A more complete k8s tutorial is available at: https://www.zfcdn.xyz/showinfo-3-36255-0.html
Purpose: stores encrypted data in etcd and lets Pod containers access it by mounting it as a Volume.
Scenario: storing credentials.
base64 encoding:

[root@master ~]# echo -n 'admin' | base64
YWRtaW4=
[root@master ~]# echo -n 'www.zfcdn.xyz' | base64
YmxvZy50YWcuZ2c=
1. Create the Secret data

Create the file my-secret.yaml and write in the following rules:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: YmxvZy50YWcuZ2c=

Run the following command to create the Secret:

[root@master ~]# kubectl apply -f my-secret.yaml
secret/mysecret created

View the generated Secret:

[root@master ~]# kubectl get Secret
NAME                  TYPE                                  DATA   AGE
default-token-vk75n   kubernetes.io/service-account-token   3      29d
mysecret              Opaque                                2      65s

2. Mount into the Pod container as environment variables
Create secret-val.yaml and write in the following code:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
        env:
        - name: MYSQL_SERVICE_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: MYSQL_SERVICE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password

Run the following command to create the pod:

[root@master ~]# kubectl apply -f secret-val.yaml
deployment.apps/myapp-deploy created

[root@master ~]# kubectl get pods
NAME                                READY   STATUS              RESTARTS   AGE
ds-test-crpsf                       1/1     Running             0          21d
myapp-deploy-s-s-66f44577d5-ngnfq   0/1     ContainerCreating   0          15s
myapp-deploy-s-s-66f44577d5-q9b2f   0/1     ContainerCreating   0          15s
myjob-fp4bl                         0/1     Completed           0          21d

Note:
The following error may appear:

[root@master ~]# kubectl get pods
NAME                                READY   STATUS             RESTARTS   AGE
hello-28037594-f5j4c                0/1     ContainerCreating  0          14s
myapp-deploy-s-s-66f44577d5-ngnfq   0/1     ImagePullBackOff   0          45s
myapp-deploy-s-s-66f44577d5-q9b2f   0/1     ImagePullBackOff   0          45s

Solution:

1. View the pod's error information:

kubectl describe pod myapp-deploy-s-s-66f44577d5-ngnfq

Normal   Scheduled  14m  default-scheduler  Successfully assigned default/myapp-deploy-s-s-66f44577d5-ngnfq to node3
Warning  Failed     14m  kubelet            Failed to pull image "192.168.26.160:86/xielong/myapp:v1.0": rpc error: code = Unknown desc = Error response from daemon: Get "https://192.168.26.160:86/v2/": dial tcp 192.168.26.160:86: i/o timeout (Client.Timeout exceeded while awaiting headers)

The cause is that the image address in the yaml file is 192.168.26.160:86/xielong/myapp:v1.0, which this environment cannot reach. Change the image to your own.

After modifying it, run kubectl apply -f secret-val.yaml to regenerate the pod.
Then run:

[root@master ~]# kubectl get pods
NAME                          READY   STATUS              RESTARTS   AGE
ds-test-crpsf                 1/1     Running             0          21d
ds-test-glnql                 1/1     Running             0          21d
hello-28037606-zzkrf          0/1     Completed           0          3m1s
hello-28037607-sshb6          0/1     Completed           0          2m1s
hello-28037608-njlr2          0/1     Completed           0          61s
hello-28037609-ztfm8          0/1     ContainerCreating   0          1s
myapp-deploy-54fd65cd-x84gx   1/1     Running             0          108s
myapp-deploy-54fd65cd-z9f2m   1/1     Running             0          2m6s

Run the following command to enter the container:

[root@master ~]# kubectl exec -it myapp-deploy-54fd65cd-x84gx bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@myapp-deploy-54fd65cd-x84gx:/#

Run the following commands to view the contents of the variables:

root@myapp-deploy-54fd65cd-x84gx:/# echo $MYSQL_SERVICE_USER
admin
root@myapp-deploy-54fd65cd-x84gx:/# echo $MYSQL_SERVICE_PASSWORD
www.zfcdn.xyz
root@myapp-deploy-54fd65cd-x84gx:/#

3. Mount into the container as a Volume
Create the file my-secret.yaml and write in the following rules:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: YmxvZy50YWcuZ2c=

Run kubectl apply -f my-secret.yaml to create the secret, as follows:

[root@master ~]# kubectl apply -f my-secret.yaml
secret/mysecret created
[root@master ~]# kubectl get Secret
NAME                  TYPE                                  DATA   AGE
default-token-vk75n   kubernetes.io/service-account-token   3      31d
mysecret              Opaque                                2      5s

Create the file secret-vol.yaml and write in the following rules:
The secretName below must match the name configured above; the Secret is mounted under /etc/foo as read-only files.

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

Run the following command to create the pod:
[root@master ~]# kubectl apply -f secret-vol.yaml
pod/mypod created
[root@master ~]# kubectl get pods
NAME                   READY   STATUS      RESTARTS      AGE
ds-test-crpsf          1/1     Running     1 (22h ago)   23d
ds-test-glnql          1/1     Running     1 (22h ago)   23d
hello-28040454-66vt7   0/1     Completed   0             2m52s
mypod                  1/1     Running     0             34s
[root@master ~]#

Enter the pod mypod:

[root@master ~]# kubectl exec -it mypod bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@mypod:/#

Run the following commands to view the mounted files:

root@mypod:/# ls /etc/foo
password  username
root@mypod:/# cat /etc/foo/password
www.zfcdn.xyz
root@mypod:/# cat /etc/foo/username
admin
root@mypod:/#
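As an added example (not code from the original post), the following Python mirrors the steps above: it builds the Opaque Secret from plaintext values the way the `echo -n ... | base64` step does, decodes it back to show that base64 encoding is reversible by anyone who can read the Secret object, and checks that the secretKeyRef names/keys used in secret-val.yaml and the secretName used in secret-vol.yaml resolve to an existing Secret, the mismatch noted above. The manifests are represented as Python dicts mirroring the YAML, and the Pod spec with a misspelled secretName is constructed for illustration.

```python
import base64

# Constructed sample values (not taken from a real system): the two plaintext
# entries this page stores in mysecret.
PLAINTEXT = {"username": "admin", "password": "www.zfcdn.xyz"}

def make_opaque_secret(name, values):
    """Build a type: Opaque Secret manifest as a dict mirroring the YAML,
    base64-encoding each value the way `echo -n VALUE | base64` does."""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in values.items()}
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "Opaque", "data": data}

def decode_secret(secret):
    """Reverse the encoding: base64 is reversible, so anyone allowed to read
    the Secret object recovers the plaintext this way."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}

def check_secret_refs(pod_spec, secrets):
    """Report each place a Pod spec references a Secret name or key that does
    not exist: secretKeyRef in container env, secretName in volumes.
    `secrets` maps Secret name -> manifest (as built above)."""
    problems = []
    for c in pod_spec.get("containers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if not ref:
                continue
            sec = secrets.get(ref["name"])
            if sec is None:
                problems.append(f"env {env['name']}: Secret {ref['name']} not found")
            elif ref["key"] not in sec["data"]:
                problems.append(f"env {env['name']}: key {ref['key']} missing from {ref['name']}")
    for vol in pod_spec.get("volumes", []):
        name = vol.get("secret", {}).get("secretName")
        if name is not None and name not in secrets:
            problems.append(f"volume {vol['name']}: Secret {name} not found")
    return problems

# Constructed Pod spec: the env refs from secret-val.yaml plus a volume whose
# secretName is misspelled, the mismatch the page warns about for secret-vol.yaml.
POD_SPEC = {
    "containers": [{"name": "nginx", "image": "nginx", "env": [
        {"name": "MYSQL_SERVICE_USER",
         "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
        {"name": "MYSQL_SERVICE_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}}]}],
    "volumes": [{"name": "foo", "secret": {"secretName": "my-secret"}}],
}
```

Running check_secret_refs(POD_SPEC, {"mysecret": make_opaque_secret("mysecret", PLAINTEXT)}) reports only the volume whose secretName does not match, which is the error to look for before the Pod reaches ContainerCreating.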
Delete the secret:

Delete a specific secret:

kubectl delete secret default-token-vk75n

Delete all secrets (operate with caution; make sure none are still needed before deleting, otherwise data will be lost):

[root@master ~]# kubectl delete secret --all
secret "default-token-vk75n" deleted
secret "mysecret" deleted