Reference: https://feisky.xyz/kubernetes-handbook/concepts/secret.html

There are three types of Secret:

[TOC]

# 1. Opaque

A Secret whose values are base64-encoded; used to store passwords, keys and similar data.

**1. Create an Opaque Secret**

[1] Base64-encode the username and password:

```shell
$ echo -n "admin" | base64
YWRtaW4=
$ echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm
```

[2] Write the file secrets-demo.yml:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
```

[3] Create the Secret:

```shell
$ kubectl create -f secrets-demo.yml
secret/mysecret created
```

[4] List all Secrets:

```shell
$ kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-br2cp   kubernetes.io/service-account-token   3      81d
mysecret              Opaque                                2      14s
```

>[info] Here default-token-br2cp is the Secret created by default when the cluster was set up; it is referenced by serviceaccount/default.

**2. A Secret can be used in two ways**

1. First way: mount the Secret into a Volume inside the container.

```yaml
# vim secret-to-volume.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: secret-test
  name: secret-test
spec:
  volumes:
    - name: secrets
      secret:
        secretName: mysecret
  containers:
    - image: nginx
      name: nginx
      volumeMounts:
        - name: secrets
          mountPath: "/etc/secrets"
          readOnly: true
```

```shell
# kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
secret-test   0/1     Running   0          10s
-- enter the container
# kubectl exec -it secret-test bash
root@secret-test:/#
root@secret-test:/# ls /etc/secrets
password  username
root@secret-test:/# cat /etc/secrets/username
admin
root@secret-test:/# cat /etc/secrets/password
1f2d1e2e67df
```

2. Second way: export the Secret into environment variables.

```yaml
# vim secret-to-environment.yaml
# Deployment under extensions/v1beta1 was removed in Kubernetes 1.16;
# apps/v1 is used here and requires spec.selector.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: wordpress
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: wordpress
        visualize: "true"
    spec:
      containers:
        - name: "wordpress"
          image: "wordpress"
          ports:
            - containerPort: 80
          env:
            - name: WORDPRESS_DB_USER
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: username
            - name: WORDPRESS_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysecret
                  key: password
```

# 2. `kubernetes.io/dockerconfigjson`

Used to store the credentials of a private Docker registry. Common operations:

**1. Create the Docker registry credential Secret**

```shell
# kubectl create secret docker-registry myregistrykey \
    --docker-server=DOCKER_REGISTRY_SERVER \
    --docker-username=DOCKER_USER \
    --docker-password=DOCKER_PASSWORD \
    --docker-email=DOCKER_EMAIL
secret/myregistrykey created
```

**2. View the contents of the Secret**

```shell
# kubectl get secret myregistrykey -o yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJET0NLRVJfUkVHSVNUUllfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0=
kind: Secret
metadata:
  creationTimestamp: "2022-02-19T10:38:36Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:.dockerconfigjson: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2022-02-19T10:38:36Z"
  name: myregistrykey
  namespace: default
  resourceVersion: "112757"
  selfLink: /api/v1/namespaces/default/secrets/myregistrykey
  uid: 414ee664-794a-433d-889f-4ce65fa2c972
type: kubernetes.io/dockerconfigjson
```

**3. When creating a Pod, reference the newly created `myregistrykey` through `imagePullSecrets`**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
    - name: foo
      image: janedoe/awesomeapp:v1
  imagePullSecrets:
    - name: myregistrykey
```

# 3. `kubernetes.io/service-account-token`

Used to access the Kubernetes API. It is created automatically by Kubernetes and mounted automatically into the Pod under /run/secrets/kubernetes.io/serviceaccount.

```shell
-- start an nginx instance
# kubectl run nginx --image nginx
pod/nginx created
# kubectl get pods
NAME                    READY   STATUS    RESTARTS   AGE
nginx-f89759699-pxqgq   1/1     Running   5          81d
# kubectl exec nginx-f89759699-pxqgq ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token
```
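As an added example (not part of the original page or the referenced handbook), the following Python audit does by hand what `kubectl get secret -o yaml` exposes for the two Secrets shown above: it strips the base64 layer from the Opaque Secret and parses the dockerconfigjson Secret, checking that its `auth` field is nothing more than base64(username:password). The manifests are constructed inline from the values on this page; in practice you would load the output of `kubectl get secret <name> -o json`.

```python
import base64
import json

# Secret manifests as Python dicts, constructed from the values shown on this
# page (in practice: json.load of `kubectl get secret <name> -o json`).
OPAQUE_SECRET = {
    "type": "Opaque",
    "metadata": {"name": "mysecret"},
    "data": {"username": "YWRtaW4=", "password": "MWYyZDFlMmU2N2Rm"},
}
REGISTRY_SECRET = {
    "type": "kubernetes.io/dockerconfigjson",
    "metadata": {"name": "myregistrykey"},
    "data": {".dockerconfigjson": "eyJhdXRocyI6eyJET0NLRVJfUkVHSVNUUllfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0="},
}


def decode_data(secret):
    """Strip the base64 layer from every key in .data; that layer is the only
    'encoding' a Secret has, nothing in it is encrypted."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


def registry_credentials(secret):
    """For a dockerconfigjson Secret, return {server: (user, password, auth_ok)}.
    auth_ok reports whether the 'auth' field equals base64(user:password),
    i.e. whether the password is stored a second time in another encoding."""
    cfg = json.loads(decode_data(secret)[".dockerconfigjson"])
    creds = {}
    for server, entry in cfg["auths"].items():
        user, pw = entry.get("username", ""), entry.get("password", "")
        expected = base64.b64encode(f"{user}:{pw}".encode()).decode()
        creds[server] = (user, pw, entry.get("auth") == expected)
    return creds


def audit(secret):
    """Return one line per recovered credential, value redacted to 2 chars."""
    name = secret["metadata"]["name"]
    if secret["type"] == "kubernetes.io/dockerconfigjson":
        return [f"{name}: {s} user={u} password={p[:2]}*** auth_matches={ok}"
                for s, (u, p, ok) in registry_credentials(secret).items()]
    return [f"{name}: {k}={v[:2]}***" for k, v in decode_data(secret).items()]


if __name__ == "__main__":
    for s in (OPAQUE_SECRET, REGISTRY_SECRET):
        print("\n".join(audit(s)))
```

Anyone with RBAC `get` or `list` on these Secrets recovers exactly the same values, so grant those verbs as if they were access to the credential itself.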