Kubernetes/k8s: how to create a Secret with encrypted data and mount it

Preface: today I happened to be learning how to create Secret data in k8s and mount it: base64 encoding, mounting a Secret as environment variables, and mounting it as a Volume. I am writing it up here so I do not forget it, and I hope it helps others.
A more complete k8s tutorial is available at: https://blog.tag.gg/showinfo-3-36255-0.html
Purpose: the encrypted data is stored in etcd, and Pod containers access it by mounting it as a Volume.
Scenario: storing credentials.
base64 encoding:

[root@master ~]# echo -n 'admin' | base64
YWRtaW4=

[root@master ~]# echo -n 'blog.tag.gg' | base64
YmxvZy50YWcuZ2c=


1. Create the Secret
Create the file my-secret.yaml and write the following into it.

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: YmxvZy50YWcuZ2c=

Run the following command to create the Secret.

[root@master ~]# kubectl apply -f my-secret.yaml
secret/mysecret created

Check the created Secret:

[root@master ~]# kubectl get Secret
NAME                  TYPE                                  DATA   AGE
default-token-vk75n   kubernetes.io/service-account-token   3      29d
mysecret              Opaque                                2      65s
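The base64 step and the Secret manifest above are worth looking at together. The following added example (not from the original post) encodes the two values exactly as the post does, shows why `echo -n` matters, and decodes the `data:` fields of the same manifest back to plaintext: base64 is a reversible encoding, not encryption, so the same decoding works on anything `kubectl get secret mysecret -o yaml` returns, which is why read access to Secrets must be restricted with RBAC. The manifest is embedded as a constructed copy of my-secret.yaml.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Encode a value the way the post does: no trailing newline in the bytes.
b64_encode() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a base64 string back to its plaintext bytes.
b64_decode() {
    printf '%s' "$1" | base64 -d
}

# Constructed copy of the post's my-secret.yaml manifest.
MY_SECRET_YAML='apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: YmxvZy50YWcuZ2c='

# Print "key=decoded-value" for every entry under data: in a Secret manifest.
# Assumes the two-space indentation used in the post's manifest.
decode_secret_data() {
    printf '%s\n' "$1" | awk '
        /^data:/ { in_data = 1; next }
        in_data && /^[^ ]/ { in_data = 0 }
        in_data && /^  [^ ]+: / { print $1, $2 }
    ' | while read -r key value; do
        printf '%s=%s\n' "${key%:}" "$(b64_decode "$value")"
    done
}

# Pitfall: `echo` without -n appends 0x0a, so the encoded string differs
# ("YWRtaW4K" instead of "YWRtaW4=") and the mounted credential ends with a
# newline, which typically fails authentication in a hard-to-spot way.
newline_pitfall() {
    echo 'admin' | base64 | tr -d '\n'
}

# Usage: decode every field of the manifest and show the pitfall side by side.
decode_secret_data "$MY_SECRET_YAML"
printf 'with echo -n: %s, without: %s\n' "$(b64_encode admin)" "$(newline_pitfall)"
```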

2. Mount into the Pod container as environment variables
Create secret-val.yaml and write the following into it.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
        env:
        - name: MYSQL_SERVICE_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username

        - name: MYSQL_SERVICE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password

Run the following command to create the pods.

[root@master ~]# kubectl apply -f secret-val.yaml
deployment.apps/myapp-deploy created

[root@master ~]# kubectl get pods
NAME                                READY   STATUS              RESTARTS   AGE
ds-test-crpsf                       1/1     Running             0          21d
myapp-deploy-s-s-66f44577d5-ngnfq   0/1     ContainerCreating   0          15s
myapp-deploy-s-s-66f44577d5-q9b2f   0/1     ContainerCreating   0          15s
myjob-fp4bl                         0/1     Completed           0          21d

Note:
You may see an error like the following:

[root@master ~]# kubectl get pods
NAME                                READY   STATUS              RESTARTS   AGE
hello-28037594-f5j4c                0/1     ContainerCreating   0          14s
myapp-deploy-s-s-66f44577d5-ngnfq   0/1     ImagePullBackOff    0          45s
myapp-deploy-s-s-66f44577d5-q9b2f   0/1     ImagePullBackOff    0          45s

Solution.
1. Check the pod's error details:

kubectl describe pod myapp-deploy-s-s-66f44577d5-ngnfq

  Normal   Scheduled  14m                   default-scheduler  Successfully assigned default/myapp-deploy-s-s-66f44577d5-ngnfq to node3
  Warning  Failed     14m                   kubelet            Failed to pull image "192.168.26.160:86/xielong/myapp:v1.0": rpc error: code = Unknown desc = Error response from daemon: Get "https://192.168.26.160:86/v2/": dial tcp 192.168.26.160:86: i/o timeout (Client.Timeout exceeded while awaiting headers)

The cause is that the image address in the yaml file, 192.168.26.160:86/xielong/myapp:v1.0, cannot be reached from this environment. Change the image to one of your own.
After the change, run kubectl apply -f secret-val.yaml to recreate the pods.
Then run:

[root@master ~]# kubectl get pods
NAME                                READY   STATUS              RESTARTS   AGE
ds-test-crpsf                       1/1     Running             0          21d
ds-test-glnql                       1/1     Running             0          21d
hello-28037606-zzkrf                0/1     Completed           0          3m1s
hello-28037607-sshb6                0/1     Completed           0          2m1s
hello-28037608-njlr2                0/1     Completed           0          61s
hello-28037609-ztfm8                0/1     ContainerCreating   0          1s
myapp-deploy-54fd65cd-x84gx         1/1     Running             0          108s
myapp-deploy-54fd65cd-z9f2m         1/1     Running             0          2m6s

Run the following command to enter the container.

[root@master ~]# kubectl exec -it myapp-deploy-54fd65cd-x84gx bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@myapp-deploy-54fd65cd-x84gx:/#

Run the following commands to view the contents of the variables.

root@myapp-deploy-54fd65cd-x84gx:/# echo $MYSQL_SERVICE_USER
admin
root@myapp-deploy-54fd65cd-x84gx:/# echo $MYSQL_SERVICE_PASSWORD
blog.tag.gg
root@myapp-deploy-54fd65cd-x84gx:/#

3. Mount into the container as a Volume
Create the file my-secret.yaml and write the following into it:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: YmxvZy50YWcuZ2c=

Run kubectl apply -f my-secret.yaml to create the Secret, as follows.

[root@master ~]# kubectl apply -f my-secret.yaml
secret/mysecret created
[root@master ~]# kubectl get Secret
NAME                  TYPE                                  DATA   AGE
default-token-vk75n   kubernetes.io/service-account-token   3      31d
mysecret              Opaque                                2      5s

Create the file secret-vol.yaml and write the following into it:
The secretName below must match the name configured above; the Secret is mounted at the /etc/foo directory as read-only files.

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

Run the following command to create the pod.

[root@master ~]# kubectl apply -f secret-vol.yaml
pod/mypod created
[root@master ~]# kubectl get pods
NAME                                READY   STATUS             RESTARTS      AGE
ds-test-crpsf                       1/1     Running            1 (22h ago)   23d
ds-test-glnql                       1/1     Running            1 (22h ago)   23d
hello-28040454-66vt7                0/1     Completed          0             2m52s
mypod                               1/1     Running            0             34s
[root@master ~]#

Enter the pod mypod.

[root@master ~]# kubectl exec -it mypod bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@mypod:/#

Run the following commands to check:

root@mypod:/# ls /etc/foo
password  username
root@mypod:/# cat /etc/foo/password
blog.tag.gg
root@mypod:/# cat /etc/foo/username
admin
root@mypod:/#

Deleting Secrets:
Delete a specific Secret

kubectl delete secret  default-token-vk75n

Delete all Secrets (be careful: make sure none of them are still needed before deleting, otherwise the data is lost)

[root@master ~]# kubectl delete secret --all
secret "default-token-vk75n" deleted
secret "mysecret" deleted

Notice: writing these posts takes real effort; when reposting, please keep this notice and the link to the original article: https://blog.tag.gg/showinfo-3-36277-0.html