K8S中的secret
configMap是用来存放明文数据的,如环境变量、配置文件等,对于蜜柑数据,如密码、私钥等数据,就要用到secret类型。
secret可选参数:
1、generic:通用类型,通常用于存储密码数据
2、tls:用于存储私钥和证书
3、docker-registry:保存docker仓库的认证信息
secret的类型:
1、ServiceAccount:用于被 serviceaccount 引用。serviceaccout 创建时 Kubernetes 会默认创建对应的 secret。Pod 如果使用了 serviceaccount,对应的 secret 会自动挂载到 Pod 的 /run/secrets/kubernetes.io/serviceaccount 目录中
2、Opaque:base64编码格式的Secret,用来存储密码、秘钥等,可通过base64 --decode解码获得原始数据,安全性较弱
3、kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息。**
kubectl create secret generic password --from-literal=password=1qaz\!QAZ
[root@mast01 secret]# kubectl get secret
NAME TYPE DATA AGE
password Opaque 1 35s
[root@mast01 secret]# kubectl describe secret password
Name: password
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password: 8 bytes 使用secret的两种方式:
1、通过环境变量
# 创建pod,加载将secret加载到环境变量
vi pod-secret.yaml
kind: Pod
metadata:
name: pod-cm
spec:
containers:
- name: busybox
image: 172.16.80.140/busybox/busybox:latest
command: [ "/bin/sh", "-c", "sleep 3600" ]
env:
- name: PASSWORD #定义环境变量
valueFrom:
secretKeyRef:
name: password #指定secret的名字
key: password #指定secret中的key
restartPolicy: Never
[root@mast01 secret]# kubectl get pods -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nfs-provisioner-7559c6b4fc-nbmb6 1/1 Running 0 93m 10.244.140.65 node02 <none> <none>
pod-cm 1/1 Running 0 47s 10.244.196.130 node01 <none> <none>
[root@mast01 secret]# kubectl exec -it pod-cm -- /bin/sh
/ # env
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=pod-cm
SHLVL=1
HOME=/root
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
PASSWORD=1qaz!QAZ # 加载secret到环境变量,直接明文,不安全 2、通过volume挂载
# 创建pod,加载将secret加载到环境变量
vi pod-secret-volume.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-secret
spec:
containers:
- name: busybox
image: 172.16.80.140/busybox/busybox:latest
command: [ "/bin/sh", "-c", "sleep 3600" ]
volumeMounts:
- name: secret-volume
mountPath: /etc/secret
readOnly: true
volumes:
- name: secret-volume
secret:
secretName: password
restartPolicy: Never
[root@mast01 secret]# kubectl get pods -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nfs-provisioner-7559c6b4fc-nbmb6 1/1 Running 0 107m 10.244.140.65 node02 <none> <none>
pod-secret 1/1 Running 0 7s 10.244.196.132 node01 <none> <none>
[root@mast01 secret]# kubectl exec -it pod-secret -- /bin/sh
/ # cd /etc/secret
/etc/secret # ls
password
/etc/secret # cat password
1qaz!QAZ/etc/secret # # 明文密码,不安全