为什么在不需要configmaps的情况下k8s机密需要使用base64编码? [英] Why does k8s secrets need to be base64 encoded when configmaps does not?

问题描述

为什么在不需要configmaps的情况下，k8s的机密需要使用base64编码?

Why does k8s secrets need to be base64 encoded when configmaps does not?

创建configmap时，您只需执行以下操作即可:

When creating a configmap you simply do somthing like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap
data:
  SOME_KEY: a string value

但是，当您想创建一个秘密时，您必须 echo -n "some secret string" | base64，然后将其结果保存在文件中，如下所示:

But when you want to create a secret you have to echo -n "some secret string" | base64 and then put the result of that in a file looking something like this:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  SOME_KEY: c29tZSBzZWNyZXQgc3RyaW5n

我真的想知道为什么会有这种区别吗? kubernetes的秘密仅仅是base64编码的字符串吗?我希望机密会以加密方式存储在kubernetes中.

I really wonder why there is this difference? Are kubernetes secrets simply base64 encoded strings? I would expect that secrets were stored encrypted in kubernetes.

推荐答案

秘密可以包含二进制数据(类型为map[string][]byte)，并且字节数组在JSON序列化中为base64编码.

Secrets can contain binary data (the type is map[string][]byte), and byte arrays are base64-encoded in JSON serialization.

ConfigMaps仅包含字符串数据(类型为map[string]string)，因此JSON序列化仅输出字符串.

ConfigMaps only contain string data (the type is map[string]string), so the JSON serialization just outputs the string.

在1.10版本中，ConfigMaps具有一个新的binaryData字段，该字段允许存储二进制数据，该二进制数据是base64编码的，就像机密一样. https://github.com/kubernetes/kubernetes/pull/57938

In 1.10, ConfigMaps have a new binaryData field that allows storing binary data, which is base64-encoded, just like secrets. https://github.com/kubernetes/kubernetes/pull/57938

这篇关于为什么在不需要configmaps的情况下k8s机密需要使用base64编码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！