1. Understanding Secrets
Kubernetes has an object very similar to ConfigMap, called Secret. It is meant for sensitive information such as passwords, keys and certificates.
A Secret lets you supply passwords, tokens, keys and other sensitive data to a workload without exposing them in the image or in the Pod spec.
A Secret can be consumed as a volume or as environment variables.
Kubernetes defines several built-in Secret types; the ones that matter for this article are:
kubernetes.io/service-account-token: used to access the Kubernetes API. Kubernetes (before v1.24) creates it automatically for each ServiceAccount and mounts it into Pods at /run/secrets/kubernetes.io/serviceaccount;
Opaque: arbitrary key/value data whose values are stored base64-encoded (encoded, not encrypted); used for passwords, keys and the like;
kubernetes.io/dockerconfigjson: login credentials for a private docker registry;
kubernetes.io/tls: a TLS certificate and its private key.
Because base64 is reversible, anyone allowed to read a Secret object (for example with kubectl get secret -o yaml) can recover the plaintext. Protecting Secrets therefore means restricting RBAC access to them and enabling encryption at rest for etcd; the Secret type itself adds no confidentiality.
1) serviceaccount
Directory: /run/secrets/kubernetes.io/serviceaccount
Listing the system Pods in the kube-system namespace of this cluster:
```
[root@k8s-master-01 mnt]
NAME READY STATUS RESTARTS AGE
coredns-f68b4c98f-nkqlm 1/1 Running 2 21d
coredns-f68b4c98f-wzrrq 1/1 Running 2 21d
etcd-k8s-master-01 1/1 Running 3 21d
kube-apiserver-k8s-master-01 1/1 Running 3 21d
kube-controller-manager-k8s-master-01 1/1 Running 4 21d
kube-flannel-ds-8zj9t 1/1 Running 1 10d
kube-flannel-ds-jmq5p 1/1 Running 0 10d
kube-flannel-ds-vjt8b 1/1 Running 4 10d
kube-proxy-kl2qj 1/1 Running 2 21d
kube-proxy-rrlg4 1/1 Running 1 21d
kube-proxy-tc2nd 1/1 Running 0 21d
kube-scheduler-k8s-master-01 1/1 Running 4 21d
```
Inside one of these Pods, /run contains a secrets directory, and /run/secrets/kubernetes.io/serviceaccount holds three files: ca.crt (the cluster CA certificate used to verify the API server), namespace (the Pod's namespace, here kube-system) and token (a JWT signed by the API server's service-account key; its middle segment base64url-decodes to claims naming the kube-system/kube-proxy ServiceAccount). The token is a bearer credential: anyone holding it can call the API as that ServiceAccount, so it should not be copied into notes, tickets or documentation.
```
[root@k8s-master-01 mnt]
lock secrets utmp xtables.lock
ca.crt namespace token
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
kube-system
eyJhbGciOiJSUzI1NiIsImtpZCI6InVZNmNCRXo3SC1XVnMxLWlsWEZfZ3ctc2V0ZXFqWkNsRy1ic3ZYSTczVkkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlLXByb3h5LXRva2VuLWcyaGxtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Imt1YmUtcHJveHkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJlN2Q4NTIzNC0wZWMzLTQ0MjQtOTNkMC1hODQ5ZjA0NGI0MzEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06a3ViZS1wcm94eSJ9.rFdcQnRXuhQscLdVmS5-hAY7Eef6HY5KD6MPvChpCsK8FPpvuOGGP4NtAwX6oBHjxrBunjGI_5h44zl6t-f-tzmPejr3WspedmvLiBz4w5Ykf0EB7vBzUHIU1WILzGF_g5vi64I-FohXxgL1s_tV4qxAxcNO53R74lVqAW-Ssfu4Nx2L77K6fSaKch2nJjSUwHoJnNeQCNlMTeCQLz4vf012IPDPRF50rjf0LRpMA554wBFHGp50GogurgxOsWPFrq0wh4-GvePVHY9hZD3c3vaMxPcI3C2nlxcgMIQBMBFJjJKWjnCzy4PVf-HiuqTEHrxvh-iPtuqzEJM0toDVJA
```
2. Opaque Secret
The data of an Opaque Secret is a map whose values must be base64-encoded. base64 is a reversible encoding, not encryption: whoever can read the Secret object can recover the plaintext.
Encoding the two values used below (admin and 12345678) and decoding the second one back:
```
[root@k8s-master-01 mnt]
YWRtaW4=
[root@k8s-master-01 mnt]
MTIzNDU2Nzg=
[root@k8s-master-01 mnt]
12345678
```
Encode with echo -n (or printf) rather than a plain echo: echo appends a newline, and that newline becomes part of the stored value, a classic cause of login failures that are hard to spot because the decoded value looks right.
1) Create the Secret
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MTIzNDU2Nzg=
  username: YWRtaW4=
```
After applying it, the Secret appears in the listing next to the default ServiceAccount token:
```
[root@k8s-master-01 mnt]
default-token-hd5m9 kubernetes.io/service-account-token 3 21d
mysecret Opaque
```
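The encoding step above is easy to get wrong by hand. The following is an added example (not code from the original article) that builds an Opaque Secret manifest from plaintext values, decodes one back, and flags the trailing-newline mistake described earlier. The key names and values mirror the article's mysecret; the stringData alternative it offers is a real Secret field that lets the API server do the base64 encoding for you. It runs offline and does not talk to a cluster.

```python
import base64
import json

# Added example, not code from the original article: build an Opaque Secret
# manifest from plaintext values and decode one back. Key names and values
# mirror the article's mysecret (username=admin, password=12345678).


def encode_value(plain: str) -> str:
    """Encode one value the way `echo -n VALUE | base64` does."""
    return base64.b64encode(plain.encode("utf-8")).decode("ascii")


def decode_value(encoded: str) -> str:
    """Reverse of encode_value. base64 is reversible, so this is decoding, not decryption."""
    return base64.b64decode(encoded).decode("utf-8")


def make_opaque_secret(name: str, values: dict, namespace: str = "default",
                       use_string_data: bool = False) -> dict:
    """Return an Opaque Secret object as a dict.

    With use_string_data=True the plaintext goes into .stringData and the API
    server performs the base64 encoding on admission; otherwise the values are
    encoded into .data here, exactly as the article's YAML does.
    """
    secret = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
    }
    if use_string_data:
        secret["stringData"] = dict(values)
    else:
        secret["data"] = {k: encode_value(v) for k, v in values.items()}
    return secret


def decode_secret(secret: dict) -> dict:
    """Decode every value under .data, which is all `kubectl get secret -o yaml` hides."""
    return {k: decode_value(v) for k, v in secret.get("data", {}).items()}


def values_with_trailing_newline(secret: dict) -> list:
    """Keys whose decoded value ends in a newline: the signature of encoding with a
    plain `echo` instead of `echo -n`, which silently corrupts passwords."""
    return [k for k, v in decode_secret(secret).items() if v.endswith("\n")]


if __name__ == "__main__":
    secret = make_opaque_secret("mysecret", {"username": "admin", "password": "12345678"})
    print(json.dumps(secret, indent=2))          # the manifest you would kubectl apply -f
    print(decode_secret(secret))                 # {'username': 'admin', 'password': '12345678'}
    bad = {"data": {"username": "YWRtaW4K"}}     # constructed: output of `echo admin | base64`
    print(values_with_trailing_newline(bad))     # ['username']
```

Running the script prints the manifest and its decoded values; feeding it a Secret fetched with kubectl get secret -o json shows in one call what a reader of that object already effectively knows.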
2) Mount the Secret as a volume
```
[root@k8s-master-01 mnt]
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-test
  labels:
    name: secret-test
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
  containers:
  - image: wangyanglinux/myapp:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
```
```
[root@k8s-master-01 mnt]
pod/secret-test created
[root@k8s-master-01 mnt]
NAME READY STATUS RESTARTS AGE
my-nginx-76b6998ccc-vbk72 1/1 Running 0 3h34m
secret-test 1/1 Running 0 7s
[root@k8s-master-01 mnt]
NAME TYPE DATA AGE
basic-auth Opaque 1 3d8h
default-token-hd5m9 kubernetes.io/service-account-token 3 21d
ingress-tls kubernetes.io/tls 2 4d22h
mysecret Opaque 2 7m11s
```
Inside the container each key of the Secret becomes a file under the mount path, with the decoded value as its content: /etc/secrets holds password and username, containing 12345678 and admin. The values have no trailing newline, so in the shell session below the next prompt (which prints the current directory) runs onto the same line as the file content:
```
[root@k8s-master-01 mnt]
/
/etc/secrets
password username
/etc/secrets
/etc/secrets
admin/etc/secrets
12345678/etc/secrets
```
A Secret volume is backed by tmpfs, so the plaintext is never written to the node's disk, and the kubelet refreshes the files when the Secret object changes; the exception is a subPath mount, which keeps the content it was created with.
3) Inject the Secret as environment variables
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: pod-deployment
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
      - name: pod-deloy
        image: wangyanglinux/myapp:v1
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
```
```
[root@k8s-master-01 mnt]
NAME READY STATUS RESTARTS AGE
my-nginx-76b6998ccc-vbk72 1/1 Running 0 3h51m
pod-deployment-68b66f6d4b-jskrd 1/1 Running 0 11s
pod-deployment-68b66f6d4b-nnqdb 1/1 Running 0 11s
secret-test 1/1 Running 0 17m
```
These Pods have no /etc/secrets directory (nothing is mounted), but the two values are available as the TEST_USER and TEST_PASSWORD environment variables:
```
[root@k8s-master-01 mnt]
/
sh: cd: can't cd to /etc/secrets
/
admin
/
12345678
```
Environment variables are the more exposed option: they can be read from /proc/<pid>/environ by anything running as the same user in the container, are inherited by every child process, tend to end up in crash dumps and debug output, and are not updated when the Secret is rotated (the Pod has to be restarted). Prefer a volume mount wherever the application can read its credentials from a file.
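When reviewing manifests, it helps to see at a glance which Secrets a workload reads and how. The following is an added example (not code from the original article): a small offline audit that inventories every Secret a Pod template references (volumes, projected volumes, env, envFrom, imagePullSecrets) and flags the consumption patterns discussed above, namely Secrets injected as environment variables and subPath mounts that will never be refreshed. The two manifests are constructed to mirror the article's secret-test Pod and pod-deployment Deployment; the severity labels and message wording are this example's own choices.

```python
# Added example, not code from the original article: audit a Pod or workload
# manifest for how it consumes Secrets. The manifests below are constructed to
# mirror the article's secret-test Pod (volume mount) and pod-deployment
# Deployment (environment variables); nothing here talks to a cluster.

SECRET_TEST_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "secret-test"},
    "spec": {
        "volumes": [{"name": "secrets", "secret": {"secretName": "mysecret"}}],
        "containers": [{
            "image": "wangyanglinux/myapp:v1", "name": "db",
            "volumeMounts": [{"name": "secrets", "mountPath": "/etc/secrets", "readOnly": True}],
        }],
    },
}

POD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "pod-deployment"},
    "spec": {
        "replicas": 2,
        "selector": {"matchLabels": {"app": "pod-deployment"}},
        "template": {
            "metadata": {"labels": {"app": "pod-deployment"}},
            "spec": {"containers": [{
                "name": "pod-deloy", "image": "wangyanglinux/myapp:v1",
                "env": [
                    {"name": "TEST_USER", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
                    {"name": "TEST_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
                ],
            }]},
        },
    },
}


def pod_spec(manifest: dict) -> dict:
    """PodSpec of a bare Pod, or of the Pod template of a Deployment/DaemonSet/Job/..."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def referenced_secrets(manifest: dict) -> set:
    """Every Secret name the workload reads: volumes, projected sources, env,
    envFrom and imagePullSecrets. Useful for rotation planning and for scoping
    an incident to the workloads that hold a leaked Secret."""
    spec = pod_spec(manifest)
    names = set()
    for v in spec.get("volumes", []):
        if "secret" in v:
            names.add(v["secret"]["secretName"])
        for src in v.get("projected", {}).get("sources", []):
            if "secret" in src:
                names.add(src["secret"]["name"])
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                names.add(ef["secretRef"]["name"])
    for ips in spec.get("imagePullSecrets", []):
        names.add(ips["name"])
    return names


def audit_secret_usage(manifest: dict) -> list:
    """Return (severity, message) findings: Secrets exposed as environment variables
    (readable via /proc/<pid>/environ, inherited by child processes, never refreshed)
    and Secret volumes mounted with subPath (never refreshed on rotation)."""
    spec = pod_spec(manifest)
    secret_volumes = {v["name"] for v in spec.get("volumes", []) if "secret" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(("warn", f"{c['name']}: env {e['name']} exposes {ref['name']}/{ref['key']}"))
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                findings.append(("warn", f"{c['name']}: envFrom exposes every key of {ef['secretRef']['name']}"))
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_volumes and "subPath" in m:
                findings.append(("info", f"{c['name']}: subPath mount of {m['name']} will not receive updates"))
    return findings


if __name__ == "__main__":
    for m in (SECRET_TEST_POD, POD_DEPLOYMENT):
        print(m["metadata"]["name"], sorted(referenced_secrets(m)), audit_secret_usage(m))
```

For the article's two manifests the Pod with the volume mount produces no findings, while the Deployment produces one warning per secretKeyRef. Pointing the same functions at the output of kubectl get deploy -o json gives the inventory for a live cluster.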
3. Secrets for private docker registry authentication
kubernetes.io/dockerconfigjson
This type stores the login credentials for a private docker registry.
1) Create the Secret
Put the registry details in environment variables and pass them to kubectl:
```
export DOCKER_REGISTRY_SERVER="registry URL"
export DOCKER_USER="registry username"
export DOCKER_PASSWORD="password"
export DOCKER_EMAIL="email address"
kubectl create secret docker-registry aliyun --docker-server="$DOCKER_REGISTRY_SERVER" --docker-username="$DOCKER_USER" --docker-password="$DOCKER_PASSWORD" --docker-email="$DOCKER_EMAIL"
```
Creating the Secret for an Aliyun registry with kubectl (xxx stands in for the real password; note that a password given on the command line also ends up in the shell history, so prefer reading it from a file or a variable that is not echoed):
```
kubectl create secret docker-registry aliyun --docker-server=registry.cn-shanghai.aliyuncs.com --docker-username=明明爷青回 --docker-password=xxx
```
Creating, listing and deleting the Secret:
```
[root@k8s-m-01 ~]
secret/aliyun created
[root@k8s-m-01 ~]
NAME TYPE DATA AGE
aliyun kubernetes.io/dockerconfigjson 1 10s
default-token-tg92f kubernetes.io/service-account-token 3 11d
[root@k8s-m-01 ~]
secret "aliyun" deleted
[root@k8s-m-01 ~]
```
2) Reference the Secret from imagePullSecrets
```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: test-docker-registry
spec:
  selector:
    matchLabels:
      app: test-docker-registry
  template:
    metadata:
      labels:
        app: test-docker-registry
    spec:
      imagePullSecrets:
      - name: aliyun
      containers:
      - name: php
        imagePullPolicy: Always
        image: registry.cn-shanghai.aliyuncs.com/aliyun_mm/discuz:php-v1
      - name: nginx
        imagePullPolicy: Always
        image: registry.cn-shanghai.aliyuncs.com/aliyun_mm/discuz:nginx-v1
```
Both private images are pulled and the Pod starts with its two containers:
```
[root@k8s-m-01 ~]
[root@k8s-m-01 ~]
NAME READY STATUS RESTARTS AGE
nfs-client-nfs-client-provisioner-777fbc4cd6-d9gkj 1/1 Running 0 4h43m
test-docker-registry-f9d86c548-p8nll 2/2 Running 0 4s
```
4. kubernetes.io/dockerconfigjson created with kubectl
Besides the Opaque type above, we can create a Secret holding docker registry credentials directly with kubectl create:
```
$ kubectl create secret docker-registry myregistry --docker-server=DOCKER_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret "myregistry" created
```
Then list the Secrets:
```
$ kubectl get secret
NAME TYPE DATA AGE
default-token-n9w2d kubernetes.io/service-account-token 3 33d
myregistry kubernetes.io/dockerconfigjson 1 15s
mysecret Opaque 2 34m
```
Note the TYPE column: myregistry is kubernetes.io/dockerconfigjson. describe shows the details:
```
$ kubectl describe secret myregistry
Name: myregistry
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 152 bytes
```
As before, the Data section does not print the content; use -o yaml to see it:
```
$ kubectl get secret myregistry -o yaml
```
```yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJET0NLRVJfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0=
kind: Secret
metadata:
  creationTimestamp: 2018-06-19T16:01:05Z
  name: myregistry
  namespace: default
  resourceVersion: "3696966"
  selfLink: /api/v1/namespaces/default/secrets/myregistry
  uid: f91db707-73d9-11e8-a101-525400db4df7
type: kubernetes.io/dockerconfigjson
```
base64-decode data.dockerconfigjson to see what is inside:
```
$ echo eyJhdXRocyI6eyJET0NLRVJfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0= | base64 -d
{"auths":{"DOCKER_SERVER":{"username":"DOCKER_USER","password":"DOCKER_PASSWORD","email":"DOCKER_EMAIL","auth":"RE9DS0VSX1VTRVI6RE9DS0VSX1BBU1NXT1JE"}}}
```
This is the same structure docker login writes to ~/.docker/config.json. The auth field is base64("DOCKER_USER:DOCKER_PASSWORD"), so the registry password is fully recoverable from the Secret by anyone who can read it: grant get/list on Secrets as narrowly as possible, and use a registry account with pull-only rights for image pulls.
To pull images from a private registry, reference the myregistry Secret from the Pod:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: foo
    image: 192.168.1.100:5000/test:v1
  imagePullSecrets:
  - name: myregistry
```
To pull the private image 192.168.1.100:5000/test:v1 we create a Secret for that registry as above and set imagePullSecrets in the Pod YAML; setting up the private registry itself will be covered in a later lesson.
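The two registry walkthroughs above (section 3 with Aliyun, section 4 with placeholder values) both rely on the same .dockerconfigjson layout. The following is an added example (not code from the original article, nor kubectl's own implementation) that reproduces that document from server, username, password and email, wraps it in a kubernetes.io/dockerconfigjson Secret, and decodes such a Secret back into credentials, recovering them from the auth field so it also handles entries that carry only auth. The placeholder values are the ones the article's kubectl command used; the function and variable names are this example's own.

```python
import base64
import json

# Added example, not code from the original article: build and decode the
# .dockerconfigjson payload of a kubernetes.io/dockerconfigjson Secret.
# Placeholder values DOCKER_SERVER/DOCKER_USER/... match the article's command.


def build_dockerconfigjson(server: str, username: str, password: str, email: str) -> str:
    """Return the JSON document stored (before base64) in .dockerconfigjson.

    The `auth` field is base64(username:password), i.e. the HTTP Basic credential
    in the clear, which is why this Secret must be guarded like the password itself.
    """
    auth = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    doc = {"auths": {server: {"username": username, "password": password,
                              "email": email, "auth": auth}}}
    return json.dumps(doc, separators=(",", ":"))


def make_registry_secret(name: str, server: str, username: str, password: str,
                         email: str, namespace: str = "default") -> dict:
    """Secret object (as a dict) equivalent to `kubectl create secret docker-registry`."""
    cfg = build_dockerconfigjson(server, username, password, email)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode("utf-8")).decode("ascii")},
    }


def registry_credentials(secret: dict) -> dict:
    """Decode a kubernetes.io/dockerconfigjson Secret into {server: (username, password)}.

    Credentials are taken from `auth` when present (some docker login implementations
    write only that field) and from username/password otherwise.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson Secret")
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    auths = json.loads(raw)["auths"]
    creds = {}
    for server, entry in auths.items():
        if "auth" in entry:
            user, _, pw = base64.b64decode(entry["auth"]).decode("utf-8").partition(":")
        else:
            user, pw = entry.get("username", ""), entry.get("password", "")
        creds[server] = (user, pw)
    return creds


if __name__ == "__main__":
    s = make_registry_secret("myregistry", "DOCKER_SERVER", "DOCKER_USER",
                             "DOCKER_PASSWORD", "DOCKER_EMAIL")
    print(json.dumps(s, indent=2))
    print(registry_credentials(s))   # {'DOCKER_SERVER': ('DOCKER_USER', 'DOCKER_PASSWORD')}
```

With the article's placeholder values build_dockerconfigjson returns exactly the 152-byte JSON shown by base64 -d above, including the auth value RE9DS0VSX1VTRVI6RE9DS0VSX1BBU1NXT1JE, which matches the "152 bytes" reported by kubectl describe.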
5. kubernetes.io/service-account-token
The remaining Secret type is kubernetes.io/service-account-token, referenced by a ServiceAccount. When a ServiceAccount is created, Kubernetes up to v1.23 automatically creates a matching Secret of this type; from v1.24 on the kubelet instead requests a short-lived, audience-bound token through the TokenRequest API and projects it into the Pod, and no Secret is created unless you create one yourself. In both cases a Pod that uses the ServiceAccount gets the token mounted at /run/secrets/kubernetes.io/serviceaccount.
We verify this with an nginx image. Why not busybox? busybox works just as well, but its default command exits immediately, so you would have to give it a long-running command. The Secret volume is set up before the container process starts, so the files are already visible from the container's own command; what you cannot do is exec into a container that has already exited. (The kubectl run output below comes from an older kubectl that created a Deployment; current versions create a bare Pod.)
```
$ kubectl run secret-pod3 --image nginx:1.7.9
deployment.apps "secret-pod3" created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
...
secret-pod3-78c8c76db8-7zmqm 1/1 Running 0 13s
...
$ kubectl exec secret-pod3-78c8c76db8-7zmqm ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
$ kubectl exec secret-pod3-78c8c76db8-7zmqm cat /run/secrets/kubernetes.io/serviceaccount/token
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbjl3MmQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzY2FkOWQxLTU5MmYtMTFlOC1hMTAxLTUyNTQwMGRiNGRmNyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.0FpzPD8WO_fwnMjwpGIOphdVu4K9wUINwpXpBOJAQ-Tawd0RTbAUHcgYy3sEHSk9uvgnl1FJRQpbQN3yVR_DWSIlAtbmd4dIPxK4O7ZVdd4UnmC467cNXEBqL1sDWLfS5f03d7D1dw1ljFJ_pJw2P65Fjd13reKJvvTQnpu5U0SDcfxj675-Z3z-iOO3XSalZmkFIw2MfYMzf_WpxW0yMFCVkUZ8tBSTegA9-NJZededceA_VCOdKcUjDPrDo-CNti3wZqax5WPw95Ou8RJDMAIS5EcVym7M2_zjGiqHEL3VTvcwXbdFKxsNX-1VW6nr_KKuMGKOyx-5vgxebl71QQ
```
This token is a bearer credential for the default ServiceAccount of the default namespace (its middle segment decodes to those claims), and every process in the Pod can read it. Legacy tokens like this one have no expiry and stay valid until the Secret is deleted, so a Pod that does not need the API should set automountServiceAccountToken: false, and the ServiceAccount should be bound to no more RBAC permissions than the workload needs.
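To read the claims out of a token like the one above (which ServiceAccount and namespace it belongs to, and whether it is a legacy non-expiring token), the following added example (not code from the original article) decodes a JWT without verifying its signature and summarises the claims for triage. It understands both the legacy claim layout printed above and the nested kubernetes.io layout of bound tokens issued since v1.24. The sample tokens are constructed with a dummy signature; the real token from the article can be passed to describe_sa_token unchanged. Decoding is not authentication: only the API server, which holds the signing key, can verify a token.

```python
import base64
import json
import time

# Added example, not code from the original article: inspect a ServiceAccount
# token (a JWT) without verifying it. The signature is NOT checked here; only
# the API server can authenticate the token. Sample tokens are constructed.


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, payload) dicts of a JWT. No signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def describe_sa_token(token: str, now: float = None) -> dict:
    """Summarise a ServiceAccount token's claims for triage.

    Legacy Secret-backed tokens use flat "kubernetes.io/serviceaccount/..." claims
    and carry no exp; bound tokens (TokenRequest API) nest them under "kubernetes.io"
    and always carry exp and aud.
    """
    header, claims = decode_jwt_unverified(token)
    now = time.time() if now is None else now
    nested = claims.get("kubernetes.io", {})
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace") or nested.get("namespace"),
        "service_account": (claims.get("kubernetes.io/serviceaccount/service-account.name")
                            or nested.get("serviceaccount", {}).get("name")),
        "secret_name": claims.get("kubernetes.io/serviceaccount/secret.name"),
        "audience": claims.get("aud"),
        "long_lived": "exp" not in claims,          # no expiry: valid until the Secret is deleted
        "expired": "exp" in claims and claims["exp"] <= now,
    }


def make_sample_token(namespace: str, sa_name: str, secret_name: str = None, exp: int = 0) -> str:
    """Constructed sample token with a dummy (unverifiable) signature.

    With secret_name it uses the legacy claim layout; otherwise the bound-token
    layout with a nested "kubernetes.io" claim, an audience and an expiry.
    """
    header = {"alg": "RS256", "kid": ""}
    sub = f"system:serviceaccount:{namespace}:{sa_name}"
    if secret_name is not None:
        claims = {
            "iss": "kubernetes/serviceaccount",
            "kubernetes.io/serviceaccount/namespace": namespace,
            "kubernetes.io/serviceaccount/secret.name": secret_name,
            "kubernetes.io/serviceaccount/service-account.name": sa_name,
            "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
            "sub": sub,
        }
    else:
        claims = {
            "aud": ["https://kubernetes.default.svc"],
            "exp": exp,
            "iat": exp - 3600,
            "iss": "https://kubernetes.default.svc.cluster.local",
            "kubernetes.io": {"namespace": namespace,
                              "serviceaccount": {"name": sa_name, "uid": "00000000-0000-0000-0000-000000000000"}},
            "sub": sub,
        }
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return f"{enc(header)}.{enc(claims)}.{_b64url_encode(b'dummy-signature')}"


if __name__ == "__main__":
    legacy = make_sample_token("default", "default", secret_name="default-token-n9w2d")
    bound = make_sample_token("default", "default", exp=int(time.time()) + 3600)
    for t in (legacy, bound):
        print(json.dumps(describe_sa_token(t), indent=2))
```

A token found in a log, a repository or a memory dump can be fed to describe_sa_token to learn at once which ServiceAccount it impersonates and whether it is one of the long-lived legacy tokens that must be revoked by deleting the Secret rather than simply waiting for it to expire.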
6. Secret vs ConfigMap
Finally, a comparison of the two resource objects:
Similarities:
- both hold key/value data
- both belong to a specific namespace
- both can be exported as environment variables
- both can be mounted as directories/files
- configuration mounted through a volume is refreshed in place when the object changes (not for subPath mounts, and never for environment variables)
Differences:
- a Secret can be associated with a ServiceAccount
- a Secret can hold docker registry credentials and be referenced from imagePullSecrets to pull images from a private registry
- Secret values are stored base64-encoded (an encoding, not encryption; confidentiality comes from RBAC and from encrypting etcd at rest)
- Secrets carry a type (kubernetes.io/service-account-token, kubernetes.io/dockerconfigjson, kubernetes.io/tls, Opaque and others), while ConfigMaps have no type