1、明文创建mysql pod(不安全:密码直接写在pod清单的env里,任何能读取该pod定义的人都能看到)
[root@vms20 ~]# docker pull hub.c.163.com/library/mysql [root@vms10 chap5-secrets]# cat mysql.yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: mysql name: mysql spec: containers: - image: hub.c.163.com/library/mysql imagePullPolicy: IfNotPresent name: mysql env: - name: MYSQL_ROOT_PASSWORD value: root123 resources: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {} [root@vms10 chap5-secrets]# kubectl apply -f mysql.yaml pod/mysql created [root@vms10 chap5-secrets]# kubectl get node NAME STATUS ROLES AGE VERSION vms10.rhce.cc Ready control-plane,master 12d v1.22.4 vms20.rhce.cc Ready <none> 12d v1.22.4 vms30.rhce.cc Ready <none> 12d v1.22.4 [root@vms10 chap5-secrets]# kubectl get pod -owide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES mysql 1/1 Running 0 9s 10.244.71.151 vms20.rhce.cc <none> <none> pod1 2/2 Running 1 (6m3s ago) 89m 10.244.126.50 vms30.rhce.cc <none> <none> [root@vms10 chap5-secrets]# mysql -uroot -proot123 -h10.244.71.151 Welcome to the MariaDB monitor. Commands end with ; or \g. Your MySQL connection id is 3 Server version: 5.7.18 MySQL Community Server (GPL) Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MySQL [(none)]>
2、三种secret类型
kubernetes.io/service-account-token
[root@vms10 chap5-secrets]# kubectl create sa sa1 serviceaccount/sa1 created [root@vms10 chap5-secrets]# kubectl get secret NAME TYPE DATA AGE default-token-t48tw kubernetes.io/service-account-token 3 24h sa1-token-x8c8w kubernetes.io/service-account-token 3 2s [root@vms10 chap5-secrets]# kubectl delete sa sa1 serviceaccount "sa1" deleted
假设创建了一个pod,使用了harbor里面的镜像,但是harbor未开启匿名访问(不能匿名拉取镜像)
此时需要创建secret,里面包括harbor用户和密码
kubernetes.io/dockerconfigjson:用于存储私有docker registry的认证信息。
创建harbor秘钥
[root@vms10 ~]# kubectl create secret docker-registry mydocker-secret --docker-server=192.168.26.10 --docker-username=admin --docker-password=Harbor12345 secret/mydocker-secret created apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: pod1 name: pod1 spec: imagePullSecrets: - name: mydocker-secret containers: - image: nginx imagePullPolicy: IfNotPresent name: nginx1 resources: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {}
Opaque:以base64编码存放的Secret,用于存储密码、密钥等;但数据只是base64编码,用 base64 --decode 即可还原,所以保密性很弱
创建命令行secret
[root@vms10 chap5-secrets]# kubectl create secret generic mysec1 --from-literal=myuser=admin --from-literal=mypass=Harbor12345 secret/mysec1 created [root@vms10 chap5-secrets]# kubectl get secret NAME TYPE DATA AGE default-token-t48tw kubernetes.io/service-account-token 3 25h mydocker-secret kubernetes.io/dockerconfigjson 1 11m mysec1 Opaque 2 6s [root@vms10 chap5-secrets]# kubectl describe secret mysec1 Name: mysec1 Namespace: chap4-volume Labels: <none> Annotations: <none> Type: Opaque Data ==== myuser: 5 bytes mypass: 11 bytes # 编码后 [root@vms10 chap5-secrets]# kubectl get secrets mysec1 -o yaml apiVersion: v1 data: mypass: SGFyYm9yMTIzNDU= myuser: YWRtaW4= kind: Secret metadata: creationTimestamp: "2022-03-22T11:52:19Z" name: mysec1 namespace: chap4-volume resourceVersion: "235456" selfLink: /api/v1/namespaces/chap4-volume/secrets/mysec1 uid: 261a5f7a-debd-444c-a465-9e0652c6ffd7 type: Opaque # 解码 [root@vms10 chap5-secrets]# echo SGFyYm9yMTIzNDU= | base64 -d Harbor12345 [root@vms10 chap5-secrets]# kubectl get secret mysec1 -o jsonpath='{.data.mypass}' |base64 -d Harbor12345
2、通过文件创建secret(键=文件的basename)
[root@vms10 chap5-secrets]# kubectl create secret generic mysec2 --from-file=/etc/hosts --from-file=/etc/issue secret/mysec2 created [root@vms10 chap5-secrets]# kubectl describe secret mysec2 Name: mysec2 Namespace: chap4-volume Labels: <none> Annotations: <none>
Type: Opaque
Data
====
hosts: 260 bytes
issue: 37 bytes
[root@vms10 chap5-secrets]# kubectl get secret mysec2 -o jsonpath='{.data.hosts}' | base64 -d
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.10 vms10.rhce.cc vms10
192.168.26.20 vms10.rhce.cc vms20
192.168.26.30 vms10.rhce.cc vms30
[root@vms10 chap5-secrets]# cat env.txt
user=root
password=root123
[root@vms10 chap5-secrets]# kubectl create secret generic mysecret3 --from-env-file=env.txt
[root@vms10 chap5-secrets]# kubectl get secret
mysecret3 Opaque 2 2m38s
[root@vms10 chap5-secrets]# kubectl get secret mysecret3 -o yaml
apiVersion: v1
data:
password: cm9vdDEyMw==
user: cm9vdA==
kind: Secret
metadata:
creationTimestamp: "2022-03-22T11:59:09Z"
name: mysecret3
namespace: chap4-volume
resourceVersion: "236259"
selfLink: /api/v1/namespaces/chap4-volume/secrets/mysecret3
uid: 6a333929-3ecf-4fc2-821a-f00e1ec3e87b
type: Opaque
[root@vms10 chap5-secrets]# echo cm9vdDEyMw== | base64 -d
root123
3、使用secret
以变量的方式
[root@vms10 chap5-secrets]# kubectl create secret generic mysec --from-literal=mysql_root_password=root123
secret/mysec created
[root@vms10 chap5-secrets]# vim mysqlBySecret.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: mysql
name: mysql
spec:
containers:
- image: hub.c.163.com/library/mysql
imagePullPolicy: IfNotPresent
name: mysql
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysec
key: mysql_root_password
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl apply -f mysqlBySecret.yaml
[root@vms10 chap5-secrets]# kubectl get pod -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql 1/1 Running 0 5m14s 10.244.126.51 vms30.rhce.cc <none> <none>
[root@vms10 chap5-secrets]# mysql -h 10.244.126.51 -uroot -proot123
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
以卷的方式
[root@vms10 chap5-secrets]# kubectl describe secrets mysec
Name: mysec
Namespace: chap4-volume
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
mysql_root_password: 7 bytes
[root@vms10 chap5-secrets]# cat mysqlBySecret2.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
volumes:
- name: v1
secret:
secretName: mysec
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: c1
resources: {}
volumeMounts:
- name: v1
mountPath: /data
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl exec -it nginx -- bash
root@nginx:/# cat /data/mysql_root_password
root123
3、configMap
创建configMap
[root@vms10 chap5-secrets]# kubectl get configmap
NAME DATA AGE
kube-root-ca.crt 1 44h
# 根据变量创建
[root@vms10 chap5-secrets]# kubectl create cm mycm1 --from-literal=user=root --from-literal=password=root123
configmap/mycm1 created
# 根据文件创建
[root@vms10 chap5-secrets]# kubectl create cm mycm2 --from-file=/etc/hosts --from-file=/etc/issue
configmap/mycm2 created
# 查看configMap
[root@vms10 chap5-secrets]# kubectl describe cm mycm1
Name: mycm1
Namespace: chap4-volume
Labels: <none>
Annotations: <none>
Data
====
password:
----
root123
user:
----
root
BinaryData
====
Events: <none>
[root@vms10 chap5-secrets]# kubectl describe cm mycm2
Name: mycm2
Namespace: chap4-volume
Labels: <none>
Annotations: <none>
Data
====
hosts:
----
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.10 vms10.rhce.cc vms10
192.168.26.20 vms10.rhce.cc vms20
192.168.26.30 vms10.rhce.cc vms30
issue:
----
\S
Kernel \r on an \m
192.168.26.10
BinaryData
====
Events: <none>
使用configMap(常用于映射配置文件)
变量
[root@vms10 chap5-secrets]# cat configMap.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: mysql
name: mysql
spec:
containers:
- image: hub.c.163.com/library/mysql
imagePullPolicy: IfNotPresent
name: mysql
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
configMapKeyRef:
name: mycm1
key: password
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl get pod -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql 1/1 Running 0 53s 10.244.71.156 vms20.rhce.cc <none> <none>
[root@vms10 chap5-secrets]# mysql -h10.244.71.156 -uroot -proot123
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
挂载卷
[root@vms10 chap5-secrets]# cat configMap2.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
volumes:
- name: v1
configMap:
name: mycm2
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: c1
resources: {}
volumeMounts:
- name: v1
mountPath: /data
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl exec -it nginx -- bash
root@nginx:/# ls /data/
hosts issue
root@nginx:/# cat /data/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.10 vms10.rhce.cc vms10
192.168.26.20 vms10.rhce.cc vms20
192.168.26.30 vms10.rhce.cc vms30
常见用法:以变量的方式引用secret,以卷的方式引用configMap
将nginx配置文件设置成configMap,在pod中引用该配置文件
[root@vms10 chap5-secrets]# kubectl create cm nginx.conf --from-file=nginx.conf
configmap/nginx.conf created
[root@vms10 chap5-secrets]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 45h
mycm1 2 35m
mycm2 2 33m
nginx.conf 1 20s
[root@vms10 chap5-secrets]# cat configMap3.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
volumes:
- name: v1
configMap:
name: nginx.conf
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: c1
resources: {}
volumeMounts:
- name: v1
mountPath: /etc/nginx/nginx.conf
# 不加subPath时,挂载点nginx.conf会被当成目录而不是文件
subPath: nginx.conf
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
修改配置文件,并使修改在pod中生效
[root@vms10 chap5-secrets]# kubectl edit cm nginx.conf
configmap/nginx.conf edited
# 以subPath方式挂载的configMap不会自动更新,需要删除pod再重新创建
[root@vms10 chap5-secrets]# kubectl delete pod nginx --force
pod "nginx" force deleted
[root@vms10 chap5-secrets]# kubectl apply -f configMap3.yaml
pod/nginx created