Kubernetes's Secret

Source: Internet
Author: User
Tags: docker registry

  1. Secret Introduction
    A Secret solves the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in images or in the Pod spec. A Secret can be consumed either as a volume or as environment variables.
  3. Secret types
    There are currently 3 types of Secret:
    (1) Opaque (default): an arbitrary string stored in base64-encoded form, used to hold passwords, keys and the like;
    (2) kubernetes.io/service-account-token: acts on a ServiceAccount, which is what Kubernetes calls a service account. It is used to access the Kubernetes API, is created automatically by Kubernetes, and is mounted automatically into the Pod under the /run/secrets/kubernetes.io/serviceaccount directory;
    (3) kubernetes.io/dockercfg: acts on a Docker registry and is used to authenticate when pulling Docker images. It stores the authentication information for a private Docker registry.
  4. Opaque Secret Type
    # Data of the Opaque type is a map whose values must be base64 encoded:
    ## encode the admin account and its password
    echo -n "admin" | base64
    YWRtaW4=
    echo -n "1f2d1e2e67df" | base64
    MWYyZDFlMmU2N2Rm

    # create secrets.yml
    cat >> secrets.yml << EOF
    apiVersion: v1
    kind: Secret
    metadata:
        name: mysecret
    type: Opaque
    data:
        password: MWYyZDFlMmU2N2Rm
        username: YWRtaW4=
    EOF

    # create the secret
    kubectl create -f secrets.yml

    # check the secret's status
    kubectl get secret --all-namespaces
    NAMESPACE     NAME       TYPE     DATA      AGE
    default       mysecret   Opaque   2         10m
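The manual base64 step above is easy to get wrong (an echo without -n encodes a trailing newline into the value) and is often mistaken for protection. The script below is an added example, not code from the original page: it builds an Opaque Secret manifest from key=value pairs with the same encoding, then decodes a value back out of the manifest, which is exactly what anyone with permission to read the Secret object can do. The secret name and values are the page's own; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): generate an Opaque Secret manifest
# with the same base64 encoding the page does by hand, and decode a value from it.

# b64 STRING -> base64 of STRING with no trailing newline in the input or the output
# (printf '%s' instead of echo, so no newline is encoded into the value)
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# opaque_secret_yaml NAME key=value [key=value ...] -> manifest text on stdout
opaque_secret_yaml() {
    name=$1; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for kv in "$@"; do
        key=${kv%%=*}
        value=${kv#*=}
        printf '  %s: %s\n' "$key" "$(b64 "$value")"
    done
}

# secret_value MANIFEST_TEXT KEY -> the decoded plaintext value of KEY,
# showing that base64 in a Secret is an encoding, not encryption
secret_value() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | base64 -d
}
```

kubectl create secret generic mysecret --from-literal=username=admin --from-literal=password=1f2d1e2e67df performs the same encoding for you, and kubectl get secret mysecret -o jsonpath='{.data.password}' | base64 -d is the one-line equivalent of secret_value. What actually protects the values is limiting who may read Secret objects (RBAC) and enabling encryption at rest for Secrets in etcd.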
  5. Mount the secret as a volume
    # create nginx.yaml
    apiVersion: v1
    kind: Pod
    metadata:
        labels:
            name: wtf
        name: mypod
    spec:
        volumes:
        - name: secrets
          secret:
              secretName: mysecret
        containers:
        - image: nginx:1.7.9
          name: nginx
          volumeMounts:
          - name: secrets
            mountPath: "/etc/secrets"
            readOnly: true
          ports:
          - name: cp
            containerPort: 5432

    # check the Pod's status
    kubectl get pod
    NAME      READY     STATUS    RESTARTS   AGE
    mypod     1/1       Running   0          12s

    # enter the container and look at the files under /etc/secrets
    kubectl exec -it mypod /bin/bash
    root@mypod:/# cd /etc/secrets
    root@mypod:/etc/secrets# ls -l
    total 0
    lrwxrwxrwx 1 root root 15 Jun  1 07:25 password -> ..data/password
    lrwxrwxrwx 1 root root 15 Jun  1 07:25 username -> ..data/username
    root@mypod:/etc/secrets# cat username
    admin
    root@mypod:/etc/secrets# cat password
    1f2d1e2e67df
  6. Export the secret as environment variables
    # create wordpress.yaml
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
        name: wordpress-deployment
    spec:
        replicas: 2
        template:
            metadata:
                labels:
                    app: wordpress
            spec:
                containers:
                - name: "wordpress"
                  image: "wordpress:latest"
                  ports:
                  - containerPort: 80
                  env:
                  - name: WORDPRESS_DB_USER
                    valueFrom:
                        secretKeyRef:
                            name: mysecret
                            key: username
                  - name: WORDPRESS_DB_PASSWORD
                    valueFrom:
                        secretKeyRef:
                            name: mysecret
                            key: password

    # check the Pod's status
    kubectl get po
    NAME                                    READY     STATUS    RESTARTS   AGE
    wordpress-deployment-6b569fbb7d-8qcpg   1/1       Running   0          2m
    wordpress-deployment-6b569fbb7d-xwwkg   1/1       Running   0          2m
    ## Note: enter the container and run env, and you will see the two environment variables injected into the container.

    # enter the container and look at the environment variables
    kubectl exec -it wordpress-deployment-694f4c79b4-cpsxw /bin/bash
    root@wordpress-deployment-694f4c79b4-cpsxw:/var/www/html# env
    WORDPRESS_DB_USER=admin
    WORDPRESS_DB_PASSWORD=1f2d1e2e67df
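Sections 5 and 6 expose the same Secret in two ways, and the password -> ..data/password symlink listed in section 5 is the visible trace of how the volume form is kept current. The script below is an added example, not code from the page or from Kubernetes: it rebuilds that layout in a temporary directory (a versioned directory plus a ..data symlink that is replaced by one atomic rename, the way the kubelet updates a Secret volume) and shows that a value captured into an environment variable at start keeps the old secret after a rotation while the mounted file already shows the new one. Directory and version names are constructed; mv -T assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original page): simulate the on-disk layout of a Secret
# volume (versioned directory + "..data" symlink swapped by an atomic rename, as the
# kubelet does) and contrast it with an env-style capture taken at container start.
# Directory and version names are constructed; "mv -T" assumes GNU coreutils.

# publish_secret DIR VERSION KEY=VALUE... : write a new version directory under DIR and
# repoint ..data at it in one rename, so readers see the old or the new set, never a mix
publish_secret() {
    dir=$1; version=$2; shift 2
    vdir="$dir/..$version"
    mkdir -p "$vdir"
    for kv in "$@"; do
        key=${kv%%=*}
        printf '%s' "${kv#*=}" > "$vdir/$key"
        # the visible file is a relative symlink through ..data, created once, never rewritten
        [ -L "$dir/$key" ] || ln -s "..data/$key" "$dir/$key"
    done
    ln -s "..$version" "$dir/..data_tmp"
    mv -T "$dir/..data_tmp" "$dir/..data"   # rename(2) is atomic; no half-updated state is visible
}

# read_mounted_secret DIR KEY -> current value, via DIR/KEY -> ..data/KEY -> ..VERSION/KEY
read_mounted_secret() {
    cat "$1/$2"
}

# rotation_demo -> "captured=OLD mounted=NEW": an env-style capture keeps the old
# password while the mounted file already shows the rotated one
rotation_demo() {
    d=$(mktemp -d)
    publish_secret "$d" v1 username=admin password=1f2d1e2e67df
    WORDPRESS_DB_PASSWORD=$(read_mounted_secret "$d" password)  # what secretKeyRef env injection sees at start
    publish_secret "$d" v2 username=admin password=rotated-2f3e  # constructed rotated value
    printf 'captured=%s mounted=%s' "$WORDPRESS_DB_PASSWORD" "$(read_mounted_secret "$d" password)"
    rm -rf "$d"
}
```

Env-based injection (section 6) therefore only picks up a rotated Secret after the Pod is restarted, and the variables are also visible to every child process and to anything that can run env in the container, which is why the volume form is generally preferred for credentials. Files mounted with subPath are the exception on the volume side: they do not receive updates either.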
  7. kubernetes.io/dockerconfigjson
    # A Secret for Docker registry authentication can be created directly with kubectl:
    kubectl create secret docker-registry myregistrykey --docker-server=docker_registry_server --docker-username=docker_user --docker-password=docker_password --docker-email=docker_email
    secret "myregistrykey" created

    # You can also read the content of ~/.docker/config.json directly and create the Secret from it:
    cat ~/.docker/config.json | base64
    cat > myregistrykey.yaml << EOF
    apiVersion: v1
    kind: Secret
    metadata:
        name: myregistrykey
    data:
        .dockerconfigjson: Umvhbgx5ihjlywxsesbyzwvlzwvlzwvlzwfhywfhywfhywfhywfhywfhywfhywfhywfhywxsbgxsbgxsbgxsbgxsbgxsbgxsbgxsbgxsbgxsbgx5exl5exl5eXl5exl5exl5exl5esbsbgxsbgxsbgxsbgxsbg9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnz2dnz2dnz2dnz2dnz2dnz2cgyxv0acbrzxlzcg==
    type: kubernetes.io/dockerconfigjson
    EOF

    # create it
    kubectl create -f myregistrykey.yaml
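The docker-registry command above packs its four flags into a document in the ~/.docker/config.json layout and base64-encodes it under the .dockerconfigjson key. The script below is an added example, not code from the page or from kubectl: it builds that payload by hand so you can see what the Secret actually holds, including the auth field, which is just username:password in base64. The registry host, user, password and e-mail are constructed placeholders, and the JSON is assembled with printf, so values containing quotes or backslashes are not escaped.

```shell
#!/bin/sh
# Added example (not from the original page): build the .dockerconfigjson payload that
# `kubectl create secret docker-registry` generates, and decode it back out again.
# All registry/user/password/email values used with these functions are placeholders.

# docker_auth USER PASSWORD -> the "auth" field: base64 of "USER:PASSWORD"
docker_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# dockerconfig_json SERVER USER PASSWORD EMAIL -> JSON in the ~/.docker/config.json layout
# (no JSON escaping: placeholder values only)
dockerconfig_json() {
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
        "$1" "$2" "$3" "$4" "$(docker_auth "$2" "$3")"
}

# dockerconfig_secret_yaml NAME SERVER USER PASSWORD EMAIL -> kubernetes.io/dockerconfigjson manifest
dockerconfig_secret_yaml() {
    encoded=$(dockerconfig_json "$2" "$3" "$4" "$5" | base64 | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
        "$1" "$encoded"
}

# decode_dockerconfig MANIFEST_TEXT -> the plaintext JSON, including the registry password:
# one base64 -d is all that separates a reader of the Secret from the credential
decode_dockerconfig() {
    printf '%s\n' "$1" | sed -n 's/^ *\.dockerconfigjson: *//p' | base64 -d
}
```

Because the registry password is recoverable from the Secret with a single base64 -d, treat imagePullSecrets as credentials: give the registry account pull-only rights and limit who can read Secrets in the namespace.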
  8. Using kubernetes.io/dockerconfigjson in practice
    # When creating a Pod, reference the myregistrykey just created via imagePullSecrets:
    apiVersion: v1
    kind: Pod
    metadata:
        name: foo
    spec:
        containers:
            - name: foo
              image: janedoe/awesomeapp:v1
        imagePullSecrets:
            - name: myregistrykey
  9. Service Account Type
    # A Service Account is used to access the Kubernetes API; it is created automatically by Kubernetes and mounted automatically into the Pod under /run/secrets/kubernetes.io/serviceaccount.
    kubectl run nginx --image nginx
    deployment "nginx" created
    kubectl get pods
    NAME                     READY     STATUS    RESTARTS   AGE
    nginx-3137573019-md1u2   1/1       Running   0          13s
    kubectl exec nginx-3137573019-md1u2 ls /run/secrets/kubernetes.io/serviceaccount
    ca.crt
    namespace
    token
