目录
前提:敏感数据(如数据库密码)不要写进应用的 yaml 清单。把这类数据保存为 k8s 集群对象:用户定义的密码等敏感数据放入 Secret;非敏感的普通配置放入 ConfigMap。注意 ConfigMap 不提供任何保护(明文存储、读取权限通常更宽松),不要用它保存密码。
Secret 只是把明文做了 base64 编码,并不是加密:任何对该 namespace 下 secrets 资源拥有 get/list 权限的用户都能直接解码出原文(见下文的解码示例)。因此还需要用 RBAC 限制对 secrets 的读取,并在 API server 上开启 Secret 的 etcd 静态加密(EncryptionConfiguration),否则 etcd 备份中同样是可解码的明文。
- 问题
trnuser@k8s:~/pod$ cat wordpress-mysql.yml
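---
# Headless Service (clusterIP: None): DNS resolves the name straight to the
# MySQL pod(s) selected below instead of a virtual cluster IP.
apiVersion: v1
kind: Service
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  ports:
    - port: 3306
  selector:
    app: wordpress
    tier: mysql
  clusterIP: None
---
# ANTI-PATTERN (kept on purpose as the "problem" example): the MySQL root
# password is embedded as a plain-text environment value. Everyone who can read
# this file, the Deployment object (`kubectl get deploy -o yaml`) or the pod
# spec sees the password. The corrected manifest moves the value into a Secret
# and references it through secretKeyRef.
apiVersion: apps/v1  # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1
kind: Deployment
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  # MySQL is a single-writer database. The original asked for `replicas: 2`,
  # but two mysqld processes sharing one PersistentVolumeClaim at
  # /var/lib/mysql either fail to start (InnoDB lock) or corrupt the data, and
  # a ReadWriteOnce claim cannot be attached on a second node at all.
  replicas: 1
  selector:
    matchLabels:
      app: wordpress
      tier: mysql
  strategy:
    type: Recreate  # stop the old pod before starting the new one: never two mysqld on one data dir
  template:
    metadata:
      labels:
        app: wordpress
        tier: mysql
    spec:
      # The database never calls the Kubernetes API; do not mount a
      # ServiceAccount token that a compromised container could abuse.
      automountServiceAccountToken: false
      containers:
        - image: mysql:5.7
          name: mysql
          env:
            - name: MYSQL_ROOT_PASSWORD
              value: redhat  # PROBLEM: plain-text password in the manifest
              # Replace the literal with a Secret reference:
              # valueFrom:
              #   secretKeyRef:
              #     name: mysql
              #     key: mysql-password
          livenessProbe:
            tcpSocket:
              port: 3306
          ports:
            - containerPort: 3306
              name: mysql
          volumeMounts:
            - name: mysql-persistent-storage
              mountPath: /var/lib/mysql
      volumes:
        - name: mysql-persistent-storage
          persistentVolumeClaim:
            claimName: mysql-pv-claim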
- 解决方案: 将密码保存到secret中
trnuser@k8s:~/pod$ kubectl api-resources | grep secret
secrets true Secret
trnuser@k8s:~/pod$ kubectl api-resources | grep configmap
configmaps cm true ConfigMap
trnuser@k8s:~/pod$
- secret
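# Do not pass the password with --from-literal=mysql-password=redhat on the command
# line: it is written to shell history (~/.bash_history) and is visible to every
# local user through `ps` while kubectl runs. Read it from the terminal without
# echo and hand it to kubectl over stdin instead (same Secret name and key as before).
read -rs -p 'mysql-password: ' MYSQL_PW
printf '%s' "$MYSQL_PW" | kubectl create secret generic mysql --from-file=mysql-password=/dev/stdin
unset MYSQL_PW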
- 查看密码
trnuser@k8s:~/pod$ kubectl describe secrets mysql -n secret
Name: mysql
Namespace: secret
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
mysql-password: 6 bytes
-----------------
trnuser@k8s:~/pod$ kubectl get secrets mysql -n secret -o yaml
apiVersion: v1
data:
mysql-password: cmVkaGF0
kind: Secret
metadata:
creationTimestamp: "2021-03-01T07:00:49Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:mysql-password: {}
f:type: {}
manager: kubectl
operation: Update
time: "2021-03-01T07:00:49Z"
name: mysql
namespace: secret
resourceVersion: "1304905"
selfLink: /api/v1/namespaces/secret/secrets/mysql
uid: ce213f79-3759-4d38-9c7d-da41f8fe1d83
type: Opaque
- 解码secret
# Decode the base64 value printed by `kubectl get secrets mysql -o yaml`.
# The output is the plain-text password: this is exactly why read access to
# Secrets must be limited by RBAC.
printf '%s' 'cmVkaGF0' | base64 -d
- 部署 pod 时通过 secretKeyRef 引用 Secret(Deployment 对象里只剩引用,不再出现密码本身。注意:以环境变量注入的值,对能 kubectl exec 进入容器或读取其 /proc 的人仍然可见;要求更高时可改为把 Secret 以文件形式挂载)
trnuser@k8s:~/pod$ cat wordpress-mysql.yml
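---
# Headless Service (clusterIP: None): DNS resolves the name straight to the
# MySQL pod(s) selected below.
apiVersion: v1
kind: Service
metadata:
  name: wordpress-mysql
  # Keep Service, Deployment and Secret in the same namespace: secretKeyRef can
  # only resolve a Secret in the pod's own namespace, and the Secret "mysql"
  # was created in "secret" (see the kubectl describe/get output above).
  namespace: secret
  labels:
    app: wordpress
spec:
  ports:
    - port: 3306
  selector:
    app: wordpress
    tier: mysql
  clusterIP: None
---
# Corrected manifest: the root password is read from Secret "mysql" instead of
# being written into the Deployment.
apiVersion: apps/v1  # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1
kind: Deployment
metadata:
  name: wordpress-mysql
  namespace: secret
  labels:
    app: wordpress
spec:
  # MySQL is a single-writer database; the original `replicas: 2` would start
  # two independent mysqld instances behind one headless Service, each with
  # its own (empty) data, and clients would be routed to either at random.
  replicas: 1
  selector:
    matchLabels:
      app: wordpress
      tier: mysql
  strategy:
    type: Recreate  # stop the old pod before starting the new one
  template:
    metadata:
      labels:
        app: wordpress
        tier: mysql
    spec:
      # The database never calls the Kubernetes API; do not mount a
      # ServiceAccount token that a compromised container could abuse.
      automountServiceAccountToken: false
      containers:
        - image: mysql:5.7
          name: mysql
          env:
            - name: MYSQL_ROOT_PASSWORD
              # Value comes from key "mysql-password" of Secret "mysql"
              # (created with `kubectl create secret generic mysql ...`).
              # `kubectl get deploy -o yaml` now shows only this reference.
              # NOTE: an env var is still readable by anyone who can exec into
              # the pod; mount the Secret as a file if that matters.
              valueFrom:
                secretKeyRef:
                  name: mysql
                  key: mysql-password
          livenessProbe:
            tcpSocket:
              port: 3306
          ports:
            - containerPort: 3306
              name: mysql
          # Persistent storage was left disabled in the original, so the database
          # content is lost whenever the pod is recreated. Re-enable together
          # with the PVC below for anything beyond a demo.
          # volumeMounts:
          #   - name: mysql-persistent-storage
          #     mountPath: /var/lib/mysql
      # volumes:
      #   - name: mysql-persistent-storage
      #     persistentVolumeClaim:
      #       claimName: mysql-pv-claim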
- 从文件内容创建 secret(键名默认取文件名 username,值为文件内容;用 echo -n 是为了不把结尾的换行符写进值里)
# Write the value without a trailing newline; the file content becomes the
# Secret value byte-for-byte.
printf '%s' 'zhangsan' > username
- 创建secret
# Key "username" (explicitly named here, which is also the default taken from the
# file name) holds the file content. The plain-text file remains on disk; remove
# it once the Secret exists.
kubectl create secret generic users --from-file=username=./username
- 用 env 文件一次创建多个键(每行一个 key=value;该文件本身是明文凭据,创建 Secret 后应及时删除)
[root@master ~]# vim secret.txt
[root@master ~]# cat secret.txt
user1=zhangsan
password1=redhat
user2=lisi
password2=redha
# Each key=value line of the env file becomes one key of the Secret.
# secret.txt is a plain-text credential file: delete it after this command succeeds.
kubectl create secret generic users-2 --from-env-file=./secret.txt
- configmap(只放非敏感配置:ConfigMap 以明文存储且没有 Secret 的访问控制约定,不要用它保存密码)
# ConfigMap data is a map, so the order of --from-literal flags does not matter.
# Only non-sensitive values belong here: ConfigMaps are stored and displayed in
# plain text (see the `kubectl get configmap -o yaml` output below).
kubectl create configmap cmap1 --from-literal=user2=lisi --from-literal=user1=zhangsan
trnuser@k8s:~/pod$ kubectl get configmap cmap1 -o yaml -n secret
apiVersion: v1
data:
user1: zhangsan
user2: lisi
kind: ConfigMap
metadata:
creationTimestamp: "2021-03-02T02:36:23Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:user1: {}
f:user2: {}
manager: kubectl
operation: Update
time: "2021-03-02T02:36:23Z"
name: cmap1
namespace: secret
resourceVersion: "1482007"
selfLink: /api/v1/namespaces/secret/configmaps/cmap1
uid: 81158352-60c2-4706-b384-f3efe88bcadc