Secret

A Secret solves the problem of supplying sensitive data such as passwords, tokens and keys to a workload without exposing that data in the container image or the Pod spec. A Secret can be consumed either as a Volume or as environment variables.

There are three types of Secret:

  • Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into each Pod at /run/secrets/kubernetes.io/serviceaccount;
  • Opaque: a Secret whose values are base64-encoded, used to store passwords, keys and similar data;
  • kubernetes.io/dockerconfigjson: used to store the credentials for a private Docker registry.

Opaque Secret

The data of an Opaque Secret is a map whose values must be base64-encoded:

  $ echo -n "admin" | base64
  YWRtaW4=
  $ echo -n "1f2d1e2e67df" | base64
  MWYyZDFlMmU2N2Rm

secrets.yml

  apiVersion: v1
  kind: Secret
  metadata:
    name: mysecret
  type: Opaque
  data:
    password: MWYyZDFlMmU2N2Rm
    username: YWRtaW4=

The Secret can then be created with: kubectl create -f secrets.yml
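The encoding step above is easy to get subtly wrong, and it is worth seeing that it is reversible. The following is an added example (not code from the original page) that builds the same Opaque Secret manifest from plaintext values, decodes it back, and checks the `data` map for the two classic mistakes: a value that is not valid base64, and a value produced with `echo "x" | base64` instead of `echo -n`, which silently appends a newline to the password. The function and variable names are the author's own choices; the manifest is emitted as JSON, which `kubectl create -f` accepts as well as YAML. The check also makes the security point explicit: base64 is an encoding, not encryption, so whoever can read the Secret object can recover the value.

```python
import base64
import binascii
import json


def encode_secret_data(values):
    """Base64-encode each plaintext value, exactly as `echo -n value | base64` does.

    base64 is an encoding, not encryption: anyone permitted to read the Secret
    object can reverse it, so read access to Secrets must be restricted (RBAC).
    """
    return {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
            for k, v in values.items()}


def decode_secret_data(secret):
    """Reverse the encoding: turn the `data` map back into plaintext strings."""
    return {k: base64.b64decode(v, validate=True).decode("utf-8")
            for k, v in secret["data"].items()}


def build_opaque_secret(name, values):
    """Assemble a `type: Opaque` Secret manifest from plaintext values."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": encode_secret_data(values),
    }


def check_secret_data(secret):
    """Return a list of problems found in the `data` map (empty when it is clean).

    Flags values that are not valid base64 (the API server rejects these) and
    values whose decoded form ends in a newline, the symptom of forgetting
    `echo -n`, which makes the stored password differ from the intended one.
    """
    problems = []
    for key, value in secret.get("data", {}).items():
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append("%s: not valid base64" % key)
            continue
        if raw.endswith(b"\n"):
            problems.append("%s: decoded value ends with a newline" % key)
    return problems


if __name__ == "__main__":
    # Constructed sample values, the same ones used in the text above.
    secret = build_opaque_secret("mysecret",
                                 {"username": "admin", "password": "1f2d1e2e67df"})
    # Save this output as mysecret.json and run: kubectl create -f mysecret.json
    print(json.dumps(secret, indent=2))
    print("decoded:", decode_secret_data(secret))
    print("problems:", check_secret_data(secret))
```

Running `check_secret_data` over a manifest before `kubectl create` catches the newline mistake early; once the Secret is in the cluster the only symptom is an authentication failure in the application that consumes it.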

Once the Secret exists, there are two ways to use it:

  • as a Volume
  • as environment variables

Mounting a Secret as a Volume

  apiVersion: v1
  kind: Pod
  metadata:
    labels:
      name: db
    name: db
  spec:
    volumes:
    - name: secrets
      secret:
        secretName: mysecret
    containers:
    - image: gcr.io/my_project_id/pg:v1
      name: db
      volumeMounts:
      - name: secrets
        mountPath: "/etc/secrets"
        readOnly: true
      ports:
      - name: cp
        containerPort: 5432
        hostPort: 5432

Exposing a Secret as environment variables

  apiVersion: extensions/v1beta1
  kind: Deployment
  metadata:
    name: wordpress-deployment
  spec:
    replicas: 2
    strategy:
      type: RollingUpdate
    template:
      metadata:
        labels:
          app: wordpress
          visualize: "true"
      spec:
        containers:
        - name: "wordpress"
          image: "wordpress"
          ports:
          - containerPort: 80
          env:
          - name: WORDPRESS_DB_USER
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: username
          - name: WORDPRESS_DB_PASSWORD
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: password

kubernetes.io/dockerconfigjson

A Secret holding Docker registry credentials can be created directly with kubectl:

  $ kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
  secret "myregistrykey" created.

It can also be created from the contents of an existing ~/.docker/config.json:

  $ cat ~/.docker/config.json | base64
  $ cat > myregistrykey.yaml <<EOF
  apiVersion: v1
  kind: Secret
  metadata:
    name: myregistrykey
  data:
    .dockerconfigjson: UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg==
  type: kubernetes.io/dockerconfigjson
  EOF
  $ kubectl create -f myregistrykey.yaml
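Both commands above end up with the same thing inside the Secret: a base64-encoded copy of a Docker config.json. The following added example (not code from the original page) makes that structure visible. It builds the config.json that `kubectl create secret docker-registry` would produce from a server, username, password and e-mail, wraps it in a kubernetes.io/dockerconfigjson Secret, and reads such a Secret back into a {server: (user, password)} map, which is useful when auditing which registries a Secret grants access to. The registry name, user and password are constructed sample values; the function names are the author's own. Note that the `auth` field is only base64("username:password"), so the registry password is recoverable by anyone who can read the Secret.

```python
import base64
import json


def build_docker_config(server, username, password, email=None):
    """Build the structure Docker keeps in ~/.docker/config.json for one registry.

    `auth` is base64("username:password"), nothing more; it protects against
    nothing and is simply the form the registry's Basic auth header expects.
    """
    entry = {
        "username": username,
        "password": password,
        "auth": base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii"),
    }
    if email:
        entry["email"] = email
    return {"auths": {server: entry}}


def build_dockerconfigjson_secret(name, server, username, password, email=None):
    """Assemble the manifest `kubectl create secret docker-registry` would create.

    The whole config.json is base64-encoded on a single line and stored under
    the fixed key `.dockerconfigjson`; a multi-line base64 value would break
    the YAML, which is why a library encoder is safer than a shell pipeline.
    """
    config = json.dumps(build_docker_config(server, username, password, email))
    encoded = base64.b64encode(config.encode("utf-8")).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }


def registry_credentials(secret):
    """Read a kubernetes.io/dockerconfigjson Secret back into {server: (user, password)}.

    Prefers the `auth` field, which is what Docker itself writes and reads,
    and falls back to the plain username/password fields when it is absent.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson Secret")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = {}
    for server, entry in config.get("auths", {}).items():
        if "auth" in entry:
            user, _, pw = base64.b64decode(entry["auth"]).decode("utf-8").partition(":")
        else:
            user, pw = entry.get("username", ""), entry.get("password", "")
        creds[server] = (user, pw)
    return creds


if __name__ == "__main__":
    # Constructed sample credentials; nothing here refers to a real registry account.
    secret = build_dockerconfigjson_secret("myregistrykey", "registry.example.com",
                                           "ci-bot", "s3cr3t", "ci@example.com")
    print(json.dumps(secret, indent=2))
    print(registry_credentials(secret))
```

When reviewing a cluster, running `registry_credentials` over the output of `kubectl get secret myregistrykey -o json` shows exactly which registry account a Pod's imagePullSecrets hand out; keeping that account scoped to pull-only access limits the damage if the Secret is read.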

When creating a Pod, reference the newly created myregistrykey through imagePullSecrets:

  apiVersion: v1
  kind: Pod
  metadata:
    name: foo
  spec:
    containers:
    - name: foo
      image: janedoe/awesomeapp:v1
    imagePullSecrets:
    - name: myregistrykey

Service Account

A Service Account Secret is used to access the Kubernetes API; it is created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount.

  $ kubectl run nginx --image nginx
  deployment "nginx" created
  $ kubectl get pods
  NAME                     READY     STATUS    RESTARTS   AGE
  nginx-3137573019-md1u2   1/1       Running   0          13s
  $ kubectl exec nginx-3137573019-md1u2 ls /run/secrets/kubernetes.io/serviceaccount
  ca.crt
  namespace
  token
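The three files listed above are everything a process in the container needs to talk to the API server as that Pod's service account. The following added example (not code from the original page) shows how they are consumed: it reads ca.crt, namespace and token from the mount directory and assembles the URL and Authorization header for a namespaced API request. The `load_service_account` and `api_request` names are the author's own; the API server address is taken from the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT variables that Kubernetes injects into every container, with a fallback supplied for offline use. `make_sample_mount` writes a constructed stand-in for the mount directory with a placeholder token so the example runs outside a cluster.

```python
import os
import tempfile

# Default location of the service account Secret inside every Pod.
SA_DIR = "/run/secrets/kubernetes.io/serviceaccount"


def load_service_account(mount_dir=SA_DIR):
    """Read the three mounted files: token, namespace and ca.crt.

    Returns the bearer token (a credential: treat it like a password and never
    log it), the Pod's namespace, and the path to the CA bundle that must be
    used to verify the API server's TLS certificate.
    """
    def read(name):
        with open(os.path.join(mount_dir, name), "r", encoding="utf-8") as f:
            return f.read().strip()
    return {
        "token": read("token"),
        "namespace": read("namespace"),
        "ca_cert": os.path.join(mount_dir, "ca.crt"),
    }


def api_request(sa, resource, host=None, port=None):
    """Build URL and headers for a namespaced API call using the mounted token.

    Inside a cluster the API server address is available through the
    KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT environment variables;
    the fallback host is only there so the example runs offline.
    """
    host = host or os.environ.get("KUBERNETES_SERVICE_HOST", "kubernetes.default.svc")
    port = port or os.environ.get("KUBERNETES_SERVICE_PORT", "443")
    url = "https://%s:%s/api/v1/namespaces/%s/%s" % (host, port, sa["namespace"], resource)
    headers = {"Authorization": "Bearer " + sa["token"]}
    return url, headers


def make_sample_mount():
    """Write a constructed stand-in for the mount directory (offline use only)."""
    d = tempfile.mkdtemp(prefix="sa-")
    with open(os.path.join(d, "token"), "w", encoding="utf-8") as f:
        f.write("CONSTRUCTED-TOKEN-NOT-A-REAL-JWT")
    with open(os.path.join(d, "namespace"), "w", encoding="utf-8") as f:
        f.write("default")
    with open(os.path.join(d, "ca.crt"), "w", encoding="utf-8") as f:
        f.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n")
    return d


if __name__ == "__main__":
    # Outside a cluster, point at the constructed directory instead of SA_DIR.
    sa = load_service_account(make_sample_mount())
    url, headers = api_request(sa, "pods", host="10.0.0.1", port="443")
    print(url)
    print("Authorization header present:", "Authorization" in headers)
```

Because this token is mounted into every Pod by default, any code running in the container, including a compromised application, can use it with whatever permissions the service account holds. Pods that never call the API should set automountServiceAccountToken: false in their spec, and service accounts that do need the API should be bound only to the RBAC roles they require.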