Secret
Secret 创建
从文件导入至Secret
$ echo -n 'admin' >./username.txt$ echo -n '1f2d1e2e67df' > ./password.txt$ kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txtsecret/db-user-pass created$ kubectl get secretNAME TYPE DATA AGEdb-user-pass Opaque 2 7sdefault-token-58nkl kubernetes.io/service-account-token 3 13d$ kubectl describe secrets/db-user-passName: db-user-passNamespace: defaultLabels: <none>Annotations: <none>Type: OpaqueData====username.txt: 5 bytespassword.txt: 12 bytes
$ kubectl get secret db-user-pass -o yamlapiVersion: v1data: password.txt: MWYyZDFlMmU2N2Rm username.txt: YWRtaW4=kind: Secretmetadata: creationTimestamp: "2020-08-01T13:22:42Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:password.txt: {} f:username.txt: {} f:type: {} manager: kubectl operation: Update time: "2020-08-01T13:22:42Z" name: db-user-pass namespace: default resourceVersion: "19559" selfLink: /api/v1/namespaces/default/secrets/db-user-pass uid: 7de7d667-9fd9-4d6e-8217-907b0715a77dtype: Opaque
Secret挂载
通过volume将Secret挂载到文件中
$ echo -n 'admin' | base64YWRtaW4=$ echo -n '1f2d1e2e67df' | base64MWYyZDFlMmU2N2Rm$ cat secrets.yaml apiVersion: v1kind: Secretmetadata: name: mysecrettype: Opaquedata: password: MWYyZDFlMmU2N2Rm username: YWRtaW4=$ kubectl apply -f ./secrets.yamlsecret/mysecret created$ kubectl get secretNAME TYPE DATA AGEdb-user-pass Opaque 2 9m8sdefault-token-58nkl kubernetes.io/service-account-token 3 13dmysecret Opaque 2 4s
$ kubectl get secret mysecret -o yamlapiVersion: v1data: password: MWYyZDFlMmU2N2Rm username: YWRtaW4=kind: Secretmetadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"v1","data":{"password":"MWYyZDFlMmU2N2Rm","username":"YWRtaW4="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"type":"Opaque"} creationTimestamp: "2020-08-01T13:31:46Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:password: {} f:username: {} f:metadata: f:annotations: .: {} f:kubectl.kubernetes.io/last-applied-configuration: {} f:type: {} manager: kubectl operation: Update time: "2020-08-01T13:31:46Z" name: mysecret namespace: default resourceVersion: "19746" selfLink: /api/v1/namespaces/default/secrets/mysecret uid: 9bf3cc24-a53c-4ecc-a9c3-04b03deecca2type: Opaque
# 创立一个Pod来测试是否胜利挂载到文件中$ cat secret-pod.yaml apiVersion: v1kind: Podmetadata: labels: name: secret-test name: secret-testspec: volumes: - name: secrets secret: secretName: mysecret containers: - image: myapp:v1 name: db volumeMounts: - name: secrets mountPath: "/etc/secrets" readOnly: true
$ kubectl create -f secret-pod.yamlpod/secret-test created$ kubectl exec -ti secret-test -- sh# cat /etc/secrets/usernameadmin# # cat /etc/secrets/password1f2d1e2e67df# # exit
通过valueFrom将secret挂载到环境变量
# 创立一个pod测试是否能胜利从环境变量中读取$ cat pod-secret-import-env.yaml apiVersion: apps/v1kind: Deploymentmetadata: name: pod-deploymentspec: replicas: 2 selector: matchLabels: app: myapp template: metadata: labels: app: myapp spec: containers: - name: pod-1 image: myapp:v1 ports: - containerPort: 80 env: - name: TEST_USER valueFrom: secretKeyRef: name: mysecret key: username - name: TEST_PASSWORD valueFrom: secretKeyRef: name: mysecret key: password
$ kubectl apply -f pod-secret-import-env.yamldeployment.apps/pod-deployment created$ kubectl get podNAME READY STATUS RESTARTS AGEdapi-test-pod 0/1 Completed 0 41mdapi-test-pod2 0/1 Completed 0 44mdapi-test-pod3 0/1 Completed 0 40mpod-deployment-5f5c6b6d8b-kzg7r 1/1 Running 0 16spod-deployment-5f5c6b6d8b-pzvc8 1/1 Running 0 16ssecret-test 1/1 Running 0 4m3s
$ kubectl exec -ti pod-deployment-5f5c6b6d8b-kzg7r envPATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binHOSTNAME=pod-deployment-5f5c6b6d8b-kzg7rTERM=xtermTEST_USER=adminTEST_PASSWORD=1f2d1e2e67dfKUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443KUBERNETES_PORT_443_TCP_PROTO=tcpKUBERNETES_PORT_443_TCP_PORT=443KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1KUBERNETES_SERVICE_HOST=10.96.0.1KUBERNETES_SERVICE_PORT=443KUBERNETES_SERVICE_PORT_HTTPS=443KUBERNETES_PORT=tcp://10.96.0.1:443LANG=C.UTF-8PYTHONIOENCODING=UTF-8GPG_KEY=C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FFPYTHON_VERSION=2.7.18PYTHON_PIP_VERSION=20.0.2PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/d59197a3c169cef378a22428a3fa99d33e080a5d/get-pip.pyPYTHON_GET_PIP_SHA256=421ac1d44c0cf9730a088e337867d974b91bdce4ea2636099275071878cc189eNAME=WorldHOME=/root
【完结】