Introduction
The explanation is as follows. The secret data is written into the YAML file as Base64.
Secrets are the same as ConfigMaps but they are for credentials such as usernames, passwords, and tokens. Secrets in Kubernetes are not secure by nature. The applications have to see the decoded version of the Secrets, so they are not encoded in the network. Further, they are only encoded with the basic base64 encoder. So it is very easy to decode them. To secure Secrets, it is recommended to use EncryptionConfiguration or 3rd party tools such as Hashicorp's Vault.
Using a Secret as secretKeyRef
Usually a secret is turned into an environment variable.
Example
We do it like this
env:
  - name: MYSQL_ROOT_PASSWORD
    valueFrom:
      secretKeyRef:
        name: db-root-credentials
        key: password
Using a Secret as a Volume
1. The Secret is turned into a volume under volumes
2. The Pod mounts this volume with volumeMounts.
Example
We do it like this
# Pod-definition with secret mounted as a volume into the pod
apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  containers:
    - name: wordpress
      image: wordpress
      volumeMounts:
        - name: secret-vol01
          mountPath: /etc/secret   # files - mounted in this location
          readOnly: true
  volumes:
    - name: secret-vol01
      secret:
        secretName: app-secret
The data Field
The secret data is in Key/Value form and is Base64 encoded. The base64 command can be used to produce the Base64 output. We do it like this
echo -n '{plaintext}' | base64
The data Field Used with secretKeyRef
Example
We do it like this
apiVersion: v1
kind: Secret
metadata:
  name: db-root-credentials
data:
  password: cm9vdA==
To use it we do this
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
  labels:
    app: mysql
    tier: database
spec:
  selector:
    matchLabels:
      app: mysql
      tier: database
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
        tier: database
    spec:
      containers:
        - image: mysql:5.7
          args:
            - "--ignore-db-dir=lost+found"
          name: mysql
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-root-credentials
                  key: password
            - name: MYSQL_USER
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: username
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: password
            - name: MYSQL_DATABASE
              valueFrom:          # configMapKeyRef must sit under valueFrom, like secretKeyRef
                configMapKeyRef:
                  name: db-conf
                  key: name
          ports:
            - containerPort: 3306
              name: mysql
          volumeMounts:
            - name: mysql-persistent-storage
              mountPath: /var/lib/mysql
      volumes:
        - name: mysql-persistent-storage
          persistentVolumeClaim:
            claimName: mysql-pv-claim
Example
We do it like this. The name under secretKeyRef must be the same as the Secret's name.
apiVersion: v1
kind: Secret
metadata:
  name: spring-keycloak-secrets
  namespace: spring-keycloak-demo
type: Opaque
data:
  # You can include additional key value pairs as you do with Opaque Secrets
  keycloak-pass: YWRtaW4K
  postgres-pass: ZXhhbXBsZQo=
To access it we do this. The consuming side decodes the Base64 data automatically.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
  namespace: spring-keycloak-demo
spec:
  selector:
    matchLabels:
      app: postgres
  replicas: 1
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
        - name: postgres
          image: postgres:latest
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: postgres
            - name: POSTGRES_USER
              value: postgres
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: spring-keycloak-secrets
                  key: postgres-pass
The data Field Used with a secretName Volume Mount
Example
We do it like this. Here the secret data is loaded into a volume. Each Key/Value pair becomes a separate file.
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: YWRtaW4=
  password: MTIzNDU2
---
apiVersion: v1
kind: Pod
metadata:
  name: basic-app
spec:
  volumes:
    - name: my-volume-for-secret
      secret:
        secretName: my-secret
  containers:
    - name: basic-app
      image: nginx
      volumeMounts:
        - name: my-volume-for-secret
          mountPath: /etc/my-secret-vol
          readOnly: true
To access the secret data we do this
> kubectl exec basic-app -- ls /etc/my-secret-vol
password
username
> kubectl exec basic-app -- cat /etc/my-secret-vol/username
admin
> kubectl exec basic-app -- cat /etc/my-secret-vol/password
123456
The stringData Field
The secret data is given as plain strings
Example
We do it like this
apiVersion: v1
kind: Secret
metadata:
  name: example-cluster-config
type: Opaque
stringData:
  users.json: |
    {
      "user": [{
        "UserData": "user",
        "Password": ""
      }]
    }
  init_db.sql: |
    # Disable remote root access (only allow UNIX socket).
    DELETE FROM mysql.user WHERE User = 'root' AND Host != 'localhost';
    ...
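An added example, not from the original post, that works through the data and stringData rules above in Python: it encodes values the way the base64 command does, decodes data values as strictly as the API server does, applies the rule that a key present in both data and stringData is taken from stringData, and flags plaintext that was put under data by mistake; the manifest dict is a constructed sample standing in for the parsed YAML.

```python
import base64
import binascii

# Constructed sample (parsed form of the page's YAML): the db-root-credentials
# Secret with one base64 `data` entry plus a `stringData` entry.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-root-credentials"},
    "type": "Opaque",
    "data": {"password": "cm9vdA=="},
    "stringData": {"username": "root"},
}


def encode_value(plaintext: str) -> str:
    """Same as `echo -n '<plaintext>' | base64`; without -n a trailing newline
    would be encoded into the value."""
    return base64.b64encode(plaintext.encode("utf-8")).decode("ascii")


def decode_value(encoded: str) -> str:
    """Strict base64 decode, as the API server does for `data`, then require
    UTF-8 so plaintext mistakenly placed under `data` is caught: a short word
    such as "root" is itself valid base64 and would be stored as garbage bytes."""
    raw = base64.b64decode(encoded, validate=True)
    if base64.b64encode(raw).decode("ascii") != encoded:
        raise ValueError(f"non-canonical base64: {encoded!r}")
    return raw.decode("utf-8")


def resolve_secret(manifest: dict) -> dict:
    """Plaintext key/values a Pod receives: `data` is base64-decoded, `stringData`
    is used as-is, and a key present in both comes from `stringData` (the documented
    merge rule). Anyone who can read the manifest can do the same: it is not encrypted."""
    if manifest.get("kind") != "Secret":
        raise ValueError("not a Secret manifest")
    resolved = {}
    for key, value in (manifest.get("data") or {}).items():
        try:
            resolved[key] = decode_value(value)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"data.{key} is not base64 text ({exc}); "
                             "encode it or move it to stringData") from exc
    resolved.update(manifest.get("stringData") or {})
    return resolved
```

Run resolve_secret on a manifest pulled from a repository or CI log to see exactly what a reviewer with read access would learn from it.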