Secrets come in three types:
Opaque: stores data base64-encoded; the original value can be recovered with base64 --decode, so it offers only weak protection.
kubernetes.io/dockerconfigjson: stores authentication credentials for a docker registry.
kubernetes.io/service-account-token: referenced by a serviceaccount. When a serviceaccount is created, Kubernetes creates a corresponding secret by default. If a Pod uses the serviceaccount, the corresponding secret is automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount.
When specifying the secret type, the annotation naming the service account must be declared in metadata:

metadata:
  annotations:
    kubernetes.io/service-account.name: default
type: kubernetes.io/service-account-token
For a Secret of type Opaque, the values are base64-encoded.
Create two files named username.txt and password.txt:

$ echo -n "admin" > ./username.txt
$ echo -n "1f2d1e2e67df" > ./password.txt

Create the secret with the kubectl create secret command:

$ kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret "db-user-pass" created

Alternatively, first base64-encode the data:

$ echo -n 'admin' | base64
YWRtaW4=
$ echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
Create a manifest file of kind Secret:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

$ kubectl create -f ./secret.yaml
secret "mysecret" created

View this Secret:

$ kubectl get secret mysecret -o yaml
apiVersion: v1
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
kind: Secret
metadata:
  creationTimestamp: 2016-01-22T18:41:56Z
  name: mysecret
  namespace: default
  resourceVersion: "164619"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: cfee02d6-c137-11e5-8d73-42010af00002
type: Opaque
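As an added example (not code from the original post), the following Python builds the Opaque Secret above from plaintext and then decodes its data map again, which is all that anyone allowed to run kubectl get secret needs to do; the values are the ones used on this page.

```python
import base64
import json

# Added example, not from the original post: the username/password pair is
# the one used in the walkthrough above.

def build_opaque_secret(name, entries, namespace="default"):
    """Return an Opaque Secret manifest; each value is the base64 of the UTF-8 plaintext."""
    data = {k: base64.b64encode(v.encode("utf-8")).decode("ascii") for k, v in entries.items()}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": data,
    }

def decode_secret_data(manifest):
    """Recover plaintext from a Secret's data map, exactly as `base64 --decode` does.
    base64 is an encoding, not encryption: read access to the Secret object
    (or to the API server's backing store) is read access to the credentials."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in manifest.get("data", {}).items()}

if __name__ == "__main__":
    secret = build_opaque_secret("mysecret", {"username": "admin", "password": "1f2d1e2e67df"})
    print(json.dumps(secret, indent=2))      # kubectl create -f accepts JSON manifests as well as YAML
    print(decode_secret_data(secret))        # {'username': 'admin', 'password': '1f2d1e2e67df'}
```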
Once the Secret is created, it can be consumed in two ways:
as a Volume
as environment variables

Mounting the Secret as a Volume:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
Enter the Pod and inspect the mounted Secret:

# ls /etc/secrets
password
username
# cat /etc/secrets/username
admin
# cat /etc/secrets/password
1f2d1e2e67df
Specific keys of the Secret can also be mounted on their own:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username

In this case:
username is stored at /etc/foo/my-group/my-username
password is not mounted
Exposing the Secret as environment variables:

apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
  restartPolicy: Never

Note that reading a Secret through environment variables is convenient, but because the values are fixed when the container starts it cannot support dynamic updates of the Secret.
kubernetes.io/dockerconfigjson stores docker registry credentials and can be created directly with the kubectl create secret command:

$ kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret "myregistrykey" created.
# $ kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
View the contents of the secret:

$ kubectl get secret myregistrykey -o yaml
apiVersion: v1
data:
  .dockercfg: eyJjY3IuY2NzLnRlbmNlbnR5dW4uY29tL3RlbmNlbnR5dW4iOnsidXNlcm5hbWUiOiIzMzIxMzM3OTk0IiwicGFzc3dvcmQiOiIxMjM0NTYuY29tIiwiZW1haWwiOiIzMzIxMzM3OTk0QHFxLmNvbSIsImF1dGgiOiJNek15TVRNek56azVORG94TWpNME5UWXVZMjl0In19
kind: Secret
metadata:
  creationTimestamp: 2017-08-04T02:06:05Z
  name: myregistrykey
  namespace: default
  resourceVersion: "1374279324"
  selfLink: /api/v1/namespaces/default/secrets/myregistrykey
  uid: 78f6a423-78b9-11e7-a70a-525400bc11f0
type: kubernetes.io/dockercfg
Decode the content of the secret with base64:

$ echo "eyJjY3IuY2NzLnRlbmNlbnR5dW4uY29tL3RlbmNlbnR5dW4iOnsidXNlcm5hbWUiOiIzMzIxMzM3OTk0IiwicGFzc3dvcmQiOiIxMjM0NTYuY29tIiwiZW1haWwiOiIzMzIxMzM3OTk0QHFxLmNvbSIsImF1dGgiOiJNek15TVRNek56azVORG94TWpNME5UWXVZMjl0XXXX" | base64 --decode
{"ccr.ccs.tencentyun.com/XXXXXXX":{"username":"3321337XXX","password":"123456.com","email":"3321337XXX@qq.com","auth":"MzMyMTMzNzk5NDoxMjM0NTYuY29t"}}
The secret can also be created directly from the contents of ~/.dockercfg (leave the path unquoted so the shell expands ~):

$ kubectl create secret docker-registry myregistrykey \
    --from-file=~/.dockercfg
When creating the Pod, reference the newly created myregistrykey through imagePullSecrets:

apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: foo
    image: janedoe/awesomeapp:v1
  imagePullSecrets:
  - name: myregistrykey
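As an added example (not code from the original post or from kubectl), the following Python builds the credential blob a docker-registry Secret carries and decodes one back to registry, user and password, the same thing the base64 --decode step above did. It handles both the older .dockercfg layout shown in the kubectl output above and the .dockerconfigjson layout; registry.example.invalid, jane and s3cret are constructed placeholders.

```python
import base64
import json

# Added example, not from the original post. The registry, user and password
# values used below are constructed placeholders.

def registry_auth_entry(username, password, email=None):
    """One registry entry; the 'auth' field is simply base64("user:password")."""
    entry = {"username": username, "password": password,
             "auth": base64.b64encode(f"{username}:{password}".encode()).decode("ascii")}
    if email:
        entry["email"] = email
    return entry

def build_registry_secret(name, server, username, password, email=None, legacy=False):
    """Secret carrying registry credentials. legacy=False gives the
    kubernetes.io/dockerconfigjson form ({"auths": {server: entry}}); legacy=True
    gives the older kubernetes.io/dockercfg form ({server: entry}) seen in the
    `kubectl get secret myregistrykey -o yaml` output above."""
    entry = registry_auth_entry(username, password, email)
    if legacy:
        key, stype, config = ".dockercfg", "kubernetes.io/dockercfg", {server: entry}
    else:
        key, stype, config = ".dockerconfigjson", "kubernetes.io/dockerconfigjson", {"auths": {server: entry}}
    blob = base64.b64encode(json.dumps(config).encode()).decode("ascii")
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": stype, "data": {key: blob}}

def extract_registry_credentials(secret):
    """Decode either layout back to {server: (username, password)}.
    Anyone allowed to read the Secret object, or any container it is
    mounted into, obtains the registry password in the clear."""
    data = secret["data"]
    key = ".dockerconfigjson" if ".dockerconfigjson" in data else ".dockercfg"
    config = json.loads(base64.b64decode(data[key]))
    entries = config.get("auths", config)   # .dockercfg keeps the servers at top level
    creds = {}
    for server, entry in entries.items():
        if entry.get("auth"):
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, password = entry["username"], entry["password"]
        creds[server] = (user, password)
    return creds

if __name__ == "__main__":
    s = build_registry_secret("regcred", "registry.example.invalid", "jane", "s3cret", "jane@example.invalid")
    print(json.dumps(s, indent=2))
    print(extract_registry_credentials(s))   # {'registry.example.invalid': ('jane', 's3cret')}
```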
kubernetes.io/service-account-token is referenced by a serviceaccount. When a serviceaccount is created, Kubernetes creates a corresponding secret by default. If a Pod uses the serviceaccount, the corresponding secret is automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount.

$ kubectl run nginx --image nginx
deployment "nginx" created
$ kubectl get pods
NAME                     READY     STATUS    RESTARTS   AGE
nginx-3137573019-md1u2   1/1       Running   0          13s
$ kubectl exec nginx-3137573019-md1u2 ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
Every namespace has a default ServiceAccount object named default. This ServiceAccount holds a Secret, listed under Tokens, that can be mounted into a Pod just like a Volume; when the Pod starts, this Secret is automatically mounted at the designated directory in the Pod and is used to authenticate processes in the Pod when they access the API Server.

apiVersion: v1
kind: Pod
metadata:
  ......
spec:
  containers:
  ....
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-xxxx
      readOnly: true
  ......
......

apiVersion: v1
kind: Secret
data:
  ca.crt: xxxx
  namespace: xxxx
  service-ca.crt: xxxxx
  token: xxxx
metadata:
  ......
type: kubernetes.io/service-account-token
If a Pod does not specify the spec.serviceAccountName attribute when it is defined, the system automatically sets it to "default", meaning the Pod uses the default ServiceAccount of the same namespace. If a Pod needs to use a ServiceAccount other than default, specify it in the definition:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image:
  serviceAccountName: myserviceaccount
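As an added example (not code from the original post), the following Python shows what a process inside the Pod does with the three mounted files: it reads token, ca.crt and namespace, presents the token as a Bearer credential, and verifies the API server's TLS certificate against the mounted ca.crt rather than the host trust store. kubernetes.default.svc is the in-cluster DNS name of the API server; write_sample_mount() writes a constructed stand-in for the kubelet mount (placeholder token, not a real JWT) so the non-network parts run offline.

```python
import os
import ssl
import tempfile
import urllib.request

# Added example, not from the original post. write_sample_mount() produces a
# constructed stand-in for the kubelet's mount; its token is a placeholder.
SA_DIR = "/run/secrets/kubernetes.io/serviceaccount"
API_HOST = "https://kubernetes.default.svc"   # in-cluster DNS name of the API server

def load_service_account(mount_dir=SA_DIR):
    """Read token, ca.crt and namespace from the auto-mounted Secret."""
    sa = {}
    for name in ("token", "ca.crt", "namespace"):
        with open(os.path.join(mount_dir, name), encoding="utf-8") as f:
            sa[name] = f.read().strip()
    return sa

def api_url(sa, resource="pods", host=API_HOST):
    """URL of a namespaced resource in the Pod's own namespace (from the namespace file)."""
    return f"{host}/api/v1/namespaces/{sa['namespace']}/{resource}"

def auth_headers(sa):
    """The token file is presented as a Bearer token: whatever can read that
    file acts as this ServiceAccount, so its RBAC rights should be minimal."""
    return {"Authorization": f"Bearer {sa['token']}"}

def tls_context(sa):
    """Pin verification of the API server to the mounted ca.crt."""
    return ssl.create_default_context(cadata=sa["ca.crt"])

def list_pods(sa):
    """Perform the authenticated request; only succeeds inside a real cluster."""
    req = urllib.request.Request(api_url(sa), headers=auth_headers(sa))
    with urllib.request.urlopen(req, context=tls_context(sa)) as resp:
        return resp.read().decode("utf-8")

def write_sample_mount():
    """Constructed stand-in for the kubelet mount, for offline use only."""
    d = tempfile.mkdtemp()
    for name, value in (("token", "PLACEHOLDER.TOKEN\n"),
                        ("ca.crt", "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
                        ("namespace", "default\n")):
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write(value)
    return d

if __name__ == "__main__":
    sa = load_service_account(write_sample_mount())
    print(api_url(sa), auth_headers(sa))
```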