
It is the same as a ConfigMap, but intended for sensitive data.
The values under data are stored base64-encoded. Base64 is an encoding, not encryption: anyone who can read the Secret object (RBAC get/list on secrets in that namespace) gets the plaintext back with base64 -d, and the values sit in etcd in the clear unless encryption at rest is configured.
Typical use cases are SSH key files, credentials, and service account information.

You can also create one quickly from the terminal.

kubectl create secret generic my-secret --from-literal=[key]=[value]
ex) kubectl create secret generic my-secret --from-literal=username=vinoth --from-literal=password=admin123
Values passed with --from-literal end up in the shell history; for real credentials use --from-file or --from-env-file instead.

# list secrets
kubectl get secret

# secret details (data is base64, not encrypted)
kubectl get secret -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    password: YWRtaW4xMjM=
    username: dmlub3Ro
  kind: Secret
  metadata:
    creationTimestamp: "2024-12-17T02:24:34Z"
    name: my-secret
    namespace: default
    resourceVersion: "1121"
    uid: b3034f27-42f0-41d6-b95a-d3f95a511b44
  type: Opaque
kind: List
metadata:
  resourceVersion: ""
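The point to take from that output: the values are only base64. As an added example (not from the original post), the shell functions below take a Secret manifest like the one above on stdin and print every data entry decoded. The sample manifest is constructed here, the function names are hypothetical, and it assumes a POSIX shell with the coreutils base64 command.

```shell
#!/bin/sh
# Added example (not from the original post): base64 is an encoding, not
# encryption. Anyone who can run "kubectl get secret -o yaml" can turn the
# values back into plaintext with nothing but base64 -d.
# Function and sample names are hypothetical; assumes POSIX sh + coreutils base64.
set -eu

# Constructed sample with the shape of "kubectl get secret my-secret -o yaml".
sample_secret_yaml() {
  cat <<'EOF'
apiVersion: v1
data:
  password: YWRtaW4xMjM=
  username: dmlub3Ro
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque
EOF
}

# Read a Secret manifest on stdin and print every data entry as key=plaintext.
# Entries are the lines indented more deeply than the "data:" line; the first
# line that is not ends the block. "metadata:" does not match the pattern
# because it has no space before "data:". Values are expected on one line,
# which is how kubectl prints them (even file-sized ones).
decode_secret_data() {
  in_data=0; indent=""
  while IFS= read -r line; do
    if [ "$in_data" = 1 ]; then
      case "$line" in
        "$indent "*)
          key=${line%%:*}; key=${key##* }      # "  password" -> "password"
          val=${line#*:}; val=${val# }         # strip ": " before the value
          printf '%s=%s\n' "$key" "$(printf '%s' "$val" | base64 -d)"
          continue ;;
        *) in_data=0 ;;
      esac
    fi
    case "$line" in
      data:|*" data:") indent=${line%data:}; in_data=1 ;;
    esac
  done
}

sample_secret_yaml | decode_secret_data
```

Against a live cluster the same thing is one line: kubectl get secret my-secret -o jsonpath='{.data.password}' | base64 -d. The defence is not a different encoding but RBAC (who may get/list secrets in the namespace) and encryption at rest for etcd.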

Let's write it as a file.
The values under data must be base64-encoded, so encode the strings in a Linux terminal first. Use echo -n: without -n the trailing newline is encoded too, and the stored password becomes "admin123\n". (A Secret also has a stringData field that accepts plain strings and is encoded by the API server on write; the examples below use data.)

echo -n test | base64
dGVzdA==

echo -n admin123 | base64
YWRtaW4xMjM=

#04-simple-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  username: dGVzdA== # test
  password: YWRtaW4xMjM= # admin123
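As an added example (not from the original post), here is the same encoding done as shell functions so the trailing-newline mistake is visible side by side with the correct form, plus a small generator that emits the manifest above from key=value pairs. Function names are hypothetical; it assumes a POSIX shell with the coreutils base64 command.

```shell
#!/bin/sh
# Added example (not from the original post): encode Secret values the way the
# .data field expects, show the trailing-newline mistake, and emit a manifest.
# Names are hypothetical; assumes POSIX sh + coreutils base64.
set -eu

# A .data value is the base64 of the exact bytes, on a single line.
# printf '%s' adds no newline; tr removes the line wrapping GNU base64 adds.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# The common mistake: echo appends "\n", so the stored value is "test\n" and
# the application later fails to authenticate with a password it cannot see.
b64_with_newline() {
  echo "$1" | base64 | tr -d '\n'
}

# Decode a stored value to check what actually went into the Secret.
b64d() {
  printf '%s' "$1" | base64 -d
}

# Build an Opaque Secret manifest from key=value arguments; the equivalent of
# kubectl create secret generic NAME --from-literal=k=v ... --dry-run=client -o yaml
# Usage: secret_manifest app-secret username=test password=admin123
secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64 "${kv#*=}")"
  done
}

# "test" and "test\n" encode to different strings: dGVzdA== vs dGVzdAo=
printf 'correct: %s\nwith newline: %s\n' "$(b64 test)" "$(b64_with_newline test)"
secret_manifest app-secret username=test password=admin123
```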

Now let's inject it into a pod.

apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  username: dGVzdA== # test
  password: YWRtaW4xMjM= # admin123
---
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  restartPolicy: Never
  containers:
    - name: ubuntu
      image: ubuntu
      env:
        - name: "app_username"
          valueFrom:
            secretKeyRef:
              name: app-secret
              key: username
        - name: "app_password"
          valueFrom:
            secretKeyRef:
              name: app-secret
              key: password
      args:
        - env

Run it and check the logs; the values were injected as expected. Note that this pod prints its whole environment, password included, into the pod logs. That is fine for a demo and must never happen in a real workload.

kubectl apply -f 04-simple-secret.yaml
kubectl get secret -o yaml

kubectl logs my-pod

# result
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=my-pod
app_password=admin123
app_username=test
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
HOME=/root

You can also pull in every key of the Secret at once with envFrom. Each key becomes an environment variable of the same name (here username and password), so a key you did not intend to expose is exposed as well. Environment variables are inherited by child processes, readable from /proc/<pid>/environ, and fixed at container start: a rotated Secret is not picked up until the pod restarts.

apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  username: dGVzdA== # test
  password: YWRtaW4xMjM= # admin123
---
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  restartPolicy: Never
  containers:
    - name: ubuntu
      image: ubuntu
      envFrom:
      - secretRef:
          name: app-secret
      args:
        - env

Secret - injecting as a file

Encode file 01 (the ConfigMap manifest from the previous post) in base64 and paste it in. The value is just the file bytes, so any file works the same way.

# 06-inject-secret-as-file.yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  app.key: |
    YXBpVmVyc2lvbjogdjENCmtpbmQ6IENvbmZpZ01hcA0KbWV0YWRhdGE6DQogIG5hbWU6IGFwcC1w
    cm9wZXJ0aWVzDQpkYXRhOg0KICBhcHBVcmw6ICJodHRwOi8vbXktYXBwLXNlcnZpY2UiDQogIHRp
    bWVvdXQ6ICIzMCINCi0tLQ0KYXBpVmVyc2lvbjogdjENCmtpbmQ6IFBvZA0KbWV0YWRhdGE6DQog
    IG5hbWU6IG15LXBvZA0Kc3BlYzoNCiAgcmVzdGFydFBvbGljeTogTmV2ZXINCiAgY29udGFpbmVy
    czoNCiAgICAtIG5hbWU6IHVidW50dQ0KICAgICAgaW1hZ2U6IHVidW50dQ0KICAgICAgZW52Og0K
    ICAgICAgICAtIG5hbWU6ICJyZXF1ZXN0LnRpbWVvdXQiDQogICAgICAgICAgdmFsdWVGcm9tOg0K
    ICAgICAgICAgICAgY29uZmlnTWFwS2V5UmVmOg0KICAgICAgICAgICAgICBuYW1lOiBhcHAtcHJv
    cGVydGllcw0KICAgICAgICAgICAgICBrZXk6IHRpbWVvdXQNCiAgICAgICAgLSBuYW1lOiAiYXBw
    bGljYXRpb24udXJsIg0KICAgICAgICAgIHZhbHVlRnJvbToNCiAgICAgICAgICAgIGNvbmZpZ01h
    cEtleVJlZjoNCiAgICAgICAgICAgICAgbmFtZTogYXBwLXByb3BlcnRpZXMNCiAgICAgICAgICAg
    ICAga2V5OiBhcHBVcmwNCiAgICAgIGFyZ3M6DQogICAgICAgIC0gZW52DQo=
---
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  terminationGracePeriodSeconds: 1
  restartPolicy: Never
  containers:
  - name: ubuntu
    image: ubuntu
    volumeMounts:
      - name: secret-volume
        mountPath: /usr/share/props
    args:
      - sleep
      - "3600"
  volumes:
  - name: secret-volume
    secret:
      secretName: app-secret
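Added example, not the original post's code: instead of pasting the base64 by hand, generate the Secret from the file, and mount it read-only with defaultMode 0400 and an items list so the container sees only the key it needs. The function names and the sample file are constructed here; it assumes a POSIX shell with the coreutils base64 command.

```shell
#!/bin/sh
# Added example (not from the original post): build the file-backed Secret
# from the file itself and mount it with the least privilege the volume allows.
# Names are hypothetical; assumes POSIX sh + coreutils base64.
set -eu

# Encode a whole file as one base64 line, which is what kubectl's
# --from-file does (and what "kubectl get -o yaml" prints back).
file_b64() {
  base64 < "$1" | tr -d '\n'
}

# Secret with one key per argument, given as key=path.
# Usage: file_secret_manifest app-secret app.key=01-configmap.yaml
file_secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kp in "$@"; do
    printf '  %s: %s\n' "${kp%%=*}" "$(file_b64 "${kp#*=}")"
  done
}

# Pod that mounts the Secret read-only, with file mode 0400 so only the file
# owner can read it, and only the requested key (items:) rather than every
# key in the Secret.
pod_manifest() {
  secret=$1; key=$2; mount=$3
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  restartPolicy: Never
  containers:
  - name: ubuntu
    image: ubuntu
    args: ["sleep", "3600"]
    volumeMounts:
    - name: secret-volume
      mountPath: $mount
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: $secret
      defaultMode: 0400
      items:
      - key: $key
        path: $key
EOF
}

# Round-trip check: the value stored in the manifest decodes to the file bytes.
roundtrip_ok() {
  file=$1
  stored=$(file_secret_manifest s "k=$file" | sed -n 's/^  k: //p')
  [ "$(printf '%s' "$stored" | base64 -d)" = "$(cat "$file")" ]
}

# Constructed input: a small file standing in for 01-configmap.yaml.
tmp=$(mktemp)
printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: app-properties\n' > "$tmp"
file_secret_manifest app-secret "app.key=$tmp"
echo ---
pod_manifest app-secret app.key /usr/share/props
roundtrip_ok "$tmp" && echo "round-trip ok"
rm -f "$tmp"
```

defaultMode: 0400 works here because the ubuntu image runs as root, which owns the projected files. If the container runs as a non-root user, make sure that user can actually read the file (set fsGroup in the pod securityContext and use a group-readable mode such as 0440), otherwise the mount is present but unreadable.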

Apply it, exec into the pod, and the file is there. Each key of the Secret becomes a file named after the key in the mount directory. The volume is a tmpfs mount populated by the kubelet, not a copy on the node's disk, and when the Secret is updated the mounted file is refreshed after the kubelet sync period (unless it is mounted with subPath, which never updates).

kubectl apply -f 06-inject-secret-as-file.yaml
kubectl exec -it my-pod -- bash
cd /usr/share/props/

# check the file
cat app.key

# result
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-properties
data:
  appUrl: "http://my-app-service"
  timeout: "30"
---
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  restartPolicy: Never
  containers:
    - name: ubuntu
      image: ubuntu
      env:
        - name: "request.timeout"
          valueFrom:
            configMapKeyRef:
              name: app-properties
              key: timeout
        - name: "application.url"
          valueFrom:
            configMapKeyRef:
              name: app-properties
              key: appUrl
      args:
        - env

얼은펭귄