2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
I.
Secret resource object: solves the configuration problem of sensitive data such as passwords, tokens and keys, without exposing this data in the image or the Pod spec. A Secret can be consumed as a Volume or as environment variables.
It is used to store sensitive information, such as the user name, password or key of a database.
There are three types of Secret:
1. Service Account: used to access the Kubernetes API; created automatically by Kubernetes and automatically mounted to the /run/secrets/kubernetes.io/serviceaccount directory of the Pod.
2. Opaque: a Secret in base64 format, used to store passwords, keys, etc.
3. kubernetes.io/dockerconfigjson: used to store authentication information for a private docker registry.
II. Create Secret resources in four different ways, as a hands-on test.
The test data:
Name: class=lbs
Password: password=www.com
Then create 2 Pods that use lbssecret2 and lbssecret4 respectively, one by mounting a Volume and one through environment variables (env).
1) Using --from-literal (literal values):

    kubectl create secret generic lbssecret1 --from-literal=class=lbs --from-literal=password=www.com

lbssecret1 is the name of the Secret resource being created. generic: the generic, general-purpose type.

View the Secret resources:

    kubectl get secrets
    NAME         TYPE     DATA   AGE
    lbssecret1   Opaque   2      24s

Use describe to view the details of the Secret resource (you can see that the stored values themselves are not displayed):

    kubectl describe secrets lbssecret1
    Name:         lbssecret1
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>

    Type:  Opaque

    Data
    ====
    class:     3 bytes    # you can only see the size of the data, not its content
    password:  7 bytes

2) Using --from-file (files). This method is not recommended: the data to be stored has to be written to files first, and each file can hold only one value.

    echo lbs > class
    echo www.com > password
    kubectl create secret generic lbssecret2 --from-file=class --from-file=password

View:

    kubectl describe secrets lbssecret2
    Name:         lbssecret2
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>

    Type:  Opaque

    Data
    ====
    class:     4 bytes
    password:  8 bytes

3) Using --from-env-file (multiple values can be written in the same file):

    vim lbs.txt
    class=lbs
    password=www.com

(save and exit)

    kubectl create secret generic lbssecret3 --from-env-file=lbs.txt

View:

    kubectl describe secrets lbssecret3
    Name:         lbssecret3
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>

    Type:  Opaque

    Data
    ====
    class:     3 bytes
    password:  7 bytes

4) Using a YAML configuration file (first base64-encode the data to be saved):

    echo lbs | base64
    echo www.com | base64

    vim lbssecret4.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: lbssecret4
    data:
      class: bGJzCg==          # base64-encoded lbs (output of the first echo)
      password: d3d3LmNvbQo=   # base64-encoded www.com (output of the second echo)

Apply the file:

    kubectl apply -f lbssecret4.yaml

    kubectl describe secrets lbssecret4
    Name:         lbssecret4
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    Type:         Opaque

    Data
    ====
    password:  8 bytes
    class:     4 bytes
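The describe output above reports 3 and 7 bytes for the --from-literal and --from-env-file Secrets but 4 and 8 bytes for the ones built with echo, because echo appends a newline that becomes part of the stored value; the values under data are base64-encoded, which anyone who can read the Secret object can reverse. The shell sketch below is an added example, not part of the original article: the function names are hypothetical and the inputs are the article's sample values.

```shell
#!/bin/sh
# Added example; inputs are the article's sample values (lbs, www.com).

# Encode exactly the bytes given (what --from-literal stores: no newline).
b64_exact() { printf '%s' "$1" | base64; }

# Encode the way "echo VALUE | base64" does: echo appends a newline.
b64_echo() { echo "$1" | base64; }

# Recover the plaintext; anyone who can read the Secret object can do this.
b64_plain() { printf '%s' "$1" | base64 -d; }

# Decoded size in bytes, the number "kubectl describe" reports per key.
decoded_len() { b64_plain "$1" | wc -c | tr -d ' '; }

# True if the decoded value ends in a newline, which the consuming
# application will see as part of the password (ASCII values assumed).
has_trailing_newline() {
    plain=$(b64_plain "$1")        # $(...) strips trailing newlines
    [ "$(decoded_len "$1")" -gt "${#plain}" ]
}

# Render a manifest whose values carry no stray newline.
render_secret() {                  # args: name class password
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
data:
  class: $(b64_exact "$2")
  password: $(b64_exact "$3")
EOF
}

for v in "$(b64_exact www.com)" "$(b64_echo www.com)"; do
    if has_trailing_newline "$v"; then note="trailing newline"; else note="clean"; fi
    echo "$v -> $(decoded_len "$v") bytes ($note)"
done
render_secret lbssecret4 lbs www.com
```

Using printf '%s' (or echo -n where the shell supports it) when preparing values for the YAML method keeps the stored password identical to the one created with --from-literal.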
Create 2 Pods: one mounts lbssecret2 as a Volume, the other uses lbssecret4 through environment variables.
1) Mount as a Volume, using lbssecret2:

    vim pod1.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: lbspod1
    spec:
      containers:
      - name: lbspod
        image: busybox
        args:
        - /bin/sh
        - -c
        - sleep 300000
        volumeMounts:
        - name: secret-lbs
          mountPath: "/etc/secret-lbs"   # path inside the Pod's container
          readOnly: true
      volumes:
      - name: secret-lbs
        secret:
          secretName: lbssecret2
Apply the YAML file and check the Pod status:

    [root@master lbhsecret] # kubectl apply -f pod1.yaml

View:

    kubectl get pod
    NAME      READY   STATUS    RESTARTS   AGE
    lbspod1   1/1     Running   0          26s
Enter the Pod and go to the mount path. Use cat to read the class and password files (for example, cat class) to check that the data was mounted successfully. (You will find that the values have been decoded automatically.)
2) As environment variables, using lbssecret4:

    vim pod2.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: lbspod2
    spec:
      containers:
      - name: lbspod
        image: busybox
        args:
        - /bin/sh
        - -c
        - sleep 300000
        env:
        - name: SECRET_CLASS        # variable name inside the container
          valueFrom:
            secretKeyRef:           # extracts the value of the environment variable
              name: lbssecret4      # references the Secret resource lbssecret4
              key: class            # use the value of the class key in lbssecret4
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: lbssecret2
              key: password
Apply the YAML file and check the Pod status:

    [root@master lbhsecret] # kubectl apply -f pod2.yaml

View:

    kubectl get pod
    NAME      READY   STATUS    RESTARTS   AGE
    lbspod1   1/1     Running   0          10m
    lbspod2   1/1     Running   0          39s
Enter the Pod to view the data. Use echo with the variable names defined for the container.
For example: echo $SECRET_CLASS, to see the saved name and password.