Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Info
iconfalse
title목차

Table of Contents

Secret 개요

Info
iconfalse
  • 비밀번호, 토큰, ssh키 같은 민간한 정보를 저장 
  • yaml 파일로 환경변수를 저장하기 위해서는 base64인코딩을 수동으로 해줘야 합니다.
  • secret이 업데이트된 후 Pod를 재 실행 줘야 합니다.

base64 Encode, Decode

Code Block
linenumberstrue
sansae@sansaeAir15m2 k8s-lab-workspace % echo -n 'password' | base64
cGFzc3dvcmQ=

sansae@sansaeAir15m2 k8s-lab-workspace % echo -n 'cGFzc3dvcmQ=' | base64 --decode
password%


Info

password% → %는 화면에만 출력되며 실제값에는 영향을 끼치지 않습니다.

Secret 타입

Info
iconfalse
빌트인 타입사용처
Opaque임의의 사용자 정의 데이터 (default)
kubernetes.io/service-account-token서비스 어카운트 토큰
kubernetes.io/dockercfg직렬화 된(serialized) ~/.dockercfg 파일
kubernetes.io/dockerconfigjson직렬화 된 ~/.docker/config.json 파일
kubernetes.io/basic-auth기본 인증을 위한 자격 증명(credential)
kubernetes.io/ssh-authSSH를 위한 자격 증명
kubernetes.io/tlsTLS 클라이언트나 서버를 위한 데이터
bootstrap.kubernetes.io/token부트스트랩 토큰 데이터


Secret Manifest

Info
iconfalse

https://dev-k8sref-io.web.app/docs/config-and-storage/secret-v1/

Info
iconfalse
  • apiVersion: v1
  • kind: Secret

  • metadata (ObjectMeta)

  • data (map[string][]byte)

  • immutable (boolean)

  • stringData (map[string]string)

  • type (string)


Code Block
titlesecret.yaml
linenumberstrue
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  USER_NAME: YWRtaW4=    # admin
  PASSWORD: MWYyZDFlMmU2N2Rm  # 1f2d1e2e67df
Code Block
titlesecret-pod.yaml
linenumberstrue
apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
spec:
  containers:
    - name: test-container
      image: registry.k8s.io/busybox
      command: [ "/bin/sh", "-c", "env" ]
      envFrom:
      - secretRef:
          name: mysecret
  restartPolicy: Never 


Secret 실습

Info
iconfalse
Code Block
linenumberstrue
sansae@sansaeAir15m2 k8s-lab-workspace % k apply -f secret.yaml 
secret/mysecret created
sansae@sansaeAir15m2 k8s-lab-workspace % k get secret
NAME                                                   TYPE     DATA   AGE
azure-storage-account-f56171ac8d40e462f9098ef-secret   Opaque   2      24h
mysecret                                               Opaque   2      6s

sansae@sansaeAir15m2 k8s-lab-workspace % k apply -f secret-pod.yaml
pod/secret-test-pod created

sansae@sansaeAir15m2 k8s-lab-workspace % k get pod
NAME                 READY   STATUS      RESTARTS       AGE
secret-test-pod      0/1     Completed   0              4s

sansae@sansaeAir15m2 k8s-lab-workspace % k logs secret-test-pod
KUBERNETES_PORT=tcp://10.0.0.1:443
KUBERNETES_SERVICE_PORT=443
HOSTNAME=secret-test-pod
SHLVL=1
HOME=/root
KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
PWD=/
KUBERNETES_SERVICE_HOST=10.0.0.1
USER_NAME=admin
PASSWORD=1f2d1e2e67df