一,前言
上一篇,介绍了 docker 私有镜像仓库的安装和使用;
本篇,介绍 Secret 对象的创建;
二,k8s Secret 简介
Secret 是 Kubernetes 中的一种资源类型,可以用来储存机密信息,如:密码,token,密钥等;
信息被存入 Secret 后,可以通过挂载卷的方式挂载到 Pod 内;
也可以用于存放 docker 私有镜像库的登录名和密码,用于拉取私有镜像使用;
- Opaque 类型;
三,Opaque 类型
Opaque 类型,一般用于存放密码,密钥等信息,存储格式为 base64;
1,通过命令行方式创建
- account 为自定义名称
- –from-literal key=value
// 创建一个通用的秘钥对象,包含两个值:username、password
[root@k8s-master ~]# kubectl create secret generic secret-opaque --from-literal=username=admin --from-literal=password=123456
secret/secret-opaque created
查看secret 列表
kubectl get secret
// 实际执行
[root@k8s-master ~]# kubectl get secret
NAME TYPE DATA AGE
default-token-q4qxd kubernetes.io/service-account-token 3 8d
secret-opaque Opaque 2 43s
字段 | 含义 |
---|---|
NAME | Secret的名称 |
TYPE | Secret的类型 |
DATA | 存储内容的数量 |
AGE | 创建到现在的时间 |
查看指定 secret
//输出yaml格式
kubectl get secret secret-opaque -o yaml
//输出json格式
kubectl get secret secret-opaque -o json
// 实际执行
[root@k8s-master ~]# kubectl get secret secret-opaque -o yaml
apiVersion: v1
data:
password: MTIzNDU2
username: YWRtaW4=
kind: Secret
metadata:
creationTimestamp: "2021-12-30T05:38:01Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:password: {}
f:username: {}
f:type: {}
manager: kubectl-create
operation: Update
time: "2021-12-30T05:38:01Z"
name: secret-opaque
namespace: default
resourceVersion: "1042792"
uid: 23fc82eb-9c31-41d2-8e08-d85bd6267cf9
type: Opaque
发现密码 username、password 是 MTIzNDU2,是被 base64 加密了:
// 对 Base64 进行解码
echo MTIzNDU2 | base64 -d
// 实际执行
[root@k8s-master ~]# echo MTIzNDU2 | base64 -d
123456
secret 编辑值
// 编辑值
kubectl edit secret secret-opaque
2,配置文件创建
secret-opaque-flie.yaml
[root@k8s-master ~]# cd deployment/
[root@k8s-master deployment]# vi secret-opaque-flie.yaml
apiVersion: v1
kind: Secret
metadata:
name: secret-opaque-flie
stringData:
username: root
password: root
type: Opaque
应用配置文件
[root@k8s-master deployment]# kubectl apply -f secret-opaque-flie.yaml
secret/secret-opaque-flie created
[root@k8s-master deployment]# kubectl get secret secret-opaque-flie -o yaml
apiVersion: v1
data:
password: cm9vdA==
username: cm9vdA==
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"secret-opaque-flie","namespace":"default"},"stringData":{"password":"root","username":"root"},"type":"Opaque"}
creationTimestamp: "2021-12-30T05:45:44Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:password: {}
f:username: {}
f:metadata:
f:annotations:
.: {}
f:kubectl.kubernetes.io/last-applied-configuration: {}
f:type: {}
manager: kubectl-client-side-apply
operation: Update
time: "2021-12-30T05:45:44Z"
name: secret-opaque-flie
namespace: default
resourceVersion: "1043462"
uid: 815da8ac-662c-44c4-930b-b11d1cfdf509
type: Opaque
四、私有镜像库认证
私有镜像库认证类型,一般用于拉取私有库镜像时使用;
1,通过命令行创建
// 创建 secret,类型是 docker-registry,名字是 registry-auth
kubectl create secret docker-registry registry-auth \
--docker-username=admin \
--docker-password=Wz@19880818 \
--docker-email=admin@example.org \
--docker-server=39.105.212.14:8082
// 实际执行
[root@k8s-master deployment]# kubectl create secret docker-registry registry-auth \
> --docker-username=admin \
> --docker-password=Wz@19880818 \
> --docker-email=admin@example.org \
> --docker-server=39.105.212.14:8082
secret/registry-auth created
备注:docker-registry 是关键字, 表示类型;
查看私有库密钥组
//查看私有库密钥组
kubectl get secret registry-auth -o yaml
// 实际执行
[root@k8s-master deployment]# kubectl get secret registry-auth -o yaml
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyIzOS4xMDUuMjEyLjE0OjgwODIiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiV3pAMTk4ODA4MTgiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUub3JnIiwiYXV0aCI6IllXUnRhVzQ2VjNwQU1UazRPREE0TVRnPSJ9fX0=
kind: Secret
metadata:
creationTimestamp: "2021-12-30T05:52:35Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:.dockerconfigjson: {}
f:type: {}
manager: kubectl-create
operation: Update
time: "2021-12-30T05:52:35Z"
name: registry-auth
namespace: default
resourceVersion: "1044058"
uid: 4e0d8412-e6a2-4edb-80a7-23128687c42c
type: kubernetes.io/dockerconfigjson
// base64 解密
echo [value] | base64 -d
// 实际执行
[root@k8s-master deployment]# echo eyJhdXRocyI6eyIzOS4xMDUuMjEyLjE0OjgwODIiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiV3pAMTk4ODA4MTgiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUub3JnIiwiYXV0aCI6IllXUnRhVzQ2VjNwQU1UazRPREE0TVRnPSJ9fX0= | base64 -d
{"auths":{"39.105.212.14:8082":{"username":"admin","password":"Wz@19880818","email":"admin@example.org","auth":"YWRtaW46V3pAMTk4ODA4MTg="}}}
[root@k8s-master deployment]# echo YWRtaW46V3pAMTk4ODA4MTg= | base64 -d
admin:Wz@19880818
2,通过文件创建
registry-auth-file.yaml
vi registry-auth-file.yaml
apiVersion: v1
kind: Secret
metadata:
name: registry-auth-file
data:
.dockerconfigjson: eyJhdXRocyI6eyIzOS4xMDUuMjEyLjE0OjgwODIiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiV3pAMTk4ODA4MTgiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUub3JnIiwiYXV0aCI6IllXUnRhVzQ2VjNwQU1UazRPREE0TVRnPSJ9fX0=
type: kubernetes.io/dockerconfigjson
应用配置
kubectl apply -f ./registry-auth-file.yaml
// 实际执行
[root@k8s-master deployment]# kubectl apply -f ./registry-auth-file.yaml
secret/registry-auth-file created
查看指定 secret
kubectl get secret registry-auth-file -o yaml
// 实际执行
[root@k8s-master deployment]# kubectl get secret registry-auth-file -o yaml
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyIzOS4xMDUuMjEyLjE0OjgwODIiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiV3pAMTk4ODA4MTgiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUub3JnIiwiYXV0aCI6IllXUnRhVzQ2VjNwQU1UazRPREE0TVRnPSJ9fX0=
kind: Secret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{".dockerconfigjson":"eyJhdXRocyI6eyIzOS4xMDUuMjEyLjE0OjgwODIiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiV3pAMTk4ODA4MTgiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUub3JnIiwiYXV0aCI6IllXUnRhVzQ2VjNwQU1UazRPREE0TVRnPSJ9fX0="},"kind":"Secret","metadata":{"annotations":{},"name":"registry-auth-file","namespace":"default"},"type":"kubernetes.io/dockerconfigjson"}
creationTimestamp: "2021-12-30T05:58:33Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:.dockerconfigjson: {}
f:metadata:
f:annotations:
.: {}
f:kubectl.kubernetes.io/last-applied-configuration: {}
f:type: {}
manager: kubectl-client-side-apply
operation: Update
time: "2021-12-30T05:58:33Z"
name: registry-auth-file
namespace: default
resourceVersion: "1044577"
uid: c865aeac-daa1-425a-90d3-cfd70446ccb9
type: kubernetes.io/dockerconfigjson
查看全部 secret 列表
[root@k8s-master deployment]# kubectl get secret
NAME TYPE DATA AGE
default-token-q4qxd kubernetes.io/service-account-token 3 8d
registry-auth kubernetes.io/dockerconfigjson 1 8m12s
registry-auth-file kubernetes.io/dockerconfigjson 1 2m14s
secret-opaque Opaque 2 22m
secret-opaque-flie Opaque 2 15m
可以看到 registry-auth、 registry-auth-file 是私有镜像仓库类型 kubernetes.io/dockerconfigjson
五,结尾
本篇,介绍了两种 Secret 对象的创建;
下一篇,介绍 Secret 对象的使用;