14. Kubernetes notes | Volumes (5): Secret and downwardAPI

Secret overview. ConfigMap data carries essentially no notion of category, but Secret is different: it has a type that reflects how the Secret is meant to be used.

  1. docker-registry: used by kubelet when a Pod starts, to authenticate to a private image registry before pulling images;
  2. TLS: holds a TLS/SSL certificate together with its matching private key;
  3. generic: everything else; within the generic type there are several sub-types.
  4. The built-in sub-types in common use are all for authentication between system components:
    --type="kubernetes.io/basic-auth" --type="kubernetes.io/rbd" --type="kubernetes.io/ssh-auth"

  5. In addition, a Secret that holds a ServiceAccount token records its purpose in resource annotations:
    kind: Secret
    metadata:
      annotations:
        kubernetes.io/service-account.name: node-controller
        kubernetes.io/service-account.uid: 5c7b00cc-8fae-48f7-9069-8efce3681f4d

  6. Resource metadata: besides name and namespace, labels and annotations are the commonly used fields;
  7. Annotation names follow a naming format similar to that of labels, but the length of their values is not limited;
  8. Annotations cannot be used by label selectors as filter conditions; they are commonly used to give applications that are still in Beta a provisional configuration interface;
  9. Management commands: kubectl annotate TYPE/NAME KEY=VALUE, kubectl annotate TYPE/NAME KEY-
  • There is also a dedicated type for the tokens used by kubeadm's bootstrap; these normally live in the kube-system namespace and their names carry the prefix bootstrap-token-.
    --type="bootstrap.kubernetes.io/token"

TLS-type Secret. The TLS type is a special one: on the create command line, besides the different type identifier, it requires the dedicated options --cert and --key.
Whatever the certificate and private key files are named, they are stored under fixed key names:
tls.crt
tls.key
Docker Registry-type Secret
    [root@k8s-master ~]# kubectl create secret docker-registry --help    # view the help; it lists the information to supply
    ......
    Options:
          --allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
          --append-hash=false: Append a hash of the secret to its name.
          --docker-email='': Email for Docker registry
          --docker-password='': Password for Docker registry authentication
          --docker-server='https://index.docker.io/v1/': Server location for Docker registry
          --docker-username='': Username for Docker registry authentication

  • The information can also be loaded from Docker's own credential file, using the --from-file option:
    $HOME/.dockercfg, ~/.docker/config.json

  • When and how it is referenced: the Pod references the Secret through the field
    pod.spec.imagePullSecrets

    Referencing a Secret through environment variables takes the following form:
    - name: ...
      image: ...
      env:
      - name:          # variable name; its value comes from the given key of some Secret object
        valueFrom:     # reference by key
          secretKeyRef:
            name:      # name of the referenced Secret; it must be in the same namespace as the Pod
            key:       # key on the referenced Secret whose value is passed to the environment variable
            optional:  # whether the reference is optional
      envFrom:         # import all keys and values of the given Secret as a whole
      - prefix:        # prefix added uniformly to every key name when they are exposed as environment variables
        secretRef:
          name:        # name of the referenced Secret
          optional:    # whether the reference is optional
Example 1: create a generic Secret and reference it from MySQL
    [root@k8s-master secret]# kubectl create secret --help
    Create a secret using specified subcommand.

    Available Commands:    # the three Secret types
      docker-registry Create a secret for use with a Docker registry
      generic         Create a secret from a local file, directory or literal value
      tls             Create a TLS secret

    # create a generic Secret: user root, password userpassword
    [root@k8s-master secret]# kubectl create secret generic mysql-root-authn --from-literal=username=root --from-literal=password=userpassword
    secret/mysql-root-authn created
    [root@k8s-master secret]# kubectl get secret
    NAME                               TYPE                                  DATA   AGE
    default-token-fsshk                kubernetes.io/service-account-token   3      39d
    my-grafana                         Opaque                                3      36d
    my-grafana-test-token-87856        kubernetes.io/service-account-token   3      36d
    my-grafana-token-gh765             kubernetes.io/service-account-token   3      36d
    mysql-root-authn                   Opaque                                2      25s    # Opaque: the generic type
    sh.helm.release.v1.my-grafana.v1   helm.sh/release.v1                    1      36d
    # detailed description
    [root@k8s-master secret]# kubectl describe secret mysql-root-authn
    Name:         mysql-root-authn
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>

    Type:  Opaque

    Data
    ====
    password:  12 bytes
    username:  4 bytes
    [root@k8s-master secret]# kubectl get secret mysql-root-authn
    NAME               TYPE     DATA   AGE
    mysql-root-authn   Opaque   2      64s
    [root@k8s-master secret]# kubectl get secret mysql-root-authn -o yaml
    apiVersion: v1
    data:
      password: dXNlcnBhc3N3b3Jk    # base64-encoded, not encrypted
      username: cm9vdA==
    kind: Secret
    metadata:
      creationTimestamp: "2021-08-07T07:03:31Z"
      managedFields:
      - apiVersion: v1
        fieldsType: FieldsV1
        fieldsV1:
          f:data:
            .: {}
            f:password: {}
            f:username: {}
          f:type: {}
        manager: kubectl-create
        operation: Update
        time: "2021-08-07T07:03:31Z"
      name: mysql-root-authn
      namespace: default
      resourceVersion: "7454439"
      selfLink: /api/v1/namespaces/default/secrets/mysql-root-authn
      uid: 5743f6a0-1f02-445c-87e5-ae9819d77811
    type: Opaque
    [root@k8s-master secret]# echo dXNlcnBhc3N3b3Jk | base64 -d    # decode the base64 value
    userpassword
    # create a basic-auth Secret
    [root@k8s-master secret]# kubectl create secret generic web-basic-authn --from-literal=username=devopser \
    --from-literal=password=userpassword --type="kubenetes.io/basic-auth"
    secret/web-basic-authn created
    [root@k8s-master secret]# kubectl get secret
    NAME                               TYPE                                  DATA   AGE
    default-token-fsshk                kubernetes.io/service-account-token   3      39d
    my-grafana                         Opaque                                3      36d
    my-grafana-test-token-87856        kubernetes.io/service-account-token   3      36d
    my-grafana-token-gh765             kubernetes.io/service-account-token   3      36d
    mysql-root-authn                   Opaque                                2      8m2s
    sh.helm.release.v1.my-grafana.v1   helm.sh/release.v1                    1      36d
    web-basic-authn                    kubenetes.io/basic-auth               2      21s    # authentication type
    (Note the typo in the --type value: "kubenetes.io/basic-auth" is stored as an arbitrary custom type, not as the built-in kubernetes.io/basic-auth, so the API server does not validate its keys.)
    [root@k8s-master secret]# kubectl get secret -n kube-system    # Secret types commonly present in the kube-system namespace
    NAME                                             TYPE                                  DATA   AGE
    attachdetach-controller-token-bpprw              kubernetes.io/service-account-token   3      39d
    bootstrap-signer-token-69hd8                     kubernetes.io/service-account-token   3      39d
    bootstrap-token-hbjzpz                           bootstrap.kubernetes.io/token         5      3d
    certificate-controller-token-26sn8               kubernetes.io/service-account-token   3      39d
    clusterrole-aggregation-controller-token-hlb6c   kubernetes.io/service-account-token   3      39d
    coredns-token-k6swp                              kubernetes.io/service-account-token   3      39d
    cronjob-controller-token-449ng                   kubernetes.io/service-account-token   3      39d
    daemon-set-controller-token-qb22n                kubernetes.io/service-account-token   3      39d
    default-token-xjfpp                              kubernetes.io/service-account-token   3      39d
    deployment-controller-token-tb84w                kubernetes.io/service-account-token   3      39d
    disruption-controller-token-cqzdt                kubernetes.io/service-account-token   3      39d
    endpoint-controller-token-ptsp4                  kubernetes.io/service-account-token   3      39d
    [root@k8s-master secret]# kubectl get secret node-controller-token-rv7zt -n kube-system -o yaml

  • MySQL referencing the Secret
    [root@k8s-master secret]# cat secrets-env-demo.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: secrets-env-demo
      namespace: default
    spec:
      containers:
      - name: mariadb
        image: mariadb
        imagePullPolicy: IfNotPresent
        env:    # environment variables are loaded when the container starts; later changes to the Secret are not picked up
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-root-authn    # reference the Secret created above
              key: password
    [root@k8s-master secret]# kubectl apply -f secrets-env-demo.yaml
    [root@k8s-master secret]# kubectl get pod
    NAME                                 READY   STATUS    RESTARTS   AGE
    centos-deployment-66d8cd5f8b-95brg   1/1     Running   0          2d22h
    configmap-volume-demo3               1/1     Running   0          4h36m
    configmaps-env-demo                  1/1     Running   0          24h
    configmaps-volume-demo               1/1     Running   0          24h
    configmaps-volume-demo2              2/2     Running   0          17h
    my-grafana-7d788c5479-bpztz          1/1     Running   3          2d22h
    secrets-env-demo                     1/1     Running   0          6m38s
    volumes-pvc-longhorn-demo            1/1     Running   0          2d4h
    # log in with the account and password taken from the Secret
    [root@k8s-master secret]# kubectl exec secrets-env-demo -it -- /bin/bash
    root@secrets-env-demo:/# mysql -uroot -puserpassword
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 3
    Server version: 10.6.3-MariaDB-1:10.6.3+maria~focal mariadb.org binary distribution

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> exit
    Bye
    root@secrets-env-demo:/# exit
    exit
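As an added example (ours, not from the original notes or from kubelet), a small Python resolver that applies the reference rules described above, `secretKeyRef` with `optional` and `envFrom` with `prefix`, to the page's `mysql-root-authn` Secret and `secrets-env-demo` container. The manifests are constructed inline as dicts and the helper names are assumptions; the example also shows that reading the values needs nothing beyond base64 decoding.

```python
import base64

# Constructed from the page's mysql-root-authn Secret and secrets-env-demo Pod; the
# envFrom entry and the optional reference are added to exercise the other rules.
SECRETS = {
    "mysql-root-authn": {"type": "Opaque",
                         "data": {"username": "cm9vdA==", "password": "dXNlcnBhc3N3b3Jk"}},
}
CONTAINER = {
    "name": "mariadb",
    "envFrom": [{"prefix": "DB_", "secretRef": {"name": "mysql-root-authn"}}],
    "env": [
        {"name": "MYSQL_ROOT_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "mysql-root-authn", "key": "password"}}},
        # optional reference to a Secret that does not exist: skipped, not an error
        {"name": "UNUSED",
         "valueFrom": {"secretKeyRef": {"name": "no-such-secret", "key": "x", "optional": True}}},
    ],
}


def decode_secret_data(secret):
    """Secret .data is base64-encoded, not encrypted: no key is needed to read it."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


def _lookup(secrets, name, optional):
    """Fetch a Secret by name; a missing Secret is an error unless the reference is optional."""
    secret = secrets.get(name)
    if secret is None and not optional:
        raise KeyError(f"secret {name!r} not found")
    return secret


def resolve_env(container, secrets):
    """Build the environment a container gets from its Secret references.

    Mirrors the rules in the reference format above: envFrom imports every key
    (with the prefix), env entries are applied afterwards and override, and a
    missing Secret or key is fatal unless optional is true. (Hypothetical helper,
    not kubelet code.)
    """
    env = {}
    for item in container.get("envFrom", []):
        ref = item["secretRef"]
        secret = _lookup(secrets, ref["name"], ref.get("optional", False))
        if secret is not None:
            for key, value in decode_secret_data(secret).items():
                env[item.get("prefix", "") + key] = value
    for item in container.get("env", []):
        if "value" in item:                      # plain literal, no Secret involved
            env[item["name"]] = item["value"]
            continue
        ref = item["valueFrom"]["secretKeyRef"]
        optional = ref.get("optional", False)
        secret = _lookup(secrets, ref["name"], optional)
        if secret is None:
            continue
        data = decode_secret_data(secret)
        if ref["key"] not in data:
            if optional:
                continue
            raise KeyError(f"key {ref['key']!r} not in secret {ref['name']!r}")
        env[item["name"]] = data[ref["key"]]
    return env
```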

Example 2: create a TLS-type Secret and serve HTTPS with a self-signed certificate
    # create the TLS private key and certificate
    [root@k8s-master secret]# (umask 007; openssl genrsa -out nginx.key 2048)    # generate the key
    Generating RSA private key, 2048 bit long modulus
    ................................................................................................+++
    .................+++
    e is 65537 (0x10001)
    [root@k8s-master secret]# ls
    nginx.key
    # create the self-signed certificate
    [root@k8s-master secret]# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Hz/O=DevOps/CN=www.test.com
    [root@k8s-master secret]# ls
    nginx.crt  nginx.key
    # create the Secret
    [root@k8s-master secret]# kubectl create secret tls nginx-ssl-secret --key=./nginx.key --cert=./nginx.crt
    secret/nginx-ssl-secret created
    [root@k8s-master secret]# kubectl get secret
    NAME                               TYPE                                  DATA   AGE
    default-token-fsshk                kubernetes.io/service-account-token   3      39d
    my-grafana                         Opaque                                3      36d
    my-grafana-test-token-87856        kubernetes.io/service-account-token   3      36d
    my-grafana-token-gh765             kubernetes.io/service-account-token   3      36d
    mysql-root-authn                   Opaque                                2      32m
    nginx-ssl-secret                   kubernetes.io/tls                     2      15s
    sh.helm.release.v1.my-grafana.v1   helm.sh/release.v1                    1      36d
    web-basic-authn                    kubenetes.io/basic-auth               2      24m
    [root@k8s-master secret]# kubectl describe secret nginx-ssl-secret
    Name:         nginx-ssl-secret
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>

    Type:  kubernetes.io/tls

    Data
    ====
    tls.crt:  1220 bytes
    tls.key:  1675 bytes
    [root@k8s-master secret]# kubectl get secret nginx-ssl-secret -o yaml
    apiVersion: v1
    data:
      tls.crt: <base64 certificate data omitted>
      tls.key: <base64 private key data omitted>
    kind: Secret
    metadata:
      creationTimestamp: "2021-08-07T07:35:35Z"
      managedFields:
      - apiVersion: v1
        fieldsType: FieldsV1
        fieldsV1:
          f:data:
            .: {}
            f:tls.crt: {}
            f:tls.key: {}
          f:type: {}
        manager: kubectl-create
        operation: Update
        time: "2021-08-07T07:35:35Z"
      name: nginx-ssl-secret
      namespace: default
      resourceVersion: "7460794"
      selfLink: /api/v1/namespaces/default/secrets/nginx-ssl-secret
      uid: 72bdf764-cd58-4be4-b93c-c9e7bd83713e
    type: kubernetes.io/tls
    # decode the key: it is only base64-encoded, so anyone who can read the Secret recovers the private key
    [root@k8s-master secret]# echo <base64 value of tls.key> | base64 -d
    -----BEGIN RSA PRIVATE KEY-----
    (private key material omitted)
    -----END RSA PRIVATE KEY-----
    [root@k8s-master secret]#

  • HTTPS with the self-signed certificate, referencing the TLS Secret
    [root@k8s-master secret]# cat secrets-volume-demo.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: secrets-volume-demo
      namespace: default
    spec:
      containers:
      - image: nginx:alpine
        name: ngxserver
        volumeMounts:
        - name: nginxcerts
          mountPath: /etc/nginx/certs/
          readOnly: true
        - name: nginxconfs
          mountPath: /etc/nginx/conf.d/
          readOnly: true
      volumes:
      - name: nginxcerts
        secret:
          secretName: nginx-ssl-secret    # reference the self-signed certificate Secret created above
      - name: nginxconfs
        configMap:
          name: nginx-sslvhosts-confs    # reference the ConfigMap
          optional: false
    [root@k8s-master secret]# ls nginx-config.d/
    myserver.conf  myserver-gzip.cfg  myserver-status.cfg
    [root@k8s-master secret]# cat nginx-config.d/myserver.conf
    server {
        listen 443 ssl;
        server_name www.test.com;
        ssl_certificate /etc/nginx/certs/tls.crt;
        ssl_certificate_key /etc/nginx/certs/tls.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        include /etc/nginx/conf.d/myserver-*.cfg;
        location / {
            root /usr/share/nginx/html;
        }
    }
    server {
        listen 80;
        server_name www.ilinux.io;
        return 301 https://$host$request_uri;
    }
    (TLSv1 and TLSv1.1 are deprecated; outside a lab, ssl_protocols should allow TLSv1.2 and later only.)
    # create the ConfigMap
    [root@k8s-master secret]# kubectl create configmap nginx-sslvhosts-confs --from-file=./nginx-config.d
    configmap/nginx-sslvhosts-confs created
    [root@k8s-master secret]# kubectl get cm
    NAME                    DATA   AGE
    demoapp-config          4      47h
    demoapp-confs           4      18h
    nginx-config            2      26h
    nginx-config-files      3      24h
    nginx-sslvhosts-confs   3      12s
    [root@k8s-master secret]# kubectl apply -f secrets-volume-demo.yaml
    pod/secrets-volume-demo created
    [root@k8s-master secret]# kubectl get pod
    NAME                        READY   STATUS    RESTARTS   AGE
    secrets-volume-demo         1/1     Running   0          14m
    volumes-pvc-longhorn-demo   1/1     Running   0          2d5h
    # inspect the configuration inside the Pod
    [root@k8s-master secret]# kubectl exec secrets-volume-demo -it -- /bin/sh
    / # cd /etc/nginx/conf.d/
    /etc/nginx/conf.d # ls
    myserver-gzip.cfg    myserver-status.cfg  myserver.conf
    /etc/nginx/conf.d # cat myserver.conf
    (identical to nginx-config.d/myserver.conf shown above)
    /etc/nginx/conf.d # netstat -nlt
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    /etc/nginx/conf.d # curl -H "Host:www.test.com" https://127.0.0.1:443    # curl warns about the self-signed certificate
    curl: (60) SSL certificate problem: self signed certificate
    More details here: https://curl.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
    /etc/nginx/conf.d # curl -k -H "Host:www.test.com" https://127.0.0.1:443    # -k skips certificate verification; the request succeeds
    (HTML markup stripped)
    Welcome to nginx!
    If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
    For online documentation and support please refer to nginx.org.
    Commercial support is available at nginx.com.
    Thank you for using nginx.
    /etc/nginx/conf.d # exit
    [root@k8s-master secret]#

Example 3: create a docker-registry-type Secret for authenticating to a private registry
    [root@k8s-master secret]# kubectl create secret docker-registry harbor-tom --docker-username=tom --docker-password=userpassword --docker-email=tom@test.com --docker-server=https://registry.test.com/v2/
    secret/harbor-tom created
    [root@k8s-master secret]# kubectl get secret
    NAME                               TYPE                                  DATA   AGE
    default-token-fsshk                kubernetes.io/service-account-token   3      39d
    harbor-tom                         kubernetes.io/dockerconfigjson        1      50s
    mysql-root-authn                   Opaque                                2      45m
    nginx-ssl-secret                   kubernetes.io/tls                     2      13m
    sh.helm.release.v1.my-grafana.v1   helm.sh/release.v1                    1      36d
    web-basic-authn                    kubenetes.io/basic-auth               2      37m
    [root@k8s-master secret]# kubectl get secret harbor-tom -o yaml
    apiVersion: v1
    data:
      .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL3JlZ2lzdHJ5LnRlc3QuY29tL3YyLyI6eyJ1c2VybmFtZSI6InRvbSIsInBhc3N3b3JkIjoidXNlcnBhc3N3b3JkIiwiZW1haWwiOiJ0b21AdGVzdC5jb20iLCJhdXRoIjoiZEc5dE9uVnpaWEp3WVhOemQyOXlaQT09In19fQ==
    kind: Secret
    metadata:
      creationTimestamp: "2021-08-07T07:48:15Z"
      managedFields:
      - apiVersion: v1
        fieldsType: FieldsV1
        fieldsV1:
          f:data:
            .: {}
            f:.dockerconfigjson: {}
          f:type: {}
        manager: kubectl-create
        operation: Update
        time: "2021-08-07T07:48:15Z"
      name: harbor-tom
      namespace: default
      resourceVersion: "7463303"
      selfLink: /api/v1/namespaces/default/secrets/harbor-tom
      uid: 461547f3-4286-4377-9220-130231041908
    type: kubernetes.io/dockerconfigjson
    [root@k8s-master secret]#
    # decode it: the registry password is stored in clear inside the JSON, and again inside the base64 "auth" field
    [root@k8s-master secret]# echo eyJhdXRocyI6eyJodHRwczovL3JlZ2lzdHJ5LnRlc3QuY29tL3YyLyI6eyJ1c2VybmFtZSI6InRvbSIsInBhc3N3b3JkIjoidXNlcnBhc3N3b3JkIiwiZW1haWwiOiJ0b21AdGVzdC5jb20iLCJhdXRoIjoiZEc5dE9uVnpaWEp3WVhOemQyOXlaQT09In19fQ== | base64 -d
    {"auths":{"https://registry.test.com/v2/":{"username":"tom","password":"userpassword","email":"tom@test.com","auth":"dG9tOnVzZXJwYXNzd29yZA=="}}}
    [root@k8s-master secret]#
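Added example (ours, not from the notes and not kubectl's code): how the `.dockerconfigjson` value above is assembled, and what it yields to any principal allowed to read the Secret. The function names are assumptions; `PAGE_DOCKERCONFIGJSON` is the value shown in the session above.

```python
import base64
import json

# The .dockerconfigjson value the page shows for the harbor-tom Secret (copied from the page).
PAGE_DOCKERCONFIGJSON = (
    "eyJhdXRocyI6eyJodHRwczovL3JlZ2lzdHJ5LnRlc3QuY29tL3YyLyI6eyJ1c2VybmFtZSI6InRvbSIs"
    "InBhc3N3b3JkIjoidXNlcnBhc3N3b3JkIiwiZW1haWwiOiJ0b21AdGVzdC5jb20iLCJhdXRoIjoiZEc5"
    "dE9uVnpaWEp3WVhOemQyOXlaQT09In19fQ=="
)


def docker_config_json(server, username, password, email):
    """JSON that `kubectl create secret docker-registry` stores under .dockerconfigjson.

    `auth` is base64("username:password"); the same credential is also stored in
    clear, so the encoding protects nothing. (Hypothetical helper, not kubectl code.)
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "email": email, "auth": auth}
    return json.dumps({"auths": {server: entry}}, separators=(",", ":"))


def docker_registry_secret(name, server, username, password, email):
    """Secret manifest (as a dict) of type kubernetes.io/dockerconfigjson, data base64-encoded."""
    raw = docker_config_json(server, username, password, email).encode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": name},
            "data": {".dockerconfigjson": base64.b64encode(raw).decode()}}


def registry_credentials(secret):
    """Inverse: recover {server: (username, password)} from such a Secret.

    This is what kubelet does before pulling an image, and what anyone who can
    `get` the Secret can do as well; RBAC on Secrets is the real protection.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a docker-registry Secret")
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = {}
    for server, entry in cfg["auths"].items():
        if entry.get("auth"):        # prefer the combined field, fall back to the pair
            user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, pw = entry["username"], entry["password"]
        creds[server] = (user, pw)
    return creds
```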

downwardAPI
  • Strictly speaking, the downwardAPI volume type is not a storage volume: what it exposes already exists on its own, because it references the Pod's own runtime environment information, which is present from the moment the Pod starts.
  • Much like ConfigMap or Secret resources, a container can reference metadata of the Pod it belongs to by nesting a fieldRef or resourceFieldRef field inside valueFrom in an environment variable definition. In general, though, only constant attributes can be injected into a container through environment variables: once the process has started there is no way to tell it that a value has changed, so environment variables do not support updates in flight. The information that the container spec can reference through fieldRef nested in valueFrom includes:
  • metadata.name: the Pod object's name;
  • metadata.namespace: the namespace the Pod object belongs to;
  • metadata.uid: the Pod object's UID;
  • metadata.labels['']: the value of the given key in the Pod's labels, e.g. metadata.labels['mylabel']; supported only in Kubernetes 1.9 and later;
  • metadata.annotations['']: the value of the given key in the Pod's annotations; supported only in Kubernetes 1.9 and later.
  • Information about the container's compute resource requests and limits, and its ephemeral-storage requests and limits, can be referenced through the resourceFieldRef field of the container spec; the relevant fields include requests.cpu, limits.cpu, requests.memory and limits.memory. In addition, the following can be referenced through environment variables:
  • status.podIP: the Pod object's IP address
  • spec.serviceAccountName: the name of the ServiceAccount resource used by the Pod
  • spec.nodeName: the node name
  • status.hostIP: the node's IP address
  • The resourceFieldRef field can also reference the current container's resource requests and limits, namely these six items: requests.cpu, requests.memory, requests.ephemeral-storage, limits.cpu, limits.memory and limits.ephemeral-storage.
Example 4: downwardAPI referenced through environment variables (env:)
    [root@k8s-master secret]# cat downwardapi-env-demo.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: downwardapi-env-demo
      labels:
        app: demoapp
    spec:
      containers:
      - name: demoapp
        image: ikubernetes/demoapp:v1.0
        #command: ["/bin/sh","-c","env"]
        resources:
          requests:
            memory: "32Mi"
            cpu: "250m"
          limits:
            memory: "64Mi"
            cpu: "500m"
        env:
        - name: THIS_POD_NAME    # variable name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name    # the Pod object's name
        - name: THIS_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace    # the namespace the Pod is in
        - name: THIS_APP_LABEL
          valueFrom:
            fieldRef:
              fieldPath: metadata.labels['app']
        - name: THIS_CPU_LIMIT
          valueFrom:
            resourceFieldRef:
              resource: limits.cpu    # the CPU limit; without a divisor it is shown as a whole number of cores (1, 2, ...)
        - name: THIS_MEM_REQUEST
          valueFrom:
            resourceFieldRef:
              resource: requests.memory
              divisor: 1Mi    # express the value in MiB
      #restartPolicy: Never
    [root@k8s-master secret]# kubectl get pod
    NAME                      READY   STATUS    RESTARTS   AGE
    configmap-volume-demo3    1/1     Running   0          29h
    configmaps-env-demo       1/1     Running   0          2d1h
    configmaps-volume-demo    1/1     Running   0          2d1h
    configmaps-volume-demo2   2/2     Running   0          43h
    downwardapi-env-demo      1/1     Running   0          8m52s
    [root@k8s-master secret]# kubectl exec downwardapi-env-demo -it -- /bin/sh
    [root@downwardapi-env-demo /]# env    # look at the injected variables
    ...
    THIS_APP_LABEL=demoapp
    ...
    THIS_MEM_REQUEST=32
    ...
    THIS_POD_NAME=downwardapi-env-demo
    ...
    THIS_POD_NAMESPACE=default
    ...
    THIS_CPU_LIMIT=1    # in whole cores: the 500m limit is rounded up to 1
    [root@downwardapi-env-demo /]# echo $THIS_POD_NAME    # reference it directly
    downwardapi-env-demo

Example 5: downwardAPI mounted through volumeMounts
    [root@k8s-master secret]# cat downwardapi-volume-demo.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: downwardapi-volume-demo
      labels:
        zone: zone1
        rack: rack100
        app: demoapp
      annotations:
        region: ease-cn
    spec:
      containers:
      - name: demoapp
        image: ikubernetes/demoapp:v1.0
        resources:
          requests:
            memory: "32Mi"
            cpu: "250m"
          limits:
            memory: "64Mi"
            cpu: "500m"
        volumeMounts:
        - name: podinfo
          mountPath: /etc/podinfo    # where the key files are placed
          readOnly: false
      volumes:
      - name: podinfo
        downwardAPI:
          defaultMode: 420
          items:    # as with ConfigMap references, only the listed fields are written into the volume
          - fieldRef:
              fieldPath: metadata.namespace
            path: pod_namespace    # file name under which the referenced field is written
          - fieldRef:
              fieldPath: metadata.labels
            path: pod_labels
          - fieldRef:
              fieldPath: metadata.annotations
            path: pod_annotations
          - resourceFieldRef:
              containerName: demoapp
              resource: limits.cpu
            path: "cpu_limit"
          - resourceFieldRef:
              containerName: demoapp
              resource: requests.memory
              divisor: "1Mi"
            path: "mem_request"
    [root@k8s-master secret]# kubectl get pod
    NAME                      READY   STATUS    RESTARTS   AGE
    downwardapi-env-demo      1/1     Running   0          36m
    downwardapi-volume-demo   1/1     Running   0          2m11s
    # enter the container and inspect the files
    [root@k8s-master secret]# kubectl exec downwardapi-volume-demo -it -- /bin/sh
    [root@downwardapi-volume-demo /]# cd /etc/podinfo/
    [root@downwardapi-volume-demo /etc/podinfo]# ls
    cpu_limit  mem_request  pod_annotations  pod_labels  pod_namespace
    [root@downwardapi-volume-demo /etc/podinfo]# cat cpu_limit
    1
    [root@downwardapi-volume-demo /etc/podinfo]# cat pod_namespace
    default
    [root@downwardapi-volume-demo /etc/podinfo]# cat pod_labels
    app="demoapp"
    rack="rack100"
    zone="zone1"
    [root@downwardapi-volume-demo /etc/podinfo]# exit
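Added example (ours, not Kubernetes code) covering Examples 4 and 5 together: the quantity arithmetic behind `THIS_CPU_LIMIT=1` and `mem_request=32` (quantity divided by divisor, rounded up to an integer) and the file layout the downwardAPI volume writes under /etc/podinfo, computed from a dict constructed from the `downwardapi-volume-demo` manifest above. Function names and the dict layout are assumptions; it generalizes the page's two cases to any quantity and divisor.

```python
from decimal import Decimal, ROUND_CEILING

# Quantity suffixes Kubernetes accepts: milli, decimal SI and binary (power-of-two) units.
_SUFFIX = {"m": Decimal("0.001"), "k": 10**3, "M": 10**6, "G": 10**9,
           "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

# Constructed from the page's downwardapi-volume-demo manifest (values are the page's own).
POD = {
    "metadata": {"name": "downwardapi-volume-demo", "namespace": "default",
                 "labels": {"zone": "zone1", "rack": "rack100", "app": "demoapp"},
                 "annotations": {"region": "ease-cn"}},
    "spec": {"containers": [{"name": "demoapp", "resources": {
        "requests": {"memory": "32Mi", "cpu": "250m"},
        "limits": {"memory": "64Mi", "cpu": "500m"}}}]},
}
ITEMS = [
    {"fieldRef": {"fieldPath": "metadata.namespace"}, "path": "pod_namespace"},
    {"fieldRef": {"fieldPath": "metadata.labels"}, "path": "pod_labels"},
    {"fieldRef": {"fieldPath": "metadata.annotations"}, "path": "pod_annotations"},
    {"resourceFieldRef": {"containerName": "demoapp", "resource": "limits.cpu"}, "path": "cpu_limit"},
    {"resourceFieldRef": {"containerName": "demoapp", "resource": "requests.memory",
                          "divisor": "1Mi"}, "path": "mem_request"},
]


def parse_quantity(q):
    """Turn '500m', '32Mi' or '2' into an exact Decimal (no float rounding)."""
    for suffix in sorted(_SUFFIX, key=len, reverse=True):
        if q.endswith(suffix):
            return Decimal(q[:-len(suffix)]) * Decimal(_SUFFIX[suffix])
    return Decimal(q)


def downward_api_value(quantity, divisor="1"):
    """What resourceFieldRef exposes: quantity / divisor, rounded UP to an integer.

    This is why the page sees THIS_CPU_LIMIT=1 for a 500m limit with the default
    divisor of 1, and 32 for a 32Mi request with divisor 1Mi. (Hypothetical
    re-implementation of the documented behaviour, not Kubernetes code.)
    """
    ratio = parse_quantity(quantity) / parse_quantity(divisor)
    return int(ratio.to_integral_value(rounding=ROUND_CEILING))


def format_map(m):
    """File form of metadata.labels / metadata.annotations: sorted key="value" lines."""
    return "\n".join(f'{k}="{v}"' for k, v in sorted(m.items()))


def render_downward_volume(pod, items):
    """Return {path: file content} for a downwardAPI volume's items, as /etc/podinfo shows."""
    containers = {c["name"]: c for c in pod["spec"]["containers"]}
    files = {}
    for item in items:
        if "fieldRef" in item:
            section, _, field = item["fieldRef"]["fieldPath"].partition(".")
            value = pod[section][field]
            files[item["path"]] = format_map(value) if isinstance(value, dict) else str(value)
        else:
            ref = item["resourceFieldRef"]
            kind, _, res = ref["resource"].partition(".")   # "limits.cpu" -> ("limits", "cpu")
            raw = containers[ref["containerName"]]["resources"][kind][res]
            files[item["path"]] = str(downward_api_value(raw, ref.get("divisor", "1")))
    return files
```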
