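前提:敏感数据不直接写在yaml清单中,而是保存在k8s集群中,将用户定义的密码保存在secret和configmap中(configmap以明文保存数据,密码应放在secret中,configmap只适合存放用户名等非敏感配置)。
secret只是将明文进行base64编码;base64是编码而不是加密,任何能读取该secret对象的人都可以解码还原出明文。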
- 问题
trnuser@k8s:~/pod$ cat wordpress-mysql.yml
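---
# Service in front of the MySQL pods. The listing on the page had lost its
# indentation; the nesting below is restored so the manifest parses as intended.
apiVersion: v1
kind: Service
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  ports:
    - port: 3306
  # Traffic goes to pods that carry both of these labels.
  selector:
    app: wordpress
    tier: mysql
  # "None" makes this a headless Service: no cluster IP is allocated and DNS
  # for the Service name resolves directly to the selected pods.
  clusterIP: None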
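---
# "Problem" version of the Deployment: the MySQL root password is written
# inline under env. Anyone who can read this file, the repository it lives in,
# or the Deployment object in the cluster can read the password.
# Indentation restored from the flattened listing; values are unchanged.
apiVersion: apps/v1 # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1
kind: Deployment
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  replicas: 2
  selector:
    matchLabels:
      app: wordpress
      tier: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wordpress
        tier: mysql
    spec:
      containers:
        - image: mysql:5.7
          name: mysql
          env:
            - name: MYSQL_ROOT_PASSWORD
              value: redhat # plaintext password
              # Secret-based alternative, left disabled in this version:
              # valueFrom:
              #   secretKeyRef:
              #     name: mysql
              #     key: mysql-password
          livenessProbe:
            tcpSocket:
              port: 3306
          ports:
            - containerPort: 3306
              name: mysql
          volumeMounts:
            - name: mysql-persistent-storage
              mountPath: /var/lib/mysql
      volumes:
        - name: mysql-persistent-storage
          persistentVolumeClaim:
            claimName: mysql-pv-claim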
- 解决方案: 将密码保存到secret中
trnuser@k8s:~/pod$ kubectl api-resources | grep secret
secrets true Secret
trnuser@k8s:~/pod$ kubectl api-resources | grep configmap
configmaps cm true ConfigMap
trnuser@k8s:~/pod$
- secret
# Creates the Secret "mysql" with one key, mysql-password.
# NOTE(review): --from-literal puts the password on the command line, so it
# lands in shell history and is visible in the process list while kubectl
# runs; the --from-file / --from-env-file forms further down avoid that.
# No -n flag is given here although the later commands pass -n secret;
# presumably the current context's default namespace is "secret" (confirm).
kubectl create secret generic mysql --from-literal=mysql-password=redhat
- 查看密码
trnuser@k8s:~/pod$ kubectl describe secrets mysql -n secret
Name: mysql
Namespace: secret
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
mysql-password: 6 bytes
-----------------
trnuser@k8s:~/pod$ kubectl get secrets mysql -n secret -o yaml
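# Output of `kubectl get secrets mysql -n secret -o yaml`, with the nesting
# that the flattened listing had lost restored.
apiVersion: v1
data:
  # base64 of the password, not ciphertext. Unlike `kubectl describe`, which
  # prints only the size (6 bytes), `get -o yaml` hands the value to anyone
  # allowed to read Secrets in this namespace.
  mysql-password: cmVkaGF0
kind: Secret
metadata:
  creationTimestamp: "2021-03-01T07:00:49Z"
  managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:mysql-password: {}
        f:type: {}
      manager: kubectl
      operation: Update
      time: "2021-03-01T07:00:49Z"
  name: mysql
  namespace: secret
  resourceVersion: "1304905"
  selfLink: /api/v1/namespaces/secret/secrets/mysql
  uid: ce213f79-3759-4d38-9c7d-da41f8fe1d83
type: Opaque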
- 解码secret
# base64 is reversible without any key: this prints the original password
# ("redhat"), so read access to the Secret object is read access to the
# password itself. Restrict who may get/list Secrets accordingly.
echo -n 'cmVkaGF0' | base64 --decode
- 部署pod调用secrets
trnuser@k8s:~/pod$ cat wordpress-mysql.yml
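---
# Service in front of the MySQL pods (same as in the first listing).
# Indentation restored from the flattened listing; values are unchanged.
apiVersion: v1
kind: Service
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  ports:
    - port: 3306
  # Traffic goes to pods that carry both of these labels.
  selector:
    app: wordpress
    tier: mysql
  # "None" makes this a headless Service: no cluster IP is allocated and DNS
  # for the Service name resolves directly to the selected pods.
  clusterIP: None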
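---
# "Solution" version of the Deployment: the root password is no longer in the
# manifest but is read from the Secret "mysql" at pod start.
# Indentation restored from the flattened listing; values are unchanged.
apiVersion: apps/v1 # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1
kind: Deployment
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  replicas: 2
  selector:
    matchLabels:
      app: wordpress
      tier: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wordpress
        tier: mysql
    spec:
      containers:
        - image: mysql:5.7
          name: mysql
          env:
            - name: MYSQL_ROOT_PASSWORD
              # secretKeyRef is resolved in the Pod's own namespace, so the
              # Secret "mysql" must exist in the namespace this Deployment is
              # applied to (the page shows it in namespace "secret").
              # The value still reaches the container as an environment
              # variable and is readable from inside it; what changes is that
              # it no longer appears in the manifest or the Deployment object.
              valueFrom:
                secretKeyRef:
                  name: mysql
                  key: mysql-password
              # value: redhat
          livenessProbe:
            tcpSocket:
              port: 3306
          ports:
            - containerPort: 3306
              name: mysql
          # Persistent storage is disabled in this version of the listing.
          # volumeMounts:
          #   - name: mysql-persistent-storage
          #     mountPath: /var/lib/mysql
      # volumes:
      #   - name: mysql-persistent-storage
      #     persistentVolumeClaim:
      #       claimName: mysql-pv-claim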
读取文件中内容
# Writes the value to a file named "username". -n stops echo from appending
# a newline, which would otherwise become part of the stored value.
echo -n 'zhangsan' > username
- 创建secret
# --from-file=username: the key defaults to the file name ("username") and the
# value is the file's content, so the value never appears on the command line.
kubectl create secret generic users --from-file=username
- 文件中创建多个变量
[root@master ~]# vim secret.txt
[root@master ~]# cat secret.txt
user1=zhangsan
password1=redhat
user2=lisi
password2=redha
# --from-env-file turns each KEY=value line of secret.txt into one key of the
# Secret "users-2".
# NOTE(review): secret.txt keeps the passwords in plaintext on disk; keep it
# out of version control, restrict its permissions, and remove it once the
# Secret has been created.
kubectl create secret generic users-2 --from-env-file=secret.txt
- configmap
# Creates the ConfigMap "cmap1" with two keys. ConfigMap data is stored and
# displayed as plain text (see the output that follows), so only non-sensitive
# values such as these user names belong here; passwords go in a Secret.
kubectl create configmap cmap1 --from-literal=user1=zhangsan --from-literal=user2=lisi
trnuser@k8s:~/pod$ kubectl get configmap cmap1 -o yaml -n secret
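# Output of `kubectl get configmap cmap1 -o yaml -n secret`, with the nesting
# that the flattened listing had lost restored.
apiVersion: v1
data:
  # ConfigMap values are returned verbatim, with no encoding at all, so
  # nothing sensitive should be stored under data.
  user1: zhangsan
  user2: lisi
kind: ConfigMap
metadata:
  creationTimestamp: "2021-03-02T02:36:23Z"
  managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:user1: {}
          f:user2: {}
      manager: kubectl
      operation: Update
      time: "2021-03-02T02:36:23Z"
  name: cmap1
  namespace: secret
  resourceVersion: "1482007"
  selfLink: /api/v1/namespaces/secret/configmaps/cmap1
  uid: 81158352-60c2-4706-b384-f3efe88bcadc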
标签:kubectl,name,Kubernetes,管理,密码,secret,wordpress,mysql,k8s 来源: https://www.cnblogs.com/bigdad/p/14523029.html