k8s secret

secret
?
第一步:用base64编码用户名及密码(注意:base64只是编码,不是加密;另外 echo 会在末尾附加换行符,若不希望换行符进入secret,请使用 echo -n)
[root@ken1 ~]# echo "123" | base64
MTIzCg==
[root@ken1 ~]# echo ken | base64
a2VuCg==
?
第二步:编写secret的yaml文件
apiVersion: v1
kind: Secret
metadata:
name: mysecret
data:
name: a2VuCg==
mima: MTIzCg==
?
第三步:执行yml文件
[root@ken1 ~]# kubectl apply -f secret.yml
?
第四步:查看secret
[root@ken1 ~]# kubectl get secret
NAME TYPE DATA AGE
default-token-wc4hc kubernetes.io/service-account-token 3 7d15h
mysecret Opaque 2 19h
?
第五步:查看secret信息
[root@ken1 ~]# kubectl describe secret mysecret
Name: mysecret
Namespace: default
Labels: <none>
Annotations:
Type: Opaque
Data
====
mima: 5 bytes
name: 4 bytes
?
第六步:编辑secret查看base64编码后的数据
[root@ken1 ~]# kubectl edit secret mysecret
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
mima: MTIzNAo=
name: a2VuCg==
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"mima":"MTIzNAo=","name":"a2VuCg=="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"}}
creationTimestamp: "2019-08-22T06:26:46Z"
name: mysecret
namespace: default
resourceVersion: "111906"
selfLink: /api/v1/namespaces/default/secrets/mysecret
uid: c3d1aa93-bc53-4a97-a9cf-e1a9e1fcdadf
?
第七步:解码(base64可以直接还原,所以凡是能读取该Secret对象的人都能得到明文,需要用RBAC限制对secret的访问)
[root@ken1 ~]# echo "a2VuCg==" | base64 --decode
ken
[root@ken1 ~]# echo "MTIzNAo=" | base64 --decode
1234
?
使用secret
有两种方式
1. 以volume的形式挂载到pod
2. 以环境变量的方式使用
?
?
以volume的形式挂载到pod
?
第一步:创建pod并编写yml文件
apiVersion: v1
kind: Pod
metadata:
name: pod-secret
spec:
containers:
- name: busybox
image: busybox
imagePullPolicy: IfNotPresent
args:
- /bin/sh
- -c
- touch test; sleep 60000
volumeMounts:
- name: ken
mountPath: /ken
volumes:
- name: ken
secret:
secretName: mysecret
?
第二步:执行yaml文件
[root@ken1 ~]# kubectl apply -f pod-secret.yml
?
第三步:进入pod查看secret
?
[root@ken1 ~]# kubectl exec -it pod-secret1 /bin/sh
/ # ls
bin dev etc home ken proc root sys test tmp usr var
/ # cd kne
/bin/sh: cd: can't cd to kne: No such file or directory
/ # cd ken
/ken # ls
mima name
/ken # cat mima
1234
/ken # cat name
ken
?
第四步:动态更新密码
一、生成加密密码
[root@ken1 ~]# echo 12345 | base64
MTIzNDUK
?
二、修改secret文件
apiVersion: v1
kind: Secret
metadata:
name: mysecret
data:
name: a2VuCg==
mima: MTIzNDUK
?
三、执行yml文件
[root@ken1 ~]# kubectl apply -f secret.yml
?
第五步:查看密码
[root@ken1 ~]# kubectl exec -it pod-secret1 /bin/sh
/ # ls
bin dev etc home ken proc root sys test tmp usr var
/ # cd ken
/ken # ls
mima name
/ken # cat mima
12345
?
注意:secret只有在以volume形式使用的时候才支持动态更新(更新由kubelet同步,会有一定延迟),环境变量的方式不支持动态更新密码!
?
二、以环境变量的方式使用secret
?
第一步:编写yaml文件
apiVersion: v1
kind: Pod
metadata:
name: pod-secret2
spec:
containers:
- name: busybox
image: busybox
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: mima
args:
- /bin/sh
- -c
- touch test; sleep 6000
?
第二步:执行yml文件
[root@ken1 ~]# kubectl apply -f pod-secret2.yml
?
第三步:查看pod
[root@ken1 ~]# kubectl get po
NAME READY STATUS RESTARTS AGE
nginx-hostp 1/1 Running 1 23h
pod-cm 1/1 Running 1 19h
pod-secret1 1/1 Running 0 9m38s
pod-secret2 1/1 Running 0 22s
?
第四步:进入pod
[root@ken1 ~]# kubectl exec -it pod-secret2 /bin/sh
/ # ls
bin dev etc home proc root sys test tmp usr var
/ # printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=pod-secret2
SHLVL=1
HOME=/root
MYSQL_ROOT_PASSWORD=12345
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
?
注意:这种方式不支持密码动态更新,而且密码会出现在容器进程的环境变量中(如上面printenv所示),更容易被泄露
?
?
?
configMap
?
创建configMap(ConfigMap以明文存储,不应该用来保存密码;下面示例中的mima字段仅为演示)
?
第一步:编写yml文件
apiVersion: v1
kind: ConfigMap
metadata:
name: mycm
data:
name: ken
mima: ken123
?
第二步:执行yml文件
[root@ken1 ~]# kubectl apply -f cm.yml
?
第三步:查看cm
[root@ken1 ~]# kubectl get cm
NAME DATA AGE
mycm 2 19s
?
第四步:查看具体值
[root@ken1 ~]# kubectl describe cm mycm
Name: mycm
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","data":{"mima":"ken123","name":"ken"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"mycm","namespace":"defaul...
Data
====
mima:
----
ken123
name:
----
ken
?
?
?
有两种方式使用cm
1.以volume形式
2.以环境变量的形式
?
演示以环境变量的方式使用cm
?
第一步:编写yml文件
apiVersion: v1
kind: Pod
metadata:
name: pod-cm
spec:
containers:
- name: busybox
image: busybox
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
configMapKeyRef:
name: mycm
key: mima
args:
- /bin/sh
- -c
- touch test; sleep 6000
?
第二步:执行该yml文件
[root@ken1 ~]# kubectl apply -f pod-cm.yml
?
第三步:查看容器
[root@ken1 ~]# kubectl get po
NAME READY STATUS RESTARTS AGE
nginx-hostp 1/1 Running 1 24h
pod-cm 1/1 Running 1 19h
pod-cm1 1/1 Running 0 25s
pod-secret1 1/1 Running 0 44m
pod-secret2 1/1 Running 0 34m
?
第四步:进入容器
[root@ken1 ~]# kubectl exec -it pod-cm1 sh
/ # ls
bin dev etc home proc root sys test tmp usr var
/ # printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=pod-cm1
SHLVL=1
HOME=/root
MYSQL_ROOT_PASSWORD=ken123
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST=10.96.0.1

原文地址:https://www.cnblogs.com/itzhao/p/11404731.html