{"id":1085,"date":"2021-07-05T10:31:57","date_gmt":"2021-07-05T02:31:57","guid":{"rendered":"https:\/\/www.linuxdevops.cn\/?p=1085"},"modified":"2023-04-07T09:56:36","modified_gmt":"2023-04-07T01:56:36","slug":"kubernetes-secret-concept-configuration","status":"publish","type":"post","link":"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/","title":{"rendered":"kubernetes Secret \u6982\u5ff5\u914d\u7f6e\u3002"},"content":{"rendered":"<h1>Secret<\/h1>\n<p><code>Secret<\/code> \u5bf9\u8c61\u7c7b\u578b\u7528\u6765\u4fdd\u5b58\u654f\u611f\u4fe1\u606f\uff0c\u4f8b\u5982\u5bc6\u7801\u3001OAuth \u4ee4\u724c\u548c SSH \u5bc6\u94a5\u3002 \u5c06\u8fd9\u4e9b\u4fe1\u606f\u653e\u5728 <code>secret<\/code> \u4e2d\u6bd4\u653e\u5728 <a href=\"https:\/\/kubernetes.io\/docs\/concepts\/workloads\/pods\/pod-overview\/\">Pod<\/a> \u7684\u5b9a\u4e49\u6216\u8005 <a href=\"https:\/\/kubernetes.io\/zh\/docs\/reference\/glossary\/?all=true#term-image\">\u5bb9\u5668\u955c\u50cf<\/a> \u4e2d\u6765\u8bf4\u66f4\u52a0\u5b89\u5168\u548c\u7075\u6d3b\u3002 \u53c2\u9605 <a href=\"https:\/\/git.k8s.io\/community\/contributors\/design-proposals\/auth\/secrets.md\">Secret \u8bbe\u8ba1\u6587\u6863<\/a> \u83b7\u53d6\u66f4\u591a\u8be6\u7ec6\u4fe1\u606f\u3002<\/p>\n<p>Secret \u662f\u4e00\u79cd\u5305\u542b\u5c11\u91cf\u654f\u611f\u4fe1\u606f\u4f8b\u5982\u5bc6\u7801\u3001\u4ee4\u724c\u6216\u5bc6\u94a5\u7684\u5bf9\u8c61\u3002 \u8fd9\u6837\u7684\u4fe1\u606f\u53ef\u80fd\u4f1a\u88ab\u653e\u5728 Pod \u89c4\u7ea6\u4e2d\u6216\u8005\u955c\u50cf\u4e2d\u3002 \u7528\u6237\u53ef\u4ee5\u521b\u5efa Secret\uff0c\u540c\u65f6\u7cfb\u7edf\u4e5f\u521b\u5efa\u4e86\u4e00\u4e9b Secret\u3002<\/p>\n<blockquote>\n<p><strong>\u6ce8\u610f\uff1a<\/strong><\/p>\n<p>Kubernetes Secret \u9ed8\u8ba4\u60c5\u51b5\u4e0b\u5b58\u50a8\u4e3a base64-\u7f16\u7801\u7684\u3001\u975e\u52a0\u5bc6\u7684\u5b57\u7b26\u4e32\u3002 \u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0c\u80fd\u591f\u8bbf\u95ee API \u7684\u4efb\u4f55\u4eba\uff0c\u6216\u8005\u80fd\u591f\u8bbf\u95ee Kubernetes \u4e0b\u5c42\u6570\u636e\u5b58\u50a8\uff08etcd\uff09 \u7684\u4efb\u4f55\u4eba\u90fd\u53ef\u4ee5\u4ee5\u660e\u6587\u5f62\u5f0f\u8bfb\u53d6\u8fd9\u4e9b\u6570\u636e\u3002 \u4e3a\u4e86\u80fd\u591f\u5b89\u5168\u5730\u4f7f\u7528 Secret\uff0c\u6211\u4eec\u5efa\u8bae\u4f60\uff08\u81f3\u5c11\uff09\uff1a<\/p>\n<ol>\n<li>\u4e3a Secret <a href=\"https:\/\/kubernetes.io\/zh\/docs\/tasks\/administer-cluster\/encrypt-data\/\">\u542f\u7528\u9759\u6001\u52a0\u5bc6<\/a>\uff1b<\/li>\n<li><a href=\"https:\/\/kubernetes.io\/zh\/docs\/reference\/access-authn-authz\/authorization\/\">\u542f\u7528 \u6216\u914d\u7f6e RBAC \u89c4\u5219<\/a>\u6765\u9650\u5236\u5bf9 Secret \u7684\u8bfb\u5199\u64cd\u4f5c\u3002 \u8981\u6ce8\u610f\uff0c\u4efb\u4f55\u88ab\u5141\u8bb8\u521b\u5efa Pod \u7684\u4eba\u90fd\u9ed8\u8ba4\u5730\u5177\u6709\u8bfb\u53d6 Secret \u7684\u6743\u9650\u3002<\/li>\n<\/ol>\n<\/blockquote>\n<h2>Secret \u6982\u89c8<\/h2>\n<p>\u8981\u4f7f\u7528 Secret\uff0cPod \u9700\u8981\u5f15\u7528 Secret\u3002 Pod \u53ef\u4ee5\u7528\u4e09\u79cd\u65b9\u5f0f\u4e4b\u4e00\u6765\u4f7f\u7528 Secret\uff1a<\/p>\n<ul>\n<li>\u4f5c\u4e3a\u6302\u8f7d\u5230\u4e00\u4e2a\u6216\u591a\u4e2a\u5bb9\u5668\u4e0a\u7684 <a href=\"https:\/\/kubernetes.io\/zh\/docs\/concepts\/storage\/volumes\/\">\u5377<\/a> \u4e2d\u7684<a href=\"https:\/\/kubernetes.io\/zh\/docs\/concepts\/configuration\/secret\/#using-secrets-as-files-from-a-pod\">\u6587\u4ef6<\/a>\u3002<\/li>\n<li>\u4f5c\u4e3a<a href=\"https:\/\/kubernetes.io\/zh\/docs\/concepts\/configuration\/secret\/#using-secrets-as-environment-variables\">\u5bb9\u5668\u7684\u73af\u5883\u53d8\u91cf<\/a><\/li>\n<li>\u7531 <a href=\"https:\/\/kubernetes.io\/zh\/docs\/concepts\/configuration\/secret\/#using-imagepullsecrets\">kubelet \u5728\u4e3a Pod \u62c9\u53d6\u955c\u50cf\u65f6\u4f7f\u7528<\/a><\/li>\n<\/ul>\n<p>Secret \u5bf9\u8c61\u7684\u540d\u79f0\u5fc5\u987b\u662f\u5408\u6cd5\u7684 <a href=\"https:\/\/kubernetes.io\/zh\/docs\/concepts\/overview\/working-with-objects\/names#dns-subdomain-names\">DNS \u5b50\u57df\u540d<\/a>\u3002 \u5728\u4e3a\u521b\u5efa Secret \u7f16\u5199\u914d\u7f6e\u6587\u4ef6\u65f6\uff0c\u4f60\u53ef\u4ee5\u8bbe\u7f6e <code>data<\/code> \u4e0e\/\u6216 <code>stringData<\/code> \u5b57\u6bb5\u3002 <code>data<\/code> \u548c <code>stringData<\/code> \u5b57\u6bb5\u90fd\u662f\u53ef\u9009\u7684\u3002<code>data<\/code> \u5b57\u6bb5\u4e2d\u6240\u6709\u952e\u503c\u90fd\u5fc5\u987b\u662f base64 \u7f16\u7801\u7684\u5b57\u7b26\u4e32\u3002\u5982\u679c\u4e0d\u5e0c\u671b\u6267\u884c\u8fd9\u79cd base64 \u5b57\u7b26\u4e32\u7684\u8f6c\u6362\u64cd\u4f5c\uff0c\u4f60\u53ef\u4ee5\u9009\u62e9\u8bbe\u7f6e <code>stringData<\/code> \u5b57\u6bb5\uff0c\u5176\u4e2d\u53ef\u4ee5\u4f7f\u7528\u4efb\u4f55\u5b57\u7b26\u4e32\u4f5c\u4e3a\u5176\u53d6\u503c\u3002<\/p>\n<h2>Secret \u7684\u7c7b\u578b<\/h2>\n<p>\u5728\u521b\u5efa Secret \u5bf9\u8c61\u65f6\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528 <a href=\"https:\/\/kubernetes.io\/docs\/reference\/generated\/kubernetes-api\/v1.21\/#secret-v1-core\"><code>Secret<\/code><\/a> \u8d44\u6e90\u7684 <code>type<\/code> \u5b57\u6bb5\uff0c\u6216\u8005\u4e0e\u5176\u7b49\u4ef7\u7684 <code>kubectl<\/code> \u547d\u4ee4\u884c\u53c2\u6570\uff08\u5982\u679c\u6709\u7684\u8bdd\uff09\u4e3a\u5176\u8bbe\u7f6e\u7c7b\u578b\u3002 Secret \u7684\u7c7b\u578b\u7528\u6765\u5e2e\u52a9\u7f16\u5199\u7a0b\u5e8f\u5904\u7406 Secret \u6570\u636e\u3002<\/p>\n<p>Kubernetes \u63d0\u4f9b\u82e5\u5e72\u79cd\u5185\u7f6e\u7684\u7c7b\u578b\uff0c\u7528\u4e8e\u4e00\u4e9b\u5e38\u89c1\u7684\u4f7f\u7528\u573a\u666f\u3002 \u9488\u5bf9\u8fd9\u4e9b\u7c7b\u578b\uff0cKubernetes \u6240\u6267\u884c\u7684\u5408\u6cd5\u6027\u68c0\u67e5\u64cd\u4f5c\u4ee5\u53ca\u5bf9\u5176\u6240\u5b9e\u65bd\u7684\u9650\u5236\u5404\u4e0d\u76f8\u540c\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th>\u5185\u7f6e\u7c7b\u578b<\/th>\n<th>\u7528\u6cd5<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><code>Opaque<\/code><\/td>\n<td>\u7528\u6237\u5b9a\u4e49\u7684\u4efb\u610f\u6570\u636e<\/td>\n<\/tr>\n<tr>\n<td><code>kubernetes.io\/service-account-token<\/code><\/td>\n<td>\u670d\u52a1\u8d26\u53f7\u4ee4\u724c<\/td>\n<\/tr>\n<tr>\n<td><code>kubernetes.io\/dockercfg<\/code><\/td>\n<td><code>~\/.dockercfg<\/code> \u6587\u4ef6\u7684\u5e8f\u5217\u5316\u5f62\u5f0f<\/td>\n<\/tr>\n<tr>\n<td><code>kubernetes.io\/dockerconfigjson<\/code><\/td>\n<td><code>~\/.docker\/config.json<\/code> \u6587\u4ef6\u7684\u5e8f\u5217\u5316\u5f62\u5f0f<\/td>\n<\/tr>\n<tr>\n<td><code>kubernetes.io\/basic-auth<\/code><\/td>\n<td>\u7528\u4e8e\u57fa\u672c\u8eab\u4efd\u8ba4\u8bc1\u7684\u51ed\u636e<\/td>\n<\/tr>\n<tr>\n<td><code>kubernetes.io\/ssh-auth<\/code><\/td>\n<td>\u7528\u4e8e SSH \u8eab\u4efd\u8ba4\u8bc1\u7684\u51ed\u636e<\/td>\n<\/tr>\n<tr>\n<td><code>kubernetes.io\/tls<\/code><\/td>\n<td>\u7528\u4e8e TLS \u5ba2\u6237\u7aef\u6216\u8005\u670d\u52a1\u5668\u7aef\u7684\u6570\u636e<\/td>\n<\/tr>\n<tr>\n<td><code>bootstrap.kubernetes.io\/token<\/code><\/td>\n<td>\u542f\u52a8\u5f15\u5bfc\u4ee4\u724c\u6570\u636e<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u901a\u8fc7\u4e3a Secret \u5bf9\u8c61\u7684 <code>type<\/code> \u5b57\u6bb5\u8bbe\u7f6e\u4e00\u4e2a\u975e\u7a7a\u7684\u5b57\u7b26\u4e32\u503c\uff0c\u4f60\u4e5f\u53ef\u4ee5\u5b9a\u4e49\u5e76\u4f7f\u7528\u81ea\u5df1 Secret \u7c7b\u578b\u3002\u5982\u679c <code>type<\/code> \u503c\u4e3a\u7a7a\u5b57\u7b26\u4e32\uff0c\u5219\u88ab\u89c6\u4e3a <code>Opaque<\/code> \u7c7b\u578b\u3002 Kubernetes \u5e76\u4e0d\u5bf9\u7c7b\u578b\u7684\u540d\u79f0\u4f5c\u4efb\u4f55\u9650\u5236\u3002\u4e0d\u8fc7\uff0c\u5982\u679c\u4f60\u8981\u4f7f\u7528\u5185\u7f6e\u7c7b\u578b\u4e4b\u4e00\uff0c \u5219\u4f60\u5fc5\u987b\u6ee1\u8db3\u4e3a\u8be5\u7c7b\u578b\u6240\u5b9a\u4e49\u7684\u6240\u6709\u8981\u6c42\u3002<\/p>\n<h3>Opaque Secret<\/h3>\n<p>\u5f53 Secret \u914d\u7f6e\u6587\u4ef6\u4e2d\u672a\u4f5c\u663e\u5f0f\u8bbe\u5b9a\u65f6\uff0c\u9ed8\u8ba4\u7684 Secret \u7c7b\u578b\u662f <code>Opaque<\/code>\u3002 \u5f53\u4f60\u4f7f\u7528 <code>kubectl<\/code> \u6765\u521b\u5efa\u4e00\u4e2a Secret \u65f6\uff0c\u4f60\u4f1a\u4f7f\u7528 <code>generic<\/code> \u5b50\u547d\u4ee4\u6765\u6807\u660e \u8981\u521b\u5efa\u7684\u662f\u4e00\u4e2a <code>Opaque<\/code> \u7c7b\u578b Secret\u3002 \u4f8b\u5982\uff0c\u4e0b\u9762\u7684\u547d\u4ee4\u4f1a\u521b\u5efa\u4e00\u4e2a\u7a7a\u7684 <code>Opaque<\/code> \u7c7b\u578b Secret \u5bf9\u8c61\uff1a<\/p>\n<pre><code class=\"language-shell\">kubectl create secret generic empty-secret\nkubectl get secret empty-secret<\/code><\/pre>\n<p>\u8f93\u51fa\u7c7b\u4f3c\u4e8e<\/p>\n<pre><code>NAME           TYPE     DATA   AGE\nempty-secret   Opaque   0      2m6s<\/code><\/pre>\n<p><code>DATA<\/code> \u5217\u663e\u793a Secret \u4e2d\u4fdd\u5b58\u7684\u6570\u636e\u6761\u76ee\u4e2a\u6570\u3002 \u5728\u8fd9\u4e2a\u4f8b\u5b50\u79cd\uff0c<code>0<\/code> \u610f\u5473\u7740\u6211\u4eec\u521a\u521a\u521b\u5efa\u4e86\u4e00\u4e2a\u7a7a\u7684 Secret\u3002<\/p>\n<h3>\u670d\u52a1\u8d26\u53f7\u4ee4\u724c Secret<\/h3>\n<p>\u7c7b\u578b\u4e3a <code>kubernetes.io\/service-account-token<\/code> \u7684 Secret \u7528\u6765\u5b58\u653e\u6807\u8bc6\u67d0 \u670d\u52a1\u8d26\u53f7\u7684\u4ee4\u724c\u3002\u4f7f\u7528\u8fd9\u79cd Secret \u7c7b\u578b\u65f6\uff0c\u4f60\u9700\u8981\u786e\u4fdd\u5bf9\u8c61\u7684\u6ce8\u89e3 <code>kubernetes.io\/service-account-name<\/code> \u88ab\u8bbe\u7f6e\u4e3a\u67d0\u4e2a\u5df2\u6709\u7684\u670d\u52a1\u8d26\u53f7\u540d\u79f0\u3002 \u67d0\u4e2a Kubernetes \u63a7\u5236\u5668\u4f1a\u586b\u5199 Secret \u7684\u5176\u5b83\u5b57\u6bb5\uff0c\u4f8b\u5982 <code>kubernetes.io\/service-account.uid<\/code> \u6ce8\u89e3\u4ee5\u53ca <code>data<\/code> \u5b57\u6bb5\u4e2d\u7684 <code>token<\/code> \u952e\u503c\uff0c\u4f7f\u4e4b\u5305\u542b\u5b9e\u9645\u7684\u4ee4\u724c\u5185\u5bb9\u3002<\/p>\n<p>\u4e0b\u9762\u7684\u914d\u7f6e\u5b9e\u4f8b\u58f0\u660e\u4e86\u4e00\u4e2a\u670d\u52a1\u8d26\u53f7\u4ee4\u724c Secret\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Secret\nmetadata:\n  name: secret-sa-sample\n  annotations:\n    kubernetes.io\/service-account.name: &quot;sa-name&quot;\ntype: kubernetes.io\/service-account-token\ndata:\n  # \u4f60\u53ef\u4ee5\u50cf Opaque Secret \u4e00\u6837\u5728\u8fd9\u91cc\u6dfb\u52a0\u989d\u5916\u7684\u952e\/\u503c\u5076\u5bf9\n  extra: YmFyCg==<\/code><\/pre>\n<p>Kubernetes \u5728\u521b\u5efa Pod \u65f6\u4f1a\u81ea\u52a8\u521b\u5efa\u4e00\u4e2a\u670d\u52a1\u8d26\u53f7 Secret \u5e76\u81ea\u52a8\u4fee\u6539\u4f60\u7684 Pod \u4ee5\u4f7f\u7528\u8be5 Secret\u3002\u8be5\u670d\u52a1\u8d26\u53f7\u4ee4\u724c Secret \u4e2d\u5305\u542b\u4e86\u8bbf\u95ee Kubernetes API \u6240\u9700\u8981\u7684\u51ed\u636e\u3002<\/p>\n<p>\u5982\u679c\u9700\u8981\uff0c\u53ef\u4ee5\u7981\u6b62\u6216\u8005\u91cd\u8f7d\u8fd9\u79cd\u81ea\u52a8\u521b\u5efa\u5e76\u4f7f\u7528 API \u51ed\u636e\u7684\u64cd\u4f5c\u3002 \u4e0d\u8fc7\uff0c\u5982\u679c\u4f60\u4ec5\u4ec5\u662f\u5e0c\u671b\u80fd\u591f\u5b89\u5168\u5730\u8bbf\u95ee API \u670d\u52a1\u5668\uff0c\u8fd9\u662f\u5efa\u8bae\u7684\u5de5\u4f5c\u65b9\u5f0f\u3002<\/p>\n<p>\u53c2\u8003 <a href=\"https:\/\/kubernetes.io\/zh\/docs\/tasks\/configure-pod-container\/configure-service-account\/\">ServiceAccount<\/a> \u6587\u6863\u4e86\u89e3\u670d\u52a1\u8d26\u53f7\u7684\u5de5\u4f5c\u539f\u7406\u3002\u4f60\u4e5f\u53ef\u4ee5\u67e5\u770b <a href=\"https:\/\/kubernetes.io\/docs\/reference\/generated\/kubernetes-api\/v1.21\/#pod-v1-core\"><code>Pod<\/code><\/a> \u8d44\u6e90\u4e2d\u7684 <code>automountServiceAccountToken<\/code> \u548c <code>serviceAccountName<\/code> \u5b57\u6bb5\u6587\u6863\uff0c\u4e86\u89e3 \u4ece Pod \u4e2d\u5f15\u7528\u670d\u52a1\u8d26\u53f7\u3002<\/p>\n<h3>Docker \u914d\u7f6e Secret<\/h3>\n<p>\u4f60\u53ef\u4ee5\u4f7f\u7528\u4e0b\u9762\u4e24\u79cd <code>type<\/code> \u503c\u4e4b\u4e00\u6765\u521b\u5efa Secret\uff0c\u7528\u4ee5\u5b58\u653e\u8bbf\u95ee Docker \u4ed3\u5e93 \u6765\u4e0b\u8f7d\u955c\u50cf\u7684\u51ed\u636e\u3002<\/p>\n<ul>\n<li><code>kubernetes.io\/dockercfg<\/code><\/li>\n<li><code>kubernetes.io\/dockerconfigjson<\/code><\/li>\n<\/ul>\n<p><code>kubernetes.io\/dockercfg<\/code> \u662f\u4e00\u79cd\u4fdd\u7559\u7c7b\u578b\uff0c\u7528\u6765\u5b58\u653e <code>~\/.dockercfg<\/code> \u6587\u4ef6\u7684 \u5e8f\u5217\u5316\u5f62\u5f0f\u3002\u8be5\u6587\u4ef6\u662f\u914d\u7f6e Docker \u547d\u4ee4\u884c\u7684\u4e00\u79cd\u8001\u65e7\u5f62\u5f0f\u3002 \u4f7f\u7528\u6b64 Secret \u7c7b\u578b\u65f6\uff0c\u4f60\u9700\u8981\u786e\u4fdd Secret \u7684 <code>data<\/code> \u5b57\u6bb5\u4e2d\u5305\u542b\u540d\u4e3a <code>.dockercfg<\/code> \u7684\u4e3b\u952e\uff0c\u5176\u5bf9\u5e94\u952e\u503c\u662f\u7528 base64 \u7f16\u7801\u7684\u67d0 <code>~\/.dockercfg<\/code> \u6587\u4ef6\u7684\u5185\u5bb9\u3002<\/p>\n<p>\u7c7b\u578b <code>kubernetes.io\/dockerconfigjson<\/code> \u88ab\u8bbe\u8ba1\u7528\u6765\u4fdd\u5b58 JSON \u6570\u636e\u7684\u5e8f\u5217\u5316\u5f62\u5f0f\uff0c \u8be5 JSON \u4e5f\u9075\u4ece <code>~\/.docker\/config.json<\/code> \u6587\u4ef6\u7684\u683c\u5f0f\u89c4\u5219\uff0c\u800c\u540e\u8005\u662f <code>~\/.dockercfg<\/code> \u7684\u65b0\u7248\u672c\u683c\u5f0f\u3002 \u4f7f\u7528\u6b64 Secret \u7c7b\u578b\u65f6\uff0cSecret \u5bf9\u8c61\u7684 <code>data<\/code> \u5b57\u6bb5\u5fc5\u987b\u5305\u542b <code>.dockerconfigjson<\/code> \u952e\uff0c\u5176\u952e\u503c\u4e3a base64 \u7f16\u7801\u7684\u5b57\u7b26\u4e32\u5305\u542b <code>~\/.docker\/config.json<\/code> \u6587\u4ef6\u7684\u5185\u5bb9\u3002<\/p>\n<p>\u4e0b\u9762\u662f\u4e00\u4e2a <code>kubernetes.io\/dockercfg<\/code> \u7c7b\u578b Secret \u7684\u793a\u4f8b\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Secret\nmetadata:\n  name: secret-dockercfg\ntype: kubernetes.io\/dockercfg\ndata:\n  .dockercfg: |\n        &quot;&lt;base64 encoded ~\/.dockercfg file&gt;&quot;<\/code><\/pre>\n<blockquote>\n<p><strong>\u8bf4\u660e\uff1a<\/strong><\/p>\n<p>\u5982\u679c\u4f60\u4e0d\u5e0c\u671b\u6267\u884c base64 \u7f16\u7801\u8f6c\u6362\uff0c\u53ef\u4ee5\u4f7f\u7528 <code>stringData<\/code> \u5b57\u6bb5\u4ee3\u66ff\u3002<\/p>\n<\/blockquote>\n<p>\u5f53\u4f60\u4f7f\u7528\u6e05\u5355\u6587\u4ef6\u6765\u521b\u5efa\u8fd9\u4e24\u7c7b Secret \u65f6\uff0cAPI \u670d\u52a1\u5668\u4f1a\u68c0\u67e5 <code>data<\/code> \u5b57\u6bb5\u4e2d\u662f\u5426 \u5b58\u5728\u6240\u671f\u671b\u7684\u4e3b\u952e\uff0c\u5e76\u4e14\u9a8c\u8bc1\u5176\u4e2d\u6240\u63d0\u4f9b\u7684\u952e\u503c\u662f\u5426\u662f\u5408\u6cd5\u7684 JSON \u6570\u636e\u3002 \u4e0d\u8fc7\uff0cAPI \u670d\u52a1\u5668\u4e0d\u4f1a\u68c0\u67e5 JSON \u6570\u636e\u672c\u8eab\u662f\u5426\u662f\u4e00\u4e2a\u5408\u6cd5\u7684 Docker \u914d\u7f6e\u6587\u4ef6\u5185\u5bb9\u3002<\/p>\n<pre><code class=\"language-shell\">kubectl create secret docker-registry secret-tiger-docker \\\n  --docker-username=tiger \\\n  --docker-password=pass113 \\\n  --docker-email=tiger@acme.com<\/code><\/pre>\n<p>\u4e0a\u9762\u7684\u547d\u4ee4\u521b\u5efa\u4e00\u4e2a\u7c7b\u578b\u4e3a <code>kubernetes.io\/dockerconfigjson<\/code> \u7684 Secret\u3002 \u5982\u679c\u4f60\u5bf9 <code>data<\/code> \u5b57\u6bb5\u4e2d\u7684 <code>.dockerconfigjson<\/code> \u5185\u5bb9\u8fdb\u884c\u8f6c\u50a8\uff0c\u4f60\u4f1a\u5f97\u5230\u4e0b\u9762\u7684 JSON \u5185\u5bb9\uff0c\u800c\u8fd9\u4e00\u5185\u5bb9\u662f\u4e00\u4e2a\u5408\u6cd5\u7684 Docker \u914d\u7f6e\u6587\u4ef6\u3002<\/p>\n<pre><code class=\"language-json\">{\n  &quot;auths&quot;: {\n    &quot;https:\/\/index.docker.io\/v1\/&quot;: {\n      &quot;username&quot;: &quot;tiger&quot;,\n      &quot;password&quot;: &quot;pass113&quot;,\n      &quot;email&quot;: &quot;tiger@acme.com&quot;,\n      &quot;auth&quot;: &quot;dGlnZXI6cGFzczExMw==&quot;\n    }\n  }\n}<\/code><\/pre>\n<h3>\u57fa\u672c\u8eab\u4efd\u8ba4\u8bc1 Secret<\/h3>\n<p><code>kubernetes.io\/basic-auth<\/code> \u7c7b\u578b\u7528\u6765\u5b58\u653e\u7528\u4e8e\u57fa\u672c\u8eab\u4efd\u8ba4\u8bc1\u6240\u9700\u7684\u51ed\u636e\u4fe1\u606f\u3002 \u4f7f\u7528\u8fd9\u79cd Secret \u7c7b\u578b\u65f6\uff0cSecret \u7684 <code>data<\/code> \u5b57\u6bb5\u5fc5\u987b\u5305\u542b\u4ee5\u4e0b\u4e24\u4e2a\u952e\uff1a<\/p>\n<ul>\n<li><code>username<\/code>: \u7528\u4e8e\u8eab\u4efd\u8ba4\u8bc1\u7684\u7528\u6237\u540d\uff1b<\/li>\n<li><code>password<\/code>: \u7528\u4e8e\u8eab\u4efd\u8ba4\u8bc1\u7684\u5bc6\u7801\u6216\u4ee4\u724c\u3002<\/li>\n<\/ul>\n<p>\u4ee5\u4e0a\u4e24\u4e2a\u952e\u7684\u952e\u503c\u90fd\u662f base64 \u7f16\u7801\u7684\u5b57\u7b26\u4e32\u3002 \u5f53\u7136\u4f60\u4e5f\u53ef\u4ee5\u5728\u521b\u5efa Secret \u65f6\u4f7f\u7528 <code>stringData<\/code> \u5b57\u6bb5\u6765\u63d0\u4f9b\u660e\u6587\u5f62\u5f0f\u7684\u5185\u5bb9\u3002 \u4e0b\u9762\u7684 YAML \u662f\u57fa\u672c\u8eab\u4efd\u8ba4\u8bc1 Secret \u7684\u4e00\u4e2a\u793a\u4f8b\u6e05\u5355\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Secret\nmetadata:\n  name: secret-basic-auth\ntype: kubernetes.io\/basic-auth\nstringData:\n  username: admin\n  password: t0p-Secret<\/code><\/pre>\n<p>\u63d0\u4f9b\u57fa\u672c\u8eab\u4efd\u8ba4\u8bc1\u7c7b\u578b\u7684 Secret \u4ec5\u4ec5\u662f\u51fa\u4e8e\u7528\u6237\u65b9\u4fbf\u6027\u8003\u8651\u3002 \u4f60\u4e5f\u53ef\u4ee5\u4f7f\u7528 <code>Opaque<\/code> \u7c7b\u578b\u6765\u4fdd\u5b58\u7528\u4e8e\u57fa\u672c\u8eab\u4efd\u8ba4\u8bc1\u7684\u51ed\u636e\u3002 \u4e0d\u8fc7\uff0c\u4f7f\u7528\u5185\u7f6e\u7684 Secret \u7c7b\u578b\u7684\u6709\u52a9\u4e8e\u5bf9\u51ed\u636e\u683c\u5f0f\u8fdb\u884c\u5f52\u4e00\u5316\u5904\u7406\uff0c\u5e76\u4e14 API \u670d\u52a1\u5668\u786e\u5b9e\u4f1a\u68c0\u67e5 Secret \u914d\u7f6e\u4e2d\u662f\u5426\u63d0\u4f9b\u4e86\u6240\u9700\u8981\u7684\u4e3b\u952e\u3002<\/p>\n<h3>SSH \u8eab\u4efd\u8ba4\u8bc1 Secret<\/h3>\n<p>Kubernetes \u6240\u63d0\u4f9b\u7684\u5185\u7f6e\u7c7b\u578b <code>kubernetes.io\/ssh-auth<\/code> \u7528\u6765\u5b58\u653e SSH \u8eab\u4efd\u8ba4\u8bc1\u4e2d \u6240\u9700\u8981\u7684\u51ed\u636e\u3002\u4f7f\u7528\u8fd9\u79cd Secret \u7c7b\u578b\u65f6\uff0c\u4f60\u5c31\u5fc5\u987b\u5728\u5176 <code>data<\/code> \uff08\u6216 <code>stringData<\/code>\uff09 \u5b57\u6bb5\u4e2d\u63d0\u4f9b\u4e00\u4e2a <code>ssh-privatekey<\/code> \u952e\u503c\u5bf9\uff0c\u4f5c\u4e3a\u8981\u4f7f\u7528\u7684 SSH \u51ed\u636e\u3002<\/p>\n<p>\u4e0b\u9762\u7684 YAML \u662f\u4e00\u4e2a SSH \u8eab\u4efd\u8ba4\u8bc1 Secret \u7684\u914d\u7f6e\u793a\u4f8b\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Secret\nmetadata:\n  name: secret-ssh-auth\ntype: kubernetes.io\/ssh-auth\ndata:\n  # \u6b64\u4f8b\u4e2d\u7684\u5b9e\u9645\u6570\u636e\u88ab\u622a\u65ad\n  ssh-privatekey: |\n          MIIEpQIBAAKCAQEAulqb\/Y ...<\/code><\/pre>\n<p>\u63d0\u4f9b SSH \u8eab\u4efd\u8ba4\u8bc1\u7c7b\u578b\u7684 Secret \u4ec5\u4ec5\u662f\u51fa\u4e8e\u7528\u6237\u65b9\u4fbf\u6027\u8003\u8651\u3002 \u4f60\u4e5f\u53ef\u4ee5\u4f7f\u7528 <code>Opaque<\/code> \u7c7b\u578b\u6765\u4fdd\u5b58\u7528\u4e8e SSH \u8eab\u4efd\u8ba4\u8bc1\u7684\u51ed\u636e\u3002 \u4e0d\u8fc7\uff0c\u4f7f\u7528\u5185\u7f6e\u7684 Secret \u7c7b\u578b\u7684\u6709\u52a9\u4e8e\u5bf9\u51ed\u636e\u683c\u5f0f\u8fdb\u884c\u5f52\u4e00\u5316\u5904\u7406\uff0c\u5e76\u4e14 API \u670d\u52a1\u5668\u786e\u5b9e\u4f1a\u68c0\u67e5 Secret \u914d\u7f6e\u4e2d\u662f\u5426\u63d0\u4f9b\u4e86\u6240\u9700\u8981\u7684\u4e3b\u952e\u3002<\/p>\n<blockquote>\n<p><strong>\u6ce8\u610f\uff1a<\/strong> SSH \u79c1\u94a5\u81ea\u8eab\u65e0\u6cd5\u5efa\u7acb SSH \u5ba2\u6237\u7aef\u4e0e\u670d\u52a1\u5668\u7aef\u4e4b\u95f4\u7684\u53ef\u4fe1\u8fde\u63a5\u3002 \u9700\u8981\u5176\u5b83\u65b9\u5f0f\u6765\u5efa\u7acb\u8fd9\u79cd\u4fe1\u4efb\u5173\u7cfb\uff0c\u4ee5\u7f13\u89e3\u201c\u4e2d\u95f4\u4eba\uff08Man In The Middle\uff09\u201d \u653b\u51fb\uff0c\u4f8b\u5982\u5411 ConfigMap \u4e2d\u6dfb\u52a0\u4e00\u4e2a <code>known_hosts<\/code> \u6587\u4ef6\u3002<\/p>\n<\/blockquote>\n<h3>TLS Secret<\/h3>\n<p>Kubernetes \u63d0\u4f9b\u4e00\u79cd\u5185\u7f6e\u7684 <code>kubernetes.io\/tls<\/code> Secret \u7c7b\u578b\uff0c\u7528\u6765\u5b58\u653e\u8bc1\u4e66 \u53ca\u5176\u76f8\u5173\u5bc6\u94a5\uff08\u901a\u5e38\u7528\u5728 TLS \u573a\u5408\uff09\u3002 \u6b64\u7c7b\u6570\u636e\u4e3b\u8981\u63d0\u4f9b\u7ed9 Ingress \u8d44\u6e90\uff0c\u7528\u4ee5\u7ec8\u7ed3 TLS \u94fe\u63a5\uff0c\u4e0d\u8fc7\u4e5f\u53ef\u4ee5\u7528\u4e8e\u5176\u4ed6 \u8d44\u6e90\u6216\u8005\u8d1f\u8f7d\u3002\u5f53\u4f7f\u7528\u6b64\u7c7b\u578b\u7684 Secret \u65f6\uff0cSecret \u914d\u7f6e\u4e2d\u7684 <code>data<\/code> \uff08\u6216 <code>stringData<\/code>\uff09\u5b57\u6bb5\u5fc5\u987b\u5305\u542b <code>tls.key<\/code> \u548c <code>tls.crt<\/code> \u4e3b\u952e\uff0c\u5c3d\u7ba1 API \u670d\u52a1\u5668 \u5b9e\u9645\u4e0a\u5e76\u4e0d\u4f1a\u5bf9\u6bcf\u4e2a\u952e\u7684\u53d6\u503c\u4f5c\u8fdb\u4e00\u6b65\u7684\u5408\u6cd5\u6027\u68c0\u67e5\u3002<\/p>\n<p>\u4e0b\u9762\u7684 YAML \u5305\u542b\u4e00\u4e2a TLS Secret \u7684\u914d\u7f6e\u793a\u4f8b\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Secret\nmetadata:\n  name: secret-tls\ntype: kubernetes.io\/tls\ndata:\n  # \u6b64\u4f8b\u4e2d\u7684\u6570\u636e\u88ab\u622a\u65ad\n  tls.crt: |\n        MIIC2DCCAcCgAwIBAgIBATANBgkqh ...\n  tls.key: |\n        MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...<\/code><\/pre>\n<p>\u63d0\u4f9b TLS \u7c7b\u578b\u7684 Secret \u4ec5\u4ec5\u662f\u51fa\u4e8e\u7528\u6237\u65b9\u4fbf\u6027\u8003\u8651\u3002 \u4f60\u4e5f\u53ef\u4ee5\u4f7f\u7528 <code>Opaque<\/code> \u7c7b\u578b\u6765\u4fdd\u5b58\u7528\u4e8e TLS \u670d\u52a1\u5668\u4e0e\/\u6216\u5ba2\u6237\u7aef\u7684\u51ed\u636e\u3002 \u4e0d\u8fc7\uff0c\u4f7f\u7528\u5185\u7f6e\u7684 Secret \u7c7b\u578b\u7684\u6709\u52a9\u4e8e\u5bf9\u51ed\u636e\u683c\u5f0f\u8fdb\u884c\u5f52\u4e00\u5316\u5904\u7406\uff0c\u5e76\u4e14 API \u670d\u52a1\u5668\u786e\u5b9e\u4f1a\u68c0\u67e5 Secret \u914d\u7f6e\u4e2d\u662f\u5426\u63d0\u4f9b\u4e86\u6240\u9700\u8981\u7684\u4e3b\u952e\u3002<\/p>\n<p>\u5f53\u4f7f\u7528 <code>kubectl<\/code> \u6765\u521b\u5efa TLS Secret \u65f6\uff0c\u4f60\u53ef\u4ee5\u50cf\u4e0b\u9762\u7684\u4f8b\u5b50\u4e00\u6837\u4f7f\u7528 <code>tls<\/code> \u5b50\u547d\u4ee4\uff1a<\/p>\n<pre><code class=\"language-shell\">kubectl create secret tls my-tls-secret \\\n  --cert=path\/to\/cert\/file \\\n  --key=path\/to\/key\/file<\/code><\/pre>\n<p>\u8fd9\u91cc\u7684\u516c\u94a5\/\u79c1\u94a5\u5bf9\u90fd\u5fc5\u987b\u4e8b\u5148\u5df2\u5b58\u5728\u3002\u7528\u4e8e <code>--cert<\/code> \u7684\u516c\u94a5\u8bc1\u4e66\u5fc5\u987b\u662f .PEM \u7f16\u7801\u7684 \uff08Base64 \u7f16\u7801\u7684 DER \u683c\u5f0f\uff09\uff0c\u4e14\u4e0e <code>--key<\/code> \u6240\u7ed9\u5b9a\u7684\u79c1\u94a5\u5339\u914d\u3002 \u79c1\u94a5\u5fc5\u987b\u662f\u901a\u5e38\u6240\u8bf4\u7684 PEM \u79c1\u94a5\u683c\u5f0f\uff0c\u4e14\u672a\u52a0\u5bc6\u3002\u5bf9\u8fd9\u4e24\u4e2a\u6587\u4ef6\u800c\u8a00\uff0cPEM \u683c\u5f0f\u6570\u636e \u7684\u7b2c\u4e00\u884c\u548c\u6700\u540e\u4e00\u884c\uff08\u4f8b\u5982\uff0c\u8bc1\u4e66\u6240\u5bf9\u5e94\u7684 <code>--------BEGIN CERTIFICATE-----<\/code> \u548c <code>-------END CERTIFICATE----<\/code>\uff09\u90fd\u4e0d\u4f1a\u5305\u542b\u5728\u5176\u4e2d\u3002<\/p>\n<h3>\u542f\u52a8\u5f15\u5bfc\u4ee4\u724c Secret<\/h3>\n<p>\u901a\u8fc7\u5c06 Secret \u7684 <code>type<\/code> \u8bbe\u7f6e\u4e3a <code>bootstrap.kubernetes.io\/token<\/code> \u53ef\u4ee5\u521b\u5efa \u542f\u52a8\u5f15\u5bfc\u4ee4\u724c\u7c7b\u578b\u7684 Secret\u3002\u8fd9\u79cd\u7c7b\u578b\u7684 Secret \u88ab\u8bbe\u8ba1\u7528\u6765\u652f\u6301\u8282\u70b9\u7684\u542f\u52a8\u5f15\u5bfc\u8fc7\u7a0b\u3002 \u5176\u4e2d\u5305\u542b\u7528\u6765\u4e3a\u5468\u77e5\u7684 ConfigMap \u7b7e\u540d\u7684\u4ee4\u724c\u3002<\/p>\n<p>\u542f\u52a8\u5f15\u5bfc\u4ee4\u724c Secret \u901a\u5e38\u521b\u5efa\u4e8e <code>kube-system<\/code> \u540d\u5b57\u7a7a\u95f4\u5185\uff0c\u5e76\u4ee5 <code>bootstrap-token-&lt;\u4ee4\u724c ID&gt;<\/code> \u7684\u5f62\u5f0f\u547d\u540d\uff1b\u5176\u4e2d <code>&lt;\u4ee4\u724c ID&gt;<\/code> \u662f\u4e00\u4e2a\u7531 6 \u4e2a\u5b57\u7b26\u7ec4\u6210 \u7684\u5b57\u7b26\u4e32\uff0c\u7528\u4f5c\u4ee4\u724c\u7684\u6807\u8bc6\u3002<\/p>\n<p>\u4ee5 Kubernetes \u6e05\u5355\u6587\u4ef6\u7684\u5f62\u5f0f\uff0c\u67d0\u542f\u52a8\u5f15\u5bfc\u4ee4\u724c Secret \u53ef\u80fd\u770b\u8d77\u6765\u50cf\u4e0b\u9762\u8fd9\u6837\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Secret\nmetadata:\n  name: bootstrap-token-5emitj\n  namespace: kube-system\ntype: bootstrap.kubernetes.io\/token\ndata:\n  auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=\n  expiration: MjAyMC0wOS0xM1QwNDozOToxMFo=\n  token-id: NWVtaXRq\n  token-secret: a3E0Z2lodnN6emduMXAwcg==\n  usage-bootstrap-authentication: dHJ1ZQ==\n  usage-bootstrap-signing: dHJ1ZQ==<\/code><\/pre>\n<p>\u542f\u52a8\u5f15\u5bfc\u4ee4\u724c\u7c7b\u578b\u7684 Secret \u4f1a\u5728 <code>data<\/code> \u5b57\u6bb5\u4e2d\u5305\u542b\u5982\u4e0b\u4e3b\u952e\uff1a<\/p>\n<ul>\n<li><code>token-id<\/code>\uff1a\u7531 6 \u4e2a\u968f\u673a\u5b57\u7b26\u7ec4\u6210\u7684\u5b57\u7b26\u4e32\uff0c\u4f5c\u4e3a\u4ee4\u724c\u7684\u6807\u8bc6\u7b26\u3002\u5fc5\u9700\u3002<\/li>\n<li><code>token-secret<\/code>\uff1a\u7531 16 \u4e2a\u968f\u673a\u5b57\u7b26\u7ec4\u6210\u7684\u5b57\u7b26\u4e32\uff0c\u5305\u542b\u5b9e\u9645\u7684\u4ee4\u724c\u673a\u5bc6\u3002\u5fc5\u9700\u3002<\/li>\n<li><code>description<\/code>\uff1a\u4f9b\u7528\u6237\u9605\u8bfb\u7684\u5b57\u7b26\u4e32\uff0c\u63cf\u8ff0\u4ee4\u724c\u7684\u7528\u9014\u3002\u53ef\u9009\u3002<\/li>\n<li><code>expiration<\/code>\uff1a\u4e00\u4e2a\u4f7f\u7528 RFC3339 \u6765\u7f16\u7801\u7684 UTC \u7edd\u5bf9\u65f6\u95f4\uff0c\u7ed9\u51fa\u4ee4\u724c\u8981\u8fc7\u671f\u7684\u65f6\u95f4\u3002\u53ef\u9009\u3002<\/li>\n<li><code>usage-bootstrap-&lt;usage&gt;<\/code>\uff1a\u5e03\u5c14\u7c7b\u578b\u7684\u6807\u5fd7\uff0c\u7528\u6765\u6807\u660e\u542f\u52a8\u5f15\u5bfc\u4ee4\u724c\u7684\u5176\u4ed6\u7528\u9014\u3002<\/li>\n<li><code>auth-extra-groups<\/code>\uff1a\u7528\u9017\u53f7\u5206\u9694\u7684\u7ec4\u540d\u5217\u8868\uff0c\u8eab\u4efd\u8ba4\u8bc1\u65f6\u9664\u88ab\u8ba4\u8bc1\u4e3a <code>system:bootstrappers<\/code> \u7ec4\u4e4b\u5916\uff0c\u8fd8\u4f1a\u88ab\u6dfb\u52a0\u5230\u6240\u5217\u7684\u7528\u6237\u7ec4\u4e2d\u3002<\/li>\n<\/ul>\n<p>\u4e0a\u9762\u7684 YAML \u6587\u4ef6\u53ef\u80fd\u770b\u8d77\u6765\u4ee4\u4eba\u8d39\u89e3\uff0c\u56e0\u4e3a\u5176\u4e2d\u7684\u6570\u503c\u5747\u4e3a base64 \u7f16\u7801\u7684\u5b57\u7b26\u4e32\u3002 \u5b9e\u9645\u4e0a\uff0c\u4f60\u5b8c\u5168\u53ef\u4ee5\u4f7f\u7528\u4e0b\u9762\u7684 YAML \u6765\u521b\u5efa\u4e00\u4e2a\u4e00\u6a21\u4e00\u6837\u7684 Secret\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Secret\nmetadata:\n  # \u6ce8\u610f Secret \u7684\u547d\u540d\u65b9\u5f0f\n  name: bootstrap-token-5emitj\n  # \u542f\u52a8\u5f15\u5bfc\u4ee4\u724c Secret \u901a\u5e38\u4f4d\u4e8e kube-system \u540d\u5b57\u7a7a\u95f4\n  namespace: kube-system\ntype: bootstrap.kubernetes.io\/token\nstringData:\n  auth-extra-groups: &quot;system:bootstrappers:kubeadm:default-node-token&quot;\n  expiration: &quot;2020-09-13T04:39:10Z&quot;\n  # \u6b64\u4ee4\u724c ID \u88ab\u7528\u4e8e\u751f\u6210 Secret \u540d\u79f0\n  token-id: &quot;5emitj&quot;\n  token-secret: &quot;kq4gihvszzgn1p0r&quot;\n  # \u6b64\u4ee4\u724c\u8fd8\u53ef\u7528\u4e8e authentication \uff08\u8eab\u4efd\u8ba4\u8bc1\uff09\n  usage-bootstrap-authentication: &quot;true&quot;\n  # \u4e14\u53ef\u7528\u4e8e signing \uff08\u8bc1\u4e66\u7b7e\u540d\uff09\n  usage-bootstrap-signing: &quot;true&quot;<\/code><\/pre>\n<h2>\u521b\u5efa Secret<\/h2>\n<p>\u6709\u51e0\u79cd\u4e0d\u540c\u7684\u65b9\u5f0f\u6765\u521b\u5efa Secret\uff1a<\/p>\n<ul>\n<li><a href=\"https:\/\/kubernetes.io\/zh\/docs\/tasks\/configmap-secret\/managing-secret-using-kubectl\/\">\u4f7f\u7528 <code>kubectl<\/code> \u547d\u4ee4\u521b\u5efa Secret<\/a><\/li>\n<li><a href=\"https:\/\/kubernetes.io\/zh\/docs\/tasks\/configmap-secret\/managing-secret-using-config-file\/\">\u4f7f\u7528\u914d\u7f6e\u6587\u4ef6\u6765\u521b\u5efa Secret<\/a><\/li>\n<li><a href=\"https:\/\/kubernetes.io\/zh\/docs\/tasks\/configmap-secret\/managing-secret-using-kustomize\/\">\u4f7f\u7528 kustomize \u6765\u521b\u5efa Secret<\/a><\/li>\n<\/ul>\n<h2>\u7f16\u8f91 Secret<\/h2>\n<p>\u4f60\u53ef\u4ee5\u901a\u8fc7\u4e0b\u9762\u7684\u547d\u4ee4\u7f16\u8f91\u73b0\u6709\u7684 Secret\uff1a<\/p>\n<pre><code class=\"language-shell\">kubectl edit secrets mysecret<\/code><\/pre>\n<p>\u8fd9\u4e00\u547d\u4ee4\u4f1a\u6253\u5f00\u9ed8\u8ba4\u7684\u7f16\u8f91\u5668\uff0c\u5141\u8bb8\u4f60\u66f4\u65b0 <code>data<\/code> \u5b57\u6bb5\u4e2d\u5305\u542b\u7684 base64 \u7f16\u7801\u7684 Secret \u503c\uff1a<\/p>\n<pre><code class=\"language-yaml\"># Please edit the object below. Lines beginning with a &#039;#&#039; will be ignored,\n# and an empty file will abort the edit. If an error occurs while saving this file will be\n# reopened with the relevant failures.\n#\napiVersion: v1\ndata:\n  username: YWRtaW4=\n  password: MWYyZDFlMmU2N2Rm\nkind: Secret\nmetadata:\n  annotations:\n    kubectl.kubernetes.io\/last-applied-configuration: { ... }\n  creationTimestamp: 2016-01-22T18:41:56Z\n  name: mysecret\n  namespace: default\n  resourceVersion: &quot;164619&quot;\n  uid: cfee02d6-c137-11e5-8d73-42010af00002\ntype: Opaque<\/code><\/pre>\n<h2>\u4f7f\u7528 Secret<\/h2>\n<p>Secret \u53ef\u4ee5\u4f5c\u4e3a\u6570\u636e\u5377\u88ab\u6302\u8f7d\uff0c\u6216\u4f5c\u4e3a<a href=\"https:\/\/kubernetes.io\/zh\/docs\/concepts\/containers\/container-environment\/\">\u73af\u5883\u53d8\u91cf<\/a> \u66b4\u9732\u51fa\u6765\u4ee5\u4f9b Pod \u4e2d\u7684\u5bb9\u5668\u4f7f\u7528\u3002\u5b83\u4eec\u4e5f\u53ef\u4ee5\u88ab\u7cfb\u7edf\u7684\u5176\u4ed6\u90e8\u5206\u4f7f\u7528\uff0c\u800c\u4e0d\u76f4\u63a5\u66b4\u9732\u5728 Pod \u5185\u3002 \u4f8b\u5982\uff0c\u5b83\u4eec\u53ef\u4ee5\u4fdd\u5b58\u51ed\u636e\uff0c\u7cfb\u7edf\u7684\u5176\u4ed6\u90e8\u5206\u5c06\u7528\u5b83\u6765\u4ee3\u8868\u4f60\u4e0e\u5916\u90e8\u7cfb\u7edf\u8fdb\u884c\u4ea4\u4e92\u3002<\/p>\n<h3>\u5728 Pod \u4e2d\u4f7f\u7528 Secret \u6587\u4ef6<\/h3>\n<p>\u5728 Pod \u4e2d\u4f7f\u7528\u5b58\u653e\u5728\u5377\u4e2d\u7684 Secret\uff1a<\/p>\n<ol>\n<li>\u521b\u5efa\u4e00\u4e2a Secret \u6216\u8005\u4f7f\u7528\u5df2\u6709\u7684 Secret\u3002\u591a\u4e2a Pod \u53ef\u4ee5\u5f15\u7528\u540c\u4e00\u4e2a Secret\u3002<\/li>\n<li>\u4fee\u6539\u4f60\u7684 Pod \u5b9a\u4e49\uff0c\u5728 <code>spec.volumes[]<\/code> \u4e0b\u589e\u52a0\u4e00\u4e2a\u5377\u3002\u53ef\u4ee5\u7ed9\u8fd9\u4e2a\u5377\u968f\u610f\u547d\u540d\uff0c \u5b83\u7684 <code>spec.volumes[].secret.secretName<\/code> \u5fc5\u987b\u662f Secret \u5bf9\u8c61\u7684\u540d\u5b57\u3002<\/li>\n<li>\u5c06 <code>spec.containers[].volumeMounts[]<\/code> \u52a0\u5230\u9700\u8981\u7528\u5230\u8be5 Secret \u7684\u5bb9\u5668\u4e2d\u3002 \u6307\u5b9a <code>spec.containers[].volumeMounts[].readOnly = true<\/code> \u548c <code>spec.containers[].volumeMounts[].mountPath<\/code> \u4e3a\u4f60\u60f3\u8981\u8be5 Secret \u51fa\u73b0\u7684\u5c1a\u672a\u4f7f\u7528\u7684\u76ee\u5f55\u3002<\/li>\n<li>\u4fee\u6539\u4f60\u7684\u955c\u50cf\u5e76\u4e14\uff0f\u6216\u8005\u547d\u4ee4\u884c\uff0c\u8ba9\u7a0b\u5e8f\u4ece\u8be5\u76ee\u5f55\u4e0b\u5bfb\u627e\u6587\u4ef6\u3002 Secret \u7684 <code>data<\/code> \u6620\u5c04\u4e2d\u7684\u6bcf\u4e00\u4e2a\u952e\u90fd\u5bf9\u5e94 <code>mountPath<\/code> \u4e0b\u7684\u4e00\u4e2a\u6587\u4ef6\u540d\u3002<\/li>\n<\/ol>\n<p>\u8fd9\u662f\u4e00\u4e2a\u5728 Pod \u4e2d\u4f7f\u7528\u5b58\u653e\u5728\u6302\u8f7d\u5377\u4e2d Secret \u7684\u4f8b\u5b50\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Pod\nmetadata:\n  name: mypod\nspec:\n  containers:\n  - name: mypod\n    image: redis\n    volumeMounts:\n    - name: foo\n      mountPath: &quot;\/etc\/foo&quot;\n      readOnly: true\n  volumes:\n  - name: foo\n    secret:\n      secretName: mysecret<\/code><\/pre>\n<p>\u60a8\u60f3\u8981\u7528\u7684\u6bcf\u4e2a Secret \u90fd\u9700\u8981\u5728 <code>spec.volumes<\/code> \u4e2d\u5f15\u7528\u3002<\/p>\n<p>\u5982\u679c Pod \u4e2d\u6709\u591a\u4e2a\u5bb9\u5668\uff0c\u6bcf\u4e2a\u5bb9\u5668\u90fd\u9700\u8981\u81ea\u5df1\u7684 <code>volumeMounts<\/code> \u914d\u7f6e\u5757\uff0c \u4f46\u662f\u6bcf\u4e2a Secret \u53ea\u9700\u8981\u4e00\u4e2a <code>spec.volumes<\/code>\u3002<\/p>\n<p>\u60a8\u53ef\u4ee5\u6253\u5305\u591a\u4e2a\u6587\u4ef6\u5230\u4e00\u4e2a Secret \u4e2d\uff0c\u6216\u8005\u4f7f\u7528\u7684\u591a\u4e2a Secret\uff0c\u600e\u6837\u65b9\u4fbf\u5c31\u600e\u6837\u6765\u3002<\/p>\n<h4>\u5c06 Secret \u952e\u540d\u6620\u5c04\u5230\u7279\u5b9a\u8def\u5f84<\/h4>\n<p>\u6211\u4eec\u8fd8\u53ef\u4ee5\u63a7\u5236 Secret \u952e\u540d\u5728\u5b58\u50a8\u5377\u4e2d\u6620\u5c04\u7684\u7684\u8def\u5f84\u3002 \u4f60\u53ef\u4ee5\u4f7f\u7528 <code>spec.volumes[].secret.items<\/code> \u5b57\u6bb5\u4fee\u6539\u6bcf\u4e2a\u952e\u5bf9\u5e94\u7684\u76ee\u6807\u8def\u5f84\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Pod\nmetadata:\n  name: mypod\nspec:\n  containers:\n  - name: mypod\n    image: redis\n    volumeMounts:\n    - name: foo\n      mountPath: &quot;\/etc\/foo&quot;\n      readOnly: true\n  volumes:\n  - name: foo\n    secret:\n      secretName: mysecret\n      items:\n      - key: username\n        path: my-group\/my-username<\/code><\/pre>\n<p>\u5c06\u4f1a\u53d1\u751f\u4ec0\u4e48\u5462\uff1a<\/p>\n<ul>\n<li><code>username<\/code> Secret \u5b58\u50a8\u5728 <code>\/etc\/foo\/my-group\/my-username<\/code> \u6587\u4ef6\u4e2d\u800c\u4e0d\u662f <code>\/etc\/foo\/username<\/code> \u4e2d\u3002<\/li>\n<li><code>password<\/code> Secret \u6ca1\u6709\u88ab\u6620\u5c04<\/li>\n<\/ul>\n<p>\u5982\u679c\u4f7f\u7528\u4e86 <code>spec.volumes[].secret.items<\/code>\uff0c\u53ea\u6709\u5728 <code>items<\/code> \u4e2d\u6307\u5b9a\u7684\u952e\u4f1a\u88ab\u6620\u5c04\u3002 \u8981\u4f7f\u7528 Secret \u4e2d\u6240\u6709\u952e\uff0c\u5c31\u5fc5\u987b\u5c06\u5b83\u4eec\u90fd\u5217\u5728 <code>items<\/code> \u5b57\u6bb5\u4e2d\u3002 \u6240\u6709\u5217\u51fa\u7684\u952e\u540d\u5fc5\u987b\u5b58\u5728\u4e8e\u76f8\u5e94\u7684 Secret \u4e2d\u3002\u5426\u5219\uff0c\u4e0d\u4f1a\u521b\u5efa\u5377\u3002<\/p>\n<h4>Secret \u6587\u4ef6\u6743\u9650<\/h4>\n<p>\u4f60\u8fd8\u53ef\u4ee5\u6307\u5b9a Secret \u5c06\u62e5\u6709\u7684\u6743\u9650\u6a21\u5f0f\u4f4d\u3002\u5982\u679c\u4e0d\u6307\u5b9a\uff0c\u9ed8\u8ba4\u4f7f\u7528 <code>0644<\/code>\u3002 \u4f60\u53ef\u4ee5\u4e3a\u6574\u4e2a Secret \u5377\u6307\u5b9a\u9ed8\u8ba4\u6a21\u5f0f\uff1b\u5982\u679c\u9700\u8981\uff0c\u53ef\u4ee5\u4e3a\u6bcf\u4e2a\u5bc6\u94a5\u8bbe\u5b9a\u91cd\u8f7d\u503c\u3002<\/p>\n<p>\u4f8b\u5982\uff0c\u60a8\u53ef\u4ee5\u6307\u5b9a\u5982\u4e0b\u9ed8\u8ba4\u6a21\u5f0f\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Pod\nmetadata:\n  name: mypod\nspec:\n  containers:\n  - name: mypod\n    image: redis\n    volumeMounts:\n    - name: foo\n      mountPath: &quot;\/etc\/foo&quot;\n  volumes:\n  - name: foo\n    secret:\n      secretName: mysecret\n      defaultMode: 256<\/code><\/pre>\n<p>\u4e4b\u540e\uff0cSecret \u5c06\u88ab\u6302\u8f7d\u5230 <code>\/etc\/foo<\/code> \u76ee\u5f55\uff0c\u800c\u6240\u6709\u901a\u8fc7\u8be5 Secret \u5377\u6302\u8f7d \u6240\u521b\u5efa\u7684\u6587\u4ef6\u7684\u6743\u9650\u90fd\u662f <code>0400<\/code>\u3002<\/p>\n<p>\u8bf7\u6ce8\u610f\uff0cJSON \u89c4\u8303\u4e0d\u652f\u6301\u516b\u8fdb\u5236\u7b26\u53f7\uff0c\u56e0\u6b64\u4f7f\u7528 256 \u503c\u4f5c\u4e3a 0400 \u6743\u9650\u3002 \u5982\u679c\u4f60\u4f7f\u7528 YAML \u800c\u4e0d\u662f JSON\uff0c\u5219\u53ef\u4ee5\u4f7f\u7528\u516b\u8fdb\u5236\u7b26\u53f7\u4ee5\u66f4\u81ea\u7136\u7684\u65b9\u5f0f\u6307\u5b9a\u6743\u9650\u3002<\/p>\n<p>\u6ce8\u610f\uff0c\u5982\u679c\u4f60\u901a\u8fc7 <code>kubectl exec<\/code> \u8fdb\u5165\u5230 Pod \u4e2d\uff0c\u4f60\u9700\u8981\u6cbf\u7740\u7b26\u53f7\u94fe\u63a5\u6765\u627e\u5230 \u6240\u671f\u671b\u7684\u6587\u4ef6\u6a21\u5f0f\u3002\u4f8b\u5982\uff0c\u4e0b\u9762\u547d\u4ee4\u68c0\u67e5 Secret \u6587\u4ef6\u7684\u8bbf\u95ee\u6a21\u5f0f\uff1a<\/p>\n<pre><code class=\"language-shell\">kubectl exec mypod -it sh\n\ncd \/etc\/foo\nls -l<\/code><\/pre>\n<p>\u8f93\u51fa\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n<pre><code>total 0\nlrwxrwxrwx 1 root root 15 May 18 00:18 password -&gt; ..data\/password\nlrwxrwxrwx 1 root root 15 May 18 00:18 username -&gt; ..data\/username<\/code><\/pre>\n<p>\u6cbf\u7740\u7b26\u53f7\u94fe\u63a5\uff0c\u53ef\u4ee5\u67e5\u770b\u6587\u4ef6\u7684\u8bbf\u95ee\u6a21\u5f0f\uff1a<\/p>\n<pre><code class=\"language-shell\">cd \/etc\/foo\/..data\nls -l<\/code><\/pre>\n<p>\u8f93\u51fa\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n<pre><code>total 8\n-r-------- 1 root root 12 May 18 00:18 password\n-r-------- 1 root root  5 May 18 00:18 username<\/code><\/pre>\n<p>\u4f60\u8fd8\u53ef\u4ee5\u4f7f\u7528\u6620\u5c04\uff0c\u5982\u4e0a\u4e00\u4e2a\u793a\u4f8b\uff0c\u5e76\u4e3a\u4e0d\u540c\u7684\u6587\u4ef6\u6307\u5b9a\u4e0d\u540c\u7684\u6743\u9650\uff0c\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Pod\nmetadata:\n  name: mypod\nspec:\n  containers:\n  - name: mypod\n    image: redis\n    volumeMounts:\n    - name: foo\n      mountPath: &quot;\/etc\/foo&quot;\n  volumes:\n  - name: foo\n    secret:\n      secretName: mysecret\n      items:\n      - key: username\n        path: my-group\/my-username\n        mode: 511<\/code><\/pre>\n<p>\u5728\u8fd9\u91cc\uff0c\u4f4d\u4e8e <code>\/etc\/foo\/my-group\/my-username<\/code> \u7684\u6587\u4ef6\u7684\u6743\u9650\u503c\u4e3a <code>0777<\/code>\u3002 \u7531\u4e8e JSON \u9650\u5236\uff0c\u5fc5\u987b\u4ee5\u5341\u8fdb\u5236\u683c\u5f0f\u6307\u5b9a\u6a21\u5f0f\uff0c\u5373 <code>511<\/code>\u3002<\/p>\n<p>\u8bf7\u6ce8\u610f\uff0c\u5982\u679c\u7a0d\u540e\u8bfb\u53d6\u6b64\u6743\u9650\u503c\uff0c\u53ef\u80fd\u4f1a\u4ee5\u5341\u8fdb\u5236\u683c\u5f0f\u663e\u793a\u3002<\/p>\n<h4>\u4f7f\u7528\u6765\u81ea\u5377\u4e2d\u7684 Secret \u503c<\/h4>\n<p>\u5728\u6302\u8f7d\u4e86 Secret \u5377\u7684\u5bb9\u5668\u5185\uff0cSecret \u952e\u540d\u663e\u793a\u4e3a\u6587\u4ef6\u540d\uff0c\u5e76\u4e14 Secret \u7684\u503c \u4f7f\u7528 base-64 \u89e3\u7801\u540e\u5b58\u50a8\u5728\u8fd9\u4e9b\u6587\u4ef6\u4e2d\u3002 \u8fd9\u662f\u5728\u4e0a\u9762\u7684\u793a\u4f8b\u5bb9\u5668\u5185\u6267\u884c\u7684\u547d\u4ee4\u7684\u7ed3\u679c\uff1a<\/p>\n<pre><code class=\"language-shell\">ls \/etc\/foo\/<\/code><\/pre>\n<p>\u8f93\u51fa\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n<pre><code>username\npassword\ncat \/etc\/foo\/username<\/code><\/pre>\n<p>\u8f93\u51fa\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n<pre><code>admin\ncat \/etc\/foo\/password<\/code><\/pre>\n<p>\u8f93\u51fa\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n<pre><code>1f2d1e2e67df<\/code><\/pre>\n<p>\u5bb9\u5668\u4e2d\u7684\u7a0b\u5e8f\u8d1f\u8d23\u4ece\u6587\u4ef6\u4e2d\u8bfb\u53d6 secret\u3002<\/p>\n<h4>\u6302\u8f7d\u7684 Secret \u4f1a\u88ab\u81ea\u52a8\u66f4\u65b0<\/h4>\n<p>\u5f53\u5df2\u7ecf\u5b58\u50a8\u4e8e\u5377\u4e2d\u88ab\u4f7f\u7528\u7684 Secret \u88ab\u66f4\u65b0\u65f6\uff0c\u88ab\u6620\u5c04\u7684\u952e\u4e5f\u5c06\u7ec8\u5c06\u88ab\u66f4\u65b0\u3002 \u7ec4\u4ef6 kubelet \u5728\u5468\u671f\u6027\u540c\u6b65\u65f6\u68c0\u67e5\u88ab\u6302\u8f7d\u7684 Secret \u662f\u4e0d\u662f\u6700\u65b0\u7684\u3002 \u4f46\u662f\uff0c\u5b83\u4f1a\u4f7f\u7528\u5176\u672c\u5730\u7f13\u5b58\u7684\u6570\u503c\u4f5c\u4e3a Secret \u7684\u5f53\u524d\u503c\u3002<\/p>\n<p>\u7f13\u5b58\u7684\u7c7b\u578b\u53ef\u4ee5\u4f7f\u7528 <a href=\"https:\/\/kubernetes.io\/zh\/docs\/reference\/config-api\/kubelet-config.v1beta1\/\">KubeletConfiguration \u7ed3\u6784<\/a> \u4e2d\u7684 <code>ConfigMapAndSecretChangeDetectionStrategy<\/code> \u5b57\u6bb5\u6765\u914d\u7f6e\u3002 \u5b83\u53ef\u4ee5\u901a\u8fc7 watch \u64cd\u4f5c\u6765\u4f20\u64ad\uff08\u9ed8\u8ba4\uff09\uff0c\u57fa\u4e8e TTL \u6765\u5237\u65b0\uff0c\u4e5f\u53ef\u4ee5 \u5c06\u6240\u6709\u8bf7\u6c42\u76f4\u63a5\u91cd\u5b9a\u5411\u5230 API \u670d\u52a1\u5668\u3002 \u56e0\u6b64\uff0c\u4ece Secret \u88ab\u66f4\u65b0\u5230\u5c06\u65b0 Secret \u88ab\u6295\u5c04\u5230 Pod \u7684\u90a3\u4e00\u523b\u7684\u603b\u5ef6\u8fdf\u53ef\u80fd\u4e0e kubelet \u540c\u6b65\u5468\u671f + \u7f13\u5b58\u4f20\u64ad\u5ef6\u8fdf\u4e00\u6837\u957f\uff0c\u5176\u4e2d\u7f13\u5b58\u4f20\u64ad\u5ef6\u8fdf\u53d6\u51b3\u4e8e\u6240\u9009\u7684\u7f13\u5b58\u7c7b\u578b\u3002 \u5bf9\u5e94\u4e8e\u4e0d\u540c\u7684\u7f13\u5b58\u7c7b\u578b\uff0c\u8be5\u5ef6\u8fdf\u6216\u8005\u7b49\u4e8e watch \u4f20\u64ad\u5ef6\u8fdf\uff0c\u6216\u8005\u7b49\u4e8e\u7f13\u5b58\u7684 TTL\uff0c \u6216\u8005\u4e3a 0\u3002<\/p>\n<blockquote>\n<p><strong>\u8bf4\u660e\uff1a<\/strong> \u4f7f\u7528 Secret \u4f5c\u4e3a<a href=\"https:\/\/kubernetes.io\/zh\/docs\/concepts\/storage\/volumes#using-subpath\">\u5b50\u8def\u5f84<\/a>\u5377\u6302\u8f7d\u7684\u5bb9\u5668 \u4e0d\u4f1a\u6536\u5230 Secret \u66f4\u65b0\u3002<\/p>\n<\/blockquote>\n<h4>\u4ee5\u73af\u5883\u53d8\u91cf\u7684\u5f62\u5f0f\u4f7f\u7528 Secrets<\/h4>\n<p>\u5c06 Secret \u4f5c\u4e3a Pod \u4e2d\u7684<a href=\"https:\/\/kubernetes.io\/zh\/docs\/concepts\/containers\/container-environment\/\">\u73af\u5883\u53d8\u91cf<\/a>\u4f7f\u7528\uff1a<\/p>\n<ol>\n<li>\u521b\u5efa\u4e00\u4e2a Secret \u6216\u8005\u4f7f\u7528\u4e00\u4e2a\u5df2\u5b58\u5728\u7684 Secret\u3002\u591a\u4e2a Pod \u53ef\u4ee5\u5f15\u7528\u540c\u4e00\u4e2a Secret\u3002<\/li>\n<li>\u4fee\u6539 Pod \u5b9a\u4e49\uff0c\u4e3a\u6bcf\u4e2a\u8981\u4f7f\u7528 Secret \u7684\u5bb9\u5668\u6dfb\u52a0\u5bf9\u5e94 Secret \u952e\u7684\u73af\u5883\u53d8\u91cf\u3002 \u4f7f\u7528 Secret \u952e\u7684\u73af\u5883\u53d8\u91cf\u5e94\u5728 <code>env[x].valueFrom.secretKeyRef<\/code> \u4e2d\u6307\u5b9a \u8981\u5305\u542b\u7684 Secret \u540d\u79f0\u548c\u952e\u540d\u3002<\/li>\n<li>\u66f4\u6539\u955c\u50cf\u5e76\uff0f\u6216\u8005\u547d\u4ee4\u884c\uff0c\u4ee5\u4fbf\u7a0b\u5e8f\u5728\u6307\u5b9a\u7684\u73af\u5883\u53d8\u91cf\u4e2d\u67e5\u627e\u503c\u3002<\/li>\n<\/ol>\n<p>\u8fd9\u662f\u4e00\u4e2a\u4f7f\u7528\u6765\u81ea\u73af\u5883\u53d8\u91cf\u4e2d\u7684 Secret \u503c\u7684 Pod \u793a\u4f8b\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Pod\nmetadata:\n  name: secret-env-pod\nspec:\n  containers:\n  - name: mycontainer\n    image: redis\n    env:\n      - name: SECRET_USERNAME\n        valueFrom:\n          secretKeyRef:\n            name: mysecret\n            key: username\n      - name: SECRET_PASSWORD\n        valueFrom:\n          secretKeyRef:\n            name: mysecret\n            key: password\n  restartPolicy: Never<\/code><\/pre>\n<h4>\u4f7f\u7528\u6765\u81ea\u73af\u5883\u53d8\u91cf\u7684 Secret \u503c<\/h4>\n<p>\u5728\u4e00\u4e2a\u4ee5\u73af\u5883\u53d8\u91cf\u5f62\u5f0f\u4f7f\u7528 Secret \u7684\u5bb9\u5668\u4e2d\uff0cSecret \u952e\u8868\u73b0\u4e3a\u5e38\u89c4\u7684\u73af\u5883\u53d8\u91cf\uff0c\u5176\u4e2d \u5305\u542b Secret \u6570\u636e\u7684 base-64 \u89e3\u7801\u503c\u3002\u8fd9\u662f\u4ece\u4e0a\u9762\u7684\u793a\u4f8b\u5728\u5bb9\u5668\u5185\u6267\u884c\u7684\u547d\u4ee4\u7684\u7ed3\u679c\uff1a<\/p>\n<pre><code class=\"language-shell\">echo $SECRET_USERNAME<\/code><\/pre>\n<p>\u8f93\u51fa\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n<pre><code>admin\necho $SECRET_PASSWORD<\/code><\/pre>\n<p>\u8f93\u51fa\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n<pre><code>1f2d1e2e67df<\/code><\/pre>\n<h4>Secret \u66f4\u65b0\u4e4b\u540e\u5bf9\u5e94\u7684\u73af\u5883\u53d8\u91cf\u4e0d\u4f1a\u88ab\u66f4\u65b0<\/h4>\n<p>\u5982\u679c\u67d0\u4e2a\u5bb9\u5668\u5df2\u7ecf\u5728\u901a\u8fc7\u73af\u5883\u53d8\u91cf\u4f7f\u7528\u67d0 Secret\uff0c\u5bf9\u8be5 Secret \u7684\u66f4\u65b0\u4e0d\u4f1a\u88ab \u5bb9\u5668\u9a6c\u4e0a\u770b\u89c1\uff0c\u9664\u975e\u5bb9\u5668\u88ab\u91cd\u542f\u3002\u6709\u4e00\u4e9b\u7b2c\u4e09\u65b9\u7684\u89e3\u51b3\u65b9\u6848\u80fd\u591f\u5728 Secret \u53d1\u751f \u53d8\u5316\u65f6\u89e6\u53d1\u5bb9\u5668\u91cd\u542f\u3002<\/p>\n<h2>\u4e0d\u53ef\u66f4\u6539\u7684 Secret<\/h2>\n<p><strong>FEATURE STATE:<\/strong> <code>Kubernetes v1.21 [stable]<\/code><\/p>\n<p>Kubernetes \u7684\u7279\u6027 <em>\u4e0d\u53ef\u53d8\u7684 Secret \u548c ConfigMap<\/em> \u63d0\u4f9b\u4e86\u4e00\u79cd\u53ef\u9009\u914d\u7f6e\uff0c \u53ef\u4ee5\u8bbe\u7f6e\u5404\u4e2a Secret \u548c ConfigMap \u4e3a\u4e0d\u53ef\u53d8\u7684\u3002 \u5bf9\u4e8e\u5927\u91cf\u4f7f\u7528 Secret \u7684\u96c6\u7fa4\uff08\u81f3\u5c11\u6709\u6210\u5343\u4e0a\u4e07\u5404\u4e0d\u76f8\u540c\u7684 Secret \u4f9b Pod \u6302\u8f7d\uff09\uff0c \u7981\u6b62\u53d8\u66f4\u5b83\u4eec\u7684\u6570\u636e\u6709\u4e0b\u5217\u597d\u5904\uff1a<\/p>\n<ul>\n<li>\u9632\u6b62\u610f\u5916\uff08\u6216\u975e\u9884\u671f\u7684\uff09\u66f4\u65b0\u5bfc\u81f4\u5e94\u7528\u7a0b\u5e8f\u4e2d\u65ad<\/li>\n<li>\u901a\u8fc7\u5c06 Secret \u6807\u8bb0\u4e3a\u4e0d\u53ef\u53d8\u6765\u5173\u95ed kube-apiserver \u5bf9\u5176\u7684\u76d1\u89c6\uff0c\u4ece\u800c\u663e\u8457\u964d\u4f4e kube-apiserver \u7684\u8d1f\u8f7d\uff0c\u63d0\u5347\u96c6\u7fa4\u6027\u80fd\u3002<\/li>\n<\/ul>\n<p>\u8fd9\u4e2a\u7279\u6027\u901a\u8fc7 <code>ImmutableEmphemeralVolumes<\/code> <a href=\"https:\/\/kubernetes.io\/zh\/docs\/reference\/command-line-tools-reference\/feature-gates\/\">\u7279\u6027\u95e8\u63a7<\/a> \u6765\u63a7\u5236\uff0c\u4ece v1.19 \u5f00\u59cb\u9ed8\u8ba4\u542f\u7528\u3002 \u4f60\u53ef\u4ee5\u901a\u8fc7\u5c06 Secret \u7684 <code>immutable<\/code> \u5b57\u6bb5\u8bbe\u7f6e\u4e3a <code>true<\/code> \u521b\u5efa\u4e0d\u53ef\u66f4\u6539\u7684 Secret\u3002 \u4f8b\u5982\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Secret\nmetadata:\n  ...\ndata:\n  ...\nimmutable: true<\/code><\/pre>\n<blockquote>\n<p><strong>\u8bf4\u660e\uff1a<\/strong><\/p>\n<p>\u4e00\u65e6\u4e00\u4e2a Secret \u6216 ConfigMap \u88ab\u6807\u8bb0\u4e3a\u4e0d\u53ef\u66f4\u6539\uff0c\u64a4\u9500\u6b64\u64cd\u4f5c\u6216\u8005\u66f4\u6539 <code>data<\/code> \u5b57\u6bb5\u7684\u5185\u5bb9\u90fd\u662f <em>\u4e0d<\/em> \u53ef\u80fd\u7684\u3002 \u53ea\u80fd\u5220\u9664\u5e76\u91cd\u65b0\u521b\u5efa\u8fd9\u4e2a Secret\u3002\u73b0\u6709\u7684 Pod \u5c06\u7ef4\u6301\u5bf9\u5df2\u5220\u9664 Secret \u7684\u6302\u8f7d\u70b9 - \u5efa\u8bae\u91cd\u65b0\u521b\u5efa\u8fd9\u4e9b Pod\u3002<\/p>\n<\/blockquote>\n<h4>\u4f7f\u7528 imagePullSecret<\/h4>\n<p><code>imagePullSecrets<\/code> \u5b57\u6bb5\u4e2d\u5305\u542b\u4e00\u4e2a\u5217\u8868\uff0c\u5217\u4e3e\u5bf9\u540c\u4e00\u540d\u5b57\u7a7a\u95f4\u4e2d\u7684 Secret \u7684\u5f15\u7528\u3002 \u4f60\u53ef\u4ee5\u4f7f\u7528 <code>imagePullSecrets<\/code> \u5c06\u5305\u542b Docker\uff08\u6216\u5176\u4ed6\uff09\u955c\u50cf\u4ed3\u5e93\u5bc6\u7801\u7684 Secret \u4f20\u9012\u7ed9 kubelet\u3002kubelet \u4f7f\u7528\u6b64\u4fe1\u606f\u6765\u66ff\u4f60\u7684 Pod \u62c9\u53d6\u79c1\u6709\u955c\u50cf\u3002 \u5173\u4e8e <code>imagePullSecrets<\/code> \u5b57\u6bb5\u7684\u66f4\u591a\u4fe1\u606f\uff0c\u8bf7\u53c2\u8003 <a href=\"https:\/\/kubernetes.io\/docs\/reference\/generated\/kubernetes-api\/v1.21\/#podspec-v1-core\">PodSpec API<\/a> \u6587\u6863\u3002<\/p>\n<h4>\u624b\u52a8\u6307\u5b9a imagePullSecret<\/h4>\n<p>\u4f60\u53ef\u4ee5\u9605\u8bfb<a href=\"https:\/\/kubernetes.io\/zh\/docs\/concepts\/containers\/images\/#specifying-imagepullsecrets-on-a-pod\">\u5bb9\u5668\u955c\u50cf\u6587\u6863<\/a> \u4ee5\u4e86\u89e3\u5982\u4f55\u8bbe\u7f6e <code>imagePullSecrets<\/code>\u3002<\/p>\n<h4>\u8bbe\u7f6e\u81ea\u52a8\u9644\u52a0 imagePullSecrets<\/h4>\n<p>\u60a8\u53ef\u4ee5\u624b\u52a8\u521b\u5efa <code>imagePullSecret<\/code>\uff0c\u5e76\u5728 ServiceAccount \u4e2d\u5f15\u7528\u5b83\u3002 \u4f7f\u7528\u8be5 ServiceAccount \u521b\u5efa\u7684\u4efb\u4f55 Pod \u548c\u9ed8\u8ba4\u4f7f\u7528\u8be5 ServiceAccount \u7684 Pod \u5c06\u4f1a\u5c06\u5176\u7684 imagePullSecret \u5b57\u6bb5\u8bbe\u7f6e\u4e3a\u670d\u52a1\u5e10\u6237\u7684 imagePullSecret \u503c\u3002 \u6709\u5173\u8be5\u8fc7\u7a0b\u7684\u8be6\u7ec6\u8bf4\u660e\uff0c\u8bf7\u53c2\u9605 <a href=\"https:\/\/kubernetes.io\/zh\/docs\/tasks\/configure-pod-container\/configure-service-account\/#adding-imagepullsecrets-to-a-service-account\">\u5c06 ImagePullSecrets \u6dfb\u52a0\u5230\u670d\u52a1\u5e10\u6237<\/a>\u3002<\/p>\n<h2>\u8be6\u7ec6\u8bf4\u660e<\/h2>\n<h3>\u9650\u5236<\/h3>\n<p>Kubernetes \u4f1a\u9a8c\u8bc1 Secret \u4f5c\u4e3a\u5377\u6765\u6e90\u65f6\u6240\u7ed9\u7684\u5bf9\u8c61\u5f15\u7528\u786e\u5b9e\u6307\u5411\u4e00\u4e2a\u7c7b\u578b\u4e3a Secret \u7684\u5bf9\u8c61\u3002\u56e0\u6b64\uff0cSecret \u9700\u8981\u5148\u4e8e\u4efb\u4f55\u4f9d\u8d56\u4e8e\u5b83\u7684 Pod \u521b\u5efa\u3002<\/p>\n<p>Secret API \u5bf9\u8c61\u5904\u4e8e\u67d0<a href=\"https:\/\/kubernetes.io\/zh\/docs\/concepts\/overview\/working-with-objects\/namespaces\/\">\u540d\u5b57\u7a7a\u95f4<\/a> \u4e2d\u3002\u5b83\u4eec\u53ea\u80fd\u7531\u540c\u4e00\u547d\u540d\u7a7a\u95f4\u4e2d\u7684 Pod \u5f15\u7528\u3002<\/p>\n<p>\u6bcf\u4e2a Secret \u7684\u5927\u5c0f\u9650\u5236\u4e3a 1MB\u3002\u8fd9\u662f\u4e3a\u4e86\u9632\u6b62\u521b\u5efa\u975e\u5e38\u5927\u7684 Secret \u5bfc\u81f4 API \u670d\u52a1\u5668 \u548c kubelet \u7684\u5185\u5b58\u8017\u5c3d\u3002\u7136\u800c\uff0c\u521b\u5efa\u8fc7\u591a\u8f83\u5c0f\u7684 Secret \u4e5f\u53ef\u80fd\u8017\u5c3d\u5185\u5b58\u3002 \u66f4\u5168\u9762\u5f97\u9650\u5236 Secret \u5185\u5b58\u7528\u91cf\u7684\u529f\u80fd\u8fd8\u5728\u8ba1\u5212\u4e2d\u3002<\/p>\n<p>kubelet \u4ec5\u652f\u6301\u4ece API \u670d\u52a1\u5668\u83b7\u5f97\u7684 Pod \u4f7f\u7528 Secret\u3002 \u8fd9\u5305\u62ec\u4f7f\u7528 <code>kubectl<\/code> \u521b\u5efa\u7684\u6240\u6709 Pod\uff0c\u4ee5\u53ca\u95f4\u63a5\u901a\u8fc7\u526f\u672c\u63a7\u5236\u5668\u521b\u5efa\u7684 Pod\u3002 \u5b83\u4e0d\u5305\u62ec\u901a\u8fc7 kubelet <code>--manifest-url<\/code> \u6807\u5fd7\uff0c<code>--config<\/code> \u6807\u5fd7\u6216\u5176 REST API \u521b\u5efa\u7684 Pod\uff08\u8fd9\u4e9b\u4e0d\u662f\u521b\u5efa Pod \u7684\u5e38\u7528\u65b9\u6cd5\uff09\u3002<\/p>\n<p>\u4ee5\u73af\u5883\u53d8\u91cf\u5f62\u5f0f\u5728 Pod \u4e2d\u4f7f\u7528 Secret \u4e4b\u524d\u5fc5\u987b\u5148\u521b\u5efa Secret\uff0c\u9664\u975e\u8be5\u73af\u5883\u53d8\u91cf\u88ab\u6807\u8bb0\u4e3a\u53ef\u9009\u7684\u3002 Pod \u4e2d\u5f15\u7528\u4e0d\u5b58\u5728\u7684 Secret \u65f6\u5c06\u65e0\u6cd5\u542f\u52a8\u3002<\/p>\n<p>\u4f7f\u7528 <code>secretKeyRef<\/code> \u65f6\uff0c\u5982\u679c\u5f15\u7528\u4e86\u6307\u5b9a Secret \u4e0d\u5b58\u5728\u7684\u952e\uff0c\u5bf9\u5e94\u7684 Pod \u4e5f\u65e0\u6cd5\u542f\u52a8\u3002<\/p>\n<p>\u5bf9\u4e8e\u901a\u8fc7 <code>envFrom<\/code> \u586b\u5145\u73af\u5883\u53d8\u91cf\u7684 Secret\uff0c\u5982\u679c Secret \u4e2d\u5305\u542b\u7684\u952e\u540d\u65e0\u6cd5\u4f5c\u4e3a \u5408\u6cd5\u7684\u73af\u5883\u53d8\u91cf\u540d\u79f0\uff0c\u5bf9\u5e94\u7684\u952e\u4f1a\u88ab\u8df3\u8fc7\uff0c\u8be5 Pod \u5c06\u88ab\u5141\u8bb8\u542f\u52a8\u3002 \u4e0d\u8fc7\u8fd9\u65f6\u4f1a\u4ea7\u751f\u4e00\u4e2a\u4e8b\u4ef6\uff0c\u5176\u539f\u56e0\u4e3a <code>InvalidVariableNames<\/code>\uff0c\u5176\u6d88\u606f\u4e2d\u5305\u542b\u88ab\u8df3\u8fc7\u7684\u65e0\u6548\u952e\u7684\u5217\u8868\u3002 \u4e0b\u9762\u7684\u793a\u4f8b\u663e\u793a\u4e00\u4e2a Pod\uff0c\u5b83\u5f15\u7528\u4e86\u5305\u542b 2 \u4e2a\u65e0\u6548\u952e 1badkey \u548c 2alsobad\u3002<\/p>\n<pre><code class=\"language-shell\">kubectl get events<\/code><\/pre>\n<p>\u8f93\u51fa\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n<pre><code>LASTSEEN   FIRSTSEEN   COUNT     NAME            KIND      SUBOBJECT                         TYPE      REASON\n0s         0s          1         dapi-test-pod   Pod                                         Warning   InvalidEnvironmentVariableNames   kubelet, 127.0.0.1      Keys [1badkey, 2alsobad] from the EnvFrom secret default\/mysecret were skipped since they are considered invalid environment variable names.<\/code><\/pre>\n<h3>Secret \u4e0e Pod \u751f\u547d\u5468\u671f\u7684\u5173\u7cfb<\/h3>\n<p>\u901a\u8fc7 API \u521b\u5efa Pod \u65f6\uff0c\u4e0d\u4f1a\u68c0\u67e5\u5f15\u7528\u7684 Secret \u662f\u5426\u5b58\u5728\u3002\u4e00\u65e6 Pod \u88ab\u8c03\u5ea6\uff0ckubelet \u5c31\u4f1a\u5c1d\u8bd5\u83b7\u53d6\u8be5 Secret \u7684\u503c\u3002\u5982\u679c\u83b7\u53d6\u4e0d\u5230\u8be5 Secret\uff0c\u6216\u8005\u6682\u65f6\u65e0\u6cd5\u4e0e API \u670d\u52a1\u5668\u5efa\u7acb\u8fde\u63a5\uff0c kubelet \u5c06\u4f1a\u5b9a\u671f\u91cd\u8bd5\u3002kubelet \u5c06\u4f1a\u62a5\u544a\u5173\u4e8e Pod \u7684\u4e8b\u4ef6\uff0c\u5e76\u89e3\u91ca\u5b83\u65e0\u6cd5\u542f\u52a8\u7684\u539f\u56e0\u3002 \u4e00\u65e6\u83b7\u53d6\u5230 Secret\uff0ckubelet \u5c06\u521b\u5efa\u5e76\u6302\u8f7d\u4e00\u4e2a\u5305\u542b\u5b83\u7684\u5377\u3002\u5728 Pod \u7684\u6240\u6709\u5377\u88ab\u6302\u8f7d\u4e4b\u524d\uff0c Pod \u4e2d\u7684\u5bb9\u5668\u4e0d\u4f1a\u542f\u52a8\u3002<\/p>\n<h2>\u4f7f\u7528\u6848\u4f8b<\/h2>\n<h3>\u6848\u4f8b\uff1a\u4ee5\u73af\u5883\u53d8\u91cf\u7684\u5f62\u5f0f\u4f7f\u7528 Secret<\/h3>\n<p>\u521b\u5efa\u4e00\u4e2a Secret \u5b9a\u4e49\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Secret\nmetadata:\n  name: mysecret\ntype: Opaque\ndata:\n  USER_NAME: YWRtaW4=\n  PASSWORD: MWYyZDFlMmU2N2Rm<\/code><\/pre>\n<p>\u751f\u6210 Secret \u5bf9\u8c61\uff1a<\/p>\n<pre><code class=\"language-shell\">kubectl apply -f mysecret.yaml<\/code><\/pre>\n<p>\u4f7f\u7528 <code>envFrom<\/code> \u5c06 Secret \u7684\u6240\u6709\u6570\u636e\u5b9a\u4e49\u4e3a\u5bb9\u5668\u7684\u73af\u5883\u53d8\u91cf\u3002 Secret \u4e2d\u7684\u952e\u540d\u79f0\u4e3a Pod \u4e2d\u7684\u73af\u5883\u53d8\u91cf\u540d\u79f0\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Pod\nmetadata:\n  name: secret-test-pod\nspec:\n  containers:\n    - name: test-container\n      image: k8s.gcr.io\/busybox\n      command: [ &quot;\/bin\/sh&quot;, &quot;-c&quot;, &quot;env&quot; ]\n      envFrom:\n      - secretRef:\n          name: mysecret\n  restartPolicy: Never<\/code><\/pre>\n<h3>\u6848\u4f8b\uff1a\u5305\u542b SSH \u5bc6\u94a5\u7684 Pod<\/h3>\n<p>\u521b\u5efa\u4e00\u4e2a\u5305\u542b SSH \u5bc6\u94a5\u7684 Secret\uff1a<\/p>\n<pre><code class=\"language-shell\">kubectl create secret generic ssh-key-secret \\\n  --from-file=ssh-privatekey=\/path\/to\/.ssh\/id_rsa \\\n  --from-file=ssh-publickey=\/path\/to\/.ssh\/id_rsa.pub<\/code><\/pre>\n<p>\u8f93\u51fa\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n<pre><code>secret &quot;ssh-key-secret&quot; created<\/code><\/pre>\n<p>\u4f60\u4e5f\u53ef\u4ee5\u521b\u5efa\u4e00\u4e2a\u5e26\u6709\u5305\u542b SSH \u5bc6\u94a5\u7684 <code>secretGenerator<\/code> \u5b57\u6bb5\u7684 <code>kustomization.yaml<\/code> \u6587\u4ef6\u3002<\/p>\n<blockquote>\n<p><strong>\u6ce8\u610f\uff1a<\/strong> \u53d1\u9001\u81ea\u5df1\u7684 SSH \u5bc6\u94a5\u4e4b\u524d\u8981\u4ed4\u7ec6\u601d\u8003\uff1a\u96c6\u7fa4\u7684\u5176\u4ed6\u7528\u6237\u53ef\u80fd\u6709\u6743\u8bbf\u95ee\u8be5\u5bc6\u94a5\u3002 \u4f60\u53ef\u4ee5\u4f7f\u7528\u4e00\u4e2a\u670d\u52a1\u5e10\u6237\uff0c\u5206\u4eab\u7ed9 Kubernetes \u96c6\u7fa4\u4e2d\u5408\u9002\u7684\u7528\u6237\uff0c\u8fd9\u4e9b\u7528\u6237\u662f\u4f60\u8981\u5206\u4eab\u7684\u3002 \u5982\u679c\u670d\u52a1\u8d26\u53f7\u906d\u5230\u4fb5\u72af\uff0c\u53ef\u4ee5\u5c06\u5176\u6536\u56de\u3002<\/p>\n<\/blockquote>\n<p>\u73b0\u5728\u6211\u4eec\u53ef\u4ee5\u521b\u5efa\u4e00\u4e2a Pod\uff0c\u4ee4\u5176\u5f15\u7528\u5305\u542b SSH \u5bc6\u94a5\u7684 Secret\uff0c\u5e76\u901a\u8fc7\u5b58\u50a8\u5377\u6765\u4f7f\u7528\u5b83\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Pod\nmetadata:\n  name: secret-test-pod\n  labels:\n    name: secret-test\nspec:\n  volumes:\n  - name: secret-volume\n    secret:\n      secretName: ssh-key-secret\n  containers:\n  - name: ssh-test-container\n    image: mySshImage\n    volumeMounts:\n    - name: secret-volume\n      readOnly: true\n      mountPath: &quot;\/etc\/secret-volume&quot;<\/code><\/pre>\n<p>\u5bb9\u5668\u4e2d\u7684\u547d\u4ee4\u8fd0\u884c\u65f6\uff0c\u5bc6\u94a5\u7684\u7247\u6bb5\u53ef\u4ee5\u5728\u4ee5\u4e0b\u76ee\u5f55\u627e\u5230\uff1a<\/p>\n<pre><code>\/etc\/secret-volume\/ssh-publickey\n\/etc\/secret-volume\/ssh-privatekey<\/code><\/pre>\n<p>\u7136\u540e\u5bb9\u5668\u53ef\u4ee5\u81ea\u7531\u4f7f\u7528 Secret \u6570\u636e\u5efa\u7acb\u4e00\u4e2a SSH \u8fde\u63a5\u3002<\/p>\n<h3>\u6848\u4f8b\uff1a\u5305\u542b\u751f\u4ea7\/\u6d4b\u8bd5\u51ed\u636e\u7684 Pod<\/h3>\n<p>\u4e0b\u9762\u7684\u4f8b\u5b50\u5c55\u793a\u7684\u662f\u4e24\u4e2a Pod\u3002 \u4e00\u4e2a Pod \u4f7f\u7528\u5305\u542b\u751f\u4ea7\u73af\u5883\u51ed\u636e\u7684 Secret\uff0c\u53e6\u4e00\u4e2a Pod \u4f7f\u7528\u5305\u542b\u6d4b\u8bd5\u73af\u5883\u51ed\u636e\u7684 Secret\u3002<\/p>\n<p>\u4f60\u53ef\u4ee5\u521b\u5efa\u4e00\u4e2a\u5e26\u6709 <code>secretGenerator<\/code> \u5b57\u6bb5\u7684 <code>kustomization.yaml<\/code> \u6587\u4ef6\uff0c\u6216\u8005\u6267\u884c <code>kubectl create secret<\/code>\uff1a<\/p>\n<pre><code class=\"language-shell\">kubectl create secret generic prod-db-secret \\\n  --from-literal=username=produser \\\n  --from-literal=password=Y4nys7f11<\/code><\/pre>\n<p>\u8f93\u51fa\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n<pre><code>secret &quot;prod-db-secret&quot; created\nkubectl create secret generic test-db-secret \\\n  --from-literal=username=testuser \\\n  --from-literal=password=iluvtests<\/code><\/pre>\n<p>\u8f93\u51fa\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n<pre><code>secret &quot;test-db-secret&quot; created<\/code><\/pre>\n<blockquote>\n<p><strong>\u8bf4\u660e\uff1a<\/strong><\/p>\n<p>\u7279\u6b8a\u5b57\u7b26\uff08\u4f8b\u5982 <code>$<\/code>\u3001<code>\\<\/code>\u3001<code>*<\/code>\u3001<code>=<\/code> \u548c <code>MARKDOWN_HASH9033e0e305f247c0c3c80d0c7848c8b3MARKDOWN<em>HASH<\/code>\uff09\u4f1a\u88ab\u4f60\u7684 [Shell](<a href=\"https:\/\/en.wikipedia.org\/wiki\/Shell\">https:\/\/en.wikipedia.org\/wiki\/Shell<\/a><\/em>(computing))\u89e3\u91ca\uff0c\u56e0\u6b64\u9700\u8981\u8f6c\u4e49\u3002 \u5728\u5927\u591a\u6570 Shell \u4e2d\uff0c\u5bf9\u5bc6\u7801\u8fdb\u884c\u8f6c\u4e49\u7684\u6700\u7b80\u5355\u65b9\u5f0f\u662f\u7528\u5355\u5f15\u53f7\uff08<code>&#039;<\/code>\uff09\u5c06\u5176\u62ec\u8d77\u6765\u3002 \u4f8b\u5982\uff0c\u5982\u679c\u60a8\u7684\u5b9e\u9645\u5bc6\u7801\u662f <code>S!B\\*d$zDsb<\/code>\uff0c\u5219\u5e94\u901a\u8fc7\u4ee5\u4e0b\u65b9\u5f0f\u6267\u884c\u547d\u4ee4\uff1a<\/p>\n<pre><code class=\"language-shell\">kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password='S!B\\*d$zDsb='<\/code><\/pre>\n<p>\u60a8\u65e0\u9700\u5bf9\u6587\u4ef6\u4e2d\u7684\u5bc6\u7801\uff08<code>--from-file<\/code>\uff09\u4e2d\u7684\u7279\u6b8a\u5b57\u7b26\u8fdb\u884c\u8f6c\u4e49\u3002<\/p>\n<\/blockquote>\n<p>\u521b\u5efa pod \uff1a<\/p>\n<pre><code class=\"language-shell\">$ cat &lt;&lt;EOF &gt; pod.yaml\napiVersion: v1\nkind: List\nitems:\n- kind: Pod\n  apiVersion: v1\n  metadata:\n    name: prod-db-client-pod\n    labels:\n      name: prod-db-client\n  spec:\n    volumes:\n    - name: secret-volume\n      secret:\n        secretName: prod-db-secret\n    containers:\n    - name: db-client-container\n      image: myClientImage\n      volumeMounts:\n      - name: secret-volume\n        readOnly: true\n        mountPath: &quot;\/etc\/secret-volume&quot;\n- kind: Pod\n  apiVersion: v1\n  metadata:\n    name: test-db-client-pod\n    labels:\n      name: test-db-client\n  spec:\n    volumes:\n    - name: secret-volume\n      secret:\n        secretName: test-db-secret\n    containers:\n    - name: db-client-container\n      image: myClientImage\n      volumeMounts:\n      - name: secret-volume\n        readOnly: true\n        mountPath: &quot;\/etc\/secret-volume&quot;\nEOF<\/code><\/pre>\n<p>\u5c06 Pod \u6dfb\u52a0\u5230\u540c\u4e00\u4e2a kustomization.yaml \u6587\u4ef6<\/p>\n<pre><code class=\"language-shell\">$ cat &lt;&lt;EOF &gt;&gt; kustomization.yaml\nresources:\n- pod.yaml\nEOF<\/code><\/pre>\n<p>\u901a\u8fc7\u4e0b\u9762\u7684\u547d\u4ee4\u5e94\u7528\u6240\u6709\u5bf9\u8c61<\/p>\n<pre><code class=\"language-shell\">kubectl apply -k .<\/code><\/pre>\n<p>\u4e24\u4e2a\u5bb9\u5668\u90fd\u4f1a\u5728\u5176\u6587\u4ef6\u7cfb\u7edf\u4e0a\u5b58\u5728\u4ee5\u4e0b\u6587\u4ef6\uff0c\u5176\u4e2d\u5305\u542b\u5bb9\u5668\u5bf9\u5e94\u7684\u73af\u5883\u7684\u503c\uff1a<\/p>\n<pre><code>\/etc\/secret-volume\/username\n\/etc\/secret-volume\/password<\/code><\/pre>\n<p>\u8bf7\u6ce8\u610f\uff0c\u4e24\u4e2a Pod \u7684\u89c4\u7ea6\u914d\u7f6e\u4e2d\u4ec5\u6709\u4e00\u4e2a\u5b57\u6bb5\u4e0d\u540c\uff1b\u8fd9\u6709\u52a9\u4e8e\u4f7f\u7528\u5171\u540c\u7684 Pod \u914d\u7f6e\u6a21\u677f\u521b\u5efa \u5177\u6709\u4e0d\u540c\u80fd\u529b\u7684 Pod\u3002<\/p>\n<p>\u60a8\u53ef\u4ee5\u4f7f\u7528\u4e24\u4e2a\u670d\u52a1\u8d26\u53f7\u8fdb\u4e00\u6b65\u7b80\u5316\u57fa\u672c\u7684 Pod \u89c4\u7ea6\uff1a<\/p>\n<ol>\n<li>\u540d\u4e3a <code>prod-user<\/code> \u7684\u670d\u52a1\u8d26\u53f7\u62e5\u6709 <code>prod-db-secret<\/code><\/li>\n<li>\u540d\u4e3a <code>test-user<\/code> \u7684\u670d\u52a1\u8d26\u53f7\u62e5\u6709 <code>test-db-secret<\/code><\/li>\n<\/ol>\n<p>\u7136\u540e\uff0cPod \u89c4\u7ea6\u53ef\u4ee5\u7f29\u77ed\u4e3a\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Pod\nmetadata:\n  name: prod-db-client-pod\n  labels:\n    name: prod-db-client\nspec:\n  serviceAccount: prod-db-client\n  containers:\n  - name: db-client-container\n    image: myClientImage<\/code><\/pre>\n<h3>\u6848\u4f8b\uff1aSecret \u5377\u4e2d\u4ee5\u53e5\u70b9\u53f7\u5f00\u5934\u7684\u6587\u4ef6<\/h3>\n<p>\u4f60\u53ef\u4ee5\u901a\u8fc7\u5b9a\u4e49\u4ee5\u53e5\u70b9\u5f00\u5934\u7684\u952e\u540d\uff0c\u5c06\u6570\u636e\u201c\u9690\u85cf\u201d\u8d77\u6765\u3002 \u4f8b\u5982\uff0c\u5f53\u5982\u4e0b Secret \u88ab\u6302\u8f7d\u5230 <code>secret-volume<\/code> \u5377\u4e2d\uff1a<\/p>\n<pre><code class=\"language-yaml\">apiVersion: v1\nkind: Secret\nmetadata:\n  name: dotfile-secret\ndata:\n  .secret-file: dmFsdWUtMg0KDQo=\n---\napiVersion: v1\nkind: Pod\nmetadata:\n  name: secret-dotfiles-pod\nspec:\n  volumes:\n  - name: secret-volume\n    secret:\n      secretName: dotfile-secret\n  containers:\n  - name: dotfile-test-container\n    image: k8s.gcr.io\/busybox\n    command:\n    - ls\n    - &quot;-l&quot;\n    - &quot;\/etc\/secret-volume&quot;\n    volumeMounts:\n    - name: secret-volume\n      readOnly: true\n      mountPath: &quot;\/etc\/secret-volume&quot;<\/code><\/pre>\n<p>\u5377\u4e2d\u5c06\u5305\u542b\u552f\u4e00\u7684\u53eb\u505a <code>.secret-file<\/code> \u7684\u6587\u4ef6\u3002 \u5bb9\u5668 <code>dotfile-test-container<\/code> \u4e2d\uff0c\u8be5\u6587\u4ef6\u5904\u4e8e <code>\/etc\/secret-volume\/.secret-file<\/code> \u8def\u5f84\u4e0b\u3002<\/p>\n<blockquote>\n<p><strong>\u8bf4\u660e\uff1a<\/strong> \u4ee5\u70b9\u53f7\u5f00\u5934\u7684\u6587\u4ef6\u5728 <code>ls -l<\/code> \u7684\u8f93\u51fa\u4e2d\u4f1a\u88ab\u9690\u85cf\u8d77\u6765\uff1b \u5217\u51fa\u76ee\u5f55\u5185\u5bb9\u65f6\uff0c\u5fc5\u987b\u4f7f\u7528 <code>ls -la<\/code> \u624d\u80fd\u770b\u5230\u5b83\u4eec\u3002<\/p>\n<\/blockquote>\n<h3>\u6848\u4f8b\uff1aSecret \u4ec5\u5bf9 Pod \u4e2d\u7684\u4e00\u4e2a\u5bb9\u5668\u53ef\u89c1<\/h3>\n<p>\u8003\u8651\u4e00\u4e2a\u9700\u8981\u5904\u7406 HTTP \u8bf7\u6c42\u3001\u6267\u884c\u4e00\u4e9b\u590d\u6742\u7684\u4e1a\u52a1\u903b\u8f91\uff0c\u7136\u540e\u4f7f\u7528 HMAC \u7b7e\u7f72\u4e00\u4e9b\u6d88\u606f\u7684\u5e94\u7528\u3002 \u56e0\u4e3a\u5e94\u7528\u7a0b\u5e8f\u903b\u8f91\u590d\u6742\uff0c\u670d\u52a1\u5668\u4e2d\u53ef\u80fd\u4f1a\u5b58\u5728\u4e00\u4e2a\u672a\u88ab\u6ce8\u610f\u7684\u8fdc\u7a0b\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\uff0c \u53ef\u80fd\u4f1a\u5c06\u79c1\u94a5\u66b4\u9732\u7ed9\u653b\u51fb\u8005\u3002<\/p>\n<p>\u89e3\u51b3\u7684\u529e\u6cd5\u53ef\u4ee5\u662f\u5c06\u5e94\u7528\u5206\u4e3a\u4e24\u4e2a\u8fdb\u7a0b\uff0c\u5206\u522b\u8fd0\u884c\u5728\u4e24\u4e2a\u5bb9\u5668\u4e2d\uff1a \u524d\u7aef\u5bb9\u5668\uff0c\u7528\u4e8e\u5904\u7406\u7528\u6237\u4ea4\u4e92\u548c\u4e1a\u52a1\u903b\u8f91\uff0c\u4f46\u65e0\u6cd5\u770b\u5230\u79c1\u94a5\uff1b \u7b7e\u540d\u5bb9\u5668\uff0c\u53ef\u4ee5\u770b\u5230\u79c1\u94a5\uff0c\u54cd\u5e94\u6765\u81ea\u524d\u7aef\uff08\u4f8b\u5982\u901a\u8fc7\u672c\u5730\u4e3b\u673a\u7f51\u7edc\uff09\u7684\u7b80\u5355\u7b7e\u540d\u8bf7\u6c42\u3002<\/p>\n<p>\u4f7f\u7528\u8fd9\u79cd\u5206\u5272\u65b9\u6cd5\uff0c\u653b\u51fb\u8005\u73b0\u5728\u5fc5\u987b\u6b3a\u9a97\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u624d\u80fd\u8fdb\u884c\u4efb\u610f\u7684\u64cd\u4f5c\uff0c \u8fd9\u53ef\u80fd\u6bd4\u4f7f\u5176\u8bfb\u53d6\u6587\u4ef6\u66f4\u96be\u3002<\/p>\n<h2>\u6700\u4f73\u5b9e\u8df5<\/h2>\n<h3>\u5ba2\u6237\u7aef\u4f7f\u7528 Secret API<\/h3>\n<p>\u5f53\u90e8\u7f72\u4e0e Secret API \u4ea4\u4e92\u7684\u5e94\u7528\u7a0b\u5e8f\u65f6\uff0c\u5e94\u4f7f\u7528 <a href=\"https:\/\/kubernetes.io\/zh\/docs\/reference\/access-authn-authz\/authorization\/\">\u9274\u6743\u7b56\u7565<\/a>\uff0c \u4f8b\u5982 <a href=\"https:\/\/kubernetes.io\/zh\/docs\/reference\/access-authn-authz\/rbac\/\">RBAC<\/a>\uff0c\u6765\u9650\u5236\u8bbf\u95ee\u3002<\/p>\n<p>Secret \u4e2d\u7684\u503c\u5bf9\u4e8e\u4e0d\u540c\u7684\u73af\u5883\u6765\u8bf4\u91cd\u8981\u6027\u53ef\u80fd\u4e0d\u540c\u3002 \u5f88\u591a Secret \u90fd\u53ef\u80fd\u5bfc\u81f4 Kubernetes \u96c6\u7fa4\u5185\u90e8\u7684\u6743\u9650\u8d8a\u754c\uff08\u4f8b\u5982\u670d\u52a1\u8d26\u53f7\u4ee4\u724c\uff09 \u751a\u81f3\u9003\u9038\u5230\u96c6\u7fa4\u5916\u90e8\u3002 \u5373\u4f7f\u67d0\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u53ef\u4ee5\u5c31\u6240\u4ea4\u4e92\u7684 Secret \u7684\u80fd\u529b\u4f5c\u51fa\u6b63\u786e\u6289\u62e9\uff0c\u4f46\u662f\u540c\u4e00\u547d\u540d\u7a7a\u95f4\u4e2d \u7684\u5176\u4ed6\u5e94\u7528\u7a0b\u5e8f\u5374\u53ef\u80fd\u4e0d\u8fd9\u6837\u505a\u3002<\/p>\n<p>\u7531\u4e8e\u8fd9\u4e9b\u539f\u56e0\uff0c\u5728\u547d\u540d\u7a7a\u95f4\u4e2d <code>watch<\/code> \u548c <code>list<\/code> Secret \u7684\u8bf7\u6c42\u662f\u975e\u5e38\u5f3a\u5927\u7684\u80fd\u529b\uff0c \u662f\u5e94\u8be5\u907f\u514d\u7684\u884c\u4e3a\u3002\u5217\u51fa Secret \u7684\u64cd\u4f5c\u53ef\u4ee5\u8ba9\u5ba2\u6237\u7aef\u68c0\u67e5\u8be5\u547d\u540d\u7a7a\u95f4\u4e2d\u5b58\u5728\u7684\u6240\u6709 Secret\u3002 \u5728\u7fa4\u96c6\u4e2d <code>watch<\/code> \u548c <code>list<\/code> \u6240\u6709 Secret \u7684\u80fd\u529b\u5e94\u8be5\u53ea\u4fdd\u7559\u7ed9\u7279\u6743\u6700\u9ad8\u7684\u7cfb\u7edf\u7ea7\u7ec4\u4ef6\u3002<\/p>\n<p>\u9700\u8981\u8bbf\u95ee Secret API \u7684\u5e94\u7528\u7a0b\u5e8f\u5e94\u8be5\u9488\u5bf9\u6240\u9700\u8981\u7684 Secret \u6267\u884c <code>get<\/code> \u8bf7\u6c42\u3002 \u8fd9\u6837\uff0c\u7ba1\u7406\u5458\u5c31\u80fd\u9650\u5236\u5bf9\u6240\u6709 Secret \u7684\u8bbf\u95ee\uff0c\u540c\u65f6\u4e3a\u5e94\u7528\u6240\u9700\u8981\u7684 <a href=\"https:\/\/kubernetes.io\/zh\/docs\/reference\/access-authn-authz\/rbac\/#referring-to-resources\">\u5b9e\u4f8b\u8bbe\u7f6e\u8bbf\u95ee\u5141\u8bb8\u6e05\u5355<\/a> \u3002<\/p>\n<p>\u4e3a\u4e86\u83b7\u5f97\u9ad8\u4e8e\u8f6e\u8be2\u64cd\u4f5c\u7684\u6027\u80fd\uff0c\u5ba2\u6237\u7aef\u8bbe\u8ba1\u8d44\u6e90\u65f6\uff0c\u53ef\u4ee5\u5f15\u7528 Secret\uff0c\u7136\u540e\u5bf9\u8d44\u6e90\u6267\u884c <code>watch<\/code> \u64cd\u4f5c\uff0c\u5728\u5f15\u7528\u66f4\u6539\u65f6\u91cd\u65b0\u68c0\u7d22 Secret\u3002 \u6b64\u5916\uff0c\u793e\u533a\u8fd8\u5b58\u5728\u4e00\u79cd <a href=\"https:\/\/github.com\/kubernetes\/community\/blob\/master\/contributors\/design-proposals\/bulk_watch.md\">\u201c\u6279\u91cf\u76d1\u63a7\u201d API<\/a> \u7684\u63d0\u6848\uff0c\u5141\u8bb8\u5ba2\u6237\u7aef <code>watch<\/code> \u72ec\u7acb\u7684\u8d44\u6e90\uff0c\u8be5\u529f\u80fd\u53ef\u80fd\u4f1a\u5728\u5c06\u6765\u7684 Kubernetes \u7248\u672c\u4e2d\u63d0\u4f9b\u3002<\/p>\n<h2>\u5b89\u5168\u5c5e\u6027<\/h2>\n<h3>\u4fdd\u62a4<\/h3>\n<p>\u56e0\u4e3a Secret \u5bf9\u8c61\u53ef\u4ee5\u72ec\u7acb\u4e8e\u4f7f\u7528\u5b83\u4eec\u7684 Pod \u800c\u521b\u5efa\uff0c\u6240\u4ee5\u5728\u521b\u5efa\u3001\u67e5\u770b\u548c\u7f16\u8f91 Pod \u7684\u6d41\u7a0b\u4e2d Secret \u88ab\u66b4\u9732\u7684\u98ce\u9669\u8f83\u5c0f\u3002\u7cfb\u7edf\u8fd8\u53ef\u4ee5\u5bf9 Secret \u5bf9\u8c61\u91c7\u53d6\u989d\u5916\u7684\u9884\u9632\u6027\u4fdd\u62a4\u63aa\u65bd\uff0c \u4f8b\u5982\uff0c\u5728\u53ef\u80fd\u7684\u60c5\u51b5\u4e0b\u907f\u514d\u5c06\u5176\u5199\u5230\u78c1\u76d8\u3002<\/p>\n<p>\u53ea\u6709\u5f53\u67d0\u8282\u70b9\u4e0a\u7684 Pod \u9700\u8981\u7528\u5230\u67d0 Secret \u65f6\uff0c\u8be5 Secret \u624d\u4f1a\u88ab\u53d1\u9001\u5230\u8be5\u8282\u70b9\u4e0a\u3002 Secret \u4e0d\u4f1a\u88ab\u5199\u5165\u78c1\u76d8\uff0c\u800c\u662f\u88ab kubelet \u5b58\u50a8\u5728 tmpfs \u4e2d\u3002 \u4e00\u65e6\u4f9d\u8d56\u4e8e\u5b83\u7684 Pod \u88ab\u5220\u9664\uff0cSecret \u6570\u636e\u7684\u672c\u5730\u526f\u672c\u5c31\u88ab\u5220\u9664\u3002<\/p>\n<p>\u540c\u4e00\u8282\u70b9\u4e0a\u7684\u5f88\u591a\u4e2a Pod \u53ef\u80fd\u62e5\u6709\u591a\u4e2a Secret\u3002 \u4f46\u662f\uff0c\u53ea\u6709 Pod \u6240\u8bf7\u6c42\u7684 Secret \u5728\u5176\u5bb9\u5668\u4e2d\u624d\u662f\u53ef\u89c1\u7684\u3002 \u56e0\u6b64\uff0c\u4e00\u4e2a Pod \u4e0d\u80fd\u8bbf\u95ee\u53e6\u4e00\u4e2a Pod \u7684 Secret\u3002<\/p>\n<p>\u540c\u4e00\u4e2a Pod \u4e2d\u53ef\u80fd\u6709\u591a\u4e2a\u5bb9\u5668\u3002\u4f46\u662f\uff0cPod \u4e2d\u7684\u6bcf\u4e2a\u5bb9\u5668\u5fc5\u987b\u901a\u8fc7 <code>volumeeMounts<\/code> \u8bf7\u6c42\u6302\u8f7d Secret \u5377\u624d\u80fd\u4f7f\u5377\u4e2d\u7684 Secret \u5bf9\u5bb9\u5668\u53ef\u89c1\u3002 \u8fd9\u4e00\u5b9e\u73b0\u53ef\u4ee5\u7528\u4e8e\u5728 Pod \u7ea7\u522b<a href=\"https:\/\/kubernetes.io\/zh\/docs\/concepts\/configuration\/secret\/#secret-visible-to-only-one-container\">\u6784\u5efa\u5b89\u5168\u5206\u533a<\/a>\u3002<\/p>\n<p>\u5728\u5927\u591a\u6570 Kubernetes \u53d1\u884c\u7248\u4e2d\uff0c\u7528\u6237\u4e0e API \u670d\u52a1\u5668\u4e4b\u95f4\u7684\u901a\u4fe1\u4ee5\u53ca \u4ece API \u670d\u52a1\u5668\u5230 kubelet \u7684\u901a\u4fe1\u90fd\u53d7\u5230 SSL\/TLS \u7684\u4fdd\u62a4\u3002 \u901a\u8fc7\u8fd9\u4e9b\u901a\u9053\u4f20\u8f93\u65f6\uff0cSecret \u53d7\u5230\u4fdd\u62a4\u3002<\/p>\n<p><strong>FEATURE STATE:<\/strong> <code>Kubernetes v1.13 [beta]<\/code><\/p>\n<p>\u4f60\u53ef\u4ee5\u4e3a Secret \u6570\u636e\u5f00\u542f<a href=\"https:\/\/kubernetes.io\/zh\/docs\/tasks\/administer-cluster\/encrypt-data\/\">\u9759\u6001\u52a0\u5bc6<\/a>\uff0c \u8fd9\u6837 Secret \u6570\u636e\u5c31\u4e0d\u4f1a\u4ee5\u660e\u6587\u5f62\u5f0f\u5b58\u50a8\u5230<a href=\"https:\/\/kubernetes.io\/zh\/docs\/tasks\/administer-cluster\/configure-upgrade-etcd\/\">etcd<\/a> \u4e2d\u3002<\/p>\n<h3>\u98ce\u9669<\/h3>\n<ul>\n<li>API \u670d\u52a1\u5668\u4e0a\u7684 Secret \u6570\u636e\u4ee5\u7eaf\u6587\u672c\u7684\u65b9\u5f0f\u5b58\u50a8\u5728 etcd \u4e2d\uff0c\u56e0\u6b64\uff1a\n<ul>\n<li>\u7ba1\u7406\u5458\u5e94\u8be5\u4e3a\u96c6\u7fa4\u6570\u636e\u5f00\u542f\u9759\u6001\u52a0\u5bc6\uff08\u8981\u6c42 v1.13 \u6216\u8005\u66f4\u9ad8\u7248\u672c\uff09\u3002<\/li>\n<li>\u7ba1\u7406\u5458\u5e94\u8be5\u9650\u5236\u53ea\u6709 admin \u7528\u6237\u80fd\u8bbf\u95ee etcd\uff1b<\/li>\n<li>API \u670d\u52a1\u5668\u4e2d\u7684 Secret \u6570\u636e\u4f4d\u4e8e etcd \u4f7f\u7528\u7684\u78c1\u76d8\u4e0a\uff1b\u7ba1\u7406\u5458\u53ef\u80fd\u5e0c\u671b\u5728\u4e0d\u518d\u4f7f\u7528\u65f6\u64e6\u9664\/\u7c89\u788e etcd \u4f7f\u7528\u7684\u78c1\u76d8<\/li>\n<li>\u5982\u679c etcd \u8fd0\u884c\u5728\u96c6\u7fa4\u5185\uff0c\u7ba1\u7406\u5458\u5e94\u8be5\u786e\u4fdd etcd \u4e4b\u95f4\u7684\u901a\u4fe1\u4f7f\u7528 SSL\/TLS \u8fdb\u884c\u52a0\u5bc6\u3002<\/li>\n<\/ul>\n<\/li>\n<li>\u5982\u679c\u60a8\u5c06 Secret \u6570\u636e\u7f16\u7801\u4e3a base64 \u7684\u6e05\u5355\uff08JSON \u6216 YAML\uff09\u6587\u4ef6\uff0c\u5171\u4eab\u8be5\u6587\u4ef6\u6216\u5c06\u5176\u68c0\u5165\u4ee3\u7801\u5e93\uff0c\u8be5\u5bc6\u7801\u5c06\u4f1a\u88ab\u6cc4\u9732\u3002 Base64 \u7f16\u7801\u4e0d\u662f\u4e00\u79cd\u52a0\u5bc6\u65b9\u5f0f\uff0c\u5e94\u8be5\u89c6\u540c\u7eaf\u6587\u672c\u3002<\/li>\n<li>\u5e94\u7528\u7a0b\u5e8f\u5728\u4ece\u5377\u4e2d\u8bfb\u53d6 Secret \u540e\u4ecd\u7136\u9700\u8981\u4fdd\u62a4 Secret \u7684\u503c\uff0c\u4f8b\u5982\u4e0d\u4f1a\u610f\u5916\u5c06\u5176\u5199\u5165\u65e5\u5fd7\u6216\u53d1\u9001\u7ed9\u4e0d\u4fe1\u4efb\u65b9\u3002<\/li>\n<li>\u53ef\u4ee5\u521b\u5efa\u4f7f\u7528 Secret \u7684 Pod \u7684\u7528\u6237\u4e5f\u53ef\u4ee5\u770b\u5230\u8be5 Secret \u7684\u503c\u3002\u5373\u4f7f API \u670d\u52a1\u5668\u7b56\u7565\u4e0d\u5141\u8bb8\u7528\u6237\u8bfb\u53d6 Secret \u5bf9\u8c61\uff0c\u7528\u6237\u4e5f\u53ef\u4ee5\u8fd0\u884c Pod \u5bfc\u81f4 Secret \u66b4\u9732\u3002<\/li>\n<li>\u76ee\u524d\uff0c\u4efb\u4f55\u8282\u70b9\u7684 root \u7528\u6237\u90fd\u53ef\u4ee5\u901a\u8fc7\u6a21\u62df kubelet \u6765\u8bfb\u53d6 API \u670d\u52a1\u5668\u4e2d\u7684\u4efb\u4f55 Secret\u3002 \u4ec5\u5411\u5b9e\u9645\u9700\u8981 Secret \u7684\u8282\u70b9\u53d1\u9001 Secret \u6570\u636e\u624d\u80fd\u9650\u5236\u8282\u70b9\u7684 root \u8d26\u53f7\u6f0f\u6d1e\u7684\u5f71\u54cd\uff0c \u8be5\u529f\u80fd\u8fd8\u5728\u8ba1\u5212\u4e2d\u3002<\/li>\n<\/ul>\n<p>\u539f\u6587\uff1a<a href=\"https:\/\/kubernetes.io\/zh\/docs\/concepts\/configuration\/secret\/\">https:\/\/kubernetes.io\/zh\/docs\/concepts\/configuration\/secret\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Secret Secret \u5bf9\u8c61\u7c7b\u578b\u7528\u6765\u4fdd\u5b58\u654f\u611f\u4fe1\u606f\uff0c\u4f8b\u5982\u5bc6\u7801\u3001OAuth \u4ee4\u724c\u548c SSH \u5bc6\u94a5\u3002 \u5c06\u8fd9\u4e9b\u4fe1\u606f<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[107],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>kubernetes Secret \u6982\u5ff5\u914d\u7f6e\u3002 - Linux\u81ea\u52a8\u5316\u8fd0\u7ef4<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"kubernetes Secret \u6982\u5ff5\u914d\u7f6e\u3002 - Linux\u81ea\u52a8\u5316\u8fd0\u7ef4\" \/>\n<meta property=\"og:description\" content=\"Secret Secret \u5bf9\u8c61\u7c7b\u578b\u7528\u6765\u4fdd\u5b58\u654f\u611f\u4fe1\u606f\uff0c\u4f8b\u5982\u5bc6\u7801\u3001OAuth \u4ee4\u724c\u548c SSH \u5bc6\u94a5\u3002 \u5c06\u8fd9\u4e9b\u4fe1\u606f\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/\" \/>\n<meta property=\"og:site_name\" content=\"Linux\u81ea\u52a8\u5316\u8fd0\u7ef4\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-05T02:31:57+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-04-07T01:56:36+00:00\" \/>\n<meta name=\"author\" content=\"\u7ba1\u7406\u5458\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/\"},\"author\":{\"name\":\"\u7ba1\u7406\u5458\",\"@id\":\"https:\/\/www.linuxdevops.cn\/#\/schema\/person\/3e206335d5796fdd8679e449df72a0d1\"},\"headline\":\"kubernetes Secret \u6982\u5ff5\u914d\u7f6e\u3002\",\"datePublished\":\"2021-07-05T02:31:57+00:00\",\"dateModified\":\"2023-04-07T01:56:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/\"},\"wordCount\":518,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.linuxdevops.cn\/#\/schema\/person\/3e206335d5796fdd8679e449df72a0d1\"},\"keywords\":[\"kubernetes secret\"],\"articleSection\":[\"Kubernetes\"],\"inLanguage\":\"zh-CN\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/\",\"url\":\"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/\",\"name\":\"kubernetes Secret \u6982\u5ff5\u914d\u7f6e\u3002 - Linux\u81ea\u52a8\u5316\u8fd0\u7ef4\",\"isPartOf\":{\"@id\":\"https:\/\/www.linuxdevops.cn\/#website\"},\"datePublished\":\"2021-07-05T02:31:57+00:00\",\"dateModified\":\"2023-04-07T01:56:36+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/#breadcrumb\"},\"inLanguage\":\"zh-CN\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9875\",\"item\":\"https:\/\/www.linuxdevops.cn\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"kubernetes\",\"item\":\"https:\/\/www.linuxdevops.cn\/kubernetes\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"kubernetes Secret \u6982\u5ff5\u914d\u7f6e\u3002\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.linuxdevops.cn\/#website\",\"url\":\"https:\/\/www.linuxdevops.cn\/\",\"name\":\"Linux\u81ea\u52a8\u5316\u8fd0\u7ef4\",\"description\":\"Linux\u81ea\u52a8\u5316\u8fd0\u7ef4\u7b14\u8bb0\",\"publisher\":{\"@id\":\"https:\/\/www.linuxdevops.cn\/#\/schema\/person\/3e206335d5796fdd8679e449df72a0d1\"},\"alternateName\":\"linuxdevops\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.linuxdevops.cn\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"zh-CN\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.linuxdevops.cn\/#\/schema\/person\/3e206335d5796fdd8679e449df72a0d1\",\"name\":\"\u7ba1\u7406\u5458\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-CN\",\"@id\":\"https:\/\/www.linuxdevops.cn\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.linuxdevops.cn\/wp-content\/uploads\/2019\/07\/cropped-index.jpg\",\"contentUrl\":\"https:\/\/www.linuxdevops.cn\/wp-content\/uploads\/2019\/07\/cropped-index.jpg\",\"width\":512,\"height\":512,\"caption\":\"\u7ba1\u7406\u5458\"},\"logo\":{\"@id\":\"https:\/\/www.linuxdevops.cn\/#\/schema\/person\/image\/\"},\"description\":\"\u7ba1\u7406\u5458\",\"url\":\"https:\/\/www.linuxdevops.cn\/author\/root\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"kubernetes Secret \u6982\u5ff5\u914d\u7f6e\u3002 - Linux\u81ea\u52a8\u5316\u8fd0\u7ef4","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/","og_locale":"zh_CN","og_type":"article","og_title":"kubernetes Secret \u6982\u5ff5\u914d\u7f6e\u3002 - Linux\u81ea\u52a8\u5316\u8fd0\u7ef4","og_description":"Secret Secret \u5bf9\u8c61\u7c7b\u578b\u7528\u6765\u4fdd\u5b58\u654f\u611f\u4fe1\u606f\uff0c\u4f8b\u5982\u5bc6\u7801\u3001OAuth \u4ee4\u724c\u548c SSH \u5bc6\u94a5\u3002 \u5c06\u8fd9\u4e9b\u4fe1\u606f","og_url":"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/","og_site_name":"Linux\u81ea\u52a8\u5316\u8fd0\u7ef4","article_published_time":"2021-07-05T02:31:57+00:00","article_modified_time":"2023-04-07T01:56:36+00:00","author":"\u7ba1\u7406\u5458","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/#article","isPartOf":{"@id":"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/"},"author":{"name":"\u7ba1\u7406\u5458","@id":"https:\/\/www.linuxdevops.cn\/#\/schema\/person\/3e206335d5796fdd8679e449df72a0d1"},"headline":"kubernetes Secret \u6982\u5ff5\u914d\u7f6e\u3002","datePublished":"2021-07-05T02:31:57+00:00","dateModified":"2023-04-07T01:56:36+00:00","mainEntityOfPage":{"@id":"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/"},"wordCount":518,"commentCount":0,"publisher":{"@id":"https:\/\/www.linuxdevops.cn\/#\/schema\/person\/3e206335d5796fdd8679e449df72a0d1"},"keywords":["kubernetes secret"],"articleSection":["Kubernetes"],"inLanguage":"zh-CN","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/","url":"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/","name":"kubernetes Secret \u6982\u5ff5\u914d\u7f6e\u3002 - Linux\u81ea\u52a8\u5316\u8fd0\u7ef4","isPartOf":{"@id":"https:\/\/www.linuxdevops.cn\/#website"},"datePublished":"2021-07-05T02:31:57+00:00","dateModified":"2023-04-07T01:56:36+00:00","breadcrumb":{"@id":"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/#breadcrumb"},"inLanguage":"zh-CN","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.linuxdevops.cn\/2021\/07\/kubernetes-secret-concept-configuration\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"https:\/\/www.linuxdevops.cn\/"},{"@type":"ListItem","position":2,"name":"kubernetes","item":"https:\/\/www.linuxdevops.cn\/kubernetes\/"},{"@type":"ListItem","position":3,"name":"kubernetes Secret \u6982\u5ff5\u914d\u7f6e\u3002"}]},{"@type":"WebSite","@id":"https:\/\/www.linuxdevops.cn\/#website","url":"https:\/\/www.linuxdevops.cn\/","name":"Linux\u81ea\u52a8\u5316\u8fd0\u7ef4","description":"Linux\u81ea\u52a8\u5316\u8fd0\u7ef4\u7b14\u8bb0","publisher":{"@id":"https:\/\/www.linuxdevops.cn\/#\/schema\/person\/3e206335d5796fdd8679e449df72a0d1"},"alternateName":"linuxdevops","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.linuxdevops.cn\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"zh-CN"},{"@type":["Person","Organization"],"@id":"https:\/\/www.linuxdevops.cn\/#\/schema\/person\/3e206335d5796fdd8679e449df72a0d1","name":"\u7ba1\u7406\u5458","image":{"@type":"ImageObject","inLanguage":"zh-CN","@id":"https:\/\/www.linuxdevops.cn\/#\/schema\/person\/image\/","url":"https:\/\/www.linuxdevops.cn\/wp-content\/uploads\/2019\/07\/cropped-index.jpg","contentUrl":"https:\/\/www.linuxdevops.cn\/wp-content\/uploads\/2019\/07\/cropped-index.jpg","width":512,"height":512,"caption":"\u7ba1\u7406\u5458"},"logo":{"@id":"https:\/\/www.linuxdevops.cn\/#\/schema\/person\/image\/"},"description":"\u7ba1\u7406\u5458","url":"https:\/\/www.linuxdevops.cn\/author\/root\/"}]}},"_links":{"self":[{"href":"https:\/\/www.linuxdevops.cn\/wp-json\/wp\/v2\/posts\/1085"}],"collection":[{"href":"https:\/\/www.linuxdevops.cn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.linuxdevops.cn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.linuxdevops.cn\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.linuxdevops.cn\/wp-json\/wp\/v2\/comments?post=1085"}],"version-history":[{"count":1,"href":"https:\/\/www.linuxdevops.cn\/wp-json\/wp\/v2\/posts\/1085\/revisions"}],"predecessor-version":[{"id":1086,"href":"https:\/\/www.linuxdevops.cn\/wp-json\/wp\/v2\/posts\/1085\/revisions\/1086"}],"wp:attachment":[{"href":"https:\/\/www.linuxdevops.cn\/wp-json\/wp\/v2\/media?parent=1085"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.linuxdevops.cn\/wp-json\/wp\/v2\/categories?post=1085"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.linuxdevops.cn\/wp-json\/wp\/v2\/tags?post=1085"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}