Video source: Bilibili, "Trying to build Kubernetes at the end of 2021 to mastery - Happy Appetizers in 2022"
While learning, I sorted out the teacher's course content and my test notes to share with you; if anything infringes, it will be deleted. Thank you for your support!
Related: Kubernetes Basic Self-Study Series summary (COCOgsta, CSDN blog)
Secret solves the configuration problem of sensitive data such as passwords, tokens and keys, so that these values do not have to be baked into images or written into Pod specs. A Secret can be consumed as a Volume or as environment variables.
There are three commonly used types of Secret:
Service Account token (type kubernetes.io/service-account-token): used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount (the documented path is /var/run/secrets/kubernetes.io/serviceaccount; in most images /var/run is a symlink to /run, so both work)
Opaque: arbitrary key/value data (passwords, keys, etc.) stored base64-encoded. base64 is an encoding, not encryption: anyone who is allowed to read the Secret object can recover the plaintext
kubernetes.io/dockerconfigjson: used to store the login credentials for a private Docker registry, referenced from a Pod through imagePullSecrets
Service Account
Service Account tokens are used to access the Kubernetes API. Kubernetes creates them automatically and mounts them into the Pod at /run/secrets/kubernetes.io/serviceaccount. Because every Pod gets one by default, a compromised container can use the token against the API with whatever RBAC permissions the service account has; Pods that do not need to talk to the API should set automountServiceAccountToken: false in their spec. The transcript below is from an older kubectl, where kubectl run created a Deployment; with kubectl 1.18 and later it creates a single Pod named nginx instead, so the Pod name in the exec command would simply be nginx.
$ kubectl run nginx --image nginx
deployment "nginx" created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-3137573019-md1u2 1/1 Running 0 13s
$ kubectl exec nginx-3137573019-md1u2 -- ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
Opaque Secret
I. Creating a Secret
The data field of an Opaque Secret is a map, and every value must be base64-encoded. Encode with echo -n (or printf '%s') so that no trailing newline ends up inside the stored value, which is a common cause of "wrong password" errors that are hard to spot. Alternatively, the stringData field accepts plaintext values and the API server base64-encodes them on write.
$ echo -n "admin" | base64
YWRtaW4=
$ echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm
secrets.yml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
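As an added example (not code from the course or from Kubernetes), the shell script below generates an Opaque Secret manifest from plaintext key=value pairs, then decodes a field back out of it. The secret name and values are the ones from secrets.yml above; the helper names (b64, opaque_secret, secret_field) are this example's own. It shows two things the page only states: that a trailing newline from echo changes the encoded value, and that base64 gives no protection, since kubectl get secret -o yaml plus base64 -d is all a reader needs.

```shell
#!/bin/sh
# Added example: build an Opaque Secret manifest from plaintext values and
# decode it again. Values (mysecret, admin, 1f2d1e2e67df) follow the page;
# the helper names are this example's own.

# b64: base64-encode stdin with no trailing newline and no line wrapping.
# printf '%s' is used instead of `echo -n` because `echo -n` is not portable
# and a stray newline in the plaintext would be encoded into the Secret.
b64() {
    base64 | tr -d '\n'
}

# b64d: decode base64 from stdin. This is all it takes to recover the
# plaintext from a Secret object: base64 is encoding, not encryption.
b64d() {
    base64 -d
}

# opaque_secret NAME KEY=VALUE ... : print a Secret manifest with every
# VALUE base64-encoded under data: (the same shape as secrets.yml).
# Using stringData: instead would let the API server encode for you.
opaque_secret() {
    name=$1; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for kv in "$@"; do
        key=${kv%%=*}
        value=${kv#*=}
        printf '  %s: %s\n' "$key" "$(printf '%s' "$value" | b64)"
    done
}

# secret_field MANIFEST KEY : pull KEY out of the data: map and decode it,
# i.e. what anyone with `get` on the Secret can do.
secret_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: //p" | b64d
}

manifest=$(opaque_secret mysecret username=admin password=1f2d1e2e67df)
printf '%s\n' "$manifest"
printf 'decoded password: %s\n' "$(secret_field "$manifest" password)"
```

Run it with sh; the generated manifest can be applied directly with kubectl apply -f -. Compare the output of printf '%s' admin | base64 (YWRtaW4=) with echo admin | base64 (YWRtaW4K) to see the newline problem the text warns about.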
II. How to use it
1. Mount the Secret as a Volume. Each key becomes a file under mountPath (here /data/username and /data/password), and the files are refreshed automatically when the Secret is updated (unless mounted with subPath).
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: secret-test
  name: secret-test
spec:
  volumes:
    - name: volumes12
      secret:
        secretName: mysecret
  containers:
    - image: wangyanglinux/myapp:v1
      name: db
      volumeMounts:
        - name: volumes12
          mountPath: "/data"
2. Export the Secret to environment variables. Environment variables are set once at container start and are not refreshed when the Secret changes; they are also inherited by every child process and tend to leak into crash dumps, debug endpoints and logs, so the volume mount is the safer choice for long-lived credentials.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: pod-deployment
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
        - name: pod-1
          image: wangyanglinux/myapp:v1
          ports:
            - containerPort: 80
          env:
            - name: TEST_USER
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: username
            - name: TEST_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: password
kubernetes.io/dockerconfigjson
Use kubectl to create a Secret holding the credentials for a private Docker registry. Note that the password is passed on the command line, so it ends up in shell history and in the Secret as base64, readable by anyone with access to that namespace's Secrets:
$ kubectl create secret docker-registry hongfureg --docker-server=hub.hongfu.com --docker-username=admin --docker-password=Harbor12345 --docker-email=<email>
secret/hongfureg created
When creating the Pod, reference the new Secret hongfureg through imagePullSecrets:
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
    - name: foo
      image: hub.hongfu.com/wangyang/myapp:v1
  imagePullSecrets:
    - name: hongfureg
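As an added example (not code from the course), the script below reproduces what kubectl create secret docker-registry stores: a .dockerconfigjson document of the form {"auths":{"<server>":{"username","password","email","auth"}}} where auth is just base64("user:password"), the same format docker login writes to ~/.docker/config.json, and the whole JSON is base64-encoded again under data. The server, user and password values are the ones from the kubectl command above; the e-mail address is a placeholder and the helper names (dockerconfig_json, registry_secret, registry_credentials) are this example's own. The last function is the attacker's view: with read access to the Secret, two base64 decodes yield the registry password.

```shell
#!/bin/sh
# Added example: reproduce what `kubectl create secret docker-registry`
# stores, and show the registry password being recovered from it.
# hub.hongfu.com/admin/Harbor12345 follow the page; the e-mail is a
# placeholder; helper names are this example's own.

b64() { base64 | tr -d '\n'; }
b64d() { base64 -d; }

# dockerconfig_json SERVER USER PASSWORD EMAIL : the JSON that kubectl
# places (base64-encoded) under data[".dockerconfigjson"]. The "auth"
# field is base64("USER:PASSWORD"), exactly what `docker login` writes
# to ~/.docker/config.json.
dockerconfig_json() {
    auth=$(printf '%s:%s' "$2" "$3" | b64)
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
        "$1" "$2" "$3" "$4" "$auth"
}

# registry_secret NAME SERVER USER PASSWORD EMAIL : the full Secret
# manifest of type kubernetes.io/dockerconfigjson, as
# `kubectl create secret docker-registry NAME ... -o yaml` prints it.
registry_secret() {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
        "$1" "$(dockerconfig_json "$2" "$3" "$4" "$5" | b64)"
}

# registry_credentials MANIFEST : decode the manifest back to
# USER:PASSWORD using only the auth field. Anyone with `get` on Secrets
# in the namespace (or a kubeconfig leaked from a CI job) can do this.
registry_credentials() {
    printf '%s\n' "$1" | sed -n 's/^  \.dockerconfigjson: //p' | b64d \
        | sed 's/.*"auth":"\([^"]*\)".*/\1/' | b64d
}

manifest=$(registry_secret hongfureg hub.hongfu.com admin Harbor12345 admin@example.com)
printf '%s\n' "$manifest"
printf 'recovered: %s\n' "$(registry_credentials "$manifest")"
```

The practical consequence is that a registry pull secret should belong to a robot account with pull-only rights on the repositories the namespace needs, never to the Harbor admin account used in the course's command, and the namespace's RBAC should restrict who may read Secrets.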