
Security information (Secret) and configuration information (ConfigMap) of K8s

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Secret

Secret is also a resource object in K8s. It is mainly used to store small amounts of sensitive information, such as database usernames and passwords, tokens, authentication keys, and so on.

Baking this kind of sensitive information into the container image or the pod spec is inappropriate; putting it in a Secret object gives better control over how it is used and reduces the risk of accidental exposure.

A Secret can expose this data to a pod as a volume or as environment variables.

There are three types of Secret:

(1) Service Account: used to access the Kubernetes API; created automatically by K8s and mounted automatically into the pod at /run/secrets/kubernetes.io/serviceaccount.

(2) Opaque: base64-encoded Secret, used to store passwords, keys, etc.

(3) kubernetes.io/dockerconfigjson: used to store authentication information for a private Docker registry.

A Secret can be created from the command line or from a YAML file. Assume that the information we need to store in the Secret object is:

1, user name: root

2, password: 123456

1, create a Secret

There are four ways to create a Secret:

1.1 Through --from-literal (created from literal text)

[root@master ~]# kubectl create secret generic mysecret --from-literal=username=root --from-literal=password=123456
secret/mysecret created

// View the created secret:

// View the details of the secret:

Features: each --from-literal corresponds to exactly one entry, which becomes cumbersome with many entries.

1.2 Through --from-file (created from a file)

[root@master ~]# echo root > username
[root@master ~]# echo 123456 > password
[root@master ~]# kubectl create secret generic newsecret --from-file=username --from-file=password
secret/newsecret created

// View the created secret:

[root@master ~]# kubectl get secrets | grep newsecret
newsecret   Opaque   2   64s

Features: each file also corresponds to one entry, and a single file can hold only one value. To preserve confidentiality, delete the local files after import.

1.3 Through --from-env-file (created from an env file)

[root@master ~]# cat > env.txt <<EOF
> username=root
> password=123456
> EOF
[root@master ~]# kubectl create secret generic env-secret --from-env-file=env.txt
secret/env-secret created

Features: multiple entries can be saved in one file; each key=value line in env.txt corresponds to one entry.

1.4 Through the YAML configuration file:

# The sensitive data in the file must be base64-encoded.

[root@master ~]# echo root | base64
cm9vdAo=
[root@master ~]# echo 123456 | base64
MTIzNDU2Cg==

# write the yaml file:

apiVersion: v1
kind: Secret
metadata:
  name: secret-app
data:            # this field holds the data; unlike other resource objects there is no spec field
  username: cm9vdAo=
  password: MTIzNDU2Cg==

// create the secret:

[root@master ~]# kubectl apply -f secret.yaml
secret/secret-app created

// decode the base64 data back to plain text:

[root@master ~]# echo -n cm9vdAo= | base64 --decode
root
[root@master ~]# echo -n MTIzNDU2Cg== | base64 --decode
123456

Features: easy to keep as a file and convenient to reuse across hosts.
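The data: values in the manifest above are only base64, not encryption, and because they were produced with plain echo each decodes with a trailing newline. The following added example (written for this article, not part of the original or of Kubernetes) audits a Secret manifest's data: block for exactly that, and shows how to render values without the stray newline. The parser is a minimal one for the flat data: block used here and assumes no PyYAML.

```python
import base64
import binascii

# Constructed copy of the article's secret-app manifest (values from `echo x | base64`).
SECRET_YAML = """\
apiVersion: v1
kind: Secret
metadata:
  name: secret-app
data:
  username: cm9vdAo=
  password: MTIzNDU2Cg==
"""


def parse_data(manifest: str) -> dict:
    """Minimal parser for the flat `data:` block of a Secret/ConfigMap manifest."""
    data, in_data = {}, False
    for line in manifest.splitlines():
        if line.startswith("data:"):
            in_data = True
            continue
        if in_data and line.startswith("  ") and ":" in line:
            key, value = line.strip().split(":", 1)
            data[key] = value.split("#", 1)[0].strip()  # drop inline comments
        elif in_data and not line.startswith(" "):
            in_data = False  # left the data: block
    return data


def audit_secret(manifest: str) -> dict:
    """Decode every data value. Flags values that are not valid base64 and values
    that end in a newline (the mark of `echo value | base64` instead of `echo -n`)."""
    report = {}
    for key, encoded in parse_data(manifest).items():
        try:
            raw = base64.b64decode(encoded, validate=True)
        except binascii.Error:
            report[key] = ("invalid base64", None)
            continue
        status = "trailing newline" if raw.endswith(b"\n") else "ok"
        report[key] = (status, raw.decode("utf-8", errors="replace"))
    return report


def encode_data(values: dict) -> str:
    """Render a clean `data:` block: the exact bytes of each value, no newline added."""
    lines = ["data:"]
    for key, value in values.items():
        lines.append(f"  {key}: {base64.b64encode(value.encode()).decode()}")
    return "\n".join(lines)
```

Run audit_secret on a manifest before applying it; a "trailing newline" entry means the application will receive "root\n" rather than "root", which is a common cause of failed logins.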

2, how to use a Secret

First: use the Secret as a volume

Pod uses secret through volume:

The configuration file for pod is as follows:

apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: secret-pod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 3000
    volumeMounts:
    - name: foo
      mountPath: /etc/foo
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: secret-app

(1) define the volume foo, whose source is the Secret secret-app

(2) foo is mounted into the container at /etc/foo; readOnly: true makes the mount read-only.

// create the pod and read the secret inside the container:

[root@master secret]# kubectl apply -f secret-pod.yaml
pod/secret-pod created
[root@master secret]# kubectl exec -it secret-pod /bin/sh
/ # cd /etc/foo/
/etc/foo # ls
password  username
/etc/foo # cat password
123456
/etc/foo # cat username
root

As you can see, K8s creates one file per data entry under the specified path /etc/foo. The file name is the key of the entry (here /etc/foo/username and /etc/foo/password) and the value is stored in the file in plain text.

(2) We can also customize the file names used to store the data. The complete configuration file is as follows:

apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: secret-pod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 3000
    volumeMounts:
    - name: foo
      mountPath: /etc/foo
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: secret-app
      items:
      - key: username
        path: my-group/my-username
      - key: password
        path: my-group/my-password

The data is then stored in / etc/foo/my-group/my-username and / etc/foo/my-group/my-password, respectively.

// verify the location of the data:

[root@master secret]# kubectl delete -f secret-pod.yaml
pod "secret-pod" deleted
[root@master secret]# kubectl apply -f secret-pod.yaml
pod/secret-pod created
[root@master secret]# kubectl exec -it secret-pod /bin/sh
/ # cd /etc/foo/
/etc/foo # ls
my-group
/etc/foo # cd my-group/
/etc/foo/..2020_02_03_05_37_09.892671465/my-group # cat my-password
123456
/etc/foo/..2020_02_03_05_37_09.892671465/my-group # cat my-username
root

(3) Using a Secret in volume mode supports dynamic updates: after the Secret is updated, the data in the container is updated too.

// We need to update the password to "123456.com"

[root@master secret]# echo 123456.com | base64
MTIzNDU2LmNvbQo=

Modify the secret configuration file:

apiVersion: v1
kind: Secret
metadata:
  name: secret-app
data:
  username: cm9vdAo=
  password: MTIzNDU2LmNvbQo=

// Update the secret:

[root@master secret]# kubectl apply -f secret.yaml
secret/secret-app configured

// verify whether the password was updated successfully:

[root@master secret]# kubectl exec -it secret-pod /bin/sh
/ # cd /etc/foo/my-group/
/etc/foo/..2020_02_03_05_40_42.995350019/my-group # cat my-password
123456.com

Features: if the data in the Secret changes, the data in the resource objects that reference it changes as well; when the Secret is updated, the pod is updated too.

Second: use it in the form of environment variables

When a Secret is used through a volume, the container must read the data from files, which is a bit cumbersome. K8s also supports consuming a Secret through environment variables.

An example of a pod configuration file is as follows:

apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: secret-pod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 3000
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: secret-app
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: secret-app
          key: password

// create the pod and read the secret:

[root@master secret]# kubectl apply -f secret-pod.yaml
pod/secret-pod created
[root@master secret]# kubectl exec -it secret-pod /bin/sh
/ # echo $SECRET_USERNAME
root
/ # echo $SECRET_PASSWORD
123456.com

(2) Verification: next, we modify the value of password in the Secret to see whether the data in the pod changes.

After testing, it turns out that the value in the pod does not change.

Features: reading a Secret through environment variables is very convenient, but it does not support dynamic updates.

ConfigMap

A Secret can provide a pod with sensitive data such as passwords, tokens and private keys. For non-sensitive data, such as application configuration, you can use a ConfigMap. A ConfigMap is very similar to a Secret, except that the data it holds is stored in clear text.

Suppose the information we need to store in the ConfigMap object is:

config1=xxx

config2=yyy

1, create a ConfigMap

There are likewise four methods:

1.1 Create through --from-literal:

[root@master configMap]# kubectl create configmap configmap1 --from-literal=config1=xxx --from-literal=config2=yyy
configmap/configmap1 created

// View the configmap information:

You can see that the saved data is stored in clear text.

Features: each --from-literal corresponds to one entry.

1.2 Create through --from-file:

[root@master configMap]# echo xxx > config1
[root@master configMap]# echo yyy > config2
// create the configmap:
[root@master configMap]# kubectl create configmap configmap2 --from-file=config1 --from-file=config2
configmap/configmap2 created

Features: each file corresponds to one entry, and a single file can hold only one value. For the sake of confidentiality, delete the local files after import.

1.3 Create through --from-env-file:

[root@master configMap]# cat > env.txt <<EOF
> config1=xxx
> config2=yyy
> EOF

// create the configmap:

[root@master configMap]# kubectl create configmap configmap3 --from-env-file=env.txt
configmap/configmap3 created

Features: multiple entries can be saved in one file; each key=value line in env.txt corresponds to one entry.

1.4 Through the YAML configuration file:

The configmap configuration file is as follows:

apiVersion: v1
kind: ConfigMap
metadata:
  name: configmap-app
data:
  config1: xxx   # the data in the file can be entered directly in plain text
  config2: yyy

// create the configmap:

[root@master configMap]# kubectl apply -f configmap.yaml
configmap/configmap-app created

Features: easy to keep as a file and convenient to reuse across hosts.

2, referencing the data

Like a Secret, a ConfigMap can be consumed by a pod through a volume or through environment variables.

One: volume mode

The yaml configuration file is as follows:

apiVersion: v1
kind: Pod
metadata:
  name: configmap-pod
spec:
  containers:
  - name: configmap-pod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 3000
    volumeMounts:
    - name: foo
      mountPath: /etc/foo
  volumes:
  - name: foo
    configMap:
      name: configmap-app

// create the pod and read the data inside it:

[root@master configMap]# kubectl apply -f configmap-pod.yaml
pod/configmap-pod created
[root@master configMap]# kubectl exec -it configmap-pod /bin/sh
/ # cd /etc/foo/
/etc/foo # ls
config1  config2
/etc/test # cat config1
xxx
/etc/test # cat config2
yyy

Second: env environment variable mode

The contents of the yaml configuration file are as follows:

apiVersion: v1
kind: Pod
metadata:
  name: configmap-pod
spec:
  containers:
  - name: configmap-pod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 10; touch /tmp/healthy; sleep 3000
    env:
    - name: CONFIG1
      valueFrom:
        configMapKeyRef:
          name: configmap-app
          key: config1
    - name: CONFIG2
      valueFrom:
        configMapKeyRef:
          name: configmap-app
          key: config2

// create the pod and view the data inside it:

[root@master configMap]# kubectl delete -f configmap-pod.yaml
pod "configmap-pod" deleted
[root@master configMap]# kubectl apply -f configmap-pod.yaml
pod/configmap-pod created
[root@master configMap]# kubectl exec -it configmap-pod /bin/sh
/ # echo $CONFIG1
xxx
/ # echo $CONFIG2
yyy

After testing: the two ways of referencing a ConfigMap behave the same as for a Secret. With a volume mount, if the ConfigMap's data is updated, the data in the referencing resource object is updated as well; with environment variables, dynamic updates are not supported (you can test and verify this yourself).

Note: the above are just examples. In most cases configuration information is provided as a file, so a ConfigMap is generally created in --from-file or YAML mode, and is usually read in volume mode.

Summary:

To pass configuration information to a pod: if the information needs to be kept secret, you can use a Secret; if it is ordinary configuration information, you can use a ConfigMap.

Secret and ConfigMap both support four ways of being defined. A pod can consume them in either volume mode or environment variable mode, but only volume mode supports dynamic updates.
