
Kubernetes Basic Self-Study Series | Why Secret exists

Author: A communicator who loves programming

Video source: Bilibili course "Kubernetes from scratch to mastery at the end of 2021 - a happy appetizer for 2022"

While learning, I organized the teacher's course content and my own test notes and am sharing them here; if anything infringes, it will be removed. Thank you for your support!

Attached: the summary post for the Kubernetes Basic Self-Study Series on _COCOgsta's CSDN blog.

A Secret holds sensitive configuration data such as passwords, tokens and keys without baking it into container images or writing it into Pod specs. A Secret can be consumed either as a Volume or as environment variables.

There are three types of Secret:

Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount.

Opaque: a Secret whose values are stored base64 encoded, used for passwords, keys and similar data.

kubernetes.io/dockerconfigjson: used to store authentication information for a private Docker registry.

Service Account

The Service Account Secret is used to access the Kubernetes API. Kubernetes creates it automatically and mounts it into the Pod at /run/secrets/kubernetes.io/serviceaccount:

$ kubectl run nginx --image nginx
deployment "nginx" created
$ kubectl get pods
NAME                     READY     STATUS    RESTARTS   AGE
nginx-3137573019-md1u2   1/1       Running   0          13s
$ kubectl exec nginx-3137573019-md1u2 ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token

Opaque Secret

I. How to create one

The data field of an Opaque Secret is a map whose values must be base64 encoded:

$ echo -n "admin" | base64
YWRtaW4=
$ echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm

secrets.yml

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
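As an added example that is not part of the original post, the Python helper below encodes values the way the `echo -n ... | base64` commands above do, decodes a Secret's `data` map back to plaintext, and flags the two manifest mistakes that bite most often: a value encoded with plain `echo` (a trailing newline ends up inside the password) and plaintext pasted into `data`. The sample values are the post's own plus constructed bad ones, and nothing here talks to a cluster.

```python
"""Added example (not from the original post): encode, decode and lint the
`data` map of an Opaque Secret like secrets.yml above. It shows the `echo`
vs `echo -n` pitfall (a trailing newline ends up inside the password), plaintext
pasted into `data` by mistake, and that base64 is reversible encoding, not
encryption: anyone who can read the manifest can recover the values."""
from __future__ import annotations

import base64
import binascii


def encode_value(value: str) -> str:
    """Equivalent of the post's `echo -n "<value>" | base64`."""
    return base64.b64encode(value.encode()).decode()


def decode_secret_data(data: dict[str, str]) -> dict[str, str]:
    """Recover the plaintext from a Secret's `data:` map, exactly as anyone with
    read access to the manifest (or `kubectl get secret -o yaml`) can."""
    return {key: base64.b64decode(val, validate=True).decode() for key, val in data.items()}


def lint_secret_data(data: dict[str, str]) -> dict[str, str]:
    """Return {key: problem} for values that would break or surprise a consumer."""
    problems: dict[str, str] = {}
    for key, encoded in data.items():
        try:
            raw = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            # Non-base64 under `data` is rejected when applied; plaintext belongs under stringData.
            problems[key] = "not valid base64 (plaintext belongs under stringData)"
            continue
        if raw.endswith(b"\n"):
            problems[key] = "trailing newline encoded (use echo -n, not echo)"
    return problems


# Constructed sample input: the post's two values, then a password produced
# with plain `echo` and a token pasted into `data` without encoding.
POST_DATA = {"username": "YWRtaW4=", "password": "MWYyZDFlMmU2N2Rm"}
BAD_DATA = {
    "username": "YWRtaW4=",
    "password": encode_value("1f2d1e2e67df\n"),
    "token": "my-plaintext-token",
}

if __name__ == "__main__":
    print(decode_secret_data(POST_DATA))  # {'username': 'admin', 'password': '1f2d1e2e67df'}
    print(lint_secret_data(BAD_DATA))
```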

II. How to use it

1. Mount the Secret as a Volume

apiVersion: v1
kind: Pod
metadata:
  labels:
    name: secret-test
  name: secret-test
spec:
  volumes:
  - name: volumes12
    secret:
      secretName: mysecret
  containers:
  - image: wangyanglinux/myapp:v1
    name: db
    volumeMounts:
    - name: volumes12
      mountPath: "/data"

2. Export Secret to environment variables

apiVersion: apps/v1   # extensions/v1beta1 Deployment was removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  selector:           # required by apps/v1 and must match the Pod template labels
    matchLabels:
      app: pod-deployment
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
      - name: pod-1
        image: wangyanglinux/myapp:v1
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password

kubernetes.io/dockerconfigjson

Use kubectl to create a Secret holding the credentials for a private Docker registry:

$ kubectl create secret docker-registry hongfureg --docker-server=hub.hongfu.com --docker-username=admin --docker-password=Harbor12345 [email protected]
secret "hongfureg" created.

When creating a Pod, reference the newly created Secret hongfureg through imagePullSecrets:

apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
    - name: foo
      image: hub.hongfu.com/wangyang/myapp:v1
  imagePullSecrets:
    - name: hongfureg