一、secrets创建

secrets创建方法常见的有三种:

  • kubectl命令直接创建
  • kubectl命令从文件中读取内容创建
  • 通过yaml文件创建

具体如下:

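 # Method 1: create the Secret directly from a literal value.
# Template (placeholders, not runnable as-is):
#   kubectl create secret generic <secret-name> --from-literal=iamAdminPasswordKey=<password> --namespace <namespace>
# NOTE: a value passed with --from-literal is part of the command line, so it
# ends up in shell history and is visible in the process list while kubectl
# runs. Use this form for throwaway test values only; for real credentials
# prefer --from-file (method 2).
kubectl create secret generic cncc-iam-secret --from-literal=iamAdminPasswordKey=cncciampasswordvalue --namespace cncc
# describe lists the key names and their sizes, not the stored values.
kubectl describe secret cncc-iam-secret -n cncc

# Method 2: create the Secret from files. Each key is named after its file
# (username.txt, password.txt). printf '%s' writes the value without a
# trailing newline, which would otherwise become part of the secret.
(
  umask 077 # keep the plaintext files unreadable to other local users
  printf '%s' 'admin' > ./username.txt
  printf '%s' '1f2d1e2e67df' > ./password.txt
)

kubectl create secret generic db-user-pass \
  --from-file=./username.txt \
  --from-file=./password.txt

# The plaintext copies are no longer needed once the Secret exists.
rm -f -- ./username.txt ./password.txt

# Method 3: create the Secret from a YAML manifest.
# Values under `data:` must be base64-encoded. base64 is an encoding, not
# encryption: anyone who can read the manifest can decode the values, so keep
# this file out of version control. (`stringData:` accepts unencoded values.)
printf '%s' 'admin' | base64        # YWRtaW4=
printf '%s' '1f2d1e2e67df' | base64 # MWYyZDFlMmU2N2Rm

cat > secrets-test.yaml <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
EOF

kubectl apply -f secrets-test.yaml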

二、验证secrets的值

对于已创建的Secret,可以运行一个测试pod,通过envFrom把Secret中的键值注入为环境变量并打印出来,以确认其内容。注意:这种方式会把明文写入pod日志,凡是有权读取该pod日志的人都能看到,因此只适合在测试环境中使用,确认后应及时删除该pod:

 1[root@test11-41044 test]# ll
 2total 8
 3-rw------- 1 root root 273 Oct 1 06:57 pod.yaml
 4-rw------- 1 root root 125 Oct 1 06:11 sec.yaml
 5[root@test11-41044 test]# cat sec.yaml
 6apiVersion: v1
 7kind: Secret
 8metadata:
 9  name: mysecret
10type: Opaque
11data:
12  USER_NAME: YWRtaW4=
13  PASSWORD: MWYyZDFlMmU2N2Rm
14
15[root@test11-41044 test]# cat pod.yaml
16apiVersion: v1
17kind: Pod
18metadata:
19  name: secret-test-pod
20spec:
21  containers:
22    - name: test-container
23      image: registry.k8s.io/busybox
24      command: [ "/bin/sh", "-c", "env" ]
25      envFrom:
26      - secretRef:
27          name: mysecret
28  restartPolicy: Never
29
30[root@test11-41044 test]# kubectl get secrets
31NAME                  TYPE                                  DATA   AGE
32cncc-db-secret        Opaque                                1      8d
33default-secret        kubernetes.io/dockerconfigjson        1      11d
34default-token-4pxpx   kubernetes.io/service-account-token   3      11d
35mysecret              Opaque                                2      8d
36mysql-pass            Opaque                                1      8d
37paas.elb              cfe/secure-opaque                     3      11d

创建测试pod并查看其日志输出:

 1[root@test11-41044 test]# kubectl apply -f pod.yaml
 2pod/secret-test-pod created
 3[root@test11-41044 test]# kubectl logs secret-test-pod
 4WORDPRESS_PORT_80_TCP_PROTO=tcp
 5KUBERNETES_PORT=tcp://10.247.0.1:443
 6KUBERNETES_SERVICE_PORT=443
 7HOSTNAME=secret-test-pod
 8……
 9USER_NAME=admin
10PASSWORD=1f2d1e2e67df

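如果想要查看其他Secret对象,只需要把secretRef下的name改成对应的Secret名称即可(该Secret必须与pod位于同一命名空间)。这也意味着,只要有权限在某个命名空间中创建pod,就能读出该命名空间内任意Secret的明文,因此应通过RBAC严格限制创建pod和读取Secret的权限。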

参考页面:
https://kubernetes.io/docs/concepts/configuration/secret/
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/