2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/03 Report
I. Secret
Secret: used to store sensitive information, such as a database user name, password or secret key.
Overview
Secret is a K8s resource used to store small pieces of sensitive data, such as passwords, tokens, or keys. This kind of data could also be placed directly in a Pod spec or in a container image, but keeping it in a Secret makes it easier to control how the data is used and reduces the risk of exposure.
Users can create their own Secrets, and the system also creates some Secrets of its own.
A Pod must reference a Secret before it can use it. There are two ways to use a Secret: it is mounted as files in a volume by one or more containers, or it is used by the kubelet when pulling the image.
Built-in Secrets
The API credential Secret created for each ServiceAccount
A Secret automatically generated by K8s for access to the apiserver; by default every Pod uses this Secret to communicate with the apiserver
1. Secret types
There are three types of Secret:
* Opaque: stores information base64-encoded; the original data can be recovered with base64 decoding, so the protection is weak.
* kubernetes.io/dockerconfigjson: used to store authentication information for a docker registry.
* kubernetes.io/service-account-token: used to be referenced by a ServiceAccount. When a ServiceAccount is created, Kubernetes creates the corresponding Secret by default. If the ServiceAccount is used in a Pod, the corresponding Secret is automatically mounted at /run/secrets/kubernetes.io/serviceaccount in the Pod.

Example: save the user name and password of the database
User name: root
Password: 123.com
1. Using --from-literal (text):

    [root@master secret]# kubectl create secret generic mysecret1 --from-literal=username=root --from-literal=password=123.com

"generic" creates an Opaque Secret, i.e. arbitrary user-defined key/value data.

Check:

    [root@master secret]# kubectl get secrets

The TYPE column shows Opaque.
2. Using --from-file (file): create two new files and write the user name and password into them

    [root@master secret]# echo root > username
    [root@master secret]# echo 123.com > password

Create the secret:

    [root@master secret]# kubectl create secret generic mysecret2 --from-file=username --from-file=password

View:

    [root@master secret]# kubectl get secrets

3. Using --from-env-file: create a file containing the user name and password

    [root@master secret]# vim env.txt
    username=root
    password=123.com

Create the secret:

    [root@master secret]# kubectl create secret generic mysecret3 --from-env-file=env.txt

Check:

    [root@master secret]# kubectl get secrets
4. Through a yaml configuration file.

(1) Encode the data to be saved with base64:

    [root@master secret]# echo root | base64
    cm9vdAo=
    [root@master secret]# echo 123.com | base64
    MTIzLmNvbQo=

Decode:

    [root@master secret]# echo -n cm9vdAo= | base64 --decode
    root
    [root@master secret]# echo -n MTIzLmNvbQo= | base64 --decode
    123.com

(2) Write the yaml file for mysecret4:

    [root@master secret]# vim secret4.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret4
    data:
      username: cm9vdAo=
      password: MTIzLmNvbQo=

Execute:

    [root@master secret]# kubectl apply -f secret4.yaml

(3) Check:

    [root@master secret]# kubectl get secrets
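Two things are easy to get wrong when writing the data field by hand. First, `echo root | base64` encodes the newline that echo appends, which is why the values above end in `o=`; the decoded password is then "123.com\n", and an application that uses it verbatim may fail to authenticate. Second, base64 is an encoding, not encryption: anyone who can read the manifest or run `kubectl get secret -o yaml` can recover the values without any key. The following script is an added example, not code from the original post; it builds an Opaque Secret manifest with values encoded without the stray newline, and decodes values back so the encoding-not-encryption point can be checked directly. The function names and the sample values are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build an Opaque Secret manifest
# with correctly base64-encoded values, and decode values back to plain text.
# Sample values are the post's constructed username "root" and password "123.com".

# Encode a value WITHOUT a trailing newline. printf '%s' emits exactly the
# bytes given; `echo value | base64` would encode "value\n" instead.
encode_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a stored value. No key is involved: base64 is encoding, not encryption.
decode_value() {
    printf '%s' "$1" | base64 -d
}

# Number of bytes a stored value decodes to; a count one larger than the
# plaintext length is the usual sign of an unintended trailing newline.
decoded_size() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Print a Secret manifest for the given name and key=value pairs.
# Usage: secret_manifest <name> key=value [key=value ...]
secret_manifest() {
    name=$1
    shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for pair in "$@"; do
        key=${pair%%=*}
        value=${pair#*=}
        printf '  %s: %s\n' "$key" "$(encode_value "$value")"
    done
}

# Demonstration: the manifest, then proof that the post's "cm9vdAo=" carries
# an extra byte compared with the newline-free encoding of "root".
secret_manifest mysecret4 username=root password=123.com
printf 'cm9vdAo= decodes to %s bytes, cm9vdA== decodes to %s bytes\n' \
    "$(decoded_size cm9vdAo=)" "$(decoded_size cm9vdA==)"
```

Apply the generated manifest with `kubectl apply -f` exactly as the post does for secret4.yaml; the only difference from the post's data field is that the values decode to "root" and "123.com" with no trailing newline.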
How to use Secret resources

1. Using a Secret as a Volume mount
A Secret can be mounted as a data volume or exposed to the containers in a Pod as environment variables, and it can also be used by other resources in the system. For example, you can use a Secret to import the certificate files needed to interact with an external system.
Using secret as a file in Pod
Steps:
1. Create a Secret; multiple Pods can reference the same Secret.
2. Modify the Pod definition: add a volume under spec.volumes[] and give it a name. spec.volumes[].secret.secretName records the name of the Secret to reference.
3. Add a spec.containers[].volumeMounts[] entry to each container that needs the Secret, set spec.containers[].volumeMounts[].readOnly = true, and point spec.containers[].volumeMounts[].mountPath at an unused path in the container.
4. Modify the image or the command so that the program looks for files under the path chosen in the previous step. Each key in the Secret's data field becomes a file name under that path.

Yaml file:

    [root@master secret]# vim pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
    spec:
      containers:
      - name: mypod
        image: busybox
        args:
        - /bin/sh
        - -c
        - sleep 300000
        volumeMounts:
        - name: secret-test
          mountPath: "/etc/secret-test"   # path inside the pod
          readOnly: true                  # whether the mount is read-only
      volumes:
      - name: secret-test
        secret:
          secretName: mysecret1

Each referenced Secret must be declared in spec.volumes.
If several containers in the Pod reference this Secret, each container definition needs its own volumeMounts, but spec.volumes only has to be declared once in the Pod definition.
Map secret key to the specified path
You can control the path at which each Secret key is mapped into the container by using spec.volumes[].secret.items to set the specific path for each key.

Execute:

    [root@master secret]# kubectl apply -f pod.yaml

Secret file permissions
You can specify the permissions of the Secret files, similar to Linux file permissions. If you do not specify one, the default permission is 0644, equivalent to -rw-r--r-- on a Linux file.
Enter the container to view the saved data:

    [root@master secret]# kubectl exec -it mypod /bin/sh
    / # cd /etc/secret-test/
    /etc/secret-test # ls
    password  username
    /etc/secret-test # cat username
    root
    /etc/secret-test # cat password
    123.com

Test whether the mount really is read-only:

    /etc/secret-test # echo admin > username
    /bin/sh: can't create username: Read-only file system

1.1 Custom file names for the stored data

Yaml file:

    [root@master yaml]# vim pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
    spec:
      containers:
      - name: mypod
        image: busybox
        args:
        - /bin/sh
        - -c
        - sleep 300000
        volumeMounts:
        - name: secret-test
          mountPath: "/etc/secret-test"   # path inside the pod
          readOnly: true                  # whether the mount is read-only
      volumes:
      - name: secret-test
        secret:
          secretName: mysecret1
          items:
          - key: username
            path: my-group/my-username    # custom path inside the container
          - key: password
            path: my-group/my-password    # custom path inside the container

Execute:

    [root@master yaml]# kubectl apply -f pod.yaml

Check: enter the container and view the files

    [root@master secret]# kubectl exec -it mypod /bin/sh
    / # cat /etc/secret-test/my-group/my-password
    123.com
    / # cat /etc/secret-test/my-group/my-username
    root

1.2 If the data saved in the Secret resource is now updated, will the data be updated in the applications that use it?
Yes, it is updated in real time (here the data is referenced through a volume mount).
Update the mysecret1 data: password -> admin (YWRtaW4K in base64)
You can modify it directly through the edit command.
    [root@master secret]# kubectl edit secrets mysecret1

Check: enter the container and view the files

    [root@master secret]# kubectl exec -it mypod /bin/sh
    / # cat /etc/secret-test/my-group/my-password
    admin
    / # cat /etc/secret-test/my-group/my-username
    root
The data has been successfully updated.
2. In the form of environment variables
Steps:
1. Create a Secret; multiple Pods can reference the same Secret.
2. Modify the Pod definition: define environment variables and use env[].valueFrom.secretKeyRef to specify the Secret and the corresponding key.
3. Modify the image or command line so that the program reads those environment variables.

Write the Pod's yaml file:
    [root@master secret]# vim pod-env.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod2
    spec:
      containers:
      - name: mypod
        image: busybox
        args:
        - /bin/sh
        - -c
        - sleep 300000
        env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret2
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret2
              key: password

Execute:

    [root@master secret]# kubectl apply -f pod-env.yaml

Check:

    [root@master secret]# kubectl get pod

Enter the container to view the saved data:

    [root@master secret]# kubectl exec -it mypod2 /bin/sh
    / # echo $SECRET_USERNAME
    root
    / # echo $SECRET_PASSWORD
    123.com

2.1 Update the contents of the Secret

    [root@master yaml]# kubectl edit secrets mysecret2    // modify the saved contents

Check:

    [root@master secret]# kubectl exec -it mypod2 /bin/sh
    / # echo $SECRET_USERNAME
    root
    / # echo $SECRET_PASSWORD
    123.com
After waiting for a certain amount of time, we can see that the data has not changed.
Summary
If an application that references Secret data must pick up changes to the Secret object in real time, reference the Secret through a volume mount, because an environment-variable reference does not update the data in real time.
II. ConfigMap
The Secret described above provides storage of confidential data for Pods; for data that is not confidential or sensitive, such as the configuration information of an application, you can use a ConfigMap.
A ConfigMap is created and used in a very similar way to a Secret, except that the data is stored in clear text (although in my view the "ciphertext" form of Secret is not ciphertext at all; it can only be regarded as simple encoding).
In short, it is similar to a Secret, except that a Secret stores sensitive information while a ConfigMap stores plain-text data.
Username:adam
Age:18
There are four ways to create a ConfigMap:

1. Using --from-literal (text):

    [root@master yaml]# kubectl create configmap myconfigmap1 --from-literal=username=adam --from-literal=age=18

Check:

    [root@master yaml]# kubectl get cm
    [root@master yaml]# kubectl describe cm

2. Using --from-file (file):

    [root@master yaml]# echo adam > username
    [root@master yaml]# echo 18 > age

Create:

    [root@master yaml]# kubectl create configmap myconfigmap2 --from-file=username --from-file=age

View:

    [root@master yaml]# kubectl describe cm

3. Using --from-env-file:

    [root@master yaml]# vim env.txt
    username=adam
    age=18

Create:

    [root@master yaml]# kubectl create configmap myconfigmap3 --from-env-file=env.txt

Check:

    [root@master configmap]# kubectl describe cm

4. Through a yaml configuration file:

    [root@master yaml]# vim configmap.yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: myconfigmap4
    data:
      username: 'adam'
      age: '18'

Create:

    [root@master yaml]# kubectl apply -f configmap.yaml

View:

    [root@master yaml]# kubectl describe cm
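The env-file form (method 3) and the yaml form (method 4) are two views of the same data, and the yaml above quotes `'18'` for a reason: ConfigMap data values must be strings, and an unquoted `age: 18` is parsed as an integer and rejected by the API server. The script below is an added example, not code from the original post or from kubectl; it converts a key=value env file into a ConfigMap manifest, skipping blank lines and `#` comment lines (the same line-handling `--from-env-file` applies) and quoting every value as a YAML string. The function names and the sample env file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): turn a key=value env file into a
# ConfigMap manifest, mirroring `kubectl create configmap --from-env-file`.
# Blank lines and lines starting with '#' are skipped. Every value is emitted
# as a single-quoted YAML string so that numeric-looking values such as 18
# stay strings, which is what ConfigMap data requires.

# Usage: configmap_manifest <name> <env-file>
configmap_manifest() {
    name=$1
    file=$2
    printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\ndata:\n' "$name"
    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        key=${line%%=*}            # text before the first '='
        value=${line#*=}           # text after the first '=' (may itself contain '=')
        # YAML single-quoted strings escape a quote by doubling it.
        value=$(printf '%s' "$value" | sed "s/'/''/g")
        printf "  %s: '%s'\n" "$key" "$value"
    done < "$file"
}

# Write a constructed sample env file (the post's username/age values, plus a
# comment and a blank line to exercise the skipping logic) to the given path.
make_sample_env() {
    cat > "$1" <<'EOF'
# application settings
username=adam

age=18
EOF
}

tmp=$(mktemp)
make_sample_env "$tmp"
configmap_manifest myconfigmap3 "$tmp"
rm -f "$tmp"
```

Feed the output to `kubectl apply -f -` to create the same object that method 3 creates with `--from-env-file=env.txt`; the generated data section is identical to the hand-written one in method 4.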
How to use ConfigMap resources

1. Mount it with a Volume

    [root@master yaml]# vim v-pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod1
    spec:
      containers:
      - name: mypod
        image: busybox
        args:
        - /bin/sh
        - -c
        - sleep 300000
        volumeMounts:
        - name: cmp-test
          mountPath: "/etc/cmp-test"
          readOnly: true
      volumes:
      - name: cmp-test
        configMap:
          name: myconfigmap1

    [root@master configmap]# kubectl apply -f v-pod.yaml

Check: enter the container and view the files

    [root@master configmap]# kubectl exec -it pod1 /bin/sh
    / # cat /etc/cmp-test/age
    18
    / # cat /etc/cmp-test/username
    adam

1.1 Customize the names of the files in which the data is stored

Yaml file:

    [root@master configmap]# vim v-pod2.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod3
    spec:
      containers:
      - name: mypod
        image: busybox
        args:
        - /bin/sh
        - -c
        - sleep 300000
        volumeMounts:
        - name: cmp-test
          mountPath: "/etc/cmp-test"
          readOnly: true
      volumes:
      - name: cmp-test
        configMap:
          name: myconfigmap1
          items:
          - key: username
            path: my-group/my-username    # custom path inside the container
          - key: age
            path: my-group/my-age         # custom path inside the container

Execute:

    [root@master configmap]# kubectl apply -f v-pod2.yaml

Check: enter the container

    [root@master configmap]# kubectl exec -it pod3 /bin/sh
    / # cat /etc/cmp-test/my-group/my-username
    adam
    / # cat /etc/cmp-test/my-group/my-age
    18

1.2 If the data saved in the ConfigMap resource is now updated, will the data be updated in the application that uses it?

    [root@master configmap]# kubectl edit cm myconfigmap1

Check: enter the container and view the files

    [root@master configmap]# kubectl exec -it pod3 /bin/sh
    / # cat /etc/cmp-test/my-group/my-username
    adam
    / # cat /etc/cmp-test/my-group/my-age
    10
You can see that the update is successful
2. In the form of environment variables

    [root@master configmap]# vim e-pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod2
    spec:
      containers:
      - name: mypod
        image: busybox
        args:
        - /bin/sh
        - -c
        - sleep 300000
        env:
        - name: CONFIGMAP_NAME
          valueFrom:
            configMapKeyRef:
              name: myconfigmap2
              key: username
        - name: CONFIGMAP_AGE
          valueFrom:
            configMapKeyRef:
              name: myconfigmap2
              key: age

Execute:

    [root@master configmap]# kubectl apply -f e-pod.yaml

Check: enter the container

    [root@master configmap]# kubectl exec -it pod2 /bin/sh
    / # echo $CONFIGMAP_NAME
    adam
    / # echo $CONFIGMAP_AGE
    18

2.1 Update the contents of the ConfigMap

    [root@master configmap]# kubectl edit cm myconfigmap2    // modify the saved contents

Check: enter the container

    [root@master configmap]# kubectl exec -it pod2 /bin/sh
    / # echo $CONFIGMAP_NAME
    adam
    / # echo $CONFIGMAP_AGE
    18
After waiting for a certain amount of time, we can see that the data has not changed.
The update behaviour of a ConfigMap is therefore essentially the same as that of a Secret.

Comparison between Secret and ConfigMap
Similarities:
The form of key/value
Belong to a specific namespace
Can be exported to environment variables
Can be mounted in the form of directory / file
Configuration information mounted through volume can be hot updated.
Differences:
A Secret can be associated with a ServiceAccount
A Secret can store the authentication information of a docker registry, referenced through the imagePullSecrets field to pull images from a private repository
Secret values are stored Base64-encoded
Secrets are divided into three types: kubernetes.io/service-account-token, kubernetes.io/dockerconfigjson and Opaque, while a ConfigMap has no types
Similarities and differences between referencing resources as volume mounts and as environment variables
Volume mount (updates when the data changes): reference the Secret (encoded) or ConfigMap (plain text) that you created and mount it at the directory specified in the container. To view the saved data, read the files that the Secret or ConfigMap creates under the path you specified.
Environment variable (does not update when the data changes): reference the Secret (encoded) or ConfigMap (plain text) that you created and inject its keys into the container as environment variables. To view the saved data, read those environment variables.