
How to use Secrets and private registry authentication in Kubernetes

2025-04-09 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article shows how to use Secrets and private registry authentication in Kubernetes. The content is fairly detailed; interested readers can refer to it, and I hope it is helpful.

Security is also critical for a company: once there is a security incident the company may be finished, so password management has long been a recurring topic. Kubernetes provides the Secret object for this. A Secret is ultimately mapped into environment variables, files and other forms, which makes unified management and rotation convenient. Developers do not need to know the passwords at all, which reduces the number of people who ever see them and improves security.

Kubernetes official document: https://kubernetes.io/docs/reference/

Official Git address of Kubernetes: https://github.com/kubernetes/kubernetes

PS: Kubernetes v1.8 and Rancher v1.6.14 are used in this series.

1. Initialize Secret

First, we need to create a Secret. When writing the YAML file, each value must be the base64 encoding of the plain text.

$ echo -n "admin" | base64
YWRtaW4=
$ echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm
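As an added example (not part of the article), the following Python script does the same base64 step programmatically, builds the Secret manifest as a dict, decodes it back, and flags the usual mistake of encoding with plain `echo` instead of `echo -n`, which silently leaves a trailing newline in the password. The credential values are the page's own; nothing else is assumed.

```python
import base64
import json

# Constructed sample credentials: the same values the page feeds to `echo -n ... | base64`.
PLAIN_VALUES = {"username": "admin", "password": "1f2d1e2e67df"}


def encode_secret_value(value: str) -> str:
    """Base64-encode a value exactly as `echo -n VALUE | base64` does (no trailing newline)."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def build_opaque_secret(name: str, values: dict) -> dict:
    """Return an Opaque Secret manifest (as a dict) with every data value base64-encoded."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {key: encode_secret_value(val) for key, val in values.items()},
    }


def decode_secret_data(secret: dict) -> dict:
    """Decode a Secret's data block back to plain strings (what the kubelet injects into
    env vars or files). validate=True rejects values that are not clean base64."""
    return {
        key: base64.b64decode(val, validate=True).decode("utf-8")
        for key, val in secret.get("data", {}).items()
    }


def values_with_trailing_newline(secret: dict) -> list:
    """Keys whose decoded value ends in '\\n': the symptom of `echo` without -n.
    Such a password fails authentication even though the manifest looks fine."""
    return [key for key, val in decode_secret_data(secret).items() if val.endswith("\n")]


if __name__ == "__main__":
    secret = build_opaque_secret("mysecret", PLAIN_VALUES)
    print(json.dumps(secret, indent=2))
    # Simulate the mistake: `echo "admin" | base64` appends a newline before encoding.
    sloppy = build_opaque_secret("mysecret", {"username": "admin\n"})
    print("keys with trailing newline:", values_with_trailing_newline(sloppy))
```

Running the script prints the same `YWRtaW4=` / `MWYyZDFlMmU2N2Rm` values as the shell commands above, and reports `username` for the sloppy manifest, whose encoded value is `YWRtaW4K` rather than `YWRtaW4=`.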

As usual, we create the Secret from a YAML file. You can see from kubectl get secret that it has taken effect.

> vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

> kubectl create -f ./secret.yaml
secret "mysecret" created

> kubectl get secret
NAME                  TYPE                                  DATA      AGE
default-token-lnftf   kubernetes.io/service-account-token   3         1d
mysecret              Opaque                                2         9s

2. Environment variable

The first scenario for using a Secret is as container environment variables. Most containers can take passwords from environment variables: your program only needs to read the variable and use its value to connect to the corresponding service. Let's start a Pod and configure it with the values above as the username and password.

> vim secret-env.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
  restartPolicy: Never

> kubectl create -f secret-env.yaml

3. File (TLS Certificate)

In addition to environment variables, many places use files to hold key material. The most common case is the TLS certificate for HTTPS: a program that loads a certificate (Nginx, for example, cannot take a certificate from an environment variable) needs a fixed file path to read it from. Let's mount the username and password into a directory as files.

> vim secret-file.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-file-pod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

> kubectl create -f secret-file.yaml

If you need to place individual keys of the same Secret at specific paths, use the items field:

apiVersion: v1
kind: Pod
metadata:
  name: secret-file-pod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username

The username is stored in the file /etc/foo/my-group/my-username instead of /etc/foo/username.

The password is not mounted to disk at all, because it is not listed under items.

Because the Secret is mapped into files, their permissions can also be controlled:

volumes:
- name: foo
  secret:
    secretName: mysecret
    defaultMode: 256

The Secret is then mounted at /etc/foo, and every file created by the secret volume mount has permission 0400.

PS: the JSON specification does not support octal notation, so the decimal value 256 is used for 0400 permissions. If you write the Pod in YAML instead of JSON, you can use octal notation directly, which reads more naturally.

You can also combine this with items (as in the example above) and give different files different permissions:

volumes:
- name: foo
  secret:
    secretName: mysecret
    items:
    - key: username
      path: my-group/my-username
      mode: 511

In this case the resulting file /etc/foo/my-group/my-username has permission 0777. Because of the JSON limitation, the mode must be given in decimal.
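As an added example (not from the article), the following Python script works out which files a secret volume projects and with what effective mode, applying the precedence a practitioner needs to keep in mind: an item's own mode wins, then the volume's defaultMode, then the Kubernetes default of 0644 when neither is set. It then flags any projected secret file that is readable by group or others, which is exactly what the page's mode: 511 (0777) example produces. The Pod dict is constructed for this example and combines the page's defaultMode: 256 and mode: 511 snippets; the Secret's key names are passed in because a manifest alone does not say which keys exist.

```python
# Constructed Pod manifest in dict form (what yaml.safe_load would return), combining the
# defaultMode and items/mode snippets from this section.
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "secret-file-pod"},
    "spec": {
        "containers": [{
            "name": "mypod",
            "image": "redis",
            "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo", "readOnly": True}],
        }],
        "volumes": [{
            "name": "foo",
            "secret": {
                "secretName": "mysecret",
                "defaultMode": 256,  # decimal for 0400, as JSON requires
                "items": [
                    {"key": "username", "path": "my-group/my-username", "mode": 511},  # 0777
                    {"key": "password", "path": "password"},  # no mode: inherits defaultMode
                ],
            },
        }],
    },
}

# Kubernetes applies 0644 to secret volume files when defaultMode is omitted.
SECRET_VOLUME_DEFAULT_MODE = 0o644


def mode_to_octal(mode: int) -> str:
    """Render a decimal manifest mode the way chmod/ls show it: 256 -> '0400', 511 -> '0777'."""
    return f"{mode:04o}"


def projected_files(volume: dict, secret_keys: list) -> dict:
    """Map mount-relative file path -> effective mode for one secret volume.
    A per-item mode wins, then the volume's defaultMode, then the Kubernetes default.
    Without items every key of the Secret becomes a file named after the key; with
    items only the listed keys are projected (the page's 'password is not mounted')."""
    spec = volume["secret"]
    default = spec.get("defaultMode", SECRET_VOLUME_DEFAULT_MODE)
    items = spec.get("items")
    if items is None:
        return {key: default for key in secret_keys}
    return {item["path"]: item.get("mode", default) for item in items}


def world_readable_secret_files(pod: dict, secret_keys: dict) -> list:
    """Return [(absolute path, octal mode)] for projected secret files whose mode grants
    any permission to group or others (mode & 0o077 != 0)."""
    mounts = {
        m["name"]: m["mountPath"]
        for c in pod["spec"]["containers"]
        for m in c.get("volumeMounts", [])
    }
    findings = []
    for vol in pod["spec"].get("volumes", []):
        if "secret" not in vol:
            continue
        keys = secret_keys.get(vol["secret"]["secretName"], [])
        base = mounts.get(vol["name"], "<unmounted>")
        for path, mode in projected_files(vol, keys).items():
            if mode & 0o077:
                findings.append((f"{base}/{path}", mode_to_octal(mode)))
    return findings


if __name__ == "__main__":
    keys = {"mysecret": ["username", "password"]}
    for path, mode in projected_files(POD["spec"]["volumes"][0], keys["mysecret"]).items():
        print(f"{path}: {mode_to_octal(mode)}")
    print("group/other-readable:", world_readable_secret_files(POD, keys))
```

For the constructed Pod the script reports my-group/my-username as 0777 and password as 0400, and lists only /etc/foo/my-group/my-username as readable beyond the owner.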

4. Docker private registry authentication

Anyone who has used K8s will have run into this problem: pulling from our own Docker registry requires a username and password, so how do we configure that in K8S? Secret has a docker-registry type, and we can create the username and password used when pulling Docker images from the command line.

kubectl create secret docker-registry regsecret --docker-server=registry-vpc.cn-hangzhou.aliyuncs.com --docker-username=admin --docker-password=123456 --docker-email=xxxx@qq.com

If you use an orchestration file instead, it looks like this:

kind: Secret
apiVersion: v1
metadata:
  name: regsecret
type: kubernetes.io/dockercfg
data:
  ".dockercfg": eyJyZWdpc3RyeS12cGMuY24taGFuZ3pob3UuYWxpeXVuY3MuY29tIjp7InVzZXJuYW1lIjoiYWRtaW4iLCJwYXNzd29yZCI6IjEyMzQ1NiIsImVtYWlsIjoieHh5eEBxcS5jb20iLCJhdXRoIjoiWVdSdGFXNDZNVEl6TkRVMiJ9fQ==
# base64-decoded result: {"registry-vpc.cn-hangzhou.aliyuncs.com": {"username": "admin", "password": "123456", "email": "xxyx@qq.com", "auth": "YWRtaW46MTIzNDU2"}}
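As an added example (not from the article), the following Python script decodes a kubernetes.io/dockercfg Secret back into its registry entries and checks the one thing that is easy to get wrong when such a Secret is edited by hand: Docker's auth field must be the base64 of username:password, because that is what the kubelet actually presents to the registry. It also assembles such a Secret from plain credentials. The Secret dict embeds the page's own base64 value; the script is my own and is not what kubectl itself runs.

```python
import base64
import json

# The Secret shown above, as a dict; the .dockercfg value is the page's own base64 string.
REGSECRET = {
    "kind": "Secret",
    "apiVersion": "v1",
    "metadata": {"name": "regsecret"},
    "type": "kubernetes.io/dockercfg",
    "data": {
        ".dockercfg": "eyJyZWdpc3RyeS12cGMuY24taGFuZ3pob3UuYWxpeXVuY3MuY29tIjp7InVzZXJuYW1lIjoiYWRtaW4iLCJwYXNzd29yZCI6IjEyMzQ1NiIsImVtYWlsIjoieHh5eEBxcS5jb20iLCJhdXRoIjoiWVdSdGFXNDZNVEl6TkRVMiJ9fQ==",
    },
}

REGISTRY = "registry-vpc.cn-hangzhou.aliyuncs.com"


def expected_auth(username: str, password: str) -> str:
    """Docker's `auth` field is base64("username:password"); this, not the plain
    fields, is what is sent to the registry, so the two must agree."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def decode_dockercfg(secret: dict) -> dict:
    """base64 -> JSON -> {registry: {username, password, email, auth}} for a
    kubernetes.io/dockercfg Secret. Rejects other Secret types and malformed base64."""
    if secret.get("type") != "kubernetes.io/dockercfg":
        raise ValueError(f"not a dockercfg secret: {secret.get('type')}")
    raw = base64.b64decode(secret["data"][".dockercfg"], validate=True)
    return json.loads(raw)


def check_auth_fields(cfg: dict) -> dict:
    """For each registry entry, True when `auth` matches base64(username:password).
    A password rotated by hand that leaves the old `auth` behind shows up here as False."""
    return {
        registry: entry.get("auth") == expected_auth(entry["username"], entry["password"])
        for registry, entry in cfg.items()
    }


def build_dockercfg_secret(name: str, server: str, username: str,
                           password: str, email: str) -> dict:
    """Assemble a kubernetes.io/dockercfg Secret from plain credentials (the reverse of
    decode_dockercfg) with a consistent `auth` field."""
    cfg = {server: {"username": username, "password": password, "email": email,
                    "auth": expected_auth(username, password)}}
    payload = base64.b64encode(
        json.dumps(cfg, separators=(",", ":")).encode("utf-8")).decode("ascii")
    return {"kind": "Secret", "apiVersion": "v1", "metadata": {"name": name},
            "type": "kubernetes.io/dockercfg", "data": {".dockercfg": payload}}


if __name__ == "__main__":
    cfg = decode_dockercfg(REGSECRET)
    print(json.dumps(cfg, indent=2))
    print("auth consistent:", check_auth_fields(cfg))
```

Decoding the page's value yields one entry for registry-vpc.cn-hangzhou.aliyuncs.com whose auth field is consistent with admin:123456; if the password in the JSON were changed without recomputing auth, the check returns False for that registry.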

Then we reference this Docker credential in the Pod, and it is used when pulling the specified image.

apiVersion: v1
kind: Pod
metadata:
  name: secret-file-pod
spec:
  containers:
  - name: mypod
    image: redis
  imagePullSecrets:   # credentials used to pull the image
  - name: regsecret

This is the end of how to use Secrets and private registry authentication in Kubernetes. I hope the above content is helpful to you. If you think the article is good, you can share it so that more people see it.
