# cat ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
# cat namespace
kube-system# 
# cat token
eyJhbGciOiJSUzI1NiIsImtpZCI6InVZNmNCRXo3SC1XVnMxLWlsWEZfZ3ctc2V0ZXFqWkNsRy1ic3ZYSTczVkkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlLXByb3h5LXRva2VuLWcyaGxtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Imt1YmUtcHJveHkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJlN2Q4NTIzNC0wZWMzLTQ0MjQtOTNkMC1hODQ5ZjA0NGI0MzEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06a3ViZS1wcm94eSJ9.rFdcQnRXuhQscLdVmS5-hAY7Eef6HY5KD6MPvChpCsK8FPpvuOGGP4NtAwX6oBHjxrBunjGI_5h44zl6t-f-tzmPejr3WspedmvLiBz4w5Ykf0EB7vBzUHIU1WILzGF_g5vi64I-FohXxgL1s_tV4qxAxcNO53R74lVqAW-Ssfu4Nx2L77K6fSaKch2nJjSUwHoJnNeQCNlMTeCQLz4vf012IPDPRF50rjf0LRpMA554wBFHGp50GogurgxOsWPFrq0wh4-GvePVHY9hZD3c3vaMxPcI3C2nlxcgMIQBMBFJjJKWjnCzy4PVf-HiuqTEHrxvh-iPtuqzEJM0toDVJA# 

2. Opaque Secret

The data of an Opaque Secret is a map whose values must be base64 encoded.

[root@k8s-master-01 mnt]# echo -n "admin"  |base64
YWRtaW4=
[root@k8s-master-01 mnt]# echo -n "12345678"  |base64
MTIzNDU2Nzg=
[root@k8s-master-01 mnt]# echo -n "MTIzNDU2Nzg="  |base64 -d
12345678

1) Create the secret

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MTIzNDU2Nzg=
  username: YWRtaW4=
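The manifest above encodes each value by hand with `echo -n ... | base64`. The following is an added example, not code from the original post: it builds the same Opaque Secret object in Python, decodes it back, and shows why the `-n` matters (without it, `echo` appends a newline, and the encoded value no longer matches the password). The secret name and values mirror the page; the function names are this example's own.

```python
# Added example (not from the original post): build an Opaque Secret manifest
# from plaintext values, decode one back, and show the trailing-newline pitfall
# that `echo -n` avoids.
import base64
import json


def encode_value(plaintext: str) -> str:
    """base64-encode a plaintext value exactly as `echo -n value | base64` does."""
    return base64.b64encode(plaintext.encode("utf-8")).decode("ascii")


def decode_value(encoded: str) -> str:
    """Decode a value from a Secret's data map (`base64 -d`)."""
    return base64.b64decode(encoded).decode("utf-8")


def build_opaque_secret(name: str, values: dict) -> dict:
    """Return an Opaque Secret object with every value base64-encoded."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {key: encode_value(value) for key, value in values.items()},
    }


def read_opaque_secret(secret: dict) -> dict:
    """Decode every value of an Opaque Secret's data map back to plaintext."""
    if secret.get("type") != "Opaque":
        raise ValueError("not an Opaque secret")
    return {key: decode_value(value) for key, value in secret.get("data", {}).items()}


def trailing_newline_pitfall(plaintext: str) -> tuple:
    """Return (encoding of value, encoding of value + newline): `echo` without -n
    produces the second one, and the Secret would then hold a wrong password."""
    return encode_value(plaintext), encode_value(plaintext + "\n")


if __name__ == "__main__":
    # Constructed sample values; they match the username/password used on the page.
    manifest = build_opaque_secret("mysecret", {"username": "admin", "password": "12345678"})
    # JSON is valid YAML, so this output can be fed to `kubectl apply -f -` as is.
    print(json.dumps(manifest, indent=2))
    print(read_opaque_secret(manifest))
    print(trailing_newline_pitfall("admin"))
```

Note that the decoded map is exactly what any principal with `get` permission on Secrets in that namespace can read; base64 hides nothing, so RBAC on the Secret resource is what actually protects the values.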


[root@k8s-master-01 mnt]# kubectl get secrets 

default-token-hd5m9   kubernetes.io/service-account-token   3      21d
mysecret              Opaque 

2) Mount the secret as a volume

[root@k8s-master-01 mnt]# vim secret-pod.yaml 

apiVersion: v1
kind: Pod
metadata:
  name: secret-test
  labels:
    name: secret-test
spec:
  volumes:   # volumes to mount
  - name: secrets  # name of the volume
    secret:     # volume source type (secret)
      secretName: mysecret  # name of the secret created above
  containers:
  - image: wangyanglinux/myapp:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true




[root@k8s-master-01 mnt]# kubectl apply -f secret-pod.yaml 
pod/secret-test created
[root@k8s-master-01 mnt]# kubectl get pods
NAME                        READY   STATUS    RESTARTS   AGE
my-nginx-76b6998ccc-vbk72   1/1     Running   0          3h34m
secret-test                 1/1     Running   0          7s
[root@k8s-master-01 mnt]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      3d8h
default-token-hd5m9   kubernetes.io/service-account-token   3      21d
ingress-tls           kubernetes.io/tls                     2      4d22h
mysecret              Opaque                                2      7m11s

# Enter the container and look at the secret; the values have already been decoded

[root@k8s-master-01 mnt]# kubectl exec -it secret-test -- sh
/ # cd /etc/secrets
/etc/secrets # ls
password  username
/etc/secrets # cd username
/etc/secrets # cat username
admin/etc/secrets # cat password
12345678/etc/secrets # 


3) Expose the secret as environment variables


apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: pod-deployment
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
      - name: pod-deloy
        image: wangyanglinux/myapp:v1
        ports:
        - containerPort: 80
        env:      # environment variables
        - name: TEST_USER  # name of the environment variable
          valueFrom:       # where the value comes from
            secretKeyRef:   # take it from a secret
              name: mysecret  # name of the secret
              key: username   # key within the secret
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password




# Enter the container and view the plaintext password
[root@k8s-master-01 mnt]# kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
my-nginx-76b6998ccc-vbk72         1/1     Running   0          3h51m
pod-deployment-68b66f6d4b-jskrd   1/1     Running   0          11s
pod-deployment-68b66f6d4b-nnqdb   1/1     Running   0          11s
secret-test                       1/1     Running   0          17m
[root@k8s-master-01 mnt]# kubectl exec -it pod-deployment-68b66f6d4b-jskrd -- sh
/ # cd /etc/secrets
sh: cd: can't cd to /etc/secrets
/ # echo $TEST_USER
admin
/ # echo $TEST_PASSWORD
12345678

4) Storing private docker registry credentials in a Secret

1. kubernetes.io/dockerconfigjson

Used to store the credentials of a private docker registry.

1. Create the secret # using an Alibaba Cloud private registry
export DOCKER_REGISTRY_SERVER="仓库URL"    # registry URL
export DOCKER_USER="仓库用户名"             # registry username
export DOCKER_PASSWORD="密码"              # password
export DOCKER_EMAIL="邮箱"                 # email

kubectl create secret docker-registry aliyun --docker-server=$DOCKER_REGISTRY_SERVER --docker-username=$DOCKER_USER --docker-password=$DOCKER_PASSWORD --docker-email=$DOCKER_EMAIL  # the email may be omitted


Creating a docker registry credential secret with kubectl

# 1. First create the secret for logging in to Alibaba Cloud
[root@k8s-m-01 ~]# kubectl create secret docker-registry aliyun --docker-server=registry.cn-shanghai.aliyuncs.com --docker-username=明明爷青回 --docker-password=xxx # password
secret/aliyun created
# 2. List the secrets
[root@k8s-m-01 ~]# kubectl get secrets 
NAME                                            TYPE                                  DATA   AGE
aliyun                                          kubernetes.io/dockerconfigjson        1      10s
default-token-tg92f                             kubernetes.io/service-account-token   3      11d
# 3. Delete the secret
[root@k8s-m-01 ~]# kubectl delete secrets aliyun 
secret "aliyun" deleted

# 4. Write a manifest that pulls the image using the secret
[root@k8s-m-01 ~]# vim aliyun.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: test-docker-registry
spec:
  selector:
    matchLabels:
      app: test-docker-registry
  template:
    metadata:
      labels:
        app: test-docker-registry
    spec:
      imagePullSecrets: # with this the node logs in to Alibaba Cloud to pull the images
        - name: aliyun  # must match the name of the secret created above
      containers:
        - name: php
          imagePullPolicy: Always
          image: registry.cn-shanghai.aliyuncs.com/aliyun_mm/discuz:php-v1
        - name: nginx
          imagePullPolicy: Always
          image: registry.cn-shanghai.aliyuncs.com/aliyun_mm/discuz:nginx-v1
# 5. Create the resources from the yaml file
[root@k8s-m-01 ~]# kubectl create -f aliyun.yaml
# 6. Check the pods
[root@k8s-m-01 ~]# kubectl get pod
NAME                                                 READY   STATUS    RESTARTS   AGE
nfs-client-nfs-client-provisioner-777fbc4cd6-d9gkj   1/1     Running   0          4h43m
test-docker-registry-f9d86c548-p8nll                 2/2     Running   0          4s


4. kubernetes.io/dockerconfigjson

Besides the Opaque type above, we can also create a Secret holding docker registry credentials, directly with the kubectl create command, as follows:

$ kubectl create secret docker-registry myregistry --docker-server=DOCKER_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret "myregistry" created

Then list the Secrets:

$ kubectl get secret
NAME                  TYPE                                  DATA      AGE
default-token-n9w2d   kubernetes.io/service-account-token   3         33d
myregistry            kubernetes.io/dockerconfigjson        1         15s
mysecret              Opaque                                2         34m

Note the TYPE column above: myregistry has the type kubernetes.io/dockerconfigjson. As before, the describe command shows the details:

$ kubectl describe secret myregistry
Name:         myregistry
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  152 bytes

Again the Data section is not shown directly; to see it, output the object with -o yaml:

$ kubectl get secret myregistry -o yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJET0NLRVJfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0=
kind: Secret
metadata:
  creationTimestamp: 2018-06-19T16:01:05Z
  name: myregistry
  namespace: default
  resourceVersion: "3696966"
  selfLink: /api/v1/namespaces/default/secrets/myregistry
  uid: f91db707-73d9-11e8-a101-525400db4df7
type: kubernetes.io/dockerconfigjson

Let's base64-decode the value under data.dockerconfigjson above and see what it contains:

$ echo eyJhdXRocyI6eyJET0NLRVJfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0= | base64 -d
{"auths":{"DOCKER_SERVER":{"username":"DOCKER_USER","password":"DOCKER_PASSWORD","email":"DOCKER_EMAIL","auth":"RE9DS0VSX1VTRVI6RE9DS0VSX1BBU1NXT1JE"}}}
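The decoded JSON above shows that the registry password is stored twice in plain form (the `password` field and the `auth` field, which is base64 of `user:password`). The following is an added example, not code from the original post: it builds a `.dockerconfigjson` value with the same layout that `kubectl create secret docker-registry` produces, and parses one back, using the base64 string printed on the page as sample input. The function names and the sample registry/user values are this example's own.

```python
# Added example (not from the original post): build and parse the
# .dockerconfigjson payload of a kubernetes.io/dockerconfigjson Secret.
# Base64 is encoding, not encryption: anyone who can read the Secret can
# recover the registry password from either the "password" or the "auth" field.
import base64
import json

# The base64 value printed by `kubectl get secret myregistry -o yaml` on the page.
PAGE_DOCKERCONFIGJSON = (
    "eyJhdXRocyI6eyJET0NLRVJfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNz"
    "d29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJF"
    "OURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0="
)


def build_dockerconfigjson(server: str, username: str, password: str, email: str = None) -> str:
    """Return the base64 .dockerconfigjson value for one registry entry.
    Layout follows the decoded output on the page: username, password, (email), auth."""
    auth = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    entry = {"username": username, "password": password}
    if email is not None:
        entry["email"] = email
    entry["auth"] = auth
    payload = json.dumps({"auths": {server: entry}}, separators=(",", ":"))
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def parse_dockerconfigjson(encoded: str) -> dict:
    """Decode a .dockerconfigjson value into {server: {"username": ..., "password": ...}}.
    Falls back to the "auth" field when username/password are absent."""
    config = json.loads(base64.b64decode(encoded).decode("utf-8"))
    result = {}
    for server, entry in config.get("auths", {}).items():
        username, password = entry.get("username"), entry.get("password")
        if "auth" in entry:
            auth_user, _, auth_pass = base64.b64decode(entry["auth"]).decode("utf-8").partition(":")
            username = username or auth_user
            password = password or auth_pass
        result[server] = {"username": username, "password": password}
    return result


def decode_auth_field(encoded: str, server: str) -> str:
    """Return the plaintext "user:password" hidden in the auth field for one server."""
    config = json.loads(base64.b64decode(encoded).decode("utf-8"))
    return base64.b64decode(config["auths"][server]["auth"]).decode("utf-8")


if __name__ == "__main__":
    print(parse_dockerconfigjson(PAGE_DOCKERCONFIGJSON))
    # Constructed sample registry and credentials (not from the page).
    built = build_dockerconfigjson("registry.example.test", "alice", "s3cret", "alice@example.test")
    print(built)
    print(decode_auth_field(built, "registry.example.test"))
```

Because both fields carry the password, limiting who can read Secrets in the namespace (and avoiding `-o yaml` output in shared logs or tickets) matters more than the encoding.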

To pull docker images from a private registry we need to use the myregistry Secret above:

apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: foo
    image: 192.168.1.100:5000/test:v1
  imagePullSecrets:
  - name: myregistry

To pull the private-registry image 192.168.1.100:5000/test:v1, we need to create a Secret like the one above for that registry and then specify imagePullSecrets in the Pod YAML; we will cover this in detail in the later lesson on setting up a private registry.

5. kubernetes.io/service-account-token

Another Secret type is kubernetes.io/service-account-token, which is referenced by a serviceaccount. When a serviceaccount is created, Kubernetes creates the corresponding secret by default. If a Pod uses the serviceaccount, the corresponding secret is automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount.

Here we use an nginx image to verify this. Think about why we don't use a busybox image: we could, but then we could not verify it from the container's command, because the token is only mounted once the Pod is running, so looking for it directly in the command would find no token file yet.

$ kubectl run secret-pod3 --image nginx:1.7.9
deployment.apps "secret-pod3" created
$ kubectl get pods
NAME                           READY     STATUS    RESTARTS   AGE
...
secret-pod3-78c8c76db8-7zmqm   1/1       Running   0          13s
...
$ kubectl exec secret-pod3-78c8c76db8-7zmqm ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
$ kubectl exec secret-pod3-78c8c76db8-7zmqm cat /run/secrets/kubernetes.io/serviceaccount/token
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbjl3MmQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzY2FkOWQxLTU5MmYtMTFlOC1hMTAxLTUyNTQwMGRiNGRmNyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.0FpzPD8WO_fwnMjwpGIOphdVu4K9wUINwpXpBOJAQ-Tawd0RTbAUHcgYy3sEHSk9uvgnl1FJRQpbQN3yVR_DWSIlAtbmd4dIPxK4O7ZVdd4UnmC467cNXEBqL1sDWLfS5f03d7D1dw1ljFJ_pJw2P65Fjd13reKJvvTQnpu5U0SDcfxj675-Z3z-iOO3XSalZmkFIw2MfYMzf_WpxW0yMFCVkUZ8tBSTegA9-NJZededceA_VCOdKcUjDPrDo-CNti3wZqax5WPw95Ou8RJDMAIS5EcVym7M2_zjGiqHEL3VTvcwXbdFKxsNX-1VW6nr_KKuMGKOyx-5vgxebl71QQ
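The token above is a JWT, so its header and claims can be read without any key; that is how you check which service account and namespace a mounted token represents. The following is an added example, not code from the original post: it decodes the token shown above and extracts the Kubernetes claims. Decoding is not verification: only the API server, which holds the signing key, can validate the signature, so treat the claims as informational. The function names are this example's own.

```python
# Added example (not from the original post): decode the header and claims of a
# service-account token (a JWS compact-serialized JWT) without verifying it.
import base64
import json

# Token printed on the page for the "default" service account in namespace "default".
PAGE_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9"
    "."
    "eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwi"
    "a3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwi"
    "a3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbjl3MmQiLCJr"
    "dWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1"
    "YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzY2FkOWQxLTU5MmYtMTFlOC1hMTAxLTUyNTQwMGRiNGRmNyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ"
    "."
    "0FpzPD8WO_fwnMjwpGIOphdVu4K9wUINwpXpBOJAQ-Tawd0RTbAUHcgYy3sEHSk9uvgnl1FJRQpbQN3yVR_DWSIlAtbmd4dIPxK4O7ZVdd4UnmC467cNXEBqL1sDWLfS5f03d7D1dw1ljFJ_pJw2P65Fjd13reKJvvTQnpu5U0SDcfxj675-Z3z-iOO3XSalZmkFIw2MfYMzf_WpxW0yMFCVkUZ8tBSTegA9-NJZededceA_VCOdKcUjDPrDo-CNti3wZqax5WPw95Ou8RJDMAIS5EcVym7M2_zjGiqHEL3VTvcwXbdFKxsNX-1VW6nr_KKuMGKOyx-5vgxebl71QQ"
)


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as JWTs use; re-add the '=' padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, claims) of a compact JWT. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three dot-separated parts")
    header = json.loads(_b64url_decode(parts[0]).decode("utf-8"))
    claims = json.loads(_b64url_decode(parts[1]).decode("utf-8"))
    return header, claims


def service_account_identity(token: str) -> dict:
    """Pull the Kubernetes service-account claims out of a token into a flat dict."""
    header, claims = decode_jwt_unverified(token)
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
        "secret_name": claims.get("kubernetes.io/serviceaccount/secret.name"),
        "subject": claims.get("sub"),
        # Secret-backed tokens like this one carry no "exp" claim: they stay valid
        # until the Secret is deleted, which is why they deserve careful handling.
        "expires": claims.get("exp"),
    }


if __name__ == "__main__":
    for key, value in service_account_identity(PAGE_TOKEN).items():
        print(f"{key}: {value}")
```

The `subject` claim (`system:serviceaccount:<namespace>:<name>`) is the identity RBAC rules are evaluated against, so when auditing what a Pod can do, this is the value to look up in RoleBindings and ClusterRoleBindings.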

7. Secret vs. ConfigMap

Finally, let's compare the Secret and ConfigMap resource objects:

Similarities:

  • key/value form
  • belong to a specific namespace
  • can be exported as environment variables
  • can be mounted as directories/files
  • configuration mounted through a volume can be hot-updated

Differences:

  • A Secret can be associated with a ServiceAccount
  • A Secret can store docker registry credentials, used in the imagePullSecrets field to pull images from a private registry
  • Secret values are Base64 encoded
  • Secrets come in three types, kubernetes.io/service-account-token, kubernetes.io/dockerconfigjson and Opaque, whereas ConfigMap has no types
