14. Kubernetes Notes: Volumes (Part 5) Sec

2021-12-23  Bigyong

Contents
Introduction to Secrets
TLS-type Secrets
Docker Registry-type Secrets
Secret resources: environment-variable reference format
Example 1: create a generic Secret and reference it from MySQL
Example 2: create a TLS-type Secret and reference a self-signed certificate for HTTPS
Example 3: create a docker-registry-type Secret for private registry authentication
downwardAPI
Example 4: downwardAPI referenced through environment variables (env:)
Example 5: downwardAPI mounted through volumeMounts

Introduction to Secrets

ConfigMap data has essentially no categories, but Secrets differ: each Secret carries a type that reflects how it will be used.

  1. docker-registry: used by the kubelet to authenticate to a private image registry when it pulls images for a Pod;
  2. TLS: holds a TLS/SSL certificate and its matching private key;
  3. generic: everything else; within the generic kind there are several further subtypes, selected with --type:
--type="kubernetes.io/basic-auth"
--type="kubernetes.io/rbd"
--type="kubernetes.io/ssh-auth"
--type="bootstrap.kubernetes.io/token"

A service-account token Secret, for example, is bound to its ServiceAccount through annotations:
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: node-controller
    kubernetes.io/service-account.uid: 5c7b00cc-8fae-48f7-9069-8efce3681f4d
  1. Annotation names follow the same naming rules as label names, but the value length is not limited;
  2. Annotations cannot be used as label-selector criteria; they are commonly used to provide a temporary configuration interface for applications still in Beta;
  3. Management commands: kubectl annotate TYPE/NAME KEY=VALUE to set an annotation, kubectl annotate TYPE/NAME KEY- to remove it.

TLS-type Secrets

The TLS type is a special case: besides the different type identifier, creating it on the command line requires the dedicated options --cert and --key.
Whatever the certificate and private key files are called, they are stored under the fixed key names:
tls.crt
tls.key

Docker Registry-type Secrets

[root@k8s-master ~]# kubectl create secret docker-registry --help   # view the help to see which information must be supplied
......
Options:
      --allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in
the template. Only applies to golang and jsonpath output formats.
      --append-hash=false: Append a hash of the secret to its name.
      --docker-email='': Email for Docker registry
      --docker-password='': Password for Docker registry authentication
      --docker-server='https://index.docker.io/v1/': Server location for Docker registry
      --docker-username='': Username for Docker registry authentication
The resulting Secret holds a Docker client configuration in the same format as $HOME/.dockercfg or ~/.docker/config.json; a Pod references it through pod.spec.imagePullSecrets.
Secret resources: environment-variable reference format
containers:
- name: ...
  image: ...
  env:
  - name: <string> # variable name; its value comes from a given key of a Secret object
    valueFrom:  # key reference
      secretKeyRef:
        name: <string> # name of the referenced Secret, which must be in the same namespace as the Pod
        key: <string> # key in the referenced Secret whose value is passed to the variable
        optional: <boolean>  # whether the reference is optional
  envFrom:  # import every key and value of a Secret as environment variables
  - prefix: <string>  # prefix added to every key name when it is exposed as a variable
    secretRef:
      name: <string>  # name of the referenced Secret
      optional: <boolean>  # whether the reference is optional

Example 1: create a generic Secret and reference it from MySQL

[root@k8s-master secret]# kubectl create secret --help
Create a secret using specified subcommand.

Available Commands:  # the three Secret types
  docker-registry Create a secret for use with a Docker registry
  generic         Create a secret from a local file, directory or literal value
  tls             Create a TLS secret

# create a generic-type Secret: username root, password userpassword
[root@k8s-master secret]# kubectl create secret generic mysql-root-authn --from-literal=username=root --from-literal=password=userpassword
secret/mysql-root-authn created

[root@k8s-master secret]# kubectl get secret  
NAME                               TYPE                                  DATA   AGE
default-token-fsshk                kubernetes.io/service-account-token   3      39d
my-grafana                         Opaque                                3      36d
my-grafana-test-token-87856        kubernetes.io/service-account-token   3      36d
my-grafana-token-gh765             kubernetes.io/service-account-token   3      36d
mysql-root-authn                   Opaque (generic type)                 2      25s
sh.helm.release.v1.my-grafana.v1   helm.sh/release.v1                    1      36d

# detailed description
[root@k8s-master secret]# kubectl describe secret mysql-root-authn  
Name:         mysql-root-authn
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  12 bytes
username:  4 bytes
[root@k8s-master secret]# kubectl get secret mysql-root-authn
NAME               TYPE     DATA   AGE
mysql-root-authn   Opaque   2      64s
[root@k8s-master secret]# kubectl get secret mysql-root-authn -o yaml
apiVersion: v1
data:
  password: dXNlcnBhc3N3b3Jk # base64-encoded (an encoding, not encryption)
  username: cm9vdA==
kind: Secret
metadata:
  creationTimestamp: "2021-08-07T07:03:31Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
        f:username: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2021-08-07T07:03:31Z"
  name: mysql-root-authn
  namespace: default
  resourceVersion: "7454439"
  selfLink: /api/v1/namespaces/default/secrets/mysql-root-authn
  uid: 5743f6a0-1f02-445c-87e5-ae9819d77811
type: Opaque

[root@k8s-master secret]# echo dXNlcnBhc3N3b3Jk|base64 -d  # base64-decode it
userpassword[root@k8s-master secret]# 

# create a basic-auth Secret (note: --type below misspells kubernetes.io as kubenetes.io, so the API server stores it as an arbitrary custom type and skips the built-in basic-auth validation)
[root@k8s-master secret]# kubectl create secret generic web-basic-authn --from-literal=username=devopser --from-literal=password=userpassword --type="kubenetes.io/basic-auth"
secret/web-basic-authn created
[root@k8s-master secret]# kubectl get secret
NAME                               TYPE                                  DATA   AGE
default-token-fsshk                kubernetes.io/service-account-token   3      39d
my-grafana                         Opaque                                3      36d
my-grafana-test-token-87856        kubernetes.io/service-account-token   3      36d
my-grafana-token-gh765             kubernetes.io/service-account-token   3      36d
mysql-root-authn                   Opaque                                2      8m2s
sh.helm.release.v1.my-grafana.v1   helm.sh/release.v1                    1      36d
web-basic-authn                    kubenetes.io/basic-auth (auth type)   2      21s

[root@k8s-master secret]# kubectl get secret -n kube-system   # common Secret types in the kube-system namespace
NAME                                             TYPE                                  DATA   AGE
attachdetach-controller-token-bpprw              kubernetes.io/service-account-token   3      39d
bootstrap-signer-token-69hd8                     kubernetes.io/service-account-token   3      39d
bootstrap-token-hbjzpz                           bootstrap.kubernetes.io/token         5      3d
certificate-controller-token-26sn8               kubernetes.io/service-account-token   3      39d
clusterrole-aggregation-controller-token-hlb6c   kubernetes.io/service-account-token   3      39d
coredns-token-k6swp                              kubernetes.io/service-account-token   3      39d
cronjob-controller-token-449ng                   kubernetes.io/service-account-token   3      39d
daemon-set-controller-token-qb22n                kubernetes.io/service-account-token   3      39d
default-token-xjfpp                              kubernetes.io/service-account-token   3      39d
deployment-controller-token-tb84w                kubernetes.io/service-account-token   3      39d
disruption-controller-token-cqzdt                kubernetes.io/service-account-token   3      39d
endpoint-controller-token-ptsp4                  kubernetes.io/service-account-token   3      39d

[root@k8s-master secret]# kubectl get secret node-controller-token-rv7zt -n kube-system -o yaml

[root@k8s-master secret]# cat secrets-env-demo.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: secrets-env-demo
  namespace: default
spec:
  containers:
  - name: mariadb
    image: mariadb
    imagePullPolicy: IfNotPresent
    env: # environment variables are read once at container start; later updates to the Secret are not picked up
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysql-root-authn  # reference the Secret created above
          key: password
[root@k8s-master secret]# kubectl apply -f secrets-env-demo.yaml

[root@k8s-master secret]# kubectl get pod
NAME                                 READY   STATUS    RESTARTS   AGE
centos-deployment-66d8cd5f8b-95brg   1/1     Running   0          2d22h
configmap-volume-demo3               1/1     Running   0          4h36m
configmaps-env-demo                  1/1     Running   0          24h
configmaps-volume-demo               1/1     Running   0          24h
configmaps-volume-demo2              2/2     Running   0          17h
my-grafana-7d788c5479-bpztz          1/1     Running   3          2d22h
secrets-env-demo                     1/1     Running   0          6m38s
volumes-pvc-longhorn-demo            1/1     Running   0          2d4h

# log in with the account and password from the Secret
[root@k8s-master secret]# kubectl exec secrets-env-demo -it -- /bin/bash
root@secrets-env-demo:/# mysql -uroot -puserpassword   
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.6.3-MariaDB-1:10.6.3+maria~focal mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> exit
Bye

root@secrets-env-demo:/# exit
exit

Example 2: create a TLS-type Secret and reference a self-signed certificate for HTTPS
# create the TLS certificate
[root@k8s-master secret]# (umask 007; openssl genrsa -out nginx.key 2048)   # generate the private key
Generating RSA private key, 2048 bit long modulus
................................................................................................+++
.................+++
e is 65537 (0x10001)
[root@k8s-master secret]# ls
nginx.key
# create a self-signed certificate
[root@k8s-master secret]# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Hz/O=DevOps/CN=www.test.com 
[root@k8s-master secret]# ls
nginx.crt  nginx.key
# create the Secret
[root@k8s-master secret]# kubectl create secret tls nginx-ssl-secret --key=./nginx.key --cert=./nginx.crt  
secret/nginx-ssl-secret created

[root@k8s-master secret]# kubectl get secret
NAME                               TYPE                                  DATA   AGE
default-token-fsshk                kubernetes.io/service-account-token   3      39d
my-grafana                         Opaque                                3      36d
my-grafana-test-token-87856        kubernetes.io/service-account-token   3      36d
my-grafana-token-gh765             kubernetes.io/service-account-token   3      36d
mysql-root-authn                   Opaque                                2      32m
nginx-ssl-secret                   kubernetes.io/tls                     2      15s
sh.helm.release.v1.my-grafana.v1   helm.sh/release.v1                    1      36d
web-basic-authn                    kubenetes.io/basic-auth               2      24m
[root@k8s-master secret]# kubectl describe secret nginx-ssl-secret
Name:         nginx-ssl-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1220 bytes
tls.key:  1675 bytes
[root@k8s-master secret]# kubectl get  secret nginx-ssl-secret -o yaml
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURWekNDQWorZ0F3SUJBZ0lKQUpsZGlNMGIvTTRFTUEwR0NTcUdTSWIzRFFFQkN3VUFNRUl4Q3pBSkJnTlYKQkFZVEFrTk9NUXN3Q1FZRFZRUUlEQUpJ1ekhVSkNyc3AxQjkyZGhuCktEZGt0ZWFGVWw5eXFiYzFHeHVwRG15b0lUUjJQUnZzTkREeUl5OGtnOHB6NVlkL2VHRldYUlh0d2w5emtmUHYKMCtDOTd1bWJIdVZ5VlRsdkloU2ltZU5pcnhtdXExUTh5VVNSR0NzaFk3Zmx4TXNTS3FQbWZDWnhNMEZWN090VAorZ0VNdnRUNUlPbkkvTmQ1OFVpVDFveFBIWlVGZ1B2Q2Q4bU9PYkwyU2w4a2JZNVRLcFJFK0dtSXd3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.key: <base64-encoded private key, omitted>
kind: Secret
metadata:
  creationTimestamp: "2021-08-07T07:35:35Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:tls.crt: {}
        f:tls.key: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2021-08-07T07:35:35Z"
  name: nginx-ssl-secret
  namespace: default
  resourceVersion: "7460794"
  selfLink: /api/v1/namespaces/default/secrets/nginx-ssl-secret
  uid: 72bdf764-cd58-4be4-b93c-c9e7bd83713e
type: kubernetes.io/tls

# decode the key (the private key is only base64-encoded: any identity allowed to read the Secret recovers it this way, so restrict get/list on secrets with RBAC)
[root@k8s-master secret]# echo <base64 value of tls.key from the output above> | base64 -d
-----BEGIN RSA PRIVATE KEY-----
<private key material omitted>
-----END RSA PRIVATE KEY-----

[root@k8s-master secret]# cat secrets-volume-demo.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: secrets-volume-demo
  namespace: default
spec:
  containers:
  - image: nginx:alpine
    name: ngxserver
    volumeMounts:
    - name: nginxcerts
      mountPath: /etc/nginx/certs/
      readOnly: true
    - name: nginxconfs
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: nginxcerts
    secret:
      secretName: nginx-ssl-secret   # reference the self-signed certificate Secret created above
  - name: nginxconfs
    configMap:
      name: nginx-sslvhosts-confs  # reference the ConfigMap
      optional: false

[root@k8s-master secret]# cat nginx-config.d/myserver
myserver.conf        myserver-gzip.cfg    myserver-status.cfg  
[root@k8s-master secret]# cat nginx-config.d/myserver.conf 
server {
    listen 443 ssl;
    server_name www.test.com;

    ssl_certificate /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;
    
    ssl_session_timeout 5m;
    
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    include /etc/nginx/conf.d/myserver-*.cfg;
    location / {
      root /usr/share/nginx/html;
    }
}

server {
    listen 80;
    server_name www.ilinux.io;
    return 301 https://$host$request_uri;
}

# create the ConfigMap
[root@k8s-master secret]# kubectl create configmap nginx-sslvhosts-confs --from-file=./nginx-config.d
configmap/nginx-sslvhosts-confs created
[root@k8s-master secret]# kubectl get cm
NAME                    DATA   AGE
demoapp-config          4      47h
demoapp-confs           4      18h
nginx-config            2      26h
nginx-config-files      3      24h
nginx-sslvhosts-confs   3      12s

[root@k8s-master secret]# kubectl apply -f secrets-volume-demo.yaml
pod/secrets-volume-demo created

[root@k8s-master secret]# kubectl get pod
NAME                          READY   STATUS    RESTARTS   AGE
secrets-volume-demo           1/1     Running   0          14m
volumes-pvc-longhorn-demo     1/1     Running   0          2d5h

# inspect the Pod's configuration
[root@k8s-master secret]# kubectl exec secrets-volume-demo -it -- /bin/sh
/ # cd /etc/nginx/conf.d/
/etc/nginx/conf.d # ls
myserver-gzip.cfg    myserver-status.cfg  myserver.conf
/etc/nginx/conf.d # cat myserver.conf 
server {
    listen 443 ssl;
    server_name www.test.com;

    ssl_certificate /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;
    
    ssl_session_timeout 5m;
    
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    include /etc/nginx/conf.d/myserver-*.cfg;
    location / {
      root /usr/share/nginx/html;
    }
}

server {
    listen 80;
    server_name www.ilinux.io;
    return 301 https://$host$request_uri;
}
/etc/nginx/conf.d # netstat -nlt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      

/etc/nginx/conf.d # curl  -H "Host:www.test.com"  https://127.0.0.1:443   # self-signed certificate: curl refuses to verify it
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

/etc/nginx/conf.d # curl -k -H "Host:www.test.com"  https://127.0.0.1:443   # -k skips certificate verification; the request succeeds
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
/etc/nginx/conf.d # exit
Example 3: create a docker-registry-type Secret for private registry authentication
[root@k8s-master secret]# kubectl create secret docker-registry harbor-tom --docker-username=tom --docker-password=userpassword --docker-email=tom@test.com --docker-server=https://registry.test.com/v2/
secret/harbor-tom created
[root@k8s-master secret]# kubectl get secret
NAME                               TYPE                                  DATA   AGE
default-token-fsshk                kubernetes.io/service-account-token   3      39d
harbor-tom                         kubernetes.io/dockerconfigjson        1      50s
mysql-root-authn                   Opaque                                2      45m
nginx-ssl-secret                   kubernetes.io/tls                     2      13m
sh.helm.release.v1.my-grafana.v1   helm.sh/release.v1                    1      36d
web-basic-authn                    kubenetes.io/basic-auth               2      37m
[root@k8s-master secret]# kubectl get secret harbor-tom  -o yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL3JlZ2lzdHJ5LnRlc3QuY29tL3YyLyI6eyJ1c2VybmFtZSI6InRvbSIsInBhc3N3b3JkIjoidXNlcnBhc3N3b3JkIiwiZW1haWwiOiJ0b21AdGVzdC5jb20iLCJhdXRoIjoiZEc5dE9uVnpaWEp3WVhOemQyOXlaQT09In19fQ==
kind: Secret
metadata:
  creationTimestamp: "2021-08-07T07:48:15Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:.dockerconfigjson: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2021-08-07T07:48:15Z"
  name: harbor-tom
  namespace: default
  resourceVersion: "7463303"
  selfLink: /api/v1/namespaces/default/secrets/harbor-tom
  uid: 461547f3-4286-4377-9220-130231041908
type: kubernetes.io/dockerconfigjson
[root@k8s-master secret]# 
[root@k8s-master secret]# echo eyJhdXRocyI6eyJodHRwczovL3JlZ2lzdHJ5LnRlc3QuY29tL3YyLyI6eyJ1c2VybmFtZSI6InRvbSIsInBhc3N3b3JkIjoidXNlcnBhc3N3b3JkIiwiZW1haWwiOiJ0b21AdGVzdC5jb20iLCJhdXRoIjoiZEc5dE9uVnpaWEp3WVhOemQyOXlaQT09In19fQ==|base64 -d
{"auths":{"https://registry.test.com/v2/":{"username":"tom","password":"userpassword","email":"tom@test.com","auth":"dG9tOnVzZXJwYXNzd29yZA=="}}}[root@k8s-master secret]# 
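
The following Python script is an added example (stdlib only, function names assumed), not code from the original post. It decodes a Secret as `kubectl get secret NAME -o json` prints it, applies the per-type key checks for the types introduced above (examples 1 and 3), verifies that a `.dockerconfigjson` payload's `auth` field really is base64 of `username:password`, and flags a misspelled type such as the `kubenetes.io/basic-auth` created in example 1, which the API server silently accepts as a custom type:

```python
import base64
import json

# Built-in Secret types used on this page and the keys each one requires; the sets
# mirror the API server's per-type validation (assumption: only these four types).
BUILTIN_TYPES = {
    "Opaque": set(),
    "kubernetes.io/basic-auth": set(),  # needs 'username' or 'password', checked below
    "kubernetes.io/tls": {"tls.crt", "tls.key"},
    "kubernetes.io/dockerconfigjson": {".dockerconfigjson"},
}

def decode_secret_data(secret):
    """Decode a Secret's base64 'data' map into {key: bytes}. base64 is an encoding,
    not encryption: anyone who can read the object recovers the plaintext."""
    return {k: base64.b64decode(v) for k, v in secret.get("data", {}).items()}

def check_secret(secret):
    """Return findings for a Secret dict as printed by `kubectl get secret NAME -o json`."""
    findings = []
    stype = secret.get("type", "Opaque")
    data = decode_secret_data(secret)

    if stype not in BUILTIN_TYPES:
        # A misspelled type ("kubenetes.io/basic-auth") is stored as an arbitrary
        # custom type, so none of the built-in validation runs for it.
        suffix = stype.rsplit("/", 1)[-1]
        lookalike = [t for t in BUILTIN_TYPES if t.rsplit("/", 1)[-1] == suffix]
        if lookalike:
            findings.append(f"type {stype!r} is not built-in; did you mean {lookalike[0]!r}?")
        return findings

    for key in sorted(BUILTIN_TYPES[stype] - set(data)):
        findings.append(f"missing key {key!r} required by type {stype}")
    if stype == "kubernetes.io/basic-auth" and not ({"username", "password"} & set(data)):
        findings.append("basic-auth secret needs a 'username' or 'password' key")
    if stype == "kubernetes.io/dockerconfigjson" and ".dockerconfigjson" in data:
        findings.extend(check_dockerconfig(data[".dockerconfigjson"]))
    return findings

def check_dockerconfig(blob):
    """Every registry entry's 'auth' must be base64('username:password'); that is the
    credential the kubelet presents to the registry, so a mismatch breaks image pulls."""
    try:
        auths = json.loads(blob)["auths"].items()
    except (ValueError, KeyError, TypeError, AttributeError):
        return ["'.dockerconfigjson' is not a JSON document with an 'auths' map"]
    findings = []
    for registry, entry in auths:
        expected = f"{entry.get('username', '')}:{entry.get('password', '')}"
        try:
            actual = base64.b64decode(entry.get("auth", "")).decode()
        except (ValueError, UnicodeDecodeError):
            actual = None
        if actual != expected:
            findings.append(f"{registry}: 'auth' does not match username:password")
    return findings

def make_dockerconfig_secret(registry, username, password, auth=None):
    """Build the Secret that `kubectl create secret docker-registry` produces (constructed)."""
    if auth is None:
        auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    blob = base64.b64encode(json.dumps(config).encode()).decode()
    return {"type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson": blob}}

# Constructed samples modelled on the two Secrets created in example 1.
MYSQL_SECRET = {"type": "Opaque", "data": {"username": "cm9vdA==", "password": "dXNlcnBhc3N3b3Jk"}}
TYPO_SECRET = {"type": "kubenetes.io/basic-auth", "data": {"username": "ZGV2b3BzZXI="}}
```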

downwardAPI

Pod fields that the downward API can expose:
- metadata.name: the Pod's name;
- metadata.namespace: the namespace the Pod belongs to;
- metadata.uid: the Pod's UID;
- metadata.labels['<KEY>']: the value of the given key in the Pod's labels, e.g. metadata.labels['mylabel']; supported only in Kubernetes 1.9 and later;
- metadata.annotations['<KEY>']: the value of the given key in the Pod's annotations; supported only in Kubernetes 1.9 and later.
- status.podIP: the Pod's IP address
- spec.serviceAccountName: the name of the ServiceAccount the Pod uses
- spec.nodeName: the node name
- status.hostIP: the node's IP address
Example 4: downwardAPI referenced through environment variables (env:)
[root@k8s-master secret]# cat downwardapi-env-demo.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: downwardapi-env-demo
  labels:
    app: demoapp
spec:
  containers:
  - name: demoapp
    image: ikubernetes/demoapp:v1.0
#    command: ["/bin/sh","-c","env"]
    resources:
      requests:
        memory: "32Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "500m"
    env:
    - name: THIS_POD_NAME  # variable name
      valueFrom:
        fieldRef:
          fieldPath: metadata.name  # the Pod's name
    - name: THIS_POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace  # the Pod's namespace
    - name: THIS_APP_LABEL
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['app']
    - name: THIS_CPU_LIMIT
      valueFrom:
        resourceFieldRef:
          resource: limits.cpu # CPU limit, rounded up to whole cores (500m is reported as 1)
    - name: THIS_MEM_REQUEST
      valueFrom:
        resourceFieldRef:
          resource: requests.memory
          divisor: 1Mi # the default divisor is 1 (bytes); 1Mi reports the value in MiB
#restartPolicy: Never

[root@k8s-master secret]# kubectl get pod
NAME                          READY   STATUS    RESTARTS   AGE
configmap-volume-demo3        1/1     Running   0          29h
configmaps-env-demo           1/1     Running   0          2d1h
configmaps-volume-demo        1/1     Running   0          2d1h
configmaps-volume-demo2       2/2     Running   0          43h
downwardapi-env-demo          1/1     Running   0          8m52s

[root@k8s-master secret]# kubectl exec downwardapi-env-demo -it -- /bin/sh
[root@downwardapi-env-demo /]# env   # inspect the variables
...
THIS_APP_LABEL=demoapp
...
THIS_MEM_REQUEST=32
...
THIS_POD_NAME=downwardapi-env-demo
...
THIS_POD_NAMESPACE=default
...
THIS_CPU_LIMIT=1  # in whole cores


[root@downwardapi-env-demo /]# echo $THIS_POD_NAME  # reference the variable directly
downwardapi-env-demo 

Example 5: downwardAPI mounted through volumeMounts
[root@k8s-master secret]# cat downwardapi-volume-demo.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: downwardapi-volume-demo
  labels:
    zone: zone1
    rack: rack100
    app: demoapp
  annotations:
    region: ease-cn
spec:
  containers:
  - name: demoapp
    image: ikubernetes/demoapp:v1.0
    resources:
      requests:
        memory: "32Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "500m"
    volumeMounts:
    - name: podinfo
      mountPath: /etc/podinfo    # directory where the field values are written as files
      readOnly: false
  volumes:
  - name: podinfo
    downwardAPI:
      defaultMode: 420
      items:  # as with a ConfigMap reference, only the listed fields are projected into the volume
      - fieldRef:
          fieldPath: metadata.namespace
        path: pod_namespace  # file name for the referenced field
      - fieldRef:
          fieldPath: metadata.labels
        path: pod_labels
      - fieldRef:
          fieldPath: metadata.annotations
        path: pod_annotations
      - resourceFieldRef:
          containerName: demoapp
          resource: limits.cpu
        path: "cpu_limit"
      - resourceFieldRef:
          containerName: demoapp
          resource: requests.memory
          divisor: "1Mi"
        path: "mem_request"
        

[root@k8s-master secret]# kubectl get pod
NAME                          READY   STATUS    RESTARTS   AGE
downwardapi-env-demo          1/1     Running   0          36m
downwardapi-volume-demo       1/1     Running   0          2m11s

# enter the container and inspect the files
[root@k8s-master secret]# kubectl exec downwardapi-volume-demo -it  -- /bin/sh

[root@downwardapi-volume-demo /]# cd /etc/podinfo/
[root@downwardapi-volume-demo /etc/podinfo]# ls
cpu_limit        mem_request      pod_annotations  pod_labels       pod_namespace

[root@downwardapi-volume-demo /etc/podinfo]# cat cpu_limit 
1
[root@downwardapi-volume-demo /etc/podinfo]# cat pod_namespace 
default
[root@downwardapi-volume-demo /etc/podinfo]# cat pod_labels 
app="demoapp"
rack="rack100"
zone="zone1"

[root@downwardapi-volume-demo /etc/podinfo]# exit
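
The following Python code is an added example (stdlib only, function names assumed), not code from the original post. It evaluates fieldRef and resourceFieldRef sources the way the kubelet does for both example 4 (env) and example 5 (volume files): quantities are divided by the divisor and rounded up, which is why limits.cpu 500m is reported as 1 and requests.memory 32Mi with divisor 1Mi as 32, and whole label maps are written one key="value" per line sorted by key, matching the cat pod_labels output. The Pod it evaluates is constructed from the two manifests above.

```python
import math
import re
from fractions import Fraction

# Kubernetes quantity suffixes used on this page; exact Fractions because the kubelet
# rounds the divided value up, and float arithmetic could misplace that boundary.
SUFFIXES = {"m": Fraction(1, 1000), "k": 10**3, "M": 10**6, "G": 10**9,
            "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def parse_quantity(q):
    """'500m' -> 1/2 core, '32Mi' -> 33554432 bytes, '1' -> 1 (exact Fractions)."""
    q = str(q).strip()
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if q.endswith(suffix):
            return Fraction(q[: -len(suffix)]) * SUFFIXES[suffix]
    return Fraction(q)

def resource_value(container, resource, divisor="1"):
    """Value exposed for a resourceFieldRef: ceil(quantity / divisor). This is why
    limits.cpu 500m shows as 1 and requests.memory 32Mi with divisor 1Mi shows as 32."""
    kind, name = resource.split(".")  # e.g. "limits.cpu"
    quantity = container["resources"][kind][name]
    return math.ceil(parse_quantity(quantity) / parse_quantity(divisor))

def field_value(pod, field_path):
    """Resolve a fieldRef path. Whole label/annotation maps are rendered the way the
    downwardAPI volume writes them: one key="value" per line, sorted by key."""
    m = re.fullmatch(r"metadata\.(labels|annotations)\['([^']+)'\]", field_path)
    if m:
        return pod["metadata"][m.group(1)][m.group(2)]
    if field_path in ("metadata.labels", "metadata.annotations"):
        kv = pod["metadata"].get(field_path.split(".")[1], {})
        return "\n".join(f'{k}="{v}"' for k, v in sorted(kv.items()))
    section, key = field_path.split(".", 1)  # metadata.name, metadata.namespace, ...
    return pod[section][key]

def resolve(pod, container, source):
    # Evaluate one env valueFrom or one downwardAPI volume item against the Pod.
    if "fieldRef" in source:
        return str(field_value(pod, source["fieldRef"]["fieldPath"]))
    ref = source["resourceFieldRef"]
    if "containerName" in ref:  # volume items must name the container explicitly
        container = next(c for c in pod["spec"]["containers"] if c["name"] == ref["containerName"])
    return str(resource_value(container, ref["resource"], ref.get("divisor", "1")))

def env_for(pod, container):
    """{ENV_NAME: value} for a container's downward API env entries (example 4)."""
    return {e["name"]: resolve(pod, container, e["valueFrom"]) for e in container.get("env", [])}

def files_for(pod, items):
    """{path: file content} for a downwardAPI volume's items (example 5)."""
    return {item["path"]: resolve(pod, None, item) for item in items}

# Constructed Pod modelled on downwardapi-volume-demo, with the env entries of downwardapi-env-demo.
CONTAINER = {
    "name": "demoapp",
    "resources": {"requests": {"memory": "32Mi", "cpu": "250m"},
                  "limits": {"memory": "64Mi", "cpu": "500m"}},
    "env": [
        {"name": "THIS_POD_NAME", "valueFrom": {"fieldRef": {"fieldPath": "metadata.name"}}},
        {"name": "THIS_APP_LABEL", "valueFrom": {"fieldRef": {"fieldPath": "metadata.labels['app']"}}},
        {"name": "THIS_CPU_LIMIT", "valueFrom": {"resourceFieldRef": {"resource": "limits.cpu"}}},
        {"name": "THIS_MEM_REQUEST",
         "valueFrom": {"resourceFieldRef": {"resource": "requests.memory", "divisor": "1Mi"}}},
    ],
}
POD = {"metadata": {"name": "downwardapi-volume-demo", "namespace": "default",
                    "labels": {"zone": "zone1", "rack": "rack100", "app": "demoapp"},
                    "annotations": {"region": "ease-cn"}},
       "spec": {"containers": [CONTAINER]}}
```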