Kubernetes also has an object very similar to ConfigMap, called a Secret.
It is mainly used to store sensitive information such as passwords, keys and certificates.
Secrets solve the problem of configuring sensitive data like passwords, tokens and keys without exposing that data in the image or in the Pod spec.
A Secret can be consumed either as a Volume or as environment variables.
Secrets come in three types:
Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod under
/run/secrets/kubernetes.io/serviceaccount;
Opaque: a base64-encoded Secret used to store passwords, keys and the like;
kubernetes.io/dockerconfigjson: stores the authentication information for a private Docker registry.
Secret types:
tls: generally used to deploy certificates
Opaque: generally used to deploy passwords
Service Account: deploys Kubernetes API authentication information
kubernetes.io/dockerconfigjson: deploys container registry login credentials
Directory: /run/secrets/kubernetes.io/serviceaccount
[root@k8s-master-01 mnt]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-f68b4c98f-nkqlm 1/1 Running 2 21d
coredns-f68b4c98f-wzrrq 1/1 Running 2 21d
etcd-k8s-master-01 1/1 Running 3 21d
kube-apiserver-k8s-master-01 1/1 Running 3 21d
kube-controller-manager-k8s-master-01 1/1 Running 4 21d
kube-flannel-ds-8zj9t 1/1 Running 1 10d
kube-flannel-ds-jmq5p 1/1 Running 0 10d
kube-flannel-ds-vjt8b 1/1 Running 4 10d
kube-proxy-kl2qj 1/1 Running 2 21d
kube-proxy-rrlg4 1/1 Running 1 21d
kube-proxy-tc2nd 1/1 Running 0 21d
kube-scheduler-k8s-master-01 1/1 Running 4 21d
[root@k8s-master-01 mnt]# kubectl exec -it kube-proxy-kl2qj -n kube-system -- sh
# cd run
# ls
lock secrets utmp xtables.lock
# cd secrets
# cd kubernetes.io
# cd serviceaccount
# ls
ca.crt namespace token
# cat ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
# cat namespace
kube-system#
# cat token
eyJhbGciOiJSUzI1NiIsImtpZCI6InVZNmNCRXo3SC1XVnMxLWlsWEZfZ3ctc2V0ZXFqWkNsRy1ic3ZYSTczVkkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlLXByb3h5LXRva2VuLWcyaGxtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Imt1YmUtcHJveHkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJlN2Q4NTIzNC0wZWMzLTQ0MjQtOTNkMC1hODQ5ZjA0NGI0MzEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06a3ViZS1wcm94eSJ9.rFdcQnRXuhQscLdVmS5-hAY7Eef6HY5KD6MPvChpCsK8FPpvuOGGP4NtAwX6oBHjxrBunjGI_5h44zl6t-f-tzmPejr3WspedmvLiBz4w5Ykf0EB7vBzUHIU1WILzGF_g5vi64I-FohXxgL1s_tV4qxAxcNO53R74lVqAW-Ssfu4Nx2L77K6fSaKch2nJjSUwHoJnNeQCNlMTeCQLz4vf012IPDPRF50rjf0LRpMA554wBFHGp50GogurgxOsWPFrq0wh4-GvePVHY9hZD3c3vaMxPcI3C2nlxcgMIQBMBFJjJKWjnCzy4PVf-HiuqTEHrxvh-iPtuqzEJM0toDVJA#
Opaque data is a map, and every value must be base64-encoded.
[root@k8s-master-01 mnt]# echo -n "admin" |base64
YWRtaW4=
[root@k8s-master-01 mnt]# echo -n "12345678" |base64
MTIzNDU2Nzg=
[root@k8s-master-01 mnt]# echo -n "MTIzNDU2Nzg=" |base64 -d
12345678
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MTIzNDU2Nzg=
  username: YWRtaW4=
[root@k8s-master-01 mnt]# kubectl get secrets
default-token-hd5m9 kubernetes.io/service-account-token 3 21d
mysecret Opaque
[root@k8s-master-01 mnt]# vim secret-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-test
  labels:
    name: secret-test
spec:
  volumes:                  # volumes to mount
  - name: secrets           # name of the volume
    secret:                 # volume type (secret)
      secretName: mysecret  # name of the Secret created above
  containers:
  - image: wangyanglinux/myapp:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
[root@k8s-master-01 mnt]# kubectl apply -f secret-pod.yaml
pod/secret-test created
[root@k8s-master-01 mnt]# kubectl get pods
NAME READY STATUS RESTARTS AGE
my-nginx-76b6998ccc-vbk72 1/1 Running 0 3h34m
secret-test 1/1 Running 0 7s
[root@k8s-master-01 mnt]# kubectl get secrets
NAME TYPE DATA AGE
basic-auth Opaque 1 3d8h
default-token-hd5m9 kubernetes.io/service-account-token 3 21d
ingress-tls kubernetes.io/tls 2 4d22h
mysecret Opaque 2 7m11s
# Enter the container and look at the secret: the values have already been decoded
[root@k8s-master-01 mnt]# kubectl exec -it secret-test -- sh
/ # cd /etc/secrets
/etc/secrets # ls
password username
/etc/secrets # cd username
/etc/secrets # cat username
admin/etc/secrets # cat password
12345678/etc/secrets #
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: pod-deployment
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
      - name: pod-deloy
        image: wangyanglinux/myapp:v1
        ports:
        - containerPort: 80
        env:                      # environment variables
        - name: TEST_USER         # name of the environment variable
          valueFrom:              # where the value comes from
            secretKeyRef:         # read it from a Secret
              name: mysecret      # name of the Secret
              key: username       # key inside the Secret
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
# Enter the container and view the plaintext password
[root@k8s-master-01 mnt]# kubectl get pods
NAME READY STATUS RESTARTS AGE
my-nginx-76b6998ccc-vbk72 1/1 Running 0 3h51m
pod-deployment-68b66f6d4b-jskrd 1/1 Running 0 11s
pod-deployment-68b66f6d4b-nnqdb 1/1 Running 0 11s
secret-test 1/1 Running 0 17m
[root@k8s-master-01 mnt]# kubectl exec -it pod-deployment-68b66f6d4b-jskrd -- sh
/ # cd /etc/secrets
sh: cd: can't cd to /etc/secrets
/ # echo $TEST_USER
admin
/ # echo $TEST_PASSWORD
12345678
1. kubernetes.io/dockerconfigjson
Used to store the authentication information for a private Docker registry
1. Create the secret # log in using the Alibaba Cloud private registry
export DOCKER_REGISTRY_SERVER="仓库URL"
export DOCKER_USER="仓库用户名"
export DOCKER_PASSWORD="密码"
export DOCKER_EMAIL="邮箱"
--docker-server=$DOCKER_REGISTRY_SERVER --docker-username=$DOCKER_USER --docker-password=$DOCKER_PASSWORD --docker-email=$DOCKER_EMAIL # the email may be omitted
kubectl create secret docker-registry aliyun --docker-server=registry.cn-shanghai.aliyuncs.com --docker-username=明明爷青回 --docker-password=xxx # password
# 1. First create the secret used to log in to Alibaba Cloud
[root@k8s-m-01 ~]# kubectl create secret docker-registry aliyun --docker-server=registry.cn-shanghai.aliyuncs.com --docker-username=明明爷青回 --docker-password=xxx # password
secret/aliyun created
# 2. View
[root@k8s-m-01 ~]# kubectl get secrets
NAME TYPE DATA AGE
aliyun kubernetes.io/dockerconfigjson 1 10s
default-token-tg92f kubernetes.io/service-account-token 3 11d
# 3. Delete the secret
[root@k8s-m-01 ~]# kubectl delete secrets aliyun
secret "aliyun" deleted
# 4. Write the manifest that pulls the images
[root@k8s-m-01 ~]# vim aliyun.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: test-docker-registry
spec:
  selector:
    matchLabels:
      app: test-docker-registry
  template:
    metadata:
      labels:
        app: test-docker-registry
    spec:
      imagePullSecrets:   # with this the kubelet authenticates to Alibaba Cloud when pulling the images
      - name: aliyun      # must match the name of the Secret created above
      containers:
      - name: php
        imagePullPolicy: Always
        image: registry.cn-shanghai.aliyuncs.com/aliyun_mm/discuz:php-v1
      - name: nginx
        imagePullPolicy: Always
        image: registry.cn-shanghai.aliyuncs.com/aliyun_mm/discuz:nginx-v1
# 4. Create the resources from the YAML file
[root@k8s-m-01 ~]# kubectl create -f aliyun.yaml
# 5. View
[root@k8s-m-01 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nfs-client-nfs-client-provisioner-777fbc4cd6-d9gkj 1/1 Running 0 4h43m
test-docker-registry-f9d86c548-p8nll 2/2 Running 0 4s
Besides the Opaque type above, we can also create a Secret for Docker registry authentication directly with the kubectl create command, as follows:
$ kubectl create secret docker-registry myregistry --docker-server=DOCKER_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret "myregistry" created
Then list the Secrets:
$ kubectl get secret
NAME TYPE DATA AGE
default-token-n9w2d kubernetes.io/service-account-token 3 33d
myregistry kubernetes.io/dockerconfigjson 1 15s
mysecret Opaque 2 34m
Look at the TYPE column above: myregistry has the type kubernetes.io/dockerconfigjson. As before, the describe command shows the details:
$ kubectl describe secret myregistry
Name: myregistry
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 152 bytes
Again the Data section is not displayed directly; to see it, output the object with -o yaml:
$ kubectl get secret myregistry -o yaml
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyJET0NLRVJfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0=
kind: Secret
metadata:
creationTimestamp: 2018-06-19T16:01:05Z
name: myregistry
namespace: default
resourceVersion: "3696966"
selfLink: /api/v1/namespaces/default/secrets/myregistry
uid: f91db707-73d9-11e8-a101-525400db4df7
type: kubernetes.io/dockerconfigjson
Base64-decode the value under data.dockerconfigjson above to see what it actually contains:
$ echo eyJhdXRocyI6eyJET0NLRVJfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0= | base64 -d
{"auths":{"DOCKER_SERVER":{"username":"DOCKER_USER","password":"DOCKER_PASSWORD","email":"DOCKER_EMAIL","auth":"RE9DS0VSX1VTRVI6RE9DS0VSX1BBU1NXT1JE"}}}
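As an added example (not code from the original post), the following Python builds the two Secret manifests discussed on this page, the Opaque mysecret from the earlier section and the kubernetes.io/dockerconfigjson myregistry from this one, with the same encoding kubectl applies, and decodes them again to show that base64 is reversible encoding rather than encryption: anyone allowed to read the Secret object can recover the values. The function names are my own.

```python
import base64
import json


def b64(text: str) -> str:
    """Standard base64 of a UTF-8 string, as used in a Secret's data: field."""
    return base64.b64encode(text.encode()).decode()


def opaque_secret(name: str, values: dict) -> dict:
    """Opaque Secret manifest: every value is base64-encoded, not encrypted."""
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name}, "type": "Opaque",
            "data": {k: b64(v) for k, v in values.items()}}


def docker_registry_secret(name, server, username, password, email=None) -> dict:
    """kubernetes.io/dockerconfigjson Secret with the layout
    `kubectl create secret docker-registry` produces: a .dockerconfigjson key
    holding {"auths": {server: {...}}}, where "auth" is base64("user:password")."""
    entry = {"username": username, "password": password}
    if email is not None:          # --docker-email is optional
        entry["email"] = email
    entry["auth"] = b64(f"{username}:{password}")
    config = json.dumps({"auths": {server: entry}}, separators=(",", ":"))
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": b64(config)}}


def decode_secret_data(secret: dict) -> dict:
    """What a Pod sees: the kubelet decodes data[] before writing files or env vars."""
    return {k: base64.b64decode(v).decode()
            for k, v in secret.get("data", {}).items()}


if __name__ == "__main__":
    s = opaque_secret("mysecret", {"username": "admin", "password": "12345678"})
    print(json.dumps(s, indent=2))
    print(decode_secret_data(s))
    r = docker_registry_secret("myregistry", "DOCKER_SERVER", "DOCKER_USER",
                               "DOCKER_PASSWORD", "DOCKER_EMAIL")
    print(decode_secret_data(r)[".dockerconfigjson"])
```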
To pull a Docker image from a private registry we need to use the myregistry Secret created above:
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: foo
    image: 192.168.1.100:5000/test:v1
  imagePullSecrets:
  - name: myregistry
To pull the private-registry image 192.168.1.100:5000/test:v1, we create a Secret like the one above for that registry and then reference it under imagePullSecrets in the Pod's YAML file. We will cover this in detail in the later lesson on building a private registry.
Another Secret type is kubernetes.io/service-account-token, which is referenced by a ServiceAccount. When a ServiceAccount is created, Kubernetes creates the corresponding Secret by default. If a Pod uses that ServiceAccount, the Secret is mounted automatically into the Pod under /run/secrets/kubernetes.io/serviceaccount.
Here we use an nginx image to verify this. Think about why we do not use a busybox image: it would work too, but then we could not do the check from the container's command, because the token is only mounted once the Pod is running, so looking for it from the command would find no token file yet.
$ kubectl run secret-pod3 --image nginx:1.7.9
deployment.apps "secret-pod3" created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
...
secret-pod3-78c8c76db8-7zmqm 1/1 Running 0 13s
...
$ kubectl exec secret-pod3-78c8c76db8-7zmqm ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
$ kubectl exec secret-pod3-78c8c76db8-7zmqm cat /run/secrets/kubernetes.io/serviceaccount/token
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbjl3MmQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzY2FkOWQxLTU5MmYtMTFlOC1hMTAxLTUyNTQwMGRiNGRmNyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.0FpzPD8WO_fwnMjwpGIOphdVu4K9wUINwpXpBOJAQ-Tawd0RTbAUHcgYy3sEHSk9uvgnl1FJRQpbQN3yVR_DWSIlAtbmd4dIPxK4O7ZVdd4UnmC467cNXEBqL1sDWLfS5f03d7D1dw1ljFJ_pJw2P65Fjd13reKJvvTQnpu5U0SDcfxj675-Z3z-iOO3XSalZmkFIw2MfYMzf_WpxW0yMFCVkUZ8tBSTegA9-NJZededceA_VCOdKcUjDPrDo-CNti3wZqax5WPw95Ou8RJDMAIS5EcVym7M2_zjGiqHEL3VTvcwXbdFKxsNX-1VW6nr_KKuMGKOyx-5vgxebl71QQ
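Added example, not from the original post: a small Python helper that reads a mounted service-account token like the ones printed above (from the kube-proxy Pod and from secret-pod3) and extracts its claims, so an operator can tell which namespace and ServiceAccount a token found in a container represents. It does not verify the signature, since only the API server holds the key; the sample token is constructed here with a dummy signature, and the function names are assumptions.

```python
import base64
import json
import os

SA_TOKEN_PATH = "/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url_decode(part: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Payload claims of a JWT, read WITHOUT signature verification.
    Use for triage only; trust in the token comes from the API server's check."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def service_account_identity(token: str) -> tuple:
    """Map a service-account token to (namespace, service account name, subject)."""
    c = jwt_claims(token)
    return (c.get("kubernetes.io/serviceaccount/namespace"),
            c.get("kubernetes.io/serviceaccount/service-account.name"),
            c.get("sub"))


# Constructed sample token with the claim names Kubernetes uses; the signature is a dummy.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "kube-proxy-token-sample",
    "kubernetes.io/serviceaccount/service-account.name": "kube-proxy",
    "sub": "system:serviceaccount:kube-system:kube-proxy",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url_encode(b"dummy-signature-not-verifiable"),
])

if __name__ == "__main__":
    # Inside a Pod read the mounted token; outside a Pod fall back to the sample.
    token = open(SA_TOKEN_PATH).read() if os.path.exists(SA_TOKEN_PATH) else SAMPLE_TOKEN
    print(service_account_identity(token))
```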
Finally, let us compare the similarities and differences between the Secret and ConfigMap resource objects: