k8s storage: using Secrets
1. Secret overview
A Secret is an object that holds a small amount of sensitive data such as a password, a token, or a key. Keeping this information in a Secret is safer and more flexible than putting it in a Pod definition or a container image, and it reduces the risk of accidental exposure.
2. Built-in Secrets
Service Accounts automatically create and attach Secrets holding API credentials
Kubernetes automatically creates a Secret containing credentials for accessing the API, and automatically modifies your Pods to use this type of Secret (it is mounted under /run/secrets/kubernetes.io/serviceaccount, as the listing below shows).
[root@k8smaster test]# kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
volume-pod   1/1     Running   0          47m
[root@k8smaster test]# kubectl exec -it volume-pod -- /bin/bash
root@volume-pod:/usr/local/tomcat# ls -lrt /run/secrets/kubernetes.io/serviceaccount/
total 0
lrwxrwxrwx 1 root root 12 Feb 18 16:05 token -> ..data/token
lrwxrwxrwx 1 root root 16 Feb 18 16:05 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 13 Feb 18 16:05 ca.crt -> ..data/ca.crt
root@volume-pod:/usr/local/tomcat#
3. Creating an Opaque Secret manually
To store two strings in a Secret via the data field, first convert them to base64 as shown below:
[root@k8smaster test]# echo -n 'admin' | base64
YWRtaW4=
[root@k8smaster test]# echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
[root@k8smaster test]#
[root@k8smaster test]# more mysecret.yanl
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  uname: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
[root@k8smaster test]# kubectl create -f mysecret.yanl
secret/mysecret created
[root@k8smaster test]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      2d8h
default-token-vt7pl   kubernetes.io/service-account-token   3      6d20h
mysecret              Opaque                                2      31s
tls-secret            kubernetes.io/tls                     2      2d8h
[root@k8smaster test]# kubectl describe secret mysecret
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  <none>
Type:         Opaque
Data
====
password:  12 bytes
uname:     3 bytes
[root@k8smaster test]#
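As an added example that is not part of the original post, the following Python script reproduces the base64 step from the shell session above, builds the same Secret manifest as mysecret.yanl (emitted as JSON, which kubectl create -f also accepts), and decodes it back. The decode step is the security caveat a practitioner should keep in mind: base64 is a reversible encoding, not encryption, so anyone permitted to run kubectl get secret -o yaml reads the plaintext, and RBAC plus encryption at rest are what actually protect the value. The has_trailing_newline check catches the common mistake of running echo without -n, which silently appends a newline to the stored password. All function names are my own.

```python
import base64
import binascii
import json


def encode_secret_value(value: str) -> str:
    """Encode a value exactly as `echo -n VALUE | base64` does (no trailing newline)."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def build_opaque_secret(name: str, values: dict) -> dict:
    """Build an Opaque Secret manifest equivalent to mysecret.yanl on the page.

    `values` holds plaintext; the manifest's `data` field must hold base64,
    which is why every value goes through encode_secret_value().
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {key: encode_secret_value(val) for key, val in values.items()},
    }


def decode_secret_data(manifest: dict) -> dict:
    """Recover the plaintext from a Secret manifest's `data` field.

    This is all that `kubectl get secret NAME -o yaml` plus `base64 -d` gives a
    reader: the encoding hides nothing. Invalid base64 is rejected here, just as
    the API server rejects it on create.
    """
    plaintext = {}
    for key, encoded in manifest.get("data", {}).items():
        try:
            plaintext[key] = base64.b64decode(encoded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"data[{key!r}] is not valid base64 text: {exc}") from exc
    return plaintext


def has_trailing_newline(encoded: str) -> bool:
    """True when the value was encoded with `echo VALUE | base64` (without -n):
    the stored secret then ends in a newline byte and logins with it fail."""
    return base64.b64decode(encoded).endswith(b"\n")


if __name__ == "__main__":
    # Constructed sample values: the same two strings used on the page.
    manifest = build_opaque_secret("mysecret", {"uname": "admin", "password": "1f2d1e2e67df"})
    print(json.dumps(manifest, indent=2))  # pipe into: kubectl create -f -
    print("decoded:", decode_secret_data(manifest))
    print("newline bug present:", has_trailing_newline(encode_secret_value("admin\n")))
```

Running the script prints the manifest with data.uname set to YWRtaW4= and data.password set to MWYyZDFlMmU2N2Rm, the same strings the shell session produced, and then prints them decoded again.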
4. Creating a Pod
1) Consuming the Secret through a volume
[root@k8smaster test]# more env-volume.yaml
apiVersion: v1
kind: Pod
metadata:
  name: volume-pod
spec:
  containers:
  - name: volume-pod-ctn
    image: 192.168.23.100:5000/tomcat:v2
    volumeMounts:
    - name: config-volume
      mountPath: /tmp/config
      readOnly: true
  volumes:
  - name: config-volume
    secret:
      secretName: mysecret
  restartPolicy: Never
[root@k8smaster test]# kubectl create -f env-volume.yaml
pod/volume-pod created
[root@k8smaster test]# kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
volume-pod   1/1     Running   0          6s
[root@k8smaster test]# kubectl exec -it volume-pod /bin/bash
root@volume-pod:/usr/local/tomcat# cd /tmp/config/
root@volume-pod:/tmp/config# ls -lrt
total 0
lrwxrwxrwx 1 root root 12 Feb 18 17:15 uname -> ..data/uname
lrwxrwxrwx 1 root root 15 Feb 18 17:15 password -> ..data/password
root@volume-pod:/tmp/config# more uname
admin
root@volume-pod:/tmp/config# more password
1f2d1e2e67df
root@volume-pod:/tmp/config#
2) Consuming the Secret through environment variables
[root@k8smaster test]# more env-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: env-pod
spec:
  containers:
  - name: env-pod-ctn
    image: 192.168.23.100:5000/tomcat:v2
    command: ["/bin/bash","-c","env"]
    env:
    - name: SECRET_NAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: uname
    - name: SECRET_PWD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
  restartPolicy: Never
[root@k8smaster test]# kubectl create -f env-pod.yaml
pod/env-pod created
[root@k8smaster test]# kubectl get pod
NAME      READY   STATUS      RESTARTS   AGE
env-pod   0/1     Completed   0          5s
[root@k8smaster test]# kubectl logs env-pod|grep SECRET
SECRET_PWD=1f2d1e2e67df
SECRET_NAME=admin
[root@k8smaster test]#
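Added example, my own code rather than anything from the post: a small Python checker that takes Pod manifests such as env-volume.yaml and env-pod.yaml above (as already-parsed dicts, so it runs without a YAML library) and reports how each Secret reaches the container, together with a scan of captured log lines for secret values. It makes the defender's point behind the two consumption methods concrete: the post's own kubectl logs env-pod | grep SECRET prints the password, because a Secret injected as an environment variable is visible to anything that dumps the environment (the env command, crash reports, child processes), whereas a read-only volume mount keeps it in a file that only the reading process sees. It also flags Pods that leave automountServiceAccountToken unset, which is why the token from section 2 appears under /run/secrets/kubernetes.io/serviceaccount even though neither manifest asks for it. The manifests and log lines are constructed to match the page; the function names are assumptions of this example.

```python
# Constructed samples: the two Pod specs from the page, as parsed manifests.
VOLUME_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "volume-pod"},
    "spec": {
        "containers": [{
            "name": "volume-pod-ctn",
            "image": "192.168.23.100:5000/tomcat:v2",
            "volumeMounts": [{"name": "config-volume", "mountPath": "/tmp/config", "readOnly": True}],
        }],
        "volumes": [{"name": "config-volume", "secret": {"secretName": "mysecret"}}],
        "restartPolicy": "Never",
    },
}

ENV_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "env-pod"},
    "spec": {
        "containers": [{
            "name": "env-pod-ctn",
            "image": "192.168.23.100:5000/tomcat:v2",
            "command": ["/bin/bash", "-c", "env"],
            "env": [
                {"name": "SECRET_NAME", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "uname"}}},
                {"name": "SECRET_PWD", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
            ],
        }],
        "restartPolicy": "Never",
    },
}

# Constructed: the lines `kubectl logs env-pod` printed on the page, plus ordinary env lines.
SAMPLE_LOG = [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "HOSTNAME=env-pod",
    "SECRET_PWD=1f2d1e2e67df",
    "SECRET_NAME=admin",
    "CATALINA_HOME=/usr/local/tomcat",
]
SECRET_VALUES = {"uname": "admin", "password": "1f2d1e2e67df"}  # plaintext of mysecret


def secret_env_refs(pod: dict) -> list:
    """(container, env var, secret, key) for every env var filled from a Secret."""
    refs = []
    for ctn in pod["spec"].get("containers", []):
        for env in ctn.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                refs.append((ctn["name"], env["name"], ref["name"], ref["key"]))
    return refs


def secret_volume_mounts(pod: dict) -> list:
    """(container, mountPath, secret, readOnly) for every mounted Secret volume."""
    secret_vols = {v["name"]: v["secret"]["secretName"]
                   for v in pod["spec"].get("volumes", []) if "secret" in v}
    mounts = []
    for ctn in pod["spec"].get("containers", []):
        for vm in ctn.get("volumeMounts", []):
            if vm["name"] in secret_vols:
                mounts.append((ctn["name"], vm["mountPath"], secret_vols[vm["name"]],
                               bool(vm.get("readOnly", False))))
    return mounts


def automounts_sa_token(pod: dict) -> bool:
    """True unless the spec sets automountServiceAccountToken: false.
    Unset means the token is mounted (unless the ServiceAccount itself opts out);
    neither manifest on the page sets it, hence the token seen in section 2."""
    return pod["spec"].get("automountServiceAccountToken", True)


def find_leaked_values(log_lines, secret_values: dict) -> dict:
    """Map each secret key whose plaintext appears verbatim in the log to the matching lines.
    Short or common values (like 'admin') match more often; treat hits as leads, not proof."""
    hits = {}
    for key, value in secret_values.items():
        matched = [line for line in log_lines if value in line]
        if matched:
            hits[key] = matched
    return hits


def report(pod: dict) -> list:
    """Findings for one Pod, returned as strings so callers can assert on them."""
    findings = []
    for ctn, var, secret, key in secret_env_refs(pod):
        findings.append(f"{ctn}: env {var} carries {secret}/{key}; visible to env, /proc/*/environ and child processes")
    for ctn, path, secret, ro in secret_volume_mounts(pod):
        findings.append(f"{ctn}: {secret} mounted at {path} ({'read-only' if ro else 'WRITABLE'})")
    if automounts_sa_token(pod):
        findings.append("service-account token auto-mounted at /run/secrets/kubernetes.io/serviceaccount")
    return findings


if __name__ == "__main__":
    for pod in (VOLUME_POD, ENV_POD):
        print(pod["metadata"]["name"])
        for line in report(pod):
            print("  -", line)
    print("leaked into logs:", find_leaked_values(SAMPLE_LOG, SECRET_VALUES))
```

For env-pod the checker reports both environment-variable injections and the auto-mounted token, and the log scan finds both secret values in the captured output; for volume-pod it reports only the read-only mount at /tmp/config and the token. Another practical difference the checker does not show: a Secret mounted as a volume is refreshed in the container when the Secret changes, while environment variables keep the value from Pod start.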