2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02
ConfigMap and Secret are two special types of storage volumes in Kubernetes. ConfigMap resource objects are mainly used to provide configuration data that customizes program behavior, while sensitive configuration information such as user names, passwords and keys is usually held in Secret resource objects. Both save the configuration information in the object, which is then mounted on the Pod as a storage volume so that the container can read it. This decouples the configuration from the image.
1. Secret Resource Object
1) Overview of Secret
A Secret resource object stores data as key-value pairs, and a Pod accesses the data in a Secret through environment variables or storage volumes. This solves the configuration problem for sensitive data such as passwords, tokens and keys without exposing that data in the image or in the spec field of the Pod. In addition, Secret objects store and print their data as Base64-encoded strings, so users also need to provide data in this encoded form when creating Secret objects. When the data is accessed in the container as an environment variable or a storage volume, it is automatically decoded to plaintext. It is important to note that on the Master node the Secret object is stored in etcd in unencrypted form, so the administration of etcd and the permissions on it need to be strictly controlled.
2) Types of Secret resources
There are four types of Secret:
1) Service Account: used to access the Kubernetes API; created automatically by Kubernetes and automatically mounted in the /run/secrets/kubernetes.io/serviceaccount directory of the Pod.
2) Opaque: a Secret in Base64 format, used to store passwords, keys, information, certificates and so on; its type identifier is generic.
3) kubernetes.io/dockerconfigjson: used to store the authentication information for a private Docker registry; its type identifier is docker-registry.
4) kubernetes.io/tls: used to store the certificates and private key files for SSL communication; its type identifier for imperative creation is tls.
3) How to create a Secret
Suppose the data to be stored is:
Username: root
Password: 123.com
Each of the following methods stores this information.
1) Using --from-literal (text)

Create a Secret resource object named mysecret01 with --from-literal:

    [root@master ~]# kubectl create secret generic mysecret01 --from-literal=username=root --from-literal=password=123.com
    # "generic" is the type identifier that creates an Opaque Secret
    # Note: each --from-literal flag can hold only one key-value pair
    [root@master ~]# kubectl get secrets mysecret01
    NAME         TYPE     DATA   AGE
    mysecret01   Opaque   2      25s
    [root@master ~]# kubectl describe secrets mysecret01    # view the details of the resource
    Name:         mysecret01
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>

    Type:  Opaque    # opaque: the values are not displayed

    Data
    ====
    password:  7 bytes    # only the key names are shown, not the corresponding values
    username:  4 bytes
    [root@master ~]# kubectl get secrets mysecret01 -o yaml    # display the resource as YAML
    apiVersion: v1
    data:
      password: MTIzLmNvbQ==    # the values look scrambled because they are Base64-encoded (an encoding, not encryption)
      username: cm9vdA==
    kind: Secret
    metadata:
      creationTimestamp: "2020-02-14T10:08:21Z"
      name: mysecret01
      namespace: default
      resourceVersion: "2474"
      selfLink: /api/v1/namespaces/default/secrets/mysecret01
      uid: 1aee0635-7bfb-4e8a-a21e-be993e534156
    type: Opaque
    [root@master ~]# echo -n cm9vdA== | base64 -d    # decode the Base64 value
    root
    [root@master ~]# echo -n MTIzLmNvbQ== | base64 -d
    123.com

2) Using --from-file (file)
This method is similar to the first, but a little more troublesome.
    [root@master ~]# echo root > username
    [root@master ~]# echo 123.com > password
    # The key-value pairs must first be written to files, and each file can hold only one value
    [root@master ~]# kubectl create secret generic mysecret02 --from-file=username --from-file=password
    [root@master ~]# rm -rf username password
    # Even after the files are deleted, the values of the keys still exist in the Secret
    [root@master ~]# kubectl get secrets mysecret02
    NAME         TYPE     DATA   AGE
    mysecret02   Opaque   2      58s
    [root@master ~]# kubectl describe secrets mysecret02
    Name:         mysecret02
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>

    Type:  Opaque

    Data
    ====
    password:  8 bytes
    username:  5 bytes

3) Using --from-env-file (environment variable)
This method lets you write multiple key-value pairs in the same file and is the recommended one.
    [root@master ~]# tee env.txt
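The describe output above shows 4 and 7 bytes for mysecret01 but 5 and 8 bytes for mysecret02: `echo root > username` appends a newline, and --from-file stores it as part of the value. The following added example (not from the original article) decodes the Base64 values of a Secret's data block and flags that trailing newline. The function names are hypothetical, and the sample input is constructed from the article's username and password.

```bash
#!/usr/bin/env bash
# Added example: audit the Base64 values found under "data:" in a Secret.
# All function names are hypothetical helpers, not part of kubectl.

# What --from-literal=key=VALUE stores: exactly the bytes of VALUE.
encode_literal() { printf '%s' "$1" | base64; }

# What --from-file stores after `echo VALUE > file`: VALUE plus a newline.
encode_echo_file() { echo "$1" | base64; }

# Reads "key: base64value" lines on stdin (leading indentation is ignored)
# and prints "<key> <decoded byte count> <ok|TRAILING-NEWLINE>" per key.
audit_secret_data() {
  while IFS=': ' read -r key b64; do
    [ -n "$key" ] || continue
    # Anyone who can read the Secret can do this: Base64 needs no key.
    bytes=$(printf '%s' "$b64" | base64 -d | wc -c | tr -d ' ')
    # Hex value of the last decoded byte; 0a is a newline.
    last=$(printf '%s' "$b64" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    if [ "$last" = "0a" ]; then flag="TRAILING-NEWLINE"; else flag="ok"; fi
    printf '%s %s %s\n' "$key" "$bytes" "$flag"
  done
}

# Constructed sample input in the shape of the data: block printed by
# `kubectl get secret -o yaml`, built from the article's two values.
audit_secret_data <<EOF
  literal-username: $(encode_literal root)
  literal-password: $(encode_literal 123.com)
  file-username: $(encode_echo_file root)
  file-password: $(encode_echo_file 123.com)
EOF
```

Writing the files with `printf '%s' root > username` instead of `echo` keeps the stored value identical to the --from-literal one.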