Security Information (secret) and configuration Information (configmap) Management of K8s

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

An application may need sensitive information when it starts, such as the user name, password or key used to access a database. Storing this information directly in the container image is clearly inappropriate; the solution Kubernetes provides is the Secret.

A Secret stores its data in ciphertext, which avoids saving sensitive information directly in the configuration file. Note that the encoding used is base64 (shown below), which is reversible: the kubectl edit and base64 --decode steps later in this article recover the original values, so anyone allowed to read the Secret object can read the data. A Secret is mounted into a Pod as a Volume, and the container reads the sensitive data from files; alternatively, the container can receive the data as environment variables.

A Secret can be created from the command line or from YAML. For example, suppose you want the Secret to contain the following information:

User name: admin
Password: 123456

Create a Secret

There are four ways to create a Secret:

Through --from-literal:

kubectl create secret generic mysecret --from-literal=username=admin --from-literal=password=123456

Each --from-literal corresponds to one data entry.

Through --from-file:

echo -n admin > ./username
echo -n 123456 > ./password
kubectl create secret generic mysecret --from-file=./username --from-file=./password

The content of each file corresponds to one data entry.

Through --from-env-file:

cat << EOF > env.txt
username=admin
password=123456
EOF
kubectl create secret generic mysecret --from-env-file=env.txt

Each Key=Value line in the file env.txt corresponds to one data entry.

Through a YAML configuration file:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  username: YWRtaW4=
  password: MTIzNDU2

The sensitive data in the file must be base64-encoded:

[root@k8s-master ~]# echo -n admin | base64
YWRtaW4=
[root@k8s-master ~]# echo -n 123456 | base64
MTIzNDU2

Run kubectl apply to create the Secret:

# kubectl apply -f mysecrete.yml
secret/mysecret created

View Secret

You can list the existing Secrets with kubectl get secret:

[root@k8s-master ~]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-5l66h   kubernetes.io/service-account-token   3      14d
mysecret              Opaque                                2      20s

Two data entries are shown; kubectl describe secret shows the Key of each entry (only the size of the Value, not the Value itself):

[root@k8s-master ~]# kubectl describe secrets mysecret
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  6 bytes
username:  5 bytes
[root@k8s-master ~]#

If you also want to see the Value, use kubectl edit secret mysecret:

apiVersion: v1
data:
  password: MTIzNDU2
  username: YWRtaW4=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"password":"MTIzNDU2","username":"YWRtaW4="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"}}
  creationTimestamp: "2019-10-14T08:26:43Z"
  name: mysecret
  namespace: default
  resourceVersion: "13845"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: a713292c-6fea-4065-b5ae-239f8fe9a76f
type: Opaque

Then decode the Value with base64 (the decoded output has no trailing newline, so the next prompt follows it directly):

[root@k8s-master ~]# echo -n MTIzNDU2 | base64 --decode
123456[root@k8s-master ~]# echo -n YWRtaW4= | base64 --decode
admin[root@k8s-master ~]#
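As an added example (not part of the original article), the following Python reproduces the manual steps above: it builds the mysecret manifest by base64-encoding each value, reports the per-key byte counts that kubectl describe shows, and decodes the manifest back, which is exactly the kubectl edit plus base64 --decode round trip. It also shows why the article uses echo -n. The function names and the SAMPLE_DATA dict are my own.

```python
import base64

# Constructed sample values: the username/password pair used in this article.
SAMPLE_DATA = {"username": "admin", "password": "123456"}


def build_secret_manifest(name, data, namespace="default"):
    """Build the Secret manifest the article writes by hand: every value in
    `data` is base64-encoded, because the `data` field of a Secret holds
    base64 text, not the raw string."""
    encoded = {
        key: base64.b64encode(value.encode("utf-8")).decode("ascii")
        for key, value in data.items()
    }
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": encoded,
    }


def decode_secret_manifest(manifest):
    """Reverse what `kubectl edit secret` + `base64 --decode` does: base64 is
    an encoding, not encryption, so every value comes back in clear text."""
    return {
        key: base64.b64decode(value).decode("utf-8")
        for key, value in manifest["data"].items()
    }


def describe_sizes(manifest):
    """Mirror the `kubectl describe secret` view: key and decoded byte count,
    never the value itself."""
    return {key: len(base64.b64decode(value)) for key, value in manifest["data"].items()}


def encode_with_trailing_newline(value):
    """Show why the article uses `echo -n`: plain `echo` appends '\\n', which
    changes the base64 text and leaves a newline inside the mounted file."""
    return base64.b64encode((value + "\n").encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    manifest = build_secret_manifest("mysecret", SAMPLE_DATA)
    print(manifest["data"])            # {'username': 'YWRtaW4=', 'password': 'MTIzNDU2'}
    print(describe_sizes(manifest))    # {'username': 5, 'password': 6}
    print(decode_secret_manifest(manifest))        # original clear-text values
    print(encode_with_trailing_newline("admin"))   # YWRtaW4K, not YWRtaW4=
```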

How to use a Secret in a Pod

Use Secret in Volume mode

A Pod can consume a Secret through a Volume or through environment variables.

The Pod configuration file is as follows:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 30000
    volumeMounts:            # ②
    - name: foo
      mountPath: /etc/foo
      readOnly: true
  volumes:                   # ①
  - name: foo
    secret:
      secretName: mysecret

① defines the volume foo, whose source is the Secret mysecret.

② mounts foo at the container path /etc/foo; readOnly: true makes the mount read-only.

Create the Pod and read the Secret inside the container:

[root@k8s-master ~]# kubectl apply -f mypod.yml
pod/mypod created
[root@k8s-master ~]# kubectl exec -it mypod sh
/ # ls /etc/foo/
password  username
/ # cat /etc/foo/username
admin/ #
/ # cat /etc/foo/password
123456/ # exit

As you can see, Kubernetes creates one file for each data entry under the specified path /etc/foo. The file name is the Key of the entry, here /etc/foo/username and /etc/foo/password, and the Value is stored in the file in clear text.

We can also customize the file name under which each entry is stored, for example by changing the configuration file to:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 30000
    volumeMounts:
    - name: foo
      mountPath: /etc/foo
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username
      - key: password
        path: my-group/my-password

The data will then be stored in /etc/foo/my-group/my-username and /etc/foo/my-group/my-password, respectively.

A Secret consumed as a Volume supports dynamic updates: after the Secret is updated, the data in the container is updated as well.

Update the password to abcdef; its base64 encoding is YWJjZGVm:

[root@k8s-master ~]# cat mysecrete.yml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  username: YWRtaW4=
  password: YWJjZGVm

Update the Secret:

[root@k8s-master ~]# kubectl apply -f mysecrete.yml
secret/mysecret configured

After a short wait, the new password is synchronized into the container:

/etc/foo/..2019_10_14_09_42_09.863448745/my-group # cat my-password
abcdef/etc/foo/..2019_10_14_09_42_09.863448745/my-group #

Using Secret as an environment variable

Using Secret with Volume, the container must read data from a file, which can be a bit of a hassle, and Kubernetes also supports the use of Secret through environment variables.

An example Pod configuration file is as follows:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 30000
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password

Create the Pod and read the Secret:

[root@k8s-master ~]# kubectl apply -f mysql-env.yml
pod/mypod created
[root@k8s-master ~]# kubectl exec -it mypod sh
/ # echo $SECRET_USERNAME
admin
/ # echo $SECRET_PASSWORD
123456
/ #

The Secret data is read successfully through the environment variables SECRET_USERNAME and SECRET_PASSWORD.

Note that reading a Secret through environment variables is convenient, but it does not support dynamic updates: the values are fixed when the container starts.


Manage configuration with ConfigMap

A Secret provides a Pod with sensitive data such as passwords, tokens and private keys; a ConfigMap is used for non-sensitive data such as application configuration.

A ConfigMap is created and used in almost the same way as a Secret, except that its data is stored in clear text.

Like Secret, ConfigMap supports four creation methods:

Through --from-literal:

kubectl create configmap myconfigmap --from-literal=config1=xxx --from-literal=config2=yyy

Each --from-literal corresponds to one data entry.

Through --from-file:

echo -n xxx > ./config1
echo -n yyy > ./config2
kubectl create configmap myconfigmap --from-file=./config1 --from-file=./config2

The content of each file corresponds to one data entry.

Through --from-env-file:

cat << EOF > env.txt
config1=xxx
config2=yyy
EOF
kubectl create configmap myconfigmap --from-env-file=env.txt

Each Key=Value line in the file env.txt corresponds to one data entry.

Through a YAML configuration file:

apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfigmap1
data:
  config1: xxx
  config2: yyy

The data in the file is written directly in clear text.

As with Secret, a Pod can consume a ConfigMap through a Volume or through environment variables.

Volume mode:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 30000
    volumeMounts:
    - name: foo
      mountPath: /etc/foo
      readOnly: true
  volumes:
  - name: foo
    configMap:
      name: myconfigmap

Environment variable mode:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 30000
    env:
    - name: CONFIG_1
      valueFrom:
        configMapKeyRef:
          name: myconfigmap
          key: config1
    - name: CONFIG_2
      valueFrom:
        configMapKeyRef:
          name: myconfigmap
          key: config2

In most cases configuration is supplied as a file, so a ConfigMap is usually created with --from-file or from YAML, and usually consumed in Volume mode.
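As an added example (not from the original article), this Python walks a Pod manifest and classifies every Secret and ConfigMap reference as "volume" (refreshed by the kubelet after the object changes) or "env" (fixed at container start), which is the distinction this article makes for both Secret and ConfigMap. It assumes the manifest is available as a Python dict, as yaml.safe_load would return it; SAMPLE_POD, which combines the env-variable and Volume examples above, and the function names are my own.

```python
# Constructed Pod spec: the article's env-variable example plus a ConfigMap volume.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mypod"},
    "spec": {
        "containers": [{
            "name": "mypod",
            "image": "busybox",
            "env": [
                {"name": "SECRET_USERNAME", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
                {"name": "SECRET_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
                {"name": "CONFIG_1", "valueFrom": {"configMapKeyRef": {"name": "myconfigmap", "key": "config1"}}},
            ],
            "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo", "readOnly": True}],
        }],
        "volumes": [{"name": "foo", "configMap": {"name": "myconfigmap"}}],
    },
}


def find_references(pod):
    """Return (kind, object name, mode) for every Secret or ConfigMap the Pod
    consumes. mode is 'volume' (files are refreshed after the object changes)
    or 'env' (value fixed at container start; a restart is needed to change it)."""
    refs = []
    spec = pod.get("spec", {})
    for volume in spec.get("volumes", []):
        if "secret" in volume:
            refs.append(("Secret", volume["secret"]["secretName"], "volume"))
        if "configMap" in volume:
            refs.append(("ConfigMap", volume["configMap"]["name"], "volume"))
    for container in spec.get("containers", []):
        for env in container.get("env", []):
            source = env.get("valueFrom", {})
            if "secretKeyRef" in source:
                refs.append(("Secret", source["secretKeyRef"]["name"], "env"))
            if "configMapKeyRef" in source:
                refs.append(("ConfigMap", source["configMapKeyRef"]["name"], "env"))
    return refs


def objects_needing_restart(pod):
    """Names of Secrets/ConfigMaps consumed only through env vars, i.e. whose
    updates will never reach the running container without a restart."""
    by_mode = {}
    for kind, name, mode in find_references(pod):
        by_mode.setdefault((kind, name), set()).add(mode)
    return sorted(f"{kind}/{name}" for (kind, name), modes in by_mode.items() if modes == {"env"})
```

Running objects_needing_restart(SAMPLE_POD) returns ["Secret/mysecret"]: myconfigmap is also mounted as a Volume, so at least its files will follow updates, while mysecret is only visible as environment variables.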

For example, to pass logging configuration to a Pod:

class: logging.handlers.RotatingFileHandler
formatter: precise
level: INFO
filename: %hostname-%timestamp.log

If you use --from-file, save it in the file logging.conf and run:

# kubectl create configmap myconfigmap2 --from-file=./logging.conf

kubectl create configmap myconfigmap --from-file=./logging.conf

If you use a YAML configuration file, its content is:

apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfigmap3
data:
  logging.conf: |
    class: logging.handlers.RotatingFileHandler
    formatter: precise
    level: INFO
    filename: %hostname-%timestamp.log

Be careful not to leave out the | symbol after the Key logging.conf.

Create and view the ConfigMap:

[root@k8s-master ~]# kubectl apply -f myconfigmap2.yml
configmap/myconfigmap3 created
[root@k8s-master ~]# kubectl get configmaps myconfigmap3
NAME           DATA   AGE
myconfigmap3   1      2m39s
[root@k8s-master ~]# kubectl describe configmaps myconfigmap3
Name:         myconfigmap3
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"v1","data":{"logging.conf":"class: logging.handlers.RotatingFileHandler\nformatter: precise\nlevel: INFO\nfilename: %hostna...

Data
====
logging.conf:
----
class: logging.handlers.RotatingFileHandler
formatter: precise
level: INFO
filename: %hostname-%timestamp.log

Events:  <none>
[root@k8s-master ~]#

To use this ConfigMap in a Pod, the configuration file is:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-configmap
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx-configmap
    spec:
      containers:
      - name: nginx-configmap
        image: nginx
        ports:
        - containerPort: 80
        volumeMounts:
        - name: config-volume4
          mountPath: /tmp/config4
      volumes:
      - name: config-volume4
        configMap:
          name: myconfigmap

① specifies in the volume that the relative path of the file holding the configuration is myapp/logging.conf.

② mounts the volume at the container's /etc directory.

Create the Pod and read the configuration:

The configuration has been saved to the file /etc/myapp/logging.conf. Like Secret, a ConfigMap consumed as a Volume also supports dynamic updates; this is left for you to try.

Summary

To pass configuration information to a Pod: if the information needs to be encrypted, use a Secret; if it is ordinary configuration, use a ConfigMap.

Secret and ConfigMap each support four definition methods. A Pod can consume them in either Volume mode or environment variable mode, but only Volume mode supports dynamic updates.
