1. secret

Secret有三种类型:

  1. Opaque:base64编码格式的Secret,用来存储密码、密钥等;但数据也能通过base64 --decode解码得到原始数据,所以它只是编码而非加密,保密性很弱。
  2. kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息。
  3. kubernetes.io/service-account-token:用于被serviceaccount引用。serviceaccount创建时Kubernetes会默认创建对应的secret。Pod如果使用了serviceaccount,对应的secret会自动挂载到Pod目录 /run/secrets/kubernetes.io/serviceaccount 中。

1.1 创建generic类型

通过键值对方式创建

# Create an Opaque Secret "mysec1" holding two literal key/value pairs (xx, yy).
# NOTE: values passed with --from-literal land in shell history and are visible
# in process listings; for real credentials prefer --from-file / --from-env-file.
kubectl create secret generic mysec1 \
  --from-literal=xx=haha001 \
  --from-literal=yy=haha002

通过文件方式创建

# Create an Opaque Secret "mysec2" from files; each file becomes one key named
# after the file's basename (hosts, issue) with the file contents as the value.
kubectl create secret generic mysec2 \
  --from-file=/etc/hosts \
  --from-file=/etc/issue

1.2 创建harbor-registry类型

# Create a docker-registry (dockerconfigjson) Secret "myxx" for a private registry.
# NOTE: --docker-password puts the registry password on the command line, where it
# is exposed through shell history and `ps`; treat this as a lab-only form.
kubectl create secret docker-registry myxx \
  --docker-server=192.168.10.31 \
  --docker-username=admin \
  --docker-password=harbor001

1.3 查看secret

# Dump the whole Secret object; the values under .data are only base64-encoded,
# so anyone allowed to `get` Secrets in the namespace can recover them.
kubectl get secrets mysec1 -o yaml

# Pull a single key out with jsonpath and decode it back to plaintext.
# (base64 -d is the GNU coreutils flag; some BSD/macOS builds spell it -D.)
kubectl get secrets mysec1 -o jsonpath='{.data.xx}' | base64 -d

secret 的数据以 base64 编码形式存储,使用 base64 -d 即可还原为原始值

1.4 使用secret

1.4.1 以环境变量方式引用

# Pod "dbpod" that consumes Secret "mysec1" through an environment variable.
# NOTE: an env var is readable by every process in the container and by anyone
# who can exec into it; the Secret value is not protected once injected this way.
apiVersion: v1
kind: Pod
metadata:
  name: dbpod
  labels:
    run: dbpod
  creationTimestamp: null
spec:
  restartPolicy: Always
  dnsPolicy: ClusterFirst
  containers:
    - name: dbpod
      image: hub.c.163.com/library/mysql
      imagePullPolicy: IfNotPresent
      resources: {}
      env:
        # MYSQL_ROOT_PASSWORD is filled from key "xx" of Secret "mysec1".
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysec1
              key: xx
status: {}

1.4.2 以卷的形式挂载

# Pod "pod1" that mounts Secret "mysec1" as a volume: each key of the Secret
# appears as a file under /data inside the nginx container.
apiVersion: v1
kind: Pod
metadata:
  name: pod1
  labels:
    run: pod1
  creationTimestamp: null
spec:
  restartPolicy: Always
  dnsPolicy: ClusterFirst
  volumes:
    # Volume "v1" is backed by the Secret named mysec1.
    - name: v1
      secret:
        secretName: mysec1
  containers:
    - name: pod1
      image: nginx
      imagePullPolicy: IfNotPresent
      resources: {}
      volumeMounts:
        - name: v1
          mountPath: /data
status: {}

secret不方便修改,所以一般情况下不会使用卷的方式引用secret

2. configmap

2.1 创建变量类型

# Create ConfigMap "mycm1" from two literal key/value pairs (xx, yy).
# ConfigMaps are plain, unencoded data; do not put credentials in them.
kubectl create cm mycm1 \
  --from-literal=xx=haha001 \
  --from-literal=yy=haha002

2.2 创建文件类型

# Create ConfigMap "mycm2" from files; each file's basename becomes a key
# (hosts, issue) whose value is the file content.
kubectl create cm mycm2 \
  --from-file=/etc/hosts \
  --from-file=/etc/issue

2.3 以变量的方式引用

# Pod "dbpod" that reads ConfigMap "mycm1" through an environment variable.
# The only difference from the Secret variant is configMapKeyRef in place of
# secretKeyRef; the referenced value is not a secret and is stored in clear.
apiVersion: v1
kind: Pod
metadata:
  name: dbpod
  labels:
    run: dbpod
  creationTimestamp: null
spec:
  restartPolicy: Always
  dnsPolicy: ClusterFirst
  containers:
    - name: dbpod
      image: hub.c.163.com/library/mysql
      imagePullPolicy: IfNotPresent
      resources: {}
      env:
        # MYSQL_ROOT_PASSWORD is filled from key "xx" of ConfigMap "mycm1".
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            configMapKeyRef:
              name: mycm1
              key: xx
status: {}

2.4 以卷的方式引用

# Pod "pod1" that mounts ConfigMap "mycm2" as a volume: every key of the
# ConfigMap becomes a file under /data in the nginx container.
apiVersion: v1
kind: Pod
metadata:
  name: pod1
  labels:
    run: pod1
  creationTimestamp: null
spec:
  restartPolicy: Always
  dnsPolicy: ClusterFirst
  volumes:
    # Volume "v1" is backed by the ConfigMap named mycm2.
    - name: v1
      configMap:
        name: mycm2
  containers:
    - name: pod1
      image: nginx
      imagePullPolicy: IfNotPresent
      resources: {}
      volumeMounts:
        - name: v1
          mountPath: /data
status: {}

2.5 以文件方式引用

# Pod "pod1" that projects a single key ("nginx.conf") of ConfigMap "nginx.conf"
# onto the file /etc/nginx/nginx.conf using subPath, so the rest of /etc/nginx
# is left untouched.
# NOTE: a subPath mount is not refreshed when the ConfigMap changes; the Pod must
# be recreated to pick up a new nginx.conf.
apiVersion: v1
kind: Pod
metadata:
  name: pod1
  labels:
    run: pod1
  creationTimestamp: null
spec:
  restartPolicy: Always
  dnsPolicy: ClusterFirst
  volumes:
    # Volume "v1" is backed by the ConfigMap named nginx.conf.
    - name: v1
      configMap:
        name: nginx.conf
  containers:
    - name: pod1
      image: nginx
      imagePullPolicy: IfNotPresent
      resources: {}
      volumeMounts:
        - name: v1
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
status: {}