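从文件导入至 Secret（文件名即为 Secret 中的键名；echo -n 用于避免把结尾的换行符写入值中）
注意：这样输入的明文密码会留在 shell 历史记录以及 username.txt、password.txt 两个文件中，导入完成后应将其删除。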
$ echo -n 'admin' >./username.txt
$ echo -n '1f2d1e2e67df' > ./password.txt
$ kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret/db-user-pass created
$ kubectl get secret
NAME TYPE DATA AGE
db-user-pass Opaque 2 7s
default-token-58nkl kubernetes.io/service-account-token 3 13d
$ kubectl describe secrets/db-user-pass
Name: db-user-pass
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
username.txt: 5 bytes
password.txt: 12 bytes
$ kubectl get secret db-user-pass -o yaml
apiVersion: v1
data:
password.txt: MWYyZDFlMmU2N2Rm
username.txt: YWRtaW4=
kind: Secret
metadata:
creationTimestamp: "2020-08-01T13:22:42Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:password.txt: {}
f:username.txt: {}
f:type: {}
manager: kubectl
operation: Update
time: "2020-08-01T13:22:42Z"
name: db-user-pass
namespace: default
resourceVersion: "19559"
selfLink: /api/v1/namespaces/default/secrets/db-user-pass
uid: 7de7d667-9fd9-4d6e-8217-907b0715a77d
type: Opaque
通过 volume 将 Secret 挂载到文件中
$ echo -n 'admin' | base64
YWRtaW4=
$ echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
$ cat secrets.yaml
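# Opaque Secret holding the database credentials used by the pods in this walkthrough.
# Indentation restored so the manifest parses; keys and values are unchanged.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
# Values under `data` are base64-encoded, not encrypted: anyone who can read
# this file or `kubectl get secret mysecret -o yaml` can decode them.
# Keep this manifest out of version control.
# `kubectl apply` also copies the manifest, values included, into the
# kubectl.kubernetes.io/last-applied-configuration annotation of the object.
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=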
$ kubectl apply -f ./secrets.yaml
secret/mysecret created
$ kubectl get secret
NAME TYPE DATA AGE
db-user-pass Opaque 2 9m8s
default-token-58nkl kubernetes.io/service-account-token 3 13d
mysecret Opaque 2 4s
$ kubectl get secret mysecret -o yaml
apiVersion: v1
data:
password: MWYyZDFlMmU2N2Rm
username: YWRtaW4=
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"password":"MWYyZDFlMmU2N2Rm","username":"YWRtaW4="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"type":"Opaque"}
creationTimestamp: "2020-08-01T13:31:46Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:password: {}
f:username: {}
f:metadata:
f:annotations:
.: {}
f:kubectl.kubernetes.io/last-applied-configuration: {}
f:type: {}
manager: kubectl
operation: Update
time: "2020-08-01T13:31:46Z"
name: mysecret
namespace: default
resourceVersion: "19746"
selfLink: /api/v1/namespaces/default/secrets/mysecret
uid: 9bf3cc24-a53c-4ecc-a9c3-04b03deecca2
type: Opaque
# 创建一个 Pod 来测试 Secret 是否成功挂载为文件
$ cat secret-pod.yaml
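# Test pod that mounts the Secret `mysecret` as files under /etc/secrets.
# Indentation restored so the manifest parses; keys and values are unchanged.
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: secret-test
  name: secret-test
spec:
  volumes:
  # Each key of the Secret becomes one file in the volume
  # (here: /etc/secrets/username and /etc/secrets/password).
  - name: secrets
    secret:
      secretName: mysecret
      # NOTE(review): consider restricting file permissions with `defaultMode`
      # (e.g. 0400) if the container user allows it; confirm against the image.
  containers:
  - image: myapp:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true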
$ kubectl create -f secret-pod.yaml
pod/secret-test created
$ kubectl exec -ti secret-test -- sh
# cat /etc/secrets/username
admin#
# cat /etc/secrets/password
1f2d1e2e67df#
# exit
通过 valueFrom 将 Secret 注入环境变量
# 创建一个 Deployment 来测试 Pod 是否能成功从环境变量中读取
$ cat pod-secret-import-env.yaml
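# Deployment whose containers receive the keys of Secret `mysecret` as
# environment variables.
# Indentation restored so the manifest parses; keys and values are unchanged.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: pod-1
        image: myapp:v1
        ports:
        - containerPort: 80
        # Secret values injected as environment variables are readable in
        # plaintext by anything that can dump the process environment
        # (e.g. `kubectl exec ... env`, crash dumps, child processes), and
        # they are not refreshed when the Secret changes until the pod is
        # restarted. Prefer a read-only volume mount for sensitive
        # credentials, and limit who may `exec` into these pods via RBAC.
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password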
$ kubectl apply -f pod-secret-import-env.yaml
deployment.apps/pod-deployment created
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
dapi-test-pod 0/1 Completed 0 41m
dapi-test-pod2 0/1 Completed 0 44m
dapi-test-pod3 0/1 Completed 0 40m
pod-deployment-5f5c6b6d8b-kzg7r 1/1 Running 0 16s
pod-deployment-5f5c6b6d8b-pzvc8 1/1 Running 0 16s
secret-test 1/1 Running 0 4m3s
$ kubectl exec -ti pod-deployment-5f5c6b6d8b-kzg7r env
PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=pod-deployment-5f5c6b6d8b-kzg7r
TERM=xterm
TEST_USER=admin
TEST_PASSWORD=1f2d1e2e67df
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
LANG=C.UTF-8
PYTHONIOENCODING=UTF-8
GPG_KEY=C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF
PYTHON_VERSION=2.7.18
PYTHON_PIP_VERSION=20.0.2
PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/d59197a3c169cef378a22428a3fa99d33e080a5d/get-pip.py
PYTHON_GET_PIP_SHA256=421ac1d44c0cf9730a088e337867d974b91bdce4ea2636099275071878cc189e
NAME=World
HOME=/root