# Secret

## 1. Secret Overview

A Secret is the Kubernetes resource for storing sensitive data such as passwords, OAuth tokens and SSH keys, so that it does not have to be baked into a Pod spec or a container image.
### 1.1 Secret Features

```text
Secret features
│
├── Sensitive data storage
│   ├── Passwords
│   ├── Tokens
│   └── Keys
│
├── Data injection
│   ├── Environment variables
│   └── File mounts
│
└── Protection
    ├── Base64 encoding (encoding only, not encryption)
    └── Encryption at rest
```
### 1.2 Secret Types

| Type | Purpose |
|---|---|
| Opaque | General-purpose Secret |
| kubernetes.io/service-account-token | ServiceAccount token |
| kubernetes.io/dockercfg | Docker configuration (legacy `.dockercfg` format) |
| kubernetes.io/dockerconfigjson | Docker configuration (`config.json` format) |
| kubernetes.io/basic-auth | Basic authentication |
| kubernetes.io/ssh-auth | SSH authentication |
| kubernetes.io/tls | TLS certificate and key |
| bootstrap.kubernetes.io/token | Bootstrap token |
## 2. Creating Secrets

### 2.1 Creating from the Command Line

```bash
# From literal values
kubectl create secret generic my-secret \
  --from-literal=username=admin \
  --from-literal=password=secret123

# From a file (the key defaults to the file name; here it is set explicitly)
kubectl create secret generic ssh-secret \
  --from-file=id_rsa=/path/to/id_rsa

# From an env file (one KEY=value per line)
kubectl create secret generic env-secret \
  --from-env-file=secret.env

# TLS Secret
kubectl create secret tls my-tls \
  --cert=path/to/cert.crt \
  --key=path/to/cert.key

# Docker registry Secret
kubectl create secret docker-registry my-registry \
  --docker-server=registry.example.com \
  --docker-username=admin \
  --docker-password=secret \
  --docker-email=admin@example.com
```
### 2.2 Creating from YAML

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: YWRtaW4=
  password: c2VjcmV0MTIz
```

Values under `data` must be Base64-encoded. Use `echo -n` so that the trailing newline does not become part of the value:

```bash
# Base64 encode
echo -n 'admin' | base64
# Output: YWRtaW4=
echo -n 'secret123' | base64
# Output: c2VjcmV0MTIz

# Base64 decode
echo 'YWRtaW4=' | base64 -d
# Output: admin
```
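As an added example (not code from the original page), the following Python script does what `kubectl create secret generic --from-literal` does for the manifest above: it Base64-encodes the literals into a Secret object, and it decodes a Secret back with strict validation, so that a value that is not valid Base64 is reported instead of silently producing garbage. Function names are my own.

```python
# Added example (not from the original page): build an Opaque Secret from
# literal values, as `kubectl create secret generic --from-literal` does, and
# read one back with strict Base64 validation. Function names are my own.
from __future__ import annotations

import base64
import binascii
import json


def encode_secret_data(literals: dict[str, str]) -> dict[str, str]:
    """Base64-encode every value for the `data` field.

    Values are encoded byte-for-byte; the shell example uses `echo -n` for the
    same reason, because a trailing newline would become part of the secret.
    """
    return {
        key: base64.b64encode(value.encode("utf-8")).decode("ascii")
        for key, value in literals.items()
    }


def build_secret(name: str, literals: dict[str, str], namespace: str = "default") -> dict:
    """Equivalent of `kubectl create secret generic NAME --from-literal=k=v ...`."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": encode_secret_data(literals),
    }


def decode_secret_data(secret: dict) -> dict[str, str]:
    """Decode the `data` map of a Secret as returned by `kubectl get secret -o json`.

    `validate=True` rejects characters outside the Base64 alphabet and bad
    padding instead of silently returning garbage (the "decode failed / bad
    Base64" row of the troubleshooting table). `stringData`, which holds plain
    text and is write-only on the API, is merged in unchanged.
    """
    decoded: dict[str, str] = {}
    for key, value in secret.get("data", {}).items():
        try:
            decoded[key] = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"secret key {key!r}: malformed Base64 ({exc})") from exc
    decoded.update(secret.get("stringData", {}))
    return decoded


def invalid_keys(secret: dict) -> list[str]:
    """Names of `data` entries that do not decode; an empty list means all are valid."""
    bad = []
    for key, value in secret.get("data", {}).items():
        try:
            base64.b64decode(value, validate=True)
        except binascii.Error:
            bad.append(key)
    return bad


if __name__ == "__main__":
    manifest = build_secret("my-secret", {"username": "admin", "password": "secret123"})
    print(json.dumps(manifest, indent=2))    # data matches the YAML above
    print(decode_secret_data(manifest))       # {'username': 'admin', 'password': 'secret123'}
    print(invalid_keys({"data": {"ok": "YWRtaW4=", "bad": "YWRtaW4"}}))  # ['bad']
```

`kubectl apply -f -` accepts the JSON that `build_secret` produces, and `invalid_keys` is the check to run over a manifest that fails with a decoding error in the cluster.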
### 2.3 Viewing Secrets

```bash
# List Secrets
kubectl get secrets

# Show details (key names and sizes only; values are not displayed)
kubectl describe secret my-secret

# Show the full object, with Base64-encoded values
kubectl get secret my-secret -o yaml

# Decode a single value
kubectl get secret my-secret -o jsonpath='{.data.password}' | base64 -d
```
## 3. Using Secrets

### 3.1 Injecting Individual Environment Variables

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: app
    image: nginx
    env:
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: password
```
### 3.2 Injecting All Keys as Environment Variables

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-envfrom-pod
spec:
  containers:
  - name: app
    image: nginx
    envFrom:
    - secretRef:
        name: my-secret
```
### 3.3 Mounting as Files

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume-pod
spec:
  containers:
  - name: app
    image: nginx
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/secrets
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: my-secret
```

Each key of the Secret becomes a file under `/etc/secrets` whose content is the decoded value.
### 3.4 Mounting Specific Keys

```yaml
volumes:
- name: secret-volume
  secret:
    secretName: my-secret
    items:
    - key: username
      path: db-username.txt
```
### 3.5 Setting File Permissions

```yaml
volumes:
- name: secret-volume
  secret:
    secretName: my-secret
    defaultMode: 0400
```

`defaultMode` is the mode of the files the kubelet creates in the volume; without it they are created with mode 0644.
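As an added example (not code from the original page), here is how an application can consume a Secret mounted as in sections 3.3 to 3.5: it reads the key from the mounted file, refuses files whose mode is wider than the `defaultMode` it expects, and falls back to an environment variable only when explicitly asked. The mount directory, function names and the temporary directory used in `demo()` are my own; the file content in `demo()` is constructed.

```python
# Added example (not from the original page): read a key from a Secret volume
# (mounted at /etc/secrets in the Pod above), preferring the file over an
# environment variable and rejecting files whose mode exceeds defaultMode.
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path


class SecretPermissionError(RuntimeError):
    pass


def load_secret_file(mount_dir: str | os.PathLike, key: str, max_mode: int = 0o400) -> str:
    """Return the contents of <mount_dir>/<key>.

    `max_mode` mirrors the volume's `defaultMode`: if the file carries any
    permission bit outside it (for example group/world read from the kubelet
    default of 0644), raise instead of using the value. Only a trailing
    newline is stripped, because a Secret value may legitimately contain
    whitespace.
    """
    path = Path(mount_dir) / key
    mode = stat.S_IMODE(path.stat().st_mode)  # stat() follows the kubelet's ..data symlink
    if mode & ~max_mode:
        raise SecretPermissionError(f"{path}: mode {mode:04o} exceeds {max_mode:04o}")
    return path.read_bytes().decode("utf-8").removesuffix("\n")


def load_secret(key: str, mount_dir: str = "/etc/secrets", env_var: str | None = None) -> str:
    """Prefer the mounted file; use an environment variable only as an explicit fallback.

    Files are preferred because environment variables are inherited by every
    child process and are readable from /proc/<pid>/environ by the same user.
    """
    if Path(mount_dir, key).exists():
        return load_secret_file(mount_dir, key)
    if env_var and env_var in os.environ:
        return os.environ[env_var]
    raise KeyError(f"secret {key!r} not found in {mount_dir} or ${env_var}")


def demo() -> tuple[str, bool]:
    """Constructed demo: a fake mount dir with one 0400 file and one 0644 file."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "username").write_text("admin\n")
        os.chmod(Path(tmp, "username"), 0o400)
        Path(tmp, "password").write_text("secret123\n")
        os.chmod(Path(tmp, "password"), 0o644)
        username = load_secret("username", mount_dir=tmp)
        try:
            load_secret("password", mount_dir=tmp)
            rejected = False
        except SecretPermissionError:
            rejected = True
    return username, rejected


if __name__ == "__main__":
    print(demo())  # ('admin', True)
```

The permission check is deliberately about the mode bits rather than about whether the process can read the file: a 0644 file is readable either way, and the point is to fail loudly when a Pod spec forgot `defaultMode`.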
## 4. Common Secret Types

### 4.1 TLS Secret

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUdJTi...
  tls.key: LS0tLS1CRUdJTi...
```

```yaml
# Used by an Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
```
### 4.2 Docker Registry Secret

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: registry-secret
type: kubernetes.io/dockerconfigjson
data:
  # Base64 of {"auths":{"registry.example.com":{"username":"admin","password":"secret","auth":"YWRtaW46c2VjcmV0"}}}
  # where auth is Base64 of "admin:secret"
  .dockerconfigjson: eyJhdXRocyI6eyJyZWdpc3RyeS5leGFtcGxlLmNvbSI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJzZWNyZXQiLCJhdXRoIjoiWVdSdGFXNDZjMlZqY21WMCJ9fX0=
```

```yaml
# Used by a Pod
apiVersion: v1
kind: Pod
metadata:
  name: private-pod
spec:
  imagePullSecrets:
  - name: registry-secret
  containers:
  - name: app
    image: registry.example.com/myapp:latest
```
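The `.dockerconfigjson` value is two layers of Base64: the outer one wraps a Docker `config.json` document, and inside it the `auth` field is Base64 of `username:password`. As an added example (not code from the original page), the script below builds such a Secret the way `kubectl create secret docker-registry` does and audits an existing one without ever printing the password; it also flags an `auth` field that does not match the `username`/`password` fields, because the kubelet takes the credentials from `auth` when it is present. Function names and the inconsistent sample in `demo()` are my own.

```python
# Added example (not from the original page): build and audit a
# kubernetes.io/dockerconfigjson Secret. Function names are my own.
from __future__ import annotations

import base64
import json


def docker_config_json(server: str, username: str, password: str, email: str | None = None) -> str:
    """Return the config.json document that goes into `.dockerconfigjson`.

    `auth` is Base64 of "username:password"; the kubelet reads the credentials
    from `auth` when it is present, so it must agree with the plain fields.
    """
    auth = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    entry: dict[str, str] = {"username": username, "password": password, "auth": auth}
    if email:
        entry["email"] = email
    return json.dumps({"auths": {server: entry}}, separators=(",", ":"))


def registry_secret(name: str, server: str, username: str, password: str,
                    email: str | None = None) -> dict:
    """Equivalent of `kubectl create secret docker-registry NAME --docker-server=... ...`."""
    config = docker_config_json(server, username, password, email)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(config.encode("utf-8")).decode("ascii")},
    }


def audit_registry_secret(secret: dict) -> dict[str, dict]:
    """Return {server: {"username": ..., "auth_consistent": bool}} per registry entry.

    Passwords are never part of the result, so it is safe to log. A False
    `auth_consistent` means `auth` does not decode to username:password, in
    which case the registry rejects the pull even though the plain fields look right.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError(f"unexpected secret type {secret.get('type')!r}")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"], validate=True))
    report: dict[str, dict] = {}
    for server, entry in config.get("auths", {}).items():
        expected = f"{entry.get('username', '')}:{entry.get('password', '')}"
        try:
            actual = base64.b64decode(entry.get("auth", ""), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            actual = None
        report[server] = {"username": entry.get("username"), "auth_consistent": actual == expected}
    return report


def demo() -> tuple[dict, dict]:
    """Audit the Secret from the YAML above and a constructed inconsistent one."""
    good = registry_secret("registry-secret", "registry.example.com", "admin", "secret")
    # Constructed bad case: `auth` encodes a different password than the plain field.
    bad_config = json.dumps({"auths": {"registry.example.com": {
        "username": "admin", "password": "secret",
        "auth": base64.b64encode(b"admin:other").decode("ascii")}}})
    bad = {"type": "kubernetes.io/dockerconfigjson",
           "data": {".dockerconfigjson": base64.b64encode(bad_config.encode("utf-8")).decode("ascii")}}
    return audit_registry_secret(good), audit_registry_secret(bad)


if __name__ == "__main__":
    print(json.dumps(registry_secret("registry-secret", "registry.example.com", "admin", "secret"), indent=2))
    print(demo())
```

Run `audit_registry_secret` on the output of `kubectl get secret registry-secret -o json` when a Pod sits in `ImagePullBackOff` with an authentication error and you want to confirm which user the Secret carries without dumping its password into a ticket.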
### 4.3 SSH Authentication Secret

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ssh-secret
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: LS0tLS1CRUdJTi...
```
### 4.4 Basic Authentication Secret

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: basic-auth-secret
type: kubernetes.io/basic-auth
stringData:          # plain text; the API server Base64-encodes it into data on write
  username: admin
  password: secret123
```
## 5. Secret Encryption

By default the API server stores Secrets in etcd Base64-encoded but otherwise in plain text; encryption at rest makes etcd hold ciphertext instead.

### 5.1 Encryption at Rest

```yaml
# Encryption configuration
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded-32-byte-key>
      - identity: {}
```

The first provider in the list is used to encrypt new writes; all providers are tried in order when reading. `identity` is listed last so that Secrets written before encryption was enabled can still be read.

### 5.2 Enabling Encryption

```bash
# kube-apiserver flag
--encryption-provider-config=/etc/kubernetes/encryption-config.yaml
```

### 5.3 Encrypting Existing Secrets

```bash
# Rewrite every Secret so that it is stored encrypted
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```
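Mistakes in this file are silent: if `identity` comes first, the API server keeps writing plain text, and a key of the wrong length only fails when kube-apiserver restarts. As an added example (not code from the original page), the checker below validates the parsed configuration before the flag from 5.2 is set. It works on the configuration as a Python dict (what `yaml.safe_load` would return), with the sample constructed inline so the script runs without PyYAML. The page uses `aescbc`; the checker also accepts `aesgcm` and `secretbox`, which the Kubernetes documentation now recommends over `aescbc`. Function names and `DEMO_KEY` are my own.

```python
# Added example (not from the original page): sanity-check an
# EncryptionConfiguration document. Function names are my own.
from __future__ import annotations

import base64
import binascii
import secrets

# Accepted static key sizes in bytes, per the Kubernetes encryption-at-rest docs.
KEY_SIZES = {"aescbc": {16, 24, 32}, "aesgcm": {16, 24, 32}, "secretbox": {32}}

# Constructed demo key (random on every run); generate a real one with
# `head -c 32 /dev/urandom | base64` and keep it out of version control.
DEMO_KEY = base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def check_encryption_config(config: dict) -> list[str]:
    """Return findings; an empty list means the configuration looks sane."""
    findings: list[str] = []
    if config.get("kind") != "EncryptionConfiguration":
        findings.append("kind is not EncryptionConfiguration")
    for entry in config.get("resources", []):
        names = ",".join(entry.get("resources", [])) or "<none>"
        providers = entry.get("providers", [])
        if not providers:
            findings.append(f"{names}: no providers")
            continue
        kinds = [next(iter(p)) for p in providers]
        # The first provider is the one used for writes.
        if kinds[0] == "identity":
            findings.append(f"{names}: identity is the first provider, new writes are not encrypted")
        # identity must remain until every existing object has been rewritten (section 5.3).
        if "identity" not in kinds:
            findings.append(f"{names}: no identity provider, objects written before encryption become unreadable")
        for provider in providers:
            kind, body = next(iter(provider.items()))
            if kind not in KEY_SIZES:
                continue  # kms and identity carry no static key
            for key in (body or {}).get("keys", []):
                try:
                    raw = base64.b64decode(key.get("secret", ""), validate=True)
                except binascii.Error:
                    findings.append(f"{names}/{kind} key {key.get('name')!r}: secret is not valid Base64")
                    continue
                if len(raw) not in KEY_SIZES[kind]:
                    findings.append(f"{names}/{kind} key {key.get('name')!r}: {len(raw)} bytes, "
                                    f"expected one of {sorted(KEY_SIZES[kind])}")
    return findings


def sample_config(secret_b64: str, identity_first: bool = False) -> dict:
    """Constructed sample equal to the YAML in 5.1, with the key material parameterised."""
    aescbc = {"aescbc": {"keys": [{"name": "key1", "secret": secret_b64}]}}
    identity = {"identity": {}}
    return {
        "apiVersion": "apiserver.config.k8s.io/v1",
        "kind": "EncryptionConfiguration",
        "resources": [{"resources": ["secrets"],
                       "providers": [identity, aescbc] if identity_first else [aescbc, identity]}],
    }


if __name__ == "__main__":
    print(check_encryption_config(sample_config(DEMO_KEY)))                        # []
    print(check_encryption_config(sample_config(DEMO_KEY, identity_first=True)))   # identity-first finding
    print(check_encryption_config(sample_config("<base64-encoded-32-byte-key>")))  # placeholder not replaced
```

The third call shows what happens when the `<base64-encoded-32-byte-key>` placeholder from 5.1 is left in the file: it is not valid Base64, and the API server would refuse to start.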
## 6. Practical Examples

### 6.1 Database Credentials

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: Opaque
stringData:
  mysql-root-password: rootpassword
  mysql-user: appuser
  mysql-password: apppassword
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        image: mysql:8.0
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: mysql-root-password
        - name: MYSQL_USER
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: mysql-user
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: mysql-password
```
### 6.2 API Keys

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: api-keys
type: Opaque
stringData:
  api-key: sk-xxxxxxxxxxxx
  api-secret: secret-xxxxxxxxxxxx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
      - name: api
        image: myapi:latest
        env:
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: api-keys
              key: api-key
        - name: API_SECRET
          valueFrom:
            secretKeyRef:
              name: api-keys
              key: api-secret
```
## 7. Managing Secrets

### 7.1 Viewing Secrets

```bash
# List
kubectl get secrets

# Details (key names and sizes only)
kubectl describe secret <secret-name>

# Decode a single value
kubectl get secret <secret-name> -o jsonpath='{.data.password}' | base64 -d
```

### 7.2 Updating Secrets

```bash
# Edit in place
kubectl edit secret <secret-name>

# Patch a single key (the new value must already be Base64-encoded)
kubectl patch secret <secret-name> --type='json' -p='[{"op": "replace", "path": "/data/password", "value":"newbase64value"}]'
```

Pods that consume a Secret through environment variables do not see an update until they are restarted; mounted files are refreshed by the kubelet after a delay.

### 7.3 Deleting Secrets

```bash
# Delete a Secret
kubectl delete secret <secret-name>
```
## 8. Security Best Practices

### 8.1 Least Privilege

```yaml
# Mount only the keys the container needs
volumes:
- name: secret-volume
  secret:
    secretName: my-secret
    items:
    - key: password
      path: password.txt
```

### 8.2 Read-only Mounts

```yaml
volumeMounts:
- name: secret-volume
  mountPath: /etc/secrets
  readOnly: true
```

### 8.3 Namespace Isolation

```yaml
# Separate Secrets per environment; a Pod can only reference Secrets in its own namespace
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
  namespace: production
---
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
  namespace: development
```

### 8.4 RBAC Controls

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["my-secret"]   # only this Secret, not every Secret in the namespace
  verbs: ["get"]
```
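The `secret-reader` Role above is narrow on purpose: `get` on one named Secret in one namespace. The rules that usually undermine it are wider ones elsewhere, such as `list` on `secrets` (which returns every Secret in scope) or a ClusterRole bound cluster-wide. As an added example (not code from the original page), the audit below scans Role and ClusterRole objects, as `kubectl get roles,clusterroles -A -o json` would return them, and reports rules that reach beyond a single named Secret. The page's Role is included as a sample that should pass clean; the two over-broad roles and all function names are my own.

```python
# Added example (not from the original page): flag Role/ClusterRole rules that
# grant broader access to Secrets than a named `get`. Function names are my own.
from __future__ import annotations


def rule_covers_secrets(rule: dict) -> bool:
    """True if the rule applies to the core-group `secrets` resource (wildcards included)."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return ("" in groups or "*" in groups) and ("secrets" in resources or "*" in resources)


def audit_secret_rules(role: dict) -> list[str]:
    """Return findings for one Role or ClusterRole; an empty list means nothing was flagged."""
    kind = role.get("kind", "Role")
    name = role.get("metadata", {}).get("name", "<unnamed>")
    findings: list[str] = []
    for idx, rule in enumerate(role.get("rules", [])):
        if not rule_covers_secrets(rule):
            continue
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames")
        where = f"{kind}/{name} rule[{idx}]"
        if "*" in verbs:
            findings.append(f"{where}: wildcard verbs on secrets")
        # A plain list/watch has no object name, so without resourceNames it returns everything in scope.
        if verbs & {"list", "watch"} and not names:
            findings.append(f"{where}: list/watch without resourceNames exposes every Secret in scope")
        if "get" in verbs and not names and "*" not in verbs:
            findings.append(f"{where}: get without resourceNames allows reading any Secret by name")
        if kind == "ClusterRole" and verbs & {"get", "list", "watch", "*"}:
            findings.append(f"{where}: Secret read in a ClusterRole, cluster-wide if bound with a ClusterRoleBinding")
    return findings


def audit_all(roles: list[dict]) -> dict[str, list[str]]:
    """Findings keyed by role name, for a list of Role/ClusterRole objects."""
    return {r["metadata"]["name"]: audit_secret_rules(r) for r in roles}


# The Role from section 8.4: one named Secret, read only.
SECRET_READER = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "secret-reader"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"],
               "resourceNames": ["my-secret"], "verbs": ["get"]}],
}
# Constructed: everything in the core API group, which silently includes secrets.
BROAD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "too-broad"},
    "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}],
}
# Constructed: read every Secret in every namespace once bound with a ClusterRoleBinding.
CLUSTER_READER = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "all-secrets"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}],
}

if __name__ == "__main__":
    for role_name, found in audit_all([SECRET_READER, BROAD_ROLE, CLUSTER_READER]).items():
        print(role_name, found or "ok")
```

Wildcard resources are the case most often missed by eye: a rule with `resources: ["*"]` never mentions Secrets, which is why `rule_covers_secrets` treats `"*"` as a match.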
## 9. Troubleshooting

### 9.1 Common Checks

```bash
# Does the Secret exist?
kubectl get secret <secret-name>

# Which keys does it contain?
kubectl describe secret <secret-name>

# Check the Pod's environment variables
kubectl exec -it <pod-name> -- env | grep -i secret

# Check the mounted files
kubectl exec -it <pod-name> -- ls -la /etc/secrets
```

### 9.2 Diagnosis

| Problem | Cause | Fix |
|---|---|---|
| Secret not found | Not created, wrong name, or wrong namespace | Check the Secret name and namespace |
| Decoding fails | Value is not valid Base64 | Check the encoding of the value |
| Permission denied | RBAC restriction | Check the Role/RoleBinding configuration |
## 10. Summary

### 10.1 Key Points

| Point | Description |
|---|---|
| Purpose | Storage of sensitive data |
| Types | Opaque, TLS, Docker registry, and others |
| Encoding | Values are stored Base64-encoded (not encrypted by default) |
| Security | Enable encryption at rest |

### 10.2 Next Steps

With Secrets covered, the next topic is environment variable management, a more flexible approach to configuration.

Last updated: 2026-03-28