您现在的位置是:首页 > 云原生 > Kubernetes > 正文
Kubernetes
吾八哥学k8s(八):kubernetes里Secret的用法
上一篇里学习了ConfigMap的用法,ConfigMap用于存储配置文件,那么今天这里的Secret可以理解为是存储一些密钥类型的配置文件,它的存储比较安全灵活。下面来学习一些基本用法:
创建Secret
创建secret使用kubectl create secret generic ...命令,查看帮助说明,可以通过如下方法来创建secret:
Examples: # Create a new secret named my-secret with keys for each file in folder bar kubectl create secret generic my-secret --from-file=path/to/bar # Create a new secret named my-secret with specified keys instead of names on disk kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub # Create a new secret named my-secret with key1=supersecret and key2=topsecret kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret # Create a new secret named my-secret using a combination of a file and a literal kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret # Create a new secret named my-secret from an env file kubectl create secret generic my-secret --from-env-file=path/to/bar.env
例如从文件创建:
5bug-MacBook:~/codes/projects/k8s-demo/secret$ echo "admin" > user.txt 5bug-MacBook:~/codes/projects/k8s-demo/secret$ echo "www.5bug.wang" > pass.txt 5bug-MacBook:~/codes/projects/k8s-demo/secret$ kubectl create secret generic account --from-file=./user.txt --from-file=pass.txt secret/account created
从变量创建:
5bug-MacBook:~/codes/projects/k8s-demo/secret$ kubectl create secret generic account --from-literal=user="admin" --from-literal=pass="www.5bug.wang" secret/account created
从变量文件创建:
5bug-MacBook:~/codes/projects/k8s-demo/secret$ cat > account.env <<EOF > user=admin > pass=www.5bug.wang > EOF 5bug-MacBook:~/codes/projects/k8s-demo/secret$ kubectl create secret generic account --from-env-file=./account.env secret/account created
删除Secret
删除secret使用kubectl delete secret ...命令,后面跟secret的名字,如果不是default的namespace,请加 -n 参数指定namespace
5bug-MacBook:~/codes/projects/k8s-demo/secret$ kubectl delete secret account secret "account" deleted
查看Secret
通过kubectl get secret xxx 命令可以查看secret,内容默认是base64编码过的,例如:
5bug-MacBook:~/codes/projects/k8s-demo/secret$ kubectl get secret account -o yaml
apiVersion: v1
data:
pass: d3d3LjVidWcud2FuZw==
user: YWRtaW4=
kind: Secret
metadata:
creationTimestamp: "2020-05-17T14:30:27Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:pass: {}
f:user: {}
f:type: {}
manager: kubectl
operation: Update
time: "2020-05-17T14:30:27Z"
name: account
namespace: default
resourceVersion: "456759"
selfLink: /api/v1/namespaces/default/secrets/account
uid: 08365b58-4c3e-49ce-9b31-5060ee098854
type: Opaque可以通过--decode来解码secret内容,例如:
5bug-MacBook:~/codes/projects/k8s-demo/secret$ echo "d3d3LjVidWcud2FuZw==" | base64 --decode www.5bug.wang
使用Secret
secret支持作如下用法:
作为数据卷挂载
作为环境变量使用
下面通过一个例子来说明具体的使用方法:
--- apiVersion: v1 kind: Pod metadata: name: k8s-demo spec: restartPolicy: Always containers: - image: www.5bug.wang/docker/k8s-demo:1.1 imagePullPolicy: IfNotPresent command: ["/bin/bash","-c","./k8s-demo"] name: k8s-demo ports: - containerPort: 8080 protocol: TCP env: - name: USER valueFrom: # 单独读取某个变量 secretKeyRef: name: account key: user envFrom: #将指定的secret里的所有键值作为容器的环境变量 - secretRef: name: account volumeMounts: #挂载配置 - name: account #挂载设备的名字,与volumes[*].name 需要对应 mountPath: /data/secret #挂载到容器的/data/secret下 readOnly: True volumes: #定义一组挂载设备 - name: account secret: secretName: account defaultMode: 400 # 指定文件权限 items: - key: user path: account/user - key: pass path: account/pass
Secret的使用场景一般有:
docker push/pull
SSH密钥
mysql/redis账户密码等
......
相关文章
- 在Kubernetes里使用openkruise实现服务原地升级功能
- 吾八哥学k8s(十一):kubernetes里Pod的调度机制
- 吾八哥学k8s(十):kubernetes里Service和Ingress
- kubernetes中服务自定义Prometheus的metrics的方法
- k8s集群安装Prometheus监控以及Grafana面板的方法
- kubernetes集群证书过期的解决方法
- kubelet启动失败报failed to find cgroups of kubelet的解决方法
- 吾八哥学k8s(九):kubernetes里持久化存储
- macOs和Linux环境下kubectl命令自动补齐的方法
- apps/v1版本下使用client-go实现kubernetes回滚的方法