[root@vms20 ~]# docker pull hub.c.163.com/library/mysql
[root@vms10 chap5-secrets]# cat mysql.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  containers:
  - image: hub.c.163.com/library/mysql
    imagePullPolicy: IfNotPresent
    name: mysql
    env:
    # The root password is written literally into the manifest, so anyone who
    # can read this file or `kubectl get pod -o yaml` sees it. The
    # valueFrom/secretKeyRef form used later on this page references a Secret
    # by name instead and keeps the value out of the manifest.
    - name: MYSQL_ROOT_PASSWORD
      value: root123
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl apply -f mysql.yaml
pod/mysql created
[root@vms10 chap5-secrets]# kubectl get node
NAME            STATUS   ROLES                  AGE   VERSION
vms10.rhce.cc   Ready    control-plane,master   12d   v1.22.4
vms20.rhce.cc   Ready    <none>                 12d   v1.22.4
vms30.rhce.cc   Ready    <none>                 12d   v1.22.4
[root@vms10 chap5-secrets]# kubectl get pod -owide
NAME    READY   STATUS    RESTARTS       AGE   IP              NODE            NOMINATED NODE   READINESS GATES
mysql   1/1     Running   0              9s    10.244.71.151   vms20.rhce.cc   <none>           <none>
pod1    2/2     Running   1 (6m3s ago)   89m   10.244.126.50   vms30.rhce.cc   <none>           <none>
[root@vms10 chap5-secrets]# mysql -uroot -proot123 -h10.244.71.151
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
2、三种secret类型
kubernetes.io/service-account-token
[root@vms10 chap5-secrets]# kubectl create sa sa1
serviceaccount/sa1 created
[root@vms10 chap5-secrets]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-t48tw   kubernetes.io/service-account-token   3      24h
sa1-token-x8c8w       kubernetes.io/service-account-token   3      2s
[root@vms10 chap5-secrets]# kubectl delete sa sa1
serviceaccount "sa1" deleted
kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息。
创建harbor密钥
假设创建了一个pod,使用了harbor里面的镜像,但是harbor没有开启匿名(不能匿名拉取),
这时就需要创建secret,里面包括harbor用户和密码
[root@vms10 ~]# kubectl create secret docker-registry mydocker-secret --docker-server=192.168.26.10 --docker-username=admin --docker-password=Harbor12345
secret/mydocker-secret created
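apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  # imagePullSecrets is a list of object references, so the entry needs the
  # "- " list marker; a bare "name:" mapping under imagePullSecrets is a
  # type mismatch and is rejected when the manifest is applied.
  imagePullSecrets:
  - name: mydocker-secret
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: nginx1
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}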
Opaque:base64编码格式的Secret,用来存储密码、密钥等;但数据也可通过base64 --decode解码得到原始数据,所以保密性很弱(base64只是编码,不是加密)
1、命令行创建secret
[root@vms10 chap5-secrets]# kubectl create secret generic mysec1 --from-literal=myuser=admin --from-literal=mypass=Harbor12345
secret/mysec1 created
[root@vms10 chap5-secrets]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-t48tw   kubernetes.io/service-account-token   3      25h
mydocker-secret       kubernetes.io/dockerconfigjson        1      11m
mysec1                Opaque                                2      6s
[root@vms10 chap5-secrets]# kubectl describe secret mysec1
Name:         mysec1
Namespace:    chap4-volume
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
myuser:  5 bytes
mypass:  11 bytes
# 编码后
[root@vms10 chap5-secrets]# kubectl get secrets mysec1 -o yaml
apiVersion: v1
data:
  mypass: SGFyYm9yMTIzNDU=
  myuser: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2022-03-22T11:52:19Z"
  name: mysec1
  namespace: chap4-volume
  resourceVersion: "235456"
  selflink: /api/v1/namespaces/chap4-volume/secrets/mysec1
  uid: 261a5f7a-debd-444c-a465-9e0652c6ffd7
type: Opaque
# 解码
[root@vms10 chap5-secrets]# echo SGFyYm9yMTIzNDU= | base64 -d
Harbor12345
[root@vms10 chap5-secrets]# kubectl get secret mysec1 -o jsonpath='{.data.mypass}' |base64 -d
Harbor12345
2、file创建secret(键=文件的basename)
[root@vms10 chap5-secrets]# kubectl create secret generic mysec2 --from-file=/etc/hosts --from-file=/etc/issue
secret/mysec2 created
[root@vms10 chap5-secrets]# kubectl describe secret mysec2
Name:         mysec2
Namespace:    chap4-volume
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
hosts:  260 bytes
issue:  37 bytes
[root@vms10 chap5-secrets]# kubectl get secret mysec2 -o jsonpath='{.data.hosts}' | base64 -d
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.10 vms10.rhce.cc vms10
192.168.26.20 vms10.rhce.cc vms20
192.168.26.30 vms10.rhce.cc vms30
[root@vms10 chap5-secrets]# cat env.txt
user=root
password=root123
[root@vms10 chap5-secrets]# kubectl create secret generic mysecret3 --from-env-file=env.txt
[root@vms10 chap5-secrets]# kubectl get secret
mysecret3   Opaque   2   2m38s
[root@vms10 chap5-secrets]# kubectl get secret mysecret3 -o yaml
apiVersion: v1
data:
  password: cm9vdDEyMw==
  user: cm9vdA==
kind: Secret
metadata:
  creationTimestamp: "2022-03-22T11:59:09Z"
  name: mysecret3
  namespace: chap4-volume
  resourceVersion: "236259"
  selflink: /api/v1/namespaces/chap4-volume/secrets/mysecret3
  uid: 6a333929-3ecf-4fc2-821a-f00e1ec3e87b
type: Opaque
[root@vms10 chap5-secrets]# echo cm9vdDEyMw== | base64 -d
root123
3、使用secret
以变量的方式
[root@vms10 chap5-secrets]# kubectl create secret generic mysec --from-literal=mysql_root_password=root123
secret/mysec created
[root@vms10 chap5-secrets]# vim mysqlBySecret.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  containers:
  - image: hub.c.163.com/library/mysql
    imagePullPolicy: IfNotPresent
    name: mysql
    env:
    # Resolve the value from key mysql_root_password of Secret "mysec" when
    # the container starts; the credential itself never appears in this file.
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysec
          key: mysql_root_password
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl apply -f mysqlBySecret.yaml
[root@vms10 chap5-secrets]# kubectl get pod -owide
NAME    READY   STATUS    RESTARTS   AGE     IP              NODE            NOMINATED NODE   READINESS GATES
mysql   1/1     Running   0          5m14s   10.244.126.51   vms30.rhce.cc   <none>           <none>
[root@vms10 chap5-secrets]# mysql -h 10.244.126.51 -uroot -proot123
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
以卷的方式
[root@vms10 chap5-secrets]# kubectl describe secrets mysec
Name:         mysec
Namespace:    chap4-volume
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
mysql_root_password:  7 bytes
[root@vms10 chap5-secrets]# cat mysqlBySecret2.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  volumes:
  - name: v1
    secret:
      secretName: mysec
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: c1
    resources: {}
    volumeMounts:
    - name: v1
      mountPath: /data
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl exec -it nginx -- bash
root@nginx:/# cat /data/mysql_root_password
root123
3、configMap
创建configMap
[root@vms10 chap5-secrets]# kubectl get configmap
NAME               DATA   AGE
kube-root-ca.crt   1      44h
# 根据变量创建
[root@vms10 chap5-secrets]# kubectl create cm mycm1 --from-literal=user=root --from-literal=password=root123
configmap/mycm1 created
# 根据文件创建
[root@vms10 chap5-secrets]# kubectl create cm mycm2 --from-file=/etc/hosts --from-file=/etc/issue
configmap/mycm2 created
# 查看configMap
[root@vms10 chap5-secrets]# kubectl describe cm mycm1
Name:         mycm1
Namespace:    chap4-volume
Labels:       <none>
Annotations:  <none>

Data
====
password:
----
root123
user:
----
root

BinaryData
====

Events:  <none>
[root@vms10 chap5-secrets]# kubectl describe cm mycm2
Name:         mycm2
Namespace:    chap4-volume
Labels:       <none>
Annotations:  <none>

Data
====
hosts:
----
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.10 vms10.rhce.cc vms10
192.168.26.20 vms10.rhce.cc vms20
192.168.26.30 vms10.rhce.cc vms30
issue:
----
\S
Kernel \r on an \m
192.168.26.10

BinaryData
====

Events:  <none>
使用configMap(常用于映射配置文件)
变量
[root@vms10 chap5-secrets]# cat configMap.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  containers:
  - image: hub.c.163.com/library/mysql
    imagePullPolicy: IfNotPresent
    name: mysql
    env:
    # Reads key "password" of ConfigMap mycm1. A ConfigMap stores its data in
    # plain text and is readable by anyone who can get configmaps in the
    # namespace; for a credential the secretKeyRef form (mysqlBySecret.yaml
    # on this page) is the intended mechanism.
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        configMapKeyRef:
          name: mycm1
          key: password
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl get pod -owide
NAME    READY   STATUS    RESTARTS   AGE   IP              NODE            NOMINATED NODE   READINESS GATES
mysql   1/1     Running   0          53s   10.244.71.156   vms20.rhce.cc   <none>           <none>
[root@vms10 chap5-secrets]# mysql -h10.244.71.156 -uroot -proot123
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
挂载卷
[root@vms10 chap5-secrets]# cat configMap2.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  volumes:
  # Expose ConfigMap mycm2 as a volume: each key (hosts, issue) becomes a
  # file of that name under the mount point.
  - name: v1
    configMap:
      name: mycm2
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: c1
    resources: {}
    volumeMounts:
    - name: v1
      mountPath: /data
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl exec -it nginx -- bash
root@nginx:/# ls /data/
hosts issue
root@nginx:/# cat /data/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.10 vms10.rhce.cc vms10
192.168.26.20 vms10.rhce.cc vms20
192.168.26.30 vms10.rhce.cc vms30
常见用法:以变量的方式引用secret,以卷的方式引用configMap
将nginx配置文件设置成configMap,在pod中引用该配置文件
[root@vms10 chap5-secrets]# kubectl create cm nginx.conf --from-file=nginx.conf
configmap/nginx.conf created
[root@vms10 chap5-secrets]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 45h
mycm1 2 35m
mycm2 2 33m
nginx.conf 1 20s
[root@vms10 chap5-secrets]# cat configMap3.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  volumes:
  - name: v1
    configMap:
      name: nginx.conf
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: c1
    resources: {}
    volumeMounts:
    - name: v1
      mountPath: /etc/nginx/nginx.conf
      # Without subPath, /etc/nginx/nginx.conf would be mounted as a
      # directory holding the ConfigMap keys instead of as a single file.
      # A subPath mount is not refreshed when the ConfigMap is edited, which
      # is why the pod is deleted and re-created after `kubectl edit cm`.
      subPath: nginx.conf
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
修改配置文件,并使pod生效
[root@vms10 chap5-secrets]# kubectl edit cm nginx.conf
configmap/nginx.conf edited
# 删除pod再重新创建
[root@vms10 chap5-secrets]# kubectl delete pod nginx --force
pod "nginx" force deleted
[root@vms10 chap5-secrets]# kubectl apply -f configMap3.yaml
pod/nginx created



