Tags: lock lines metadata == creat default config saving json
https://www.kubernetes.org.cn/secret
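A Secret solves the problem of configuring sensitive data such as passwords, tokens and keys, without exposing that data in the image or the Pod spec.
A Secret can be consumed either as a Volume or as environment variables (two ways in total).
There are three types of Secret:
Step 1: Base64-encode the username and password (base64 is an encoding, not encryption)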
╭─root@node1 ~
╰─? echo "123" | base64
MTIzCg==
╭─root@node1 ~
╰─? echo "node1" | base64
bm9kZTEK
Step 2: Write the secret's yml file
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  hostname: bm9kZTEK
  password: MTIzCg==
Step 3: Apply the secret file
╭─root@node1 ~
╰─? kubectl apply -f secret.yml
secret/mysecret created
Step 4: View the secret
╭─root@node1 ~
╰─? kubectl get secret
NAME TYPE DATA AGE
default-token-ngn4n kubernetes.io/service-account-token 3 10d
mysecret Opaque 2 2m4s
╭─root@node1 ~
╰─? kubectl describe secret mysecret
Name: mysecret
Namespace: default
Labels: <none>
Annotations:
Type: Opaque
Data
====
hostname: 6 bytes
password: 4 bytes
Step 5: Retrieve the encoded data
╭─root@node1 ~
╰─? kubectl edit secret mysecret
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  hostname: bm9kZTEK # base64-encoded data
  password: MTIzCg== # base64-encoded data
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"hostname":"bm9kZTEK","password":"MTIzCg=="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"}}
  creationTimestamp: "2019-08-30T08:00:24Z"
  name: mysecret
  namespace: default
  resourceVersion: "244709"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: f8a21f4c-18ce-4b13-814a-c20ee5efbe23
type: Opaque
Step 6: Decode
╭─root@node1 ~
╰─? echo "MTIzCg==" | base64 --decode
123
╭─root@node1 ~
╰─? echo "bm9kZTEK" | base64 --decode
node1
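The values created above decode to 4 and 6 bytes because `echo` appends a newline before `base64` sees the input, so the stored password is "123" followed by a line feed. The script below is an added example, not part of the original post: it audits the `data:` entries of a Secret manifest for that trailing newline and shows the newline-free encoding. The function names are hypothetical, and the sample manifest reuses the values from step 2.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Encode a value without the newline that `echo` appends.
encode_secret() {
    printf '%s' "$1" | base64
}

# The manifest from step 2, reproduced here as sample input.
sample_manifest() {
    cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  hostname: bm9kZTEK
  password: MTIzCg==
EOF
}

# Read a Secret manifest on stdin; for each entry under data: print
# "<key> <decoded byte count> <trailing-newline|clean>".
audit_secret_data() {
    in_data=0
    while IFS= read -r line; do
        case "$line" in
            data:*) in_data=1; continue ;;
            ' '*|'') ;;            # indented or blank: same block continues
            *) in_data=0 ;;        # any other top-level key ends data:
        esac
        [ "$in_data" -eq 1 ] || continue
        entry=${line#"${line%%[! ]*}"}     # strip leading spaces
        key=${entry%%:*}
        val=${entry#*:}
        val=${val#"${val%%[! ]*}"}         # strip spaces after the colon
        val=${val%%[ #]*}                  # drop any trailing comment
        [ -n "$val" ] || continue
        bytes=$(printf '%s' "$val" | base64 --decode | wc -c | tr -d ' ')
        last=$(printf '%s' "$val" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n')
        if [ "$last" = "0a" ]; then state=trailing-newline; else state=clean; fi
        printf '%s %s %s\n' "$key" "$bytes" "$state"
    done
}

sample_manifest | audit_secret_data
printf 'password re-encoded without newline: %s\n' "$(encode_secret 123)"
```

An application that reads the mounted file verbatim receives the newline as part of the credential, which is a common cause of authentication failures that are hard to spot.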
Step 1: Write the Pod's yml file
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret
spec:
  containers:
  - name: busybox
    image: busybox
    imagePullPolicy: IfNotPresent
    command: ["/bin/sh","-c","touch test;sleep 60000"]
    volumeMounts:
    - name: du
      mountPath: /tmp
  volumes:
  - name: du
    secret:
      secretName: mysecret
Step 2: Apply it
╭─root@node1 ~
╰─? kubectl apply -f busybox-secret.yml
pod/pod-secret created
Step 3: Enter the pod and check
╭─root@node1 ~
╰─? kubectl exec -it pod-secret /bin/sh
/ # ls
bin dev etc home proc root sys test tmp usr var
/ # cd tmp
/tmp # ls
hostname password
/tmp # cat hostname
node1
/tmp # cat password
123
/tmp #
Step 4: Dynamically update the password
1. Generate a new password
╭─root@node1 ~
╰─? echo 1234 | base64
MTIzNAo=
2. Modify the secret file
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  hostname: bm9kZTEK
  password: MTIzNAo=
3. Re-apply the secret's yml file
╭─root@node1 ~
╰─? kubectl apply -f secret.yml
secret/mysecret configured
Step 5: Check the password
╭─root@node1 ~
╰─? kubectl exec -it pod-secret /bin/sh
/ # cd tmp
/tmp # ls
hostname password
/tmp # cat password
1234
Step 1: Write the yml file
Original article: https://www.cnblogs.com/du-z/p/11436420.html