kubectl get --help|grep api
Use "kubectl api-resources" for a complete list of supported resources.
kubectl get pod -n default
NAME READY STATUS RESTARTS AGE
python-app-596cfbb748-pxd44 1/1 Running 4 363d
python-app-596cfbb748-v2qn5 1/1 Running 4 363d
kubectl api-resources|grep sec
secrets true Secret
podsecuritypolicies psp policy false PodSecurityPolicy
Secret 解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者 Pod Spec 中。Secret 可以以 Volume 或者以环境变量的方式使用。
Secret 类型:
1 kubernetes.io/service-account-token
Service Account :用来访问 Kubernetes API,由 Kubernetes 自动创建,
并且会自动挂载到 Pod 的 /var/run/secrets/kubernetes.io/serviceaccount 目录中;
eg: kubectl get pod python-app-596cfbb748-v2qn5 -o yaml|grep serviceMounts:/var/run/secrets/kubernetes.io/serviceaccount from default-token-7zvdf (ro)
2 Opaque :base64 编码格式的 Secret,用来存储密码、密钥等;
今天说下第二种,这里有个坑:做 base64 编码时结尾换行符的问题。注意 base64 只是编码,不是加密,拿到编码值就可以直接解码还原。
Opaque 类型的数据是一个 map 类型,要求 value 是 base64 编码格式
➜ ~ echo admin|base64
YWRtaW4K
➜ ~ echo -n admin|base64
YWRtaW4=
➜ ~ pwd
/Users/lex
➜ ~ echo admin > a.txt    # 这里应该是有了换行符号
➜ ~ cat a.txt
admin
➜ ~ base64 -w 0 a.txt
YWRtaW4K%
➜ ~ cat a.txt
admin
➜ ~ echo -n `cat a.txt`|base64
YWRtaW4=
查看下
kubectl get secrets
NAME TYPE DATA AGE
default-token-zdf98 kubernetes.io/service-account-token 3 363d
kubectl get secrets default-token-zdf98 -o yaml
kubectl get secrets -n alex
NAME TYPE DATA AGE
default-token-kr9z5 kubernetes.io/service-account-token 3 40m
my-secret Opaque 2 10s
kubectl get secrets my-secret -n alex -o yaml
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"test-pw.p12":"YWRtaW4=","test-pw.p12.pwd":"cGFzc3dvcmQ="},"kind":"Secret","metadata":{"annotations":{},"name":"my-secret","namespace":"alex"},"type":"Opaque"}
Mandatory arguments to long options are mandatory for short options too.
-d, --decode decode data
➜ shell echo -n "YWRtaW4="|base64 -d
admin
➜ shell echo -n "cGFzc3dvcmQ="|base64 -d
password
➜ shell kubectl get cm -n alex
NAME DATA AGE
test-common-sb-conf 1 8m32s
➜ kubectl get cm test-common-sb-conf -n alex -o yamlapiVersion: v1data:server-conf.properties: server.port=443 server.ssl.enabled=true server.ssl.key-store=/opt/keystore/test-pw.p12server.ssl.key-store-type=PKCS12 server.ssl.key-store-password=${KEY_STORE_PWD}server.servlet.context-path=/$(apiName}/v${minorVersion}kind: ConfigMapmetadata:annotations:kubectl.kubernetes.io/last-applied-configuration: |{"apiVersion":"v1","data":{"server-conf.properties":"server.port=443 server.ssl.enabled=true server.ssl.key-store=/opt/keystore/test-pw.p12 server.ssl.key-store-type=PKCS12 server.ssl.key-store-password=${KEY_STORE_PWD} server.servlet.context-path=/$(apiName}/v${minorVersion}"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"test-common-sb-conf","namespace":"alex"}}creationTimestamp: "2022-03-05T04:00:29Z"managedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:f:data:.: {}f:server-conf.properties: {}f:metadata:f:annotations:.: {}f:kubectl.kubernetes.io/last-applied-configuration: {}manager: kubectl-client-side-applyoperation: Updatetime: "2022-03-05T04:00:29Z"name: test-common-sb-confnamespace: alexresourceVersion: "337473"selfLink: /api/v1/namespaces/alex/configmaps/test-common-sb-confuid: daba06d7-6b76-415b-887d-2800f75c04aa
3
kubernetes.io/dockerconfigjson :用来存储私有 docker registry 的认证
详细可以参考
https://docs.docker.com/registry/introduction/
我推送的测试脚本
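#!/bin/bash
#
# Test script: create the Opaque Secret "my-secret" and the ConfigMap
# "test-common-sb-conf" in each target namespace (lextest, alex).
#
# Requires: kubectl, with a context that may list namespaces and apply
# Secrets and ConfigMaps.
#
# Security notes:
#   - "admin" / "password" are demo values hard-coded for this test. Real
#     credentials should be read from a file or the environment, not kept in
#     the script.
#   - base64 is an encoding, not encryption: the encoded value printed below
#     is equivalent to the plaintext, so drop those echo lines before using
#     real secrets (they end up in terminal scrollback and CI logs).
#   - Client-side `kubectl apply` stores the applied manifest, including the
#     Secret's data values, in the
#     kubectl.kubernetes.io/last-applied-configuration annotation.

# Abort on the first failing command, on unset variables, and when any stage
# of a pipeline fails (otherwise a failed `kubectl get ns` is silently ignored).
set -euo pipefail

readonly secret_name="my-secret"

# printf '%s' never emits a trailing newline, so the encoded value does not
# pick up the extra "\n" that `echo admin | base64` would include.
p12_encoded=$(printf '%s' admin | base64)
pwd_encoded=$(printf '%s' password | base64)

echo "p12Encode is $p12_encoded"
echo "pwdEncode is $pwd_encoded"
echo "Now will checking namespace"
awk 'BEGIN{while (a++<50) s=s "-"; print s,"splite line",s}'

# Compare the NAME column exactly. A substring match such as
# grep -E "lextest|alex" would also select any namespace whose line merely
# contains one of those strings, and the Secret would be created there too.
kubectl get ns \
  | awk '$1 == "lextest" || $1 == "alex" { print $1 }' \
  | while IFS='' read -r line; do
    echo "starting=======›create secret in namespace: ""$line"" "

    # Values under `data:` must already be base64-encoded.
    kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $secret_name
  namespace: ${line}
type: Opaque
data:
  test-pw.p12: $p12_encoded
  test-pw.p12.pwd: $pwd_encoded
EOF

    # The backslashes keep \${...} literal inside the unquoted here-document,
    # so the placeholders reach the ConfigMap unexpanded.
    # NOTE(review): the value is sent as one space-separated line; if the
    # consumer reads it as a .properties file, a block scalar with one key per
    # line is probably what is wanted - confirm.
    # NOTE(review): "\$(apiName}" has mismatched brackets; it looks like a typo
    # for "\${apiName}" - confirm against the consuming template before changing.
    kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: ${line}
  name: test-common-sb-conf
data:
  server-conf.properties: server.port=443 server.ssl.enabled=true server.ssl.key-store=/opt/keystore/test-pw.p12 server.ssl.key-store-type=PKCS12 server.ssl.key-store-password=\${KEY_STORE_PWD} server.servlet.context-path=/\$(apiName}/v\${minorVersion}
EOF
  done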