Secret 개요

비밀번호, 토큰, ssh키 같은 민간한 정보를 저장
yaml 파일로 환경변수를 저장하기 위해서는 base64인코딩을 수동으로 해줘야 합니다.

base64 Encode, Decode

sansae@sansaeAir15m2 k8s-lab-workspace % echo -n 'password' | base64
cGFzc3dvcmQ=

sansae@sansaeAir15m2 k8s-lab-workspace % echo -n 'cGFzc3dvcmQ=' | base64 --decode
password%

password% → %는 화면에만 출력되며 실제값에는 영향을 끼치지 않습니다.

Secret Manifest

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  USER_NAME: YWRtaW4=    # admin
  PASSWORD: MWYyZDFlMmU2N2Rm  # 1f2d1e2e67df

secret-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
spec:
  containers:
    - name: test-container
      image: registry.k8s.io/busybox
      command: [ "/bin/sh", "-c", "env" ]
      envFrom:
      - secretRef:
          name: mysecret
  restartPolicy: Never

Secret 실습

sansae@sansaeAir15m2 k8s-lab-workspace % k apply -f secret.yaml 
secret/mysecret created
sansae@sansaeAir15m2 k8s-lab-workspace % k get secret
NAME                                                   TYPE     DATA   AGE
azure-storage-account-f56171ac8d40e462f9098ef-secret   Opaque   2      24h
mysecret                                               Opaque   2      6s

sansae@sansaeAir15m2 k8s-lab-workspace % k apply -f secret-pod.yaml
pod/secret-test-pod created

sansae@sansaeAir15m2 k8s-lab-workspace % k get pod
NAME                 READY   STATUS      RESTARTS       AGE
secret-test-pod      0/1     Completed   0              4s

sansae@sansaeAir15m2 k8s-lab-workspace % k logs secret-test-pod
KUBERNETES_PORT=tcp://10.0.0.1:443
KUBERNETES_SERVICE_PORT=443
HOSTNAME=secret-test-pod
SHLVL=1
HOME=/root
KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443
KUBERNETES_SERVICE_PORT_HTTPS=443
PWD=/
KUBERNETES_SERVICE_HOST=10.0.0.1
USER_NAME=admin
PASSWORD=1f2d1e2e67df

Page tree

08-23-14. Secret

Secret 개요

base64 Encode, Decode

Secret Manifest

Secret 실습