k8s Storage: Secret

Three types of Secret

  • Service Account: used to access the Kubernetes API. Created automatically by Kubernetes and automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount

  • Opaque: base64-encoded Secret, used to store passwords, keys and similar values

  • kubernetes.io/dockerconfigjson: used to store the authentication information for a private docker registry

 

1 Service Account

A Service Account is used to access the Kubernetes API. Kubernetes creates it automatically and mounts its token into every Pod at /run/secrets/kubernetes.io/serviceaccount unless automountServiceAccountToken: false is set on the Pod or on the ServiceAccount. Any process in the container can read that token, so a compromised container can talk to the API with the Pod's identity; Pods that do not need the API should opt out of the mount.

The transcript below is from an older kubectl, where kubectl run created a Deployment; current versions create a bare Pod instead.

$ kubectl run nginx --image nginx
deployment "nginx" created
$ kubectl get pods
NAME                     READY   STATUS    RESTARTS   AGE
nginx-3137573019-md1u2   1/1     Running   0          13s
$ kubectl exec nginx-3137573019-md1u2 -- ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
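What a container can learn from that directory, as an added example that is not part of the original page: the token file is a JWT whose payload names the service account, and a Pod that does not need the API can refuse the mount with automountServiceAccountToken: false. It assumes a POSIX sh with base64 and tr available; the pod name and image handed to pod_without_sa_token are placeholders, and the directory layout (ca.crt, namespace, token) is the one listed above.

```shell
#!/bin/sh
# Added example, not from the original page: inspect the automounted
# service-account directory and opt out of the mount when it is not needed.
# Assumes POSIX sh, base64(1), tr(1), cut(1).

SA_DIR=/run/secrets/kubernetes.io/serviceaccount

# JWT segments are base64url without padding; turn them back into plain
# base64 (+ and /, padded to a multiple of 4) before decoding.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# The token is header.payload.signature. Decoding the payload shows who the
# token is for (sub, iss, namespace); it is NOT verification, the signature
# is only checked by the API server.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Summarise what any process in the container can read from the mount.
describe_sa_mount() {
    dir=${1:-$SA_DIR}
    echo "namespace: $(cat "$dir/namespace")"
    echo "ca.crt bytes: $(wc -c < "$dir/ca.crt" | tr -d ' ')"
    echo "token claims: $(jwt_payload "$(cat "$dir/token")")"
}

# Pod manifest that refuses the automounted token: the container then has no
# API credential at all. $1 is the pod name, $2 the image (placeholders).
pod_without_sa_token() {
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  automountServiceAccountToken: false
  containers:
  - name: app
    image: $2
EOF
}
```

Inside a running container, describe_sa_mount with no argument reads the real mount; on the workstation, pod_without_sa_token nginx-noapi nginx | kubectl apply -f - creates a Pod in which ls /run/secrets/kubernetes.io/serviceaccount fails because the directory is never mounted.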

2 Opaque Secret

 

2.1 Create and reference

An Opaque Secret carries its data as a map whose values must be base64-encoded. base64 is an encoding, not encryption: anyone who can read the Secret object can decode the values. Use echo -n so that the trailing newline is not encoded into the value:

 

$ echo -n "admin" | base64
YWRtaW4=
$ echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm
  • Create the secret

 

$ cat secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=

Reference it from a Pod

 

$ cat pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: secret-test # label
  name: secret-test # pod name
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
  containers:
  - image: wangyanglinux/myapp:v1
    name: db1
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secret"
      readOnly: true

  • verification

Each key of the Secret becomes a file under the mount path holding the decoded value. The values were encoded with echo -n, so no newline follows them and the next prompt runs on:

$ kubectl exec -it secret-test -- /bin/sh
/ # cd /etc/secret/
/etc/secret # ls
password  username
/etc/secret # cat password
1f2d1e2e67df/etc/secret # cat username
admin/etc/secret #
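The encoding step and its reverse, as an added example that is not part of the original page: a function that writes an Opaque Secret manifest from plaintext key=value pairs (so the base64 is never done by hand) and a function that decodes a field read back from the cluster, which shows that read access to the Secret is the same as knowing the password. It assumes a POSIX sh with base64 and tr; the Secret name and values are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original page: build an Opaque Secret manifest
# from plaintext values and read values back. Assumes POSIX sh, base64(1),
# tr(1); values must not contain newlines.

# printf avoids the trailing newline that a bare `echo` would add; that
# newline would otherwise become part of the stored value (YWRtaW4K instead
# of YWRtaW4= for "admin").
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Emit a Secret manifest. $1 is the Secret name, the rest are key=value pairs.
opaque_secret_manifest() {
    name=$1; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for kv in "$@"; do
        key=${kv%%=*}
        value=${kv#*=}
        printf '  %s: %s\n' "$key" "$(b64 "$value")"
    done
}

# The reverse direction: anyone allowed to `kubectl get secret` can run
#   kubectl get secret mysecret -o jsonpath='{.data.password}' | decode_field
# and obtain the plaintext, so RBAC on Secrets is the real protection.
decode_field() {
    base64 -d
}

# Stand-alone demo with the values from this page.
opaque_secret_manifest mysecret username=admin password=1f2d1e2e67df
```

Pipe the manifest into kubectl apply -f - to create it. kubectl also accepts a stringData: map with plaintext values, and kubectl create secret generic mysecret --from-literal=username=admin does the encoding for you; either way the object stored in etcd still holds only base64, which is why encryption at rest for Secrets and tight RBAC on get/list secrets matter.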

2.2 Reference a Secret through environment variables

The same Secret can be injected into a container as environment variables with secretKeyRef:

 

$ cat env.yaml
apiVersion: apps/v1 # extensions/v1beta1 no longer exists; apps/v1 also requires a selector
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: pod-deployment
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
      - name: pod-1
        image: wangyanglinux/myapp:v1
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password


  • verification

Run env inside one of the replicas with kubectl exec and check that TEST_USER and TEST_PASSWORD contain the decoded values. Environment variables are visible to every process in the container and tend to leak into logs and diagnostics, which is why the volume mount of 2.1 is usually preferred for credentials.

3 Used when pulling images (kubernetes.io/dockerconfigjson)

When a Pod pulls an image from a private registry, a Secret of this type must exist and be referenced by the Pod; otherwise the pull fails and the Pod sits in ErrImagePull / ImagePullBackOff.

 

First register an account on Docker Hub, then log in from Linux:

 

docker login -u huningfei   # prompts for the password; passing it with -p leaves it in shell history and ps output
docker logout               # log out

3.1 Create a Secret holding the registry username and password

For a private registry, add its address with --docker-server (for Docker Hub itself the default is https://index.docker.io/v1/; hub.docker.com is the website, not the registry endpoint):

kubectl create secret docker-registry myregistrykey --docker-server=hub.docker.com --docker-username=huningfei --docker-password=password --docker-email=<email>

 

For the public registry (Docker Hub), no address is needed:

 

kubectl create secret docker-registry registry-pull-secret --docker-username=huningfei --docker-password=password --docker-email=<email>

Check the Secret that was created with kubectl get secret. Its single key, .dockerconfigjson, holds the base64-encoded registry credentials, so anyone who can read the Secret can log in to the registry as that user.

Example Pod that pulls an image from the private registry:

 

apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: foo
    image: huningfei/demo-test:31
  imagePullSecrets:
  - name: registry-pull-secret # must match the Secret name created above
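What kubectl create secret docker-registry actually stores, as an added example that is not part of the original page: the Secret has one key, .dockerconfigjson, whose value is a base64-encoded ~/.docker/config.json, and inside it the auth field is just base64 of user:password. The functions below build the same manifest by hand so the format is visible and so the caveat above (read access to the Secret equals the registry password) is concrete. It assumes a POSIX sh with base64, sed and tr; the email address and password are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: construct a
# kubernetes.io/dockerconfigjson Secret manifest by hand.
# Assumes POSIX sh, base64(1), sed(1), tr(1).

b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Minimal JSON string escaping (backslash and double quote), enough for
# typical registry passwords; other control characters are not handled.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# The ~/.docker/config.json shape kubelet reads. "auth" duplicates the
# username and password as base64("user:password"); nothing here is encrypted.
# $1 registry server, $2 username, $3 password, $4 email
dockerconfigjson() {
    server=$1 user=$2 pass=$3 email=$4
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
        "$(json_escape "$server")" "$(json_escape "$user")" \
        "$(json_escape "$pass")" "$(json_escape "$email")" \
        "$(b64 "$user:$pass")"
}

# Full Secret manifest. $1 is the Secret name; the remaining arguments are
# passed to dockerconfigjson. The JSON is base64-encoded a second time
# because it sits under data:, like every other Secret value.
registry_secret_manifest() {
    name=$1; shift
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(dockerconfigjson "$@")")
EOF
}

# Stand-alone demo; the password and email are placeholders.
registry_secret_manifest registry-pull-secret https://index.docker.io/v1/ huningfei password you@example.com
```

Pipe the output into kubectl apply -f - and reference it from imagePullSecrets exactly as in the Pod above. If you have already run docker login, kubectl create secret generic registry-pull-secret --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=$HOME/.docker/config.json uploads the existing file; check first that it contains only the registries you intend, since every credential in it is copied into the cluster.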