Introduction to Secret
ConfigMap data has essentially no categories, but Secret is different: it carries a notion of type that depends on how the Secret is used;
- docker-registry: used when the kubelet starts a Pod and must first authenticate to a private image registry before it can pull the image;
- TLS: used to hold a TLS/SSL certificate together with its matching private key;
- generic: everything else is the generic type; within the generic type there are several subtypes
Several of the built-in subtypes are reserved for authentication between system components:
--type="kubernetes.io/basic-auth" --type="kubernetes.io/rbd" --type="kubernetes.io/ssh-auth"
In addition, the Secret that holds a ServiceAccount's token records its intended use in resource annotations.
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: node-controller
    kubernetes.io/service-account.uid: 5c7b00cc-8fae-48f7-9069-8efce3681f4d
- Resource metadata: besides name and namespace, labels and annotations are the other commonly used fields;
- An annotation name follows the same naming format as a label name, but the length of its value is not limited;
- Annotations cannot be used as filter conditions by label selectors; they are commonly used to expose temporary configuration interfaces for applications that are still in Beta;
Management commands: kubectl annotate TYPE/NAME KEY=VALUE, kubectl annotate TYPE/NAME KEY-
There is also a dedicated type for the tokens used by kubeadm's bootstrap process; these usually live in the kube-system namespace with the bootstrap-token- prefix.
--type="bootstrap.kubernetes.io/token"
TLS-type Secret
The TLS type is special: apart from the different type identifier, the create command needs the dedicated --cert and --key options.
Whatever the certificate and private key files are named, they are always stored under fixed keys:
tls.crt
tls.key
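As an added illustration of the type rules above (this is not code from the original post), the following Python builds Secret manifests the way `kubectl create secret generic --from-literal` and `kubectl create secret tls --cert --key` do, enforces the data keys each built-in type requires, and decodes a manifest back to plaintext to make the point that the base64 in `.data` is an encoding, not encryption. The REQUIRED_KEYS table, the function names and the sample PEM strings are assumptions made for this example; the output is JSON, which `kubectl apply -f -` accepts as YAML.

```python
import base64
import json

# Data keys the API server validates for the built-in Secret types used on this
# page. Opaque (what "generic" produces by default) accepts any keys.
# Assumed from the type descriptions above; extend it for other built-in types.
REQUIRED_KEYS = {
    "Opaque": frozenset(),
    "kubernetes.io/basic-auth": frozenset({"username", "password"}),
    "kubernetes.io/tls": frozenset({"tls.crt", "tls.key"}),
    "kubernetes.io/dockerconfigjson": frozenset({".dockerconfigjson"}),
}


def _b64(value):
    """Encode a str or bytes value the way kubectl fills the .data map."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    return base64.b64encode(value).decode("ascii")


def build_secret(name, data, secret_type="Opaque", namespace="default"):
    """Build the manifest `kubectl create secret generic --from-literal` produces.

    Values land in .data base64-encoded. That is an encoding, not encryption:
    anyone allowed to `kubectl get secret -o yaml` recovers the plaintext, so
    access to Secrets is controlled by RBAC, not by the encoding.

    The API server accepts any unknown type string without validating keys, so
    a typo such as kubenetes.io/basic-auth silently becomes an arbitrary type.
    This builder is stricter and rejects types it does not know.
    """
    if secret_type not in REQUIRED_KEYS:
        raise ValueError(f"unknown or misspelled secret type: {secret_type!r}")
    missing = REQUIRED_KEYS[secret_type] - set(data)
    if missing:
        raise ValueError(f"{secret_type} requires keys {sorted(missing)}")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": secret_type,
        "data": {key: _b64(value) for key, value in data.items()},
    }


def build_tls_secret(name, cert_pem, key_pem, namespace="default"):
    """kubernetes.io/tls: whatever the input files were called, the keys are
    always tls.crt and tls.key, which is why an nginx config can hard-code
    /etc/nginx/certs/tls.crt and /etc/nginx/certs/tls.key."""
    if b"-----BEGIN CERTIFICATE-----" not in cert_pem:
        raise ValueError("--cert must be a PEM-encoded certificate")
    if b"PRIVATE KEY-----" not in key_pem:
        raise ValueError("--key must be a PEM-encoded private key")
    return build_secret(name, {"tls.crt": cert_pem, "tls.key": key_pem},
                        "kubernetes.io/tls", namespace)


def decode_secret(manifest):
    """Reverse the encoding: what `echo <value> | base64 -d` does on this page."""
    return {key: base64.b64decode(value) for key, value in manifest["data"].items()}


def to_json(manifest):
    """JSON is valid YAML, so this can be piped straight into `kubectl apply -f -`."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    secret = build_secret("mysql-root-authn",
                          {"username": "root", "password": "userpassword"})
    print(to_json(secret))
    print(decode_secret(secret))  # the plaintext comes straight back
```

Run as a script it prints the manifest for the mysql-root-authn Secret used in Example 1 and then the decoded plaintext, which is the same round trip the `base64 -d` step in that example performs.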
Docker Registry-type Secret
[root@k8s-master ~]# kubectl create secret docker-registry --help #show the help to see what information must be supplied
......
Options:
--allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in
the template. Only applies to golang and jsonpath output formats.
--append-hash=false: Append a hash of the secret to its name.
--docker-email='': Email for Docker registry
--docker-password='': Password for Docker registry authentication
--docker-server='https://index.docker.io/v1/': Server location for Docker registry
--docker-username='': Username for Docker registry authentication
The credentials can also be loaded from Docker's own auth file, in which case the --from-file option is used;
$HOME/.dockercfg, ~/.docker/config.json
When and how to reference it: the Secret is referenced from a Pod through the following field
pod.spec.imagePullSecrets
Secret resources: environment-variable reference format
name: ...
image: ...
env:
- name: <string> #variable name; its value comes from the given key of a Secret object
  valueFrom: #key reference
    secretKeyRef:
      name: <string> #name of the referenced Secret object, which must be in the same namespace as the Pod
      key: <string> #key on the referenced Secret object whose value is passed to the environment variable
      optional: <boolean> #whether the reference is optional
envFrom: #reference all key names and values of the given Secret object as a whole
- prefix: <string> #prefix added to every key name when it is exposed as an environment variable
  secretRef:
    name: <string> #name of the referenced Secret object
    optional: <boolean> #whether the reference is optional
Example 1: create a generic Secret and reference it from MySQL
[root@k8s-master secret]# kubectl create secret --help
Create a secret using specified subcommand.
Available Commands: #the three Secret types
docker-registry Create a secret for use with a Docker registry
generic Create a secret from a local file, directory or literal value
tls Create a TLS secret
#create a generic-type Secret, user: root, password: userpassword
[root@k8s-master secret]# kubectl create secret generic mysql-root-authn --from-literal=username=root --from-literal=password=userpassword
secret/mysql-root-authn created
[root@k8s-master secret]# kubectl get secret
NAME TYPE DATA AGE
default-token-fsshk kubernetes.io/service-account-token 3 39d
my-grafana Opaque 3 36d
my-grafana-test-token-87856 kubernetes.io/service-account-token 3 36d
my-grafana-token-gh765 kubernetes.io/service-account-token 3 36d
mysql-root-authn Opaque 2 25s #Opaque is the generic type
sh.helm.release.v1.my-grafana.v1 helm.sh/release.v1 1 36d
#detailed description
[root@k8s-master secret]# kubectl describe secret mysql-root-authn
Name: mysql-root-authn
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password: 12 bytes
username: 4 bytes
[root@k8s-master secret]# kubectl get secret mysql-root-authn
NAME TYPE DATA AGE
mysql-root-authn Opaque 2 64s
[root@k8s-master secret]# kubectl get secret mysql-root-authn -o yaml
apiVersion: v1
data:
password: dXNlcnBhc3N3b3Jk #base64-encoded (an encoding, not encryption)
username: cm9vdA==
kind: Secret
metadata:
creationTimestamp: "2021-08-07T07:03:31Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:password: {}
f:username: {}
f:type: {}
manager: kubectl-create
operation: Update
time: "2021-08-07T07:03:31Z"
name: mysql-root-authn
namespace: default
resourceVersion: "7454439"
selfLink: /api/v1/namespaces/default/secrets/mysql-root-authn
uid: 5743f6a0-1f02-445c-87e5-ae9819d77811
type: Opaque
[root@k8s-master secret]# echo dXNlcnBhc3N3b3Jk|base64 -d #decode from base64: the plaintext comes straight back
userpassword[root@k8s-master secret]#
#create a basic-auth Secret
[root@k8s-master secret]# kubectl create secret generic web-basic-authn --from-literal=username=devopser --from-literal=password=userpassword --type="kubenetes.io/basic-auth" #note the typo: the built-in type is kubernetes.io/basic-auth; the misspelled string is accepted as an arbitrary type and its username/password keys are not validated
secret/web-basic-authn created
[root@k8s-master secret]# kubectl get secret
NAME TYPE DATA AGE
default-token-fsshk kubernetes.io/service-account-token 3 39d
my-grafana Opaque 3 36d
my-grafana-test-token-87856 kubernetes.io/service-account-token 3 36d
my-grafana-token-gh765 kubernetes.io/service-account-token 3 36d
mysql-root-authn Opaque 2 8m2s
sh.helm.release.v1.my-grafana.v1 helm.sh/release.v1 1 36d
web-basic-authn kubenetes.io/basic-auth 2 21s #the auth type, exactly as typed above
[root@k8s-master secret]# kubectl get secret -n kube-system #Secret types commonly found in the kube-system namespace
NAME TYPE DATA AGE
attachdetach-controller-token-bpprw kubernetes.io/service-account-token 3 39d
bootstrap-signer-token-69hd8 kubernetes.io/service-account-token 3 39d
bootstrap-token-hbjzpz bootstrap.kubernetes.io/token 5 3d
certificate-controller-token-26sn8 kubernetes.io/service-account-token 3 39d
clusterrole-aggregation-controller-token-hlb6c kubernetes.io/service-account-token 3 39d
coredns-token-k6swp kubernetes.io/service-account-token 3 39d
cronjob-controller-token-449ng kubernetes.io/service-account-token 3 39d
daemon-set-controller-token-qb22n kubernetes.io/service-account-token 3 39d
default-token-xjfpp kubernetes.io/service-account-token 3 39d
deployment-controller-token-tb84w kubernetes.io/service-account-token 3 39d
disruption-controller-token-cqzdt kubernetes.io/service-account-token 3 39d
endpoint-controller-token-ptsp4 kubernetes.io/service-account-token 3 39d
[root@k8s-master secret]# kubectl get secret node-controller-token-rv7zt -n kube-system -o yaml
MySQL referencing the Secret
[root@k8s-master secret]# cat secrets-env-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secrets-env-demo
  namespace: default
spec:
  containers:
  - name: mariadb
    image: mariadb
    imagePullPolicy: IfNotPresent
    env: #injected as an environment variable: read once when the container starts, later updates to the Secret are not picked up
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-root-authn #references the Secret created above
          key: password
[root@k8s-master secret]# kubectl apply -f secrets-env-demo.yaml
[root@k8s-master secret]# kubectl get pod
NAME READY STATUS RESTARTS AGE
centos-deployment-66d8cd5f8b-95brg 1/1 Running 0 2d22h
configmap-volume-demo3 1/1 Running 0 4h36m
configmaps-env-demo 1/1 Running 0 24h
configmaps-volume-demo 1/1 Running 0 24h
configmaps-volume-demo2 2/2 Running 0 17h
my-grafana-7d788c5479-bpztz 1/1 Running 3 2d22h
secrets-env-demo 1/1 Running 0 6m38s
volumes-pvc-longhorn-demo 1/1 Running 0 2d4h
#log in with the account and password taken from the Secret
[root@k8s-master secret]# kubectl exec secrets-env-demo -it -- /bin/bash
root@secrets-env-demo:/# mysql -uroot -puserpassword
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.6.3-MariaDB-1:10.6.3+maria~focal mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> exit
Bye
root@secrets-env-demo:/# exit
exit
Example 2: create a TLS-type Secret and use a self-signed certificate for HTTPS
#create the TLS certificate
[root@k8s-master secret]# (umask 007; openssl genrsa -out nginx.key 2048) #generate the private key
Generating RSA private key, 2048 bit long modulus
................................................................................................+++
.................+++
e is 65537 (0x10001)
[root@k8s-master secret]# ls
nginx.key
#create the self-signed certificate
[root@k8s-master secret]# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Hz/O=DevOps/CN=www.test.com
[root@k8s-master secret]# ls
nginx.crt nginx.key
#create the Secret
[root@k8s-master secret]# kubectl create secret tls nginx-ssl-secret --key=./nginx.key --cert=./nginx.crt
secret/nginx-ssl-secret created
[root@k8s-master secret]# kubectl get secret
NAME TYPE DATA AGE
default-token-fsshk kubernetes.io/service-account-token 3 39d
my-grafana Opaque 3 36d
my-grafana-test-token-87856 kubernetes.io/service-account-token 3 36d
my-grafana-token-gh765 kubernetes.io/service-account-token 3 36d
mysql-root-authn Opaque 2 32m
nginx-ssl-secret kubernetes.io/tls 2 15s
sh.helm.release.v1.my-grafana.v1 helm.sh/release.v1 1 36d
web-basic-authn kubenetes.io/basic-auth 2 24m
[root@k8s-master secret]# kubectl describe secret nginx-ssl-secret
Name: nginx-ssl-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1220 bytes
tls.key: 1675 bytes
[root@k8s-master secret]# kubectl get secret nginx-ssl-secret -o yaml
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURWekNDQWorZ0F3SUJBZ0lKQUpsZGlNMGIvTTRFTUEwR0NTcUdTSWIzRFFFQkN3VUFNRUl4Q3pBSkJnTlYKQkFZVEFrTk9NUXN3Q1FZRFZRUUlEQUpJ1ekhVSkNyc3AxQjkyZGhuCktEZGt0ZWFGVWw5eXFiYzFHeHVwRG15b0lUUjJQUnZzTkREeUl5OGtnOHB6NVlkL2VHRldYUlh0d2w5emtmUHYKMCtDOTd1bWJIdVZ5VlRsdkloU2ltZU5pcnhtdXExUTh5VVNSR0NzaFk3Zmx4TXNTS3FQbWZDWnhNMEZWN090VAorZ0VNdnRUNUlPbkkvTmQ1OFVpVDFveFBIWlVGZ1B2Q2Q4bU9PYkwyU2w4a2JZNVRLcFJFK0dtSXd3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.key: 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
kind: Secret
metadata:
  creationTimestamp: "2021-08-07T07:35:35Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:tls.crt: {}
        f:tls.key: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2021-08-07T07:35:35Z"
  name: nginx-ssl-secret
  namespace: default
  resourceVersion: "7460794"
  selfLink: /api/v1/namespaces/default/secrets/nginx-ssl-secret
  uid: 72bdf764-cd58-4be4-b93c-c9e7bd83713e
type: kubernetes.io/tls
#decode the key: anyone who can read the Secret gets the private key back in the clear
[root@k8s-master secret]# echo 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| base64 -d
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqIz6OrTV1XCOabbdDCiWEwFNrypCbGo/dayjbg6yE/pRlc1b
ryAbR8Rafhwh+bYwT0/j0mMAy2Dn+E+gUw3UxJN85c1oR5VxK72PUy5xuvdAdoMB
9QJrjcM/G2H3R64IEbREDE5k1jkmVMmTaTbgaSKc6zRh7eFtKUgAYItMF1KEmzjC
bKZ0cvgPNoWByNrwXPQOQTEqITahiDVEQAbRE/aHKUVwdW+F7vIic5c0I3h418Tn
3awqiTMKn+eO+w0MWQNvdJlhWkDJ28m4eFTgLjNAoFqOofmYhEDAVnqOXVeUrXG1
kJSN2SkjYTOoINXkBZ19eL5Q0JpH4M2fNg4wTQIDAQABAoIBAQCXP1J4BbfwvPz+
ffpjo7Pvv/au3bQXR0xE0zMgWo2QAcreKxY/0wbH4rn1elc+li9JrH3aV77pwb7H
AuTyQnIQJ+0m5ajSu5Z/Uq3fTcj+pkqxTiQecRqEbpUdhE56gv94q5N4m4w+86+i
2/OssXK0xTuckDfkV6o2Jgc4mycfsRa4HQX4rfUS5AsCLZxnTexo/jyMwJm6wUJt
TLWsB3vfZU9m8sSYFStNP8tPbffOkLzIuFXuHwF48UjsgBhs7oqVec0fhqeLKdNM
aHFVsl3W/gBlNKQoW/uFOZTUhI5GsKfGAKNcYKJzH6lV9TTtQd0wVAJNcsdpBR9M
a2xTCtw9AoGBANK/eC6hvTCg1e0LTVvjHIB93nnjHon4ZJF3pUgdbalc0bVpBg7m
IqFPuozHKbDlWOBw56ADpvNHZ0YdZSQjr3dGJ9OkSRIbOv6VTHsDLDadZ5B8yAQ3
vgb7UyKeiun0hWTtETN/Wg62RySlHd5tL89wcUk1FyflIZ4dt6VNBomTAoGBAMy9
+5HfzCylTgsa8v4X4ZXAkzuqN1HoMv8JkiBx/kpiQhBuBYfc9dNVhObL5jjwDZFV
tDuR0yy2zsR4uCOTs5VyrRJYtsSAXFXkxuC4GO2Sd8ofHntU4VfDqe4MulyKA3c2
ihdnYVcBnblJkzoDb+rhIO1MZvzHzwJkhVZzRQqfAoGAHWunXnMr0ycQ1ke2o/Y/
m1x2+3MOZ1pqx7f5NekNzw/rIrUnqFrOSNC1jUOceVp7HtIEM91uqBW2wB4IaZQl
wbPkiXIs1T9B7Bpxk9asjG9K7uvMjHIvsA/T2khhwillmeJSfWrw6o7dvarjUZLS
ktXyqrKjqekd2VHyujvXhssCgYA6AfmsssOeQpeB/fiqlQmM7CrK1McnpaoNKCEG
oEVzvbMKBKH8hFYBslEdMtffeePeMXIHDqHOIV0jvTAupEJVLVBryka+FcATdeYC
9SXa6YyW74orVzkhLIaQs3p5jYC93e3yA5BInmSZgob8AM1Mtswlb2geZl34R5Kf
k7kT8QKBgFwFLntyfGlyUoiEYee1FI4/ePxUOSerTC4o2tdjL0BbJlieU+WaiNpA
yvuxq8THnT0Q/+rLzug9/vXVCMrribfOvlvL20CrZd5Wtkm9MwXBIPGPwpzPerew
wDUvToaomlBuWEZEsUwxf2+xssN60Zz98QITSSdwNaRJnyg2GRNf
-----END RSA PRIVATE KEY-----
[root@k8s-master secret]#
HTTPS with a self-signed certificate: referencing the TLS Secret
[root@k8s-master secret]# cat secrets-volume-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secrets-volume-demo
  namespace: default
spec:
  containers:
  - image: nginx:alpine
    name: ngxserver
    volumeMounts:
    - name: nginxcerts
      mountPath: /etc/nginx/certs/
      readOnly: true
    - name: nginxconfs
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: nginxcerts
    secret:
      secretName: nginx-ssl-secret #references the self-signed certificate Secret created above
  - name: nginxconfs
    configMap:
      name: nginx-sslvhosts-confs #references the ConfigMap
      optional: false
[root@k8s-master secret]# cat nginx-config.d/myserver #tab completion lists the three files
myserver.conf myserver-gzip.cfg myserver-status.cfg
[root@k8s-master secret]# cat nginx-config.d/myserver.conf
server {
    listen 443 ssl;
    server_name www.test.com;
    ssl_certificate /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated; a hardened config keeps only TLSv1.2 and newer
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    include /etc/nginx/conf.d/myserver-*.cfg;
    location / {
        root /usr/share/nginx/html;
    }
}
server {
    listen 80;
    server_name www.ilinux.io;
    return 301 https://$host$request_uri;
}
#create the ConfigMap
[root@k8s-master secret]# kubectl create configmap nginx-sslvhosts-confs --from-file=./nginx-config.d
configmap/nginx-sslvhosts-confs created
[root@k8s-master secret]# kubectl get cm
NAME DATA AGE
demoapp-config 4 47h
demoapp-confs 4 18h
nginx-config 2 26h
nginx-config-files 3 24h
nginx-sslvhosts-confs 3 12s
[root@k8s-master secret]# kubectl apply -f secrets-volume-demo.yaml
pod/secrets-volume-demo created
[root@k8s-master secret]# kubectl get pod
NAME READY STATUS RESTARTS AGE
secrets-volume-demo 1/1 Running 0 14m
volumes-pvc-longhorn-demo 1/1 Running 0 2d5h
#inspect the Pod's configuration
[root@k8s-master secret]# kubectl exec secrets-volume-demo -it -- /bin/sh
/ # cd /etc/nginx/conf.d/
/etc/nginx/conf.d # ls
myserver-gzip.cfg myserver-status.cfg myserver.conf
/etc/nginx/conf.d # cat myserver.conf
server {
    listen 443 ssl;
    server_name www.test.com;
    ssl_certificate /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    include /etc/nginx/conf.d/myserver-*.cfg;
    location / {
        root /usr/share/nginx/html;
    }
}
server {
    listen 80;
    server_name www.ilinux.io;
    return 301 https://$host$request_uri;
}
/etc/nginx/conf.d # netstat -nlt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
/etc/nginx/conf.d # curl -H "Host:www.test.com" https://127.0.0.1:443 #curl refuses the self-signed certificate
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
/etc/nginx/conf.d # curl -k -H "Host:www.test.com" https://127.0.0.1:443 # -k disables certificate verification; the request now succeeds
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
    width: 35em;
    margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
/etc/nginx/conf.d # exit
[root@k8s-master secret]#
Example 3: create a docker-registry-type Secret for private registry authentication
[root@k8s-master secret]# kubectl create secret docker-registry harbor-tom --docker-username=tom --docker-password=userpassword --docker-email=tom@test.com --docker-server=https://registry.test.com/v2/
secret/harbor-tom created
[root@k8s-master secret]# kubectl get secret
NAME TYPE DATA AGE
default-token-fsshk kubernetes.io/service-account-token 3 39d
harbor-tom kubernetes.io/dockerconfigjson 1 50s
mysql-root-authn Opaque 2 45m
nginx-ssl-secret kubernetes.io/tls 2 13m
sh.helm.release.v1.my-grafana.v1 helm.sh/release.v1 1 36d
web-basic-authn kubenetes.io/basic-auth 2 37m
[root@k8s-master secret]# kubectl get secret harbor-tom -o yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL3JlZ2lzdHJ5LnRlc3QuY29tL3YyLyI6eyJ1c2VybmFtZSI6InRvbSIsInBhc3N3b3JkIjoidXNlcnBhc3N3b3JkIiwiZW1haWwiOiJ0b21AdGVzdC5jb20iLCJhdXRoIjoiZEc5dE9uVnpaWEp3WVhOemQyOXlaQT09In19fQ==
kind: Secret
metadata:
  creationTimestamp: "2021-08-07T07:48:15Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:.dockerconfigjson: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2021-08-07T07:48:15Z"
  name: harbor-tom
  namespace: default
  resourceVersion: "7463303"
  selfLink: /api/v1/namespaces/default/secrets/harbor-tom
  uid: 461547f3-4286-4377-9220-130231041908
type: kubernetes.io/dockerconfigjson
[root@k8s-master secret]# echo eyJhdXRocyI6eyJodHRwczovL3JlZ2lzdHJ5LnRlc3QuY29tL3YyLyI6eyJ1c2VybmFtZSI6InRvbSIsInBhc3N3b3JkIjoidXNlcnBhc3N3b3JkIiwiZW1haWwiOiJ0b21AdGVzdC5jb20iLCJhdXRoIjoiZEc5dE9uVnpaWEp3WVhOemQyOXlaQT09In19fQ==|base64 -d #decode: the registry password is readable by anyone allowed to get the Secret
{"auths":{"https://registry.test.com/v2/":{"username":"tom","password":"userpassword","email":"tom@test.com","auth":"dG9tOnVzZXJwYXNzd29yZA=="}}}[root@k8s-master secret]#
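The `.dockerconfigjson` layout decoded above, as an added example that is not part of the original post: the Python below rebuilds the document `kubectl create secret docker-registry` writes (including the `auth` field, which is just `base64("user:password")` a second time), reproduces the exact value shown for harbor-tom, and parses such a Secret back into credentials, which is what the kubelet does at pull time and what any principal with `get` on the Secret can do as well. The function names are assumptions made for this example; the base64 constant is the value from the page.

```python
import base64
import json

# .dockerconfigjson value of secret harbor-tom as shown on this page.
PAGE_DOCKERCONFIGJSON = "eyJhdXRocyI6eyJodHRwczovL3JlZ2lzdHJ5LnRlc3QuY29tL3YyLyI6eyJ1c2VybmFtZSI6InRvbSIsInBhc3N3b3JkIjoidXNlcnBhc3N3b3JkIiwiZW1haWwiOiJ0b21AdGVzdC5jb20iLCJhdXRoIjoiZEc5dE9uVnpaWEp3WVhOemQyOXlaQT09In19fQ=="


def docker_auth(username, password):
    """The "auth" field is base64("user:password"): the same secret, encoded twice."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def build_dockerconfigjson(server, username, password, email=None):
    """Compact JSON document kubectl writes for `create secret docker-registry`."""
    entry = {"username": username, "password": password}
    if email is not None:
        entry["email"] = email
    entry["auth"] = docker_auth(username, password)
    return json.dumps({"auths": {server: entry}}, separators=(",", ":"))


def build_registry_secret(name, server, username, password, email=None,
                          namespace="default"):
    """Manifest equivalent to the kubectl command shown in Example 3."""
    config = build_dockerconfigjson(server, username, password, email)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(config.encode("utf-8")).decode("ascii")},
    }


def registry_credentials(secret):
    """Recover (server, username, password) tuples from a dockerconfigjson Secret.

    Nothing here is encrypted: reading the Secret is reading the password, so
    pull secrets deserve the same RBAC scoping as any other credential."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError(f"not a dockerconfigjson secret: {secret.get('type')!r}")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = []
    for server, entry in config["auths"].items():
        if "auth" in entry:  # docker login writes only "auth" in newer config files
            user, _, password = base64.b64decode(entry["auth"]).decode("utf-8").partition(":")
        else:
            user, password = entry["username"], entry["password"]
        creds.append((server, user, password))
    return creds


def audit_summary(secret):
    """Registry and username only: safe to put in a report or a log line."""
    return [(server, user) for server, user, _ in registry_credentials(secret)]


if __name__ == "__main__":
    rebuilt = build_registry_secret("harbor-tom", "https://registry.test.com/v2/",
                                    "tom", "userpassword", "tom@test.com")
    print(json.dumps(rebuilt, indent=2))
    print(audit_summary(rebuilt))
```

`audit_summary` is the shape to use when inventorying which registries a namespace can pull from: it answers the question without copying the password into a second place.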
downwardAPI
- Strictly speaking, the downwardAPI volume type is not a volume: it exists on its own, because what it references is the Pod's own runtime environment information, which already exists when the Pod starts.
Much like ConfigMap or Secret resources, a container can nest a fieldRef or resourceFieldRef field under valueFrom in an environment variable definition to reference metadata of the Pod it belongs to. Usually, though, only constant attributes are injected into a container through environment variables: once a process has started there is no way to tell it that a variable's value has changed, so environment variables do not support updates mid-flight. The information a container spec can reference through the fieldRef field nested in an environment variable's valueFrom includes the following:
- metadata.name: the Pod object's name;
- metadata.namespace: the namespace the Pod object belongs to;
- metadata.uid: the Pod object's UID;
- metadata.labels['<KEY>']: the value of the given key in the Pod object's labels, for example metadata.labels['mylabel']; supported only in Kubernetes 1.9 and later;
- metadata.annotations['<KEY>']: the value of the given key in the Pod object's annotations; supported only in Kubernetes 1.9 and later.
Information about a container's compute resource requests and limits, as well as its ephemeral-storage requests and limits, can be referenced through the resourceFieldRef field of the container spec; the relevant fields include requests.cpu, limits.cpu, requests.memory and limits.memory. The following can also be referenced through environment variables:
- status.podIP: the Pod object's IP address
- spec.serviceAccountName: the name of the ServiceAccount resource the Pod object uses
- spec.nodeName: the node name
- status.hostIP: the node IP address
- In addition, the resourceFieldRef field can reference the resource requests and limits defined for the current container, namely the six items requests.cpu, requests.memory, requests.ephemeral-storage, limits.cpu, limits.memory and limits.ephemeral-storage.
Example 4: downwardAPI referenced through environment variables (env:)
[root@k8s-master secret]# cat downwardapi-env-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: downwardapi-env-demo
  labels:
    app: demoapp
spec:
  containers:
  - name: demoapp
    image: ikubernetes/demoapp:v1.0
    # command: ["/bin/sh","-c","env"]
    resources:
      requests:
        memory: "32Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "500m"
    env:
    - name: THIS_POD_NAME #variable name
      valueFrom:
        fieldRef:
          fieldPath: metadata.name #the Pod object's name
    - name: THIS_POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace #the namespace it lives in
    - name: THIS_APP_LABEL
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['app']
    - name: THIS_CPU_LIMIT
      valueFrom:
        resourceFieldRef:
          resource: limits.cpu #CPU limit; with the default divisor only whole cores are shown (1, 2, ...), rounded up
    - name: THIS_MEM_REQUEST
      valueFrom:
        resourceFieldRef:
          resource: requests.memory
          divisor: 1Mi #the divisor defaults to 1 (bytes); 1Mi reports the value in MiB
  #restartPolicy: Never
[root@k8s-master secret]# kubectl get pod
NAME READY STATUS RESTARTS AGE
configmap-volume-demo3 1/1 Running 0 29h
configmaps-env-demo 1/1 Running 0 2d1h
configmaps-volume-demo 1/1 Running 0 2d1h
configmaps-volume-demo2 2/2 Running 0 43h
downwardapi-env-demo 1/1 Running 0 8m52s
[root@k8s-master secret]# kubectl exec downwardapi-env-demo -it -- /bin/sh
[root@downwardapi-env-demo /]# env #list the injected variables
...
THIS_APP_LABEL=demoapp
...
THIS_MEM_REQUEST=32
...
THIS_POD_NAME=downwardapi-env-demo
...
THIS_POD_NAMESPACE=default
...
THIS_CPU_LIMIT=1 #in whole cores
[root@downwardapi-env-demo /]# echo $THIS_POD_NAME #reference it directly
downwardapi-env-demo
Example 5: downwardAPI mounted through volumeMounts
[root@k8s-master secret]# cat downwardapi-volume-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: downwardapi-volume-demo
  labels:
    zone: zone1
    rack: rack100
    app: demoapp
  annotations:
    region: ease-cn
spec:
  containers:
  - name: demoapp
    image: ikubernetes/demoapp:v1.0
    resources:
      requests:
        memory: "32Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "500m"
    volumeMounts:
    - name: podinfo
      mountPath: /etc/podinfo #directory the key files are written to
      readOnly: false
  volumes:
  - name: podinfo
    downwardAPI:
      defaultMode: 420
      items: #similar to a ConfigMap reference; items select which fields are written into the volume
      - fieldRef:
          fieldPath: metadata.namespace
        path: pod_namespace #file name the referenced field is written to
      - fieldRef:
          fieldPath: metadata.labels
        path: pod_labels
      - fieldRef:
          fieldPath: metadata.annotations
        path: pod_annotations
      - resourceFieldRef:
          containerName: demoapp
          resource: limits.cpu
        path: "cpu_limit"
      - resourceFieldRef:
          containerName: demoapp
          resource: requests.memory
          divisor: "1Mi"
        path: "mem_request"
[root@k8s-master secret]# kubectl get pod
NAME READY STATUS RESTARTS AGE
downwardapi-env-demo 1/1 Running 0 36m
downwardapi-volume-demo 1/1 Running 0 2m11s
#enter the container to inspect the result
[root@k8s-master secret]# kubectl exec downwardapi-volume-demo -it -- /bin/sh
[root@downwardapi-volume-demo /]# cd /etc/podinfo/
[root@downwardapi-volume-demo /etc/podinfo]# ls
cpu_limit mem_request pod_annotations pod_labels pod_namespace
[root@downwardapi-volume-demo /etc/podinfo]# cat cpu_limit
1
[root@downwardapi-volume-demo /etc/podinfo]# cat pod_namespace
default
[root@downwardapi-volume-demo /etc/podinfo]# cat pod_labels
app="demoapp"
rack="rack100"
zone="zone1"
[root@downwardapi-volume-demo /etc/podinfo]# exit
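Examples 4 and 5 both show resource values being rounded (limits.cpu 500m appears as 1, requests.memory 32Mi with divisor 1Mi appears as 32) and labels being written one `key="value"` line per entry. The following Python, an added example that is not part of the original post, reproduces that arithmetic: it parses Kubernetes quantities, applies the ceil(quantity / divisor) rule the downward API uses for resourceFieldRef, and renders the whole items list of downwardapi-volume-demo.yaml into the file contents seen under /etc/podinfo. The POD and ITEMS constants are constructed from the YAML of Example 5; the function names and the suffix table are assumptions made for this example.

```python
import math
import re
from fractions import Fraction

# Suffixes of Kubernetes resource quantities needed for cpu, memory and
# ephemeral-storage: milli, decimal SI and binary SI. Assumed from the standard
# quantity grammar; exact Fractions avoid float rounding surprises.
_SUFFIX = {
    "": Fraction(1), "m": Fraction(1, 1000),
    "k": Fraction(10**3), "M": Fraction(10**6), "G": Fraction(10**9), "T": Fraction(10**12),
    "Ki": Fraction(2**10), "Mi": Fraction(2**20), "Gi": Fraction(2**30), "Ti": Fraction(2**40),
}
_QUANTITY = re.compile(r"^(\d+(?:\.\d+)?)(m|[kMGT]|[KMGT]i)?$")


def parse_quantity(text):
    """'500m' -> 1/2, '32Mi' -> 33554432, as an exact Fraction."""
    match = _QUANTITY.match(str(text).strip())
    if not match:
        raise ValueError(f"unsupported quantity: {text!r}")
    return Fraction(match.group(1)) * _SUFFIX[match.group(2) or ""]


def downward_api_value(quantity, divisor="1"):
    """Value a resourceFieldRef exposes: ceil(quantity / divisor) as an integer.
    Rounding up is why limits.cpu=500m shows up as THIS_CPU_LIMIT=1 in Example 4."""
    return math.ceil(parse_quantity(quantity) / parse_quantity(divisor))


def format_map(mapping):
    """Render labels/annotations the way the downwardAPI volume writes them:
    one key="value" line per entry, sorted by key."""
    return "\n".join(f'{key}="{value}"' for key, value in sorted(mapping.items()))


def render_downward_volume(pod, items):
    """Compute the file name -> content map a downwardAPI volume produces for
    the given items list (the shape used in downwardapi-volume-demo.yaml)."""
    files = {}
    for item in items:
        if "fieldRef" in item:
            section, _, field = item["fieldRef"]["fieldPath"].partition(".")
            value = pod[section][field]
            content = format_map(value) if isinstance(value, dict) else str(value)
        elif "resourceFieldRef" in item:
            ref = item["resourceFieldRef"]
            container = next(c for c in pod["spec"]["containers"]
                             if c["name"] == ref["containerName"])
            kind, _, resource = ref["resource"].partition(".")
            content = str(downward_api_value(container["resources"][kind][resource],
                                             ref.get("divisor", "1")))
        else:
            raise ValueError(f"item needs fieldRef or resourceFieldRef: {item}")
        files[item["path"]] = content
    return files


# Constructed from downwardapi-volume-demo.yaml in Example 5.
POD = {
    "metadata": {
        "name": "downwardapi-volume-demo",
        "namespace": "default",
        "labels": {"zone": "zone1", "rack": "rack100", "app": "demoapp"},
        "annotations": {"region": "ease-cn"},
    },
    "spec": {"containers": [{
        "name": "demoapp",
        "resources": {"requests": {"memory": "32Mi", "cpu": "250m"},
                      "limits": {"memory": "64Mi", "cpu": "500m"}},
    }]},
}
ITEMS = [
    {"fieldRef": {"fieldPath": "metadata.namespace"}, "path": "pod_namespace"},
    {"fieldRef": {"fieldPath": "metadata.labels"}, "path": "pod_labels"},
    {"fieldRef": {"fieldPath": "metadata.annotations"}, "path": "pod_annotations"},
    {"resourceFieldRef": {"containerName": "demoapp", "resource": "limits.cpu"},
     "path": "cpu_limit"},
    {"resourceFieldRef": {"containerName": "demoapp", "resource": "requests.memory",
                          "divisor": "1Mi"}, "path": "mem_request"},
]

if __name__ == "__main__":
    for path, content in render_downward_volume(POD, ITEMS).items():
        print(f"/etc/podinfo/{path}:\n{content}\n")
```

Because the rounding is a ceiling, a fractional CPU limit never reports as 0; if a process needs the millicore value itself, set `divisor: 1m` as the memory item does with `1Mi`.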