Secret

A Secret is an object that holds a small amount of sensitive data, such as a password, a token, or a key.

  • Lets users store secrets centrally, reducing the risk of exposure.
  • The data is stored in the etcd database.


Syntax

kubectl create secret [TYPE] [NAME] [DATA]

Three secret types

i) Generic:

  • File (--from-file)
  • Directory (--from-file with a directory path)
  • Literal value (--from-literal)

ii) Docker Registry

iii) TLS


Creating a secret

from-literal

kubectl create secret generic firstsecret --from-literal dbpass=admin123

Once the secret is created, use kubectl get secret <name> -o yaml to view the password: kubectl describe only reports the size of each entry, while the -o yaml output exposes the base64-encoded value.

[@BDSZYF000132741:demo]$ kubectl describe secret firstsecret
Name: firstsecret
Namespace: default
Labels: <none>
Annotations: <none>

Type: Opaque

Data
====
dbpass: 8 bytes

[@BDSZYF000132741:demo]$ kubectl get secret firstsecret -o yaml
apiVersion: v1
data:
  dbpass: YWRtaW4xMjM=
kind: Secret
metadata:
  creationTimestamp: "2020-01-24T14:34:57Z"
  name: firstsecret
  namespace: default
  resourceVersion: "19884987"
  selfLink: /api/v1/namespaces/default/secrets/firstsecret
  uid: b1894772-3eb6-11ea-8d48-06a014a4eb80
type: Opaque

from-file

Create a password.txt file that contains only the password.

[@:demo]$ kubectl create secret generic secondsecret --from-file=./password.txt
secret/secondsecret created

[@:demo]$ kubectl get secret secondsecret -o yaml
apiVersion: v1
data:
  password.txt: ZmRzc2xsa2sK
kind: Secret
metadata:
  creationTimestamp: "2020-01-24T14:40:25Z"
  name: secondsecret
  namespace: default
  resourceVersion: "19885592"
  selfLink: /api/v1/namespaces/default/secrets/secondsecret
  uid: 756cb383-3eb7-11ea-8d48-06a014a4eb80
type: Opaque

Creating a secret from YAML

Secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: thirdsecret
type: Opaque
data:
  username: YWRtaW4K
  password: QWRtaW5AMTIzMzQK

[@root:pod]$ kubectl get secret thirdsecret -o yaml
apiVersion: v1
data:
  password: QWRtaW5AMTIzMzQK
  username: YWRtaW4K
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"password":"QWRtaW5AMTIzMzQK","username":"YWRtaW4K"},"kind":"Secret","metadata":{"annotations":{},"name":"thirdsecret","namespace":"default"},"type":"Opaque"}
  creationTimestamp: "2020-01-24T14:53:09Z"
  name: thirdsecret
  namespace: default
  resourceVersion: "19886989"
  selfLink: /api/v1/namespaces/default/secrets/thirdsecret
  uid: 3cdaa27e-3eb9-11ea-8103-02c2b593c912
type: Opaque

stringData

If you would rather not base64-encode the values yourself, write them in plaintext under stringData; the API server stores them base64-encoded under data, as the output below shows:

apiVersion: v1
kind: Secret
metadata: 
  name: stringdata
type: Opaque
stringData:
  config.yaml: |-
    username: admin
    password: mysecretpassword

[@root:pod]$ kubectl get secret stringdata -o yaml
apiVersion: v1
data:
  config.yaml: dXNlcm5hbWU6IGFkbWluCnBhc3N3b3JkOiBteXNlY3JldHBhc3N3b3Jk
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"stringdata","namespace":"default"},"stringData":{"config.yaml":"username: admin\npassword: mysecretpassword"},"type":"Opaque"}
  creationTimestamp: "2020-01-24T15:02:01Z"
  name: stringdata
  namespace: default
  resourceVersion: "19887964"
  selfLink: /api/v1/namespaces/default/secrets/stringdata
  uid: 79bacb76-3eba-11ea-8103-02c2b593c912
type: Opaque

Using a secret

A secret is consumed in exactly the same way as a configMap.

For example:

apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "env" ]
      envFrom:
      - secretRef:
          name: special-config
  restartPolicy: Never

Summary

Remember that a secret only Base64-encodes its data, and Base64 is trivially decoded. These secrets should therefore be considered insecure.

Secrets are not encrypted (by default they sit in etcd as plain base64), so in that sense they are not secure.
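As an added example (not code from the original page), the following Python shows what the summary means in practice: it decodes a Secret's data fields exactly as anyone with read access to the object can, checks for the trailing-newline pitfall visible in thirdsecret (YWRtaW4K decodes to "admin\n", which will break a login), and reproduces the stringData-to-data conversion the API server performs. The sample JSON is constructed from the manifests on this page.

```python
import base64
import json

# Constructed sample: the relevant fields of `kubectl get secret thirdsecret -o json`
# for the thirdsecret manifest shown on this page.
THIRDSECRET_JSON = """
{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {"name": "thirdsecret", "namespace": "default"},
  "type": "Opaque",
  "data": {"username": "YWRtaW4K", "password": "QWRtaW5AMTIzMzQK"}
}
"""


def decode_secret_data(secret: dict) -> dict:
    """Return {key: plaintext} for every entry under .data.

    Base64 is an encoding, not encryption: anyone allowed to `get` the
    Secret recovers the plaintext with exactly this call.
    """
    return {key: base64.b64decode(value).decode("utf-8")
            for key, value in (secret.get("data") or {}).items()}


def keys_with_trailing_newline(decoded: dict) -> list:
    """Keys whose plaintext ends in a newline, the usual sign that the value
    was produced with `echo value | base64` instead of `echo -n`."""
    return sorted(k for k, v in decoded.items() if v.endswith("\n"))


def encode_string_data(string_data: dict) -> dict:
    """Mimic the API server: each stringData entry is stored base64-encoded in .data."""
    return {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
            for k, v in string_data.items()}


if __name__ == "__main__":
    secret = json.loads(THIRDSECRET_JSON)
    decoded = decode_secret_data(secret)
    for key, value in decoded.items():
        print(f"{key}: {value!r}")
    print("values with a trailing newline:", keys_with_trailing_newline(decoded))
    # The stringData example from this page encodes to the same value kubectl showed.
    print(encode_string_data({"config.yaml": "username: admin\npassword: mysecretpassword"}))
```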