같이 배우기: ConfigMap 및 Secret


ConfigMap 및 Secret


실습 환경

192.168.48.101 master01
192.168.48.201 node01
192.168.48.202 node02

ConfigMap


많은 응용 프로그램이 설정 파일, 명령행 파라미터, 환경 변수에서 설정 정보를 읽는다. ConfigMap은 이러한 설정 정보를 담는 매우 중요한 자원 객체이다.

명령으로 생성

Examples:
  # Create a new configmap named my-config based on folder bar
  kubectl create configmap my-config --from-file=path/to/bar

  # Create a new configmap named my-config with specified keys instead of file basenames on disk
  kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt

  # Create a new configmap named my-config with key1=config1 and key2=config2
  kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2

키 값 형식

[root@master ~]# kubectl create configmap  nginx-config --from-literal=nginx_port=80 --from-literal=server_name=myapp.magedu.com
configmap/nginx-config created
[root@master ~]# kubectl get cm
NAME           DATA   AGE
demo-config    3      13d
nginx-config   2      7s
[root@master ~]# kubectl describe cm nginx-config 
Name:         nginx-config
Namespace:    default
Labels:       
Annotations:  

Data
====
nginx_port:
----
80
server_name:
----
myapp.magedu.com
Events:  


파일 형식

[root@master ~]# vim www.conf
server {
        server_name myapp.magedu.com;
        listen 80;
        root /usr/share/nginx/html;
 }

[root@master ~]# kubectl create configmap nginx-www --from-file=www.conf 
configmap/nginx-www created
[root@master ~]# kubectl get cm
NAME           DATA   AGE
demo-config    3      13d
nginx-config   2      3m38s
nginx-www      1      5s
[root@master ~]# kubectl describe cm nginx-www 
Name:         nginx-www
Namespace:    default
Labels:       
Annotations:  

Data
====
www.conf:
----
server {
        server_name myapp.magedu.com;
        listen 80;
        root /usr/share/nginx/html;
 }

Events:  



yaml 파일 생성

# ConfigMap "cm-demo" written as a manifest instead of `kubectl create`.
# Three keys live under data; "config" is a literal block scalar (|), so its
# three property lines keep their newlines and are projected verbatim when the
# key is mounted as a file.
kind: ConfigMap
apiVersion: v1
metadata:
  name: cm-demo
  namespace: default
data:
  data.1: hello
  data.2: world
  config: |
    property.1=value-1
    property.2=value-2
    property.3=value-3

configmap을 env로 마운트

vim myapp-pod-cm.yaml 

# Pod "myapp-pod-cm": injects two keys of the ConfigMap "nginx-config"
# (created above with --from-literal) as container environment variables.
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod-cm
  namespace: default
  labels:
    app: myapp
    type: pod
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    env:
    # Each entry maps one ConfigMap key to one env var. The values are read
    # when the container is created and are not refreshed afterwards (compare
    # the volume mount below, which can be hot-updated); the printenv session
    # further down shows them alongside the service variables Kubernetes adds.
    - name: NGINX_SERVER_PORT
      valueFrom:
        configMapKeyRef:
          name: nginx-config   # ConfigMap in the same namespace
          key: nginx_port      # -> NGINX_SERVER_PORT=80
    - name: NGINX_SERVER_NAME
      valueFrom:
        configMapKeyRef:
          name: nginx-config
          key: server_name     # -> NGINX_SERVER_NAME=myapp.magedu.com



테스트
[root@master pod_yaml]# kubectl apply -f myapp-pod-cm.yaml 
pod/myapp-pod-cm created

[root@master pod_yaml]# kubectl get pod -o wide
NAME                                      READY   STATUS    RESTARTS   AGE     IP            NODE     NOMINATED NODE   READINESS GATES
demo-deploy-8675c97685-vhncn              1/1     Running   0          13d     10.244.2.5    node02              
demo-deploy-8675c97685-w7md2              1/1     Running   0          13d     10.244.1.5    node01              
demo-pod                                  1/2     Running   9          13d     10.244.2.4    node02              
myapp-nfs-pvc                             1/1     Running   0          7h7m    10.244.1.11   node01              
myapp-pod-cm                              1/1     Running   0          15s     10.244.1.14   node01              
nfs-client-provisioner-7fbb54945f-8rbcb   1/1     Running   0          5h17m   10.244.2.7    node02              
nfs-web-0                                 1/1     Running   0          4h58m   10.244.1.13   node01              
nfs-web-1                                 1/1     Running   0          4h58m   10.244.2.8    node02              
nfs-web-2                                 1/1     Running   0          4h57m   10.244.2.9    node02              
test-pod                                  1/1     Running   0          5h10m   10.244.1.12   node01              

[root@master pod_yaml]# kubectl exec  myapp-pod-cm -it -- /bin/sh
/ # printenv 
MYAPP_SVC_NODEPORT_SERVICE_HOST=10.106.106.242
MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT=443
MYAPP_SVC_CLUSTERIP_SERVICE_HOST=10.98.148.121
MYAPP_SVC_PORT_80_TCP_PORT=80
HOSTNAME=myapp-pod-cm
SHLVL=1
MYAPP_SVC_PORT_80_TCP_PROTO=tcp
HOME=/root
MYAPP_SVC_NODEPORT_PORT=tcp://10.106.106.242:80
MYAPP_SVC_NODEPORT_SERVICE_PORT=80
MYAPP_SVC_CLUSTERIP_SERVICE_PORT=80
MYAPP_SVC_CLUSTERIP_PORT=tcp://10.98.148.121:80
NGINX_SERVER_PORT=80
NGINX_SERVER_NAME=myapp.magedu.com
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
MYAPP_SVC_NODEPORT_PORT_80_TCP_ADDR=10.106.106.242
MYAPP_SVC_CLUSTERIP_PORT_80_TCP_ADDR=10.98.148.121
MYAPP_SVC_NODEPORT_PORT_80_TCP_PORT=80
MYAPP_SVC_NODEPORT_PORT_80_TCP_PROTO=tcp
MYAPP_SVC_CLUSTERIP_PORT_80_TCP_PORT=80
TERM=xterm
NGINX_VERSION=1.12.2
MYAPP_SVC_CLUSTERIP_PORT_80_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
MYAPP_SVC_NODEPORT_PORT_80_TCP=tcp://10.106.106.242:80
MYAPP_SVC_SERVICE_HOST=10.98.57.156
MYAPP_SVC_CLUSTERIP_PORT_80_TCP=tcp://10.98.148.121:80
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
PWD=/
KUBERNETES_SERVICE_HOST=10.96.0.1
MYAPP_SVC_SERVICE_PORT=80
MYAPP_SVC_PORT=tcp://10.98.57.156:80

configmap을 저장소 볼륨으로 마운트

vim myapp-pod-cm-volume.yaml 

# Pod "myapp-pod-cm-volume": exposes the ConfigMap "nginx-config" as files
# under /etc/nginx/config.d, one file per key (nginx_port, server_name), as
# the ls/cat session below shows.
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod-cm-volume
  namespace: default
  labels:
    app: myapp
    type: pod
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
    volumeMounts:
    - name: nginxconf
      mountPath: /etc/nginx/config.d
      readOnly: true   # the container cannot alter the projected config files
  volumes:
  - name: nginxconf
    configMap:
      name: nginx-config   # every key is projected; 'items' would select a subset

[root@master pod_yaml]# kubectl apply -f myapp-pod-cm-volume.yaml 
pod/myapp-pod-cm-volume created
[root@master pod_yaml]# kubectl get pod -o wide
NAME                                      READY   STATUS    RESTARTS   AGE     IP            NODE     NOMINATED NODE   READINESS GATES
demo-deploy-8675c97685-vhncn              1/1     Running   0          13d     10.244.2.5    node02              
demo-deploy-8675c97685-w7md2              1/1     Running   0          13d     10.244.1.5    node01              
demo-pod                                  1/2     Running   9          13d     10.244.2.4    node02              
myapp-nfs-pvc                             1/1     Running   0          7h16m   10.244.1.11   node01              
myapp-pod-cm                              1/1     Running   0          8m41s   10.244.1.14   node01              
myapp-pod-cm-volume                       1/1     Running   0          7s      10.244.1.15   node01              
nfs-client-provisioner-7fbb54945f-8rbcb   1/1     Running   0          5h26m   10.244.2.7    node02              
nfs-web-0                                 1/1     Running   0          5h6m    10.244.1.13   node01              
nfs-web-1                                 1/1     Running   0          5h6m    10.244.2.8    node02              
nfs-web-2                                 1/1     Running   0          5h6m    10.244.2.9    node02              
test-pod                                  1/1     Running   0          5h18m   10.244.1.12   node01              

[root@master pod_yaml]# kubectl exec myapp-pod-cm-volume -it -- /bin/sh
/ # cd /etc/nginx/config.d/
/etc/nginx/config.d # ls
nginx_port   server_name
/etc/nginx/config.d # cat nginx_port 
80
/etc/nginx/config.d # cat server_name 
myapp.magedu.com


Secret


일반적으로 ConfigMap은 보안과 무관한 설정 정보를 저장하는 데 쓰인다. 보안과 관련된 데이터라면 ConfigMap을 사용하는 것은 매우 부적절하다. ConfigMap은 데이터를 그대로 저장하기 때문에, 이때는 다른 자원 객체인 Secret을 사용해야 한다. Secret은 비밀번호, OAuth 토큰, ssh 키 같은 민감한 정보를 저장하는 데 사용한다. 이 정보를 Secret에 두는 것이 Pod 정의나 docker 이미지에 두는 것보다 더 안전하고 유연하다. Secret에는 세 가지 유형이 있습니다.
  • Opaque: base64 인코딩 형식의 Secret으로 비밀번호, 키 등을 저장합니다. 그러나 base64 디코딩만으로 원본 데이터를 얻을 수 있으므로 기밀성은 약하다.
  • kubernetes.io/dockerconfigjson: 개인 docker registry의 인증 정보를 저장합니다.
  • kubernetes.io/service-account-token: ServiceAccount가 참조하는 Secret으로, ServiceAccount가 생성될 때 Kubernetes는 기본적으로 대응하는 Secret을 생성합니다. Pod에서 서비스 계정을 사용하면 해당 Secret이 Pod의 /run/secrets/kubernetes.io/serviceaccount 디렉토리에 자동으로 마운트됩니다.

  • Opaque Secret


    Opaque 유형의 데이터는 맵 형식이며, value는 base64 인코딩 형식이어야 합니다. 예를 들어 사용자 이름은 admin, 비밀번호는 admin321인 Secret 객체를 만들어 봅니다. 우선 이 사용자 이름과 비밀번호를 base64로 인코딩합니다.

    명령 생성

    [root@master ~]# kubectl create secret generic mysql-root   --from-literal=username=admin --from-literal=password=admin321
    secret/mysql-root created
    [root@master ~]# kubectl get secret
    NAME                                 TYPE                                  DATA   AGE
    default-token-f9699                  kubernetes.io/service-account-token   3      13d
    demo-secret                          Opaque                                1      13d
    mysql-root                           Opaque                                2      14s
    nfs-client-provisioner-token-q5h6t   kubernetes.io/service-account-token   3      5h51m
    [root@master ~]# kubectl describe secrets mysql-root 
    Name:         mysql-root
    Namespace:    default
    Labels:       
    Annotations:  
    
    Type:  Opaque
    
    Data
    ====
    password:  8 bytes
    username:  5 bytes
    
    

    yaml 파일 생성

    [root@master ~]# echo -n "admin321" | base64 
    YWRtaW4zMjE=
    [root@master ~]# echo -n "admin" | base64 
    YWRtaW4=
    
    [root@master ~]# vim mysql-root-secret.yaml
    
    # Secret "mysecret": values under data must be base64 encoded (see the
    # `echo -n ... | base64` commands above). base64 is an encoding, not
    # encryption: the `-o yaml` + `base64 -d` session below recovers admin /
    # admin321 as plaintext, so read access to Secrets must be restricted and
    # this manifest itself handled as a credential. Note also that `kubectl
    # apply` copies the whole manifest, values included, into the
    # kubectl.kubernetes.io/last-applied-configuration annotation shown below.
    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
      # namespace omitted: created in the current context's namespace
      # ("default" in the get -o yaml output below)
    type: Opaque
    data:
      username: YWRtaW4=       # "admin"
      password: YWRtaW4zMjE=   # "admin321"
    
    
    [root@master ~]# kubectl get secrets 
    NAME                                 TYPE                                  DATA   AGE
    default-token-f9699                  kubernetes.io/service-account-token   3      13d
    demo-secret                          Opaque                                1      13d
    mysecret                             Opaque                                2      4m46s
    mysql-root                           Opaque                                2      9m51s
    nfs-client-provisioner-token-q5h6t   kubernetes.io/service-account-token   3      6h
    [root@master ~]# kubectl describe secrets  mysecret 
    Name:         mysecret
    Namespace:    default
    Labels:       
    Annotations:  
    Type:         Opaque
    
    Data
    ====
    password:  8 bytes
    username:  5 bytes
    [root@master ~]# kubectl get secrets  mysecret  -o yaml
    apiVersion: v1
    data:
      password: YWRtaW4zMjE=
      username: YWRtaW4=
    kind: Secret
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","data":{"password":"YWRtaW4zMjE=","username":"YWRtaW4="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"type":"Opaque"}
      creationTimestamp: "2019-04-13T14:36:50Z"
      name: mysecret
      namespace: default
      resourceVersion: "93037"
      selfLink: /api/v1/namespaces/default/secrets/mysecret
      uid: 92c96158-5df9-11e9-8bc6-000c296cdc6e
    type: Opaque
    
    [root@master ~]# echo "YWRtaW4zMjE=" | base64 -d
    admin321[root@master ~]# echo "YWRtaW4=" | base64 -d
    admin[root@master ~]# 
    
    

    env 마운트

    vim secret1-pod.yaml
    
    # Pod "secret1-pod": maps the two keys of Secret "mysecret" to env vars.
    # The container command is a bare `env`, so every variable — PASSWORD
    # included — is written to stdout and ends up in `kubectl logs` (see the
    # output below). Fine for this demo; in a real workload anyone with log
    # read access would see the credential, so secret env vars must not be
    # echoed to logs.
    apiVersion: v1
    kind: Pod
    metadata:
      name: secret1-pod
    spec:
      containers:
      - name: secret1
        image: busybox:latest
        imagePullPolicy: IfNotPresent
        # `env` exits immediately; with the default restart policy the pod
        # shows Completed and later CrashLoopBackOff in the listings below.
        command: [ "/bin/sh", "-c", "env" ]
        env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username   # -> USERNAME=admin
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password   # -> PASSWORD=admin321
    
    [root@master ~]# kubectl apply -f secret1-pod.yaml
    
    [root@master ~]# kubectl get pod -o wide
    NAME                                      READY   STATUS      RESTARTS   AGE     IP            NODE     NOMINATED NODE   READINESS GATES
    demo-deploy-8675c97685-vhncn              1/1     Running     0          13d     10.244.2.5    node02              
    demo-deploy-8675c97685-w7md2              1/1     Running     0          13d     10.244.1.5    node01              
    demo-pod                                  1/2     Running     9          13d     10.244.2.4    node02              
    myapp-nfs-pvc                             1/1     Running     0          7h58m   10.244.1.11   node01              
    myapp-pod-cm                              1/1     Running     0          51m     10.244.1.14   node01              
    myapp-pod-cm-volume                       1/1     Running     0          42m     10.244.1.15   node01              
    nfs-client-provisioner-7fbb54945f-8rbcb   1/1     Running     0          6h8m    10.244.2.7    node02              
    nfs-web-0                                 1/1     Running     0          5h49m   10.244.1.13   node01              
    nfs-web-1                                 1/1     Running     0          5h49m   10.244.2.8    node02              
    nfs-web-2                                 1/1     Running     0          5h48m   10.244.2.9    node02              
    secret1-pod                               0/1     Completed   2          26s     10.244.2.10   node02              
    test-pod                                  1/1     Running     0          6h1m    10.244.1.12   node01              
    
    
    [root@master ~]# kubectl logs secret1-pod
    MYAPP_SVC_NODEPORT_SERVICE_HOST=10.106.106.242
    KUBERNETES_SERVICE_PORT=443
    KUBERNETES_PORT=tcp://10.96.0.1:443
    MYAPP_SVC_CLUSTERIP_SERVICE_HOST=10.98.148.121
    HOSTNAME=secret1-pod
    SHLVL=1
    HOME=/root
    MYAPP_SVC_NODEPORT_PORT=tcp://10.106.106.242:80
    MYAPP_SVC_NODEPORT_SERVICE_PORT=80
    MYAPP_SVC_CLUSTERIP_PORT=tcp://10.98.148.121:80
    MYAPP_SVC_CLUSTERIP_SERVICE_PORT=80
    MYAPP_SVC_NODEPORT_PORT_80_TCP_ADDR=10.106.106.242
    MYAPP_SVC_CLUSTERIP_PORT_80_TCP_ADDR=10.98.148.121
    MYAPP_SVC_NODEPORT_PORT_80_TCP_PORT=80
    MYAPP_SVC_NODEPORT_PORT_80_TCP_PROTO=tcp
    USERNAME=admin
    MYAPP_SVC_CLUSTERIP_PORT_80_TCP_PORT=80
    KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
    MYAPP_SVC_CLUSTERIP_PORT_80_TCP_PROTO=tcp
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    KUBERNETES_PORT_443_TCP_PORT=443
    KUBERNETES_PORT_443_TCP_PROTO=tcp
    MYAPP_SVC_NODEPORT_PORT_80_TCP=tcp://10.106.106.242:80
    MYAPP_SVC_CLUSTERIP_PORT_80_TCP=tcp://10.98.148.121:80
    KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
    KUBERNETES_SERVICE_PORT_HTTPS=443
    KUBERNETES_SERVICE_HOST=10.96.0.1
    PWD=/
    PASSWORD=admin321
    
    

    Volume 마운트

    vim secret2-pod.yaml
    
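    # Pod "secret2-pod": projects Secret "mysecret" as files under /etc/secrets,
    # one file per key (password, username — see `kubectl logs` below).
    # The original `image:` line appeared to be indented with a tab; YAML does
    # not allow tabs in indentation and the manifest would be rejected, so the
    # indentation is normalised to spaces here.
    apiVersion: v1
    kind: Pod
    metadata:
      name: secret2-pod
    spec:
      containers:
      - name: secret2
        image: busybox:latest
        imagePullPolicy: IfNotPresent
        # `ls` exits at once, hence Completed / CrashLoopBackOff in the
        # listings below.
        command: ["/bin/sh", "-c", "ls /etc/secrets"]
        volumeMounts:
        - name: secrets
          mountPath: /etc/secrets
      volumes:
      - name: secrets
        secret:
          secretName: mysecret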
    
    [root@master01 ~]# kubectl get pod
    NAME                                      READY   STATUS             RESTARTS   AGE
    demo-deploy-8675c97685-vhncn              1/1     Running            0          13d
    demo-deploy-8675c97685-w7md2              1/1     Running            0          13d
    demo-pod                                  1/2     Running            9          13d
    myapp-nfs-pvc                             1/1     Running            0          8h
    myapp-pod-cm                              1/1     Running            0          56m
    myapp-pod-cm-volume                       1/1     Running            0          47m
    nfs-client-provisioner-7fbb54945f-8rbcb   1/1     Running            0          6h13m
    nfs-web-0                                 1/1     Running            0          5h54m
    nfs-web-1                                 1/1     Running            0          5h54m
    nfs-web-2                                 1/1     Running            0          5h53m
    secret1-pod                               0/1     CrashLoopBackOff   5          5m22s
    secret2-pod                               0/1     Completed          2          18s
    test-pod                                  1/1     Running            0          6h6m
    
    
    
    [root@master01 ~]# kubectl logs secret2-pod
    password
    username
    
    
    

    kubernetes.io/service-account-token


    또 다른 유형의 Secret인 kubernetes.io/service-account-token은 ServiceAccount가 참조한다. 서비스 계정을 만들 때 Kubernetes는 기본적으로 대응하는 Secret을 만듭니다. Pod에서 서비스 계정을 사용하면 해당 Secret은 자동으로 Pod의 /var/run/secrets/kubernetes.io/serviceaccount 디렉토리에 마운트됩니다. 아래에서 cat으로 출력하는 token은 API 서버에 대한 인증 자격 증명이므로, 로그나 문서에 그대로 노출해서는 안 된다.
    [root@master01 ~]# kubectl get  pod
    NAME                                      READY   STATUS             RESTARTS   AGE
    demo-deploy-8675c97685-vhncn              1/1     Running            0          13d
    demo-deploy-8675c97685-w7md2              1/1     Running            0          13d
    demo-pod                                  1/2     Running            9          13d
    myapp-nfs-pvc                             1/1     Running            0          8h
    myapp-pod-cm                              1/1     Running            0          60m
    myapp-pod-cm-volume                       1/1     Running            0          52m
    nfs-client-provisioner-7fbb54945f-8rbcb   1/1     Running            0          6h18m
    nfs-web-0                                 1/1     Running            0          5h58m
    nfs-web-1                                 1/1     Running            0          5h58m
    nfs-web-2                                 1/1     Running            0          5h58m
    secret1-pod                               0/1     CrashLoopBackOff   6          9m47s
    secret2-pod                               0/1     CrashLoopBackOff   5          4m43s
    test-pod                                  1/1     Running            0          6h10m
    [root@master01 ~]# kubectl describe pod demo-pod 
    Name:               demo-pod
    Namespace:          default
    Priority:           0
    PriorityClassName:  
    Node:               node02/192.168.48.202
    Start Time:         Sun, 31 Mar 2019 12:53:32 +0800
    Labels:             app=myapp
                        type=pod
    Annotations:        kubectl.kubernetes.io/last-applied-configuration:
                          {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"app":"myapp","type":"pod"},"name":"demo-pod","namespace":"default"...
    Status:             Running
    IP:                 10.244.2.4
    Containers:
      myapp:
        Container ID:   docker://83ae7929a8c83e907a8d445a44d4bc254942b83332cdc63044b2793f85a6658d
        Image:          ikubernetes/myapp:v1
        Image ID:       docker-pullable://ikubernetes/myapp@sha256:9c3dc30b5219788b2b8a4b065f548b922a34479577befb54b03330999d30d513
        Port:           80/TCP
        Host Port:      0/TCP
        State:          Running
          Started:      Sun, 31 Mar 2019 12:53:33 +0800
        Ready:          True
        Restart Count:  0
        Environment:    
        Mounts:
          /var/run/secrets/kubernetes.io/serviceaccount from default-token-f9699 (ro)
      busybox:
        Container ID:  docker://75a994741b6583346519394a01701f9a444cfe5283ff78da2b818cf22c54cab3
        Image:         busybox:latest
        Image ID:      docker-pullable://busybox@sha256:954e1f01e80ce09d0887ff6ea10b13a812cb01932a0781d6b0cc23f743a874fd
        Port:          
        Host Port:     
        Command:
          /bin/sh
          -c
          mkdir -p /usr/share/nginx/html; echo $(date) >> /usr/share/nginx/html/test.html;sleep 3600
        State:          Terminated
          Reason:       Completed
          Exit Code:    0
          Started:      Sat, 13 Apr 2019 18:54:24 +0800
          Finished:     Sat, 13 Apr 2019 19:54:24 +0800
        Last State:     Terminated
          Reason:       Completed
          Exit Code:    0
          Started:      Sat, 13 Apr 2019 17:54:02 +0800
          Finished:     Sat, 13 Apr 2019 18:54:02 +0800
        Ready:          False
        Restart Count:  9
        Environment:    
        Mounts:
          /var/run/secrets/kubernetes.io/serviceaccount from default-token-f9699 (ro)
    Conditions:
      Type              Status
      Initialized       True 
      Ready             False 
      ContainersReady   False 
      PodScheduled      True 
    Volumes:
      default-token-f9699:
        Type:        Secret (a volume populated by a Secret)
        SecretName:  default-token-f9699
        Optional:    false
    QoS Class:       BestEffort
    Node-Selectors:  
    Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                     node.kubernetes.io/unreachable:NoExecute for 300s
    Events:          
    
    
    
    [root@master01 ~]# kubectl exec  demo-pod ls /var/run/secrets/kubernetes.io/serviceaccount
    ca.crt
    namespace
    token
    [root@master01 ~]# kubectl exec  demo-pod cat /var/run/secrets/kubernetes.io/serviceaccount/token
    eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tZjk2OTkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjhkN2RhOWMwLTUzMWQtMTFlOS04NmVhLTAwMGMyOTZjZGM2ZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.VwxzFq7N1UHBDaPxkrELrnnUYsMvFbQIaz18XdYlryYWGIMAvQ3NzSKqrNka2Ydk1joh9RLA-XIyCa1I2jREpkcKZqeVjE5KQ9wURbjRQEhVTfUG3tw8NQomO_f41M5c1TGq5OrD7AvBfeS96OQnArEdzJwNQCK1guhp2jhoyiHQBdRCoYvjlOnHkUznZ2VT8_IQ7D7cVbkSNvneHqXcCYhpdtGa
    
    
    

    kubernetes.io/dockerconfigjson


    위의 Opaque 유형 외에, docker registry 인증용 Secret을 만들 수 있다. kubectl create 명령으로 직접 만들면 다음과 같다.
    $ kubectl create secret docker-registry myregistry --docker-server=DOCKER_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
    secret "myregistry" created
    

    그런 다음 Secret 목록을 확인합니다.
    $ kubectl get secret
    NAME                  TYPE                                  DATA      AGE
    default-token-n9w2d   kubernetes.io/service-account-token   3         33d
    myregistry            kubernetes.io/dockerconfigjson        1         15s
    mysecret              Opaque                                2         34m
    

    위의 TYPE 열을 보면 myregistry의 유형이 kubernetes.io/dockerconfigjson임을 확인할 수 있다. 같은 describe 명령을 사용하여 상세한 정보를 볼 수 있습니다.
    $ kubectl describe secret myregistry
    Name:         myregistry
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    
    Type:  kubernetes.io/dockerconfigjson
    
    Data
    ====
    .dockerconfigjson:  152 bytes
    

    describe 출력에서는 Data 영역의 내용이 직접 표시되지 않습니다. 내용을 보려면 -o yaml로 출력하면 됩니다.
    $ kubectl get secret myregistry -o yaml
    apiVersion: v1
    data:
      .dockerconfigjson: eyJhdXRocyI6eyJET0NLRVJfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0=
    kind: Secret
    metadata:
      creationTimestamp: 2018-06-19T16:01:05Z
      name: myregistry
      namespace: default
      resourceVersion: "3696966"
      selfLink: /api/v1/namespaces/default/secrets/myregistry
      uid: f91db707-73d9-11e8-a101-525400db4df7
    type: kubernetes.io/dockerconfigjson
    

    위의 -o yaml 출력에서 data 아래의 .dockerconfigjson 값을 base64로 디코딩하면 안에 어떤 데이터가 들어 있는지 볼 수 있다. 아래 결과처럼 registry 사용자 이름과 비밀번호가 평문으로 드러나므로, 이 Secret을 읽을 수 있는 권한은 인증 정보 자체와 같이 취급해야 한다.
    $ echo eyJhdXRocyI6eyJET0NLRVJfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImVtYWlsIjoiRE9DS0VSX0VNQUlMIiwiYXV0aCI6IlJFOURTMFZTWDFWVFJWSTZSRTlEUzBWU1gxQkJVMU5YVDFKRSJ9fX0= | base64 -d
    {"auths":{"DOCKER_SERVER":{"username":"DOCKER_USER","password":"DOCKER_PASSWORD","email":"DOCKER_EMAIL","auth":"RE9DS0VSX1VTRVI6RE9DS0VSX1BBU1NXT1JE"}}}
    

    사설 저장소(private registry)의 docker 이미지를 가져오려면 위에서 만든 myregistry Secret을 사용해야 한다.
    # Pod "foo": pulls its image from the private registry 192.168.1.100:5000
    # using the docker-registry Secret named in imagePullSecrets.
    # NOTE(review): the Secret created above is "myregistry", but this
    # manifest references "myregistrykey"; the two names must match or the
    # kubelet cannot authenticate the pull. This manifest is shown on the page
    # but not applied, so the mismatch went unnoticed.
    apiVersion: v1
    kind: Pod
    metadata:
      name: foo
    spec:
      containers:
      - name: foo
        image: 192.168.1.100:5000/test:v1
      imagePullSecrets:
      - name: myregistrykey
    

    사설 저장소의 이미지 192.168.1.100:5000/test:v1를 가져오려면, 이 사설 저장소를 대상으로 위와 같은 Secret을 만들고 Pod의 YAML 파일에서 imagePullSecrets로 지정해야 한다. 사설 저장소를 구축하는 과정은 뒤에서 상세히 설명하겠다.

    시크릿과 ConfigMap 비교


    마지막으로 Secret과 ConfigMap 두 자원 객체의 공통점과 차이점을 비교해 보겠습니다.
    공통점:
  • key/value의 형식
  • 특정한 Namespace에 속한다.
  • 환경 변수로 내보낼 수 있음
  • 디렉토리/파일로 마운트할 수 있음
  • volume를 통해 마운트된 설정 정보를 핫 업데이트할 수 있음
  • 차이점:
  • Secret은 ServiceAccount에 연결될 수 있음
  • Secret은 docker registry의 인증 정보를 저장할 수 있으며, imagePullSecrets 매개 변수에서 사설 저장소의 이미지를 가져오는 데 사용됨
  • Secret은 값을 Base64로 인코딩함(암호화는 아님)
  • Secret은 kubernetes.io/service-account-token, kubernetes.io/dockerconfigjson, Opaque 세 종류로 나뉘지만, ConfigMap은 종류를 구분하지 않음