Kubernetes Secrets vs ConfigMaps

We have been using Kubernetes Secrets. Now we also have ConfigMaps.

What is the preferred way forward: Secrets or ConfigMaps?

Note: after a few iterations, we have settled on the rules below:

  • ConfigMaps are per solution domain (they can be shared across the microservices within a domain, but are ultimately single-purpose configuration entries)

  • Secrets are shared between solution domains and typically represent third-party systems or databases


I'm the author of both of these features. The idea is that you should:

  1. Use Secrets for things which are actually secret like API keys, credentials, etc
  2. Use ConfigMaps for not-secret configuration data

In the future, there will likely be some differentiators for secrets like rotation or support for backing the secret API w/ HSMs, etc. In general, we like intent-based APIs, and the intent is definitely different for secret data vs. plain old configs.

Hope that helps.

One notable difference in the implementation is that with kubectl apply -f:

  • ConfigMaps are "unchanged" if the data hasn't changed.
  • Secrets are always "configured", even if the file hasn't changed

Both ConfigMaps and Secrets store data as key-value pairs. The major difference is that Secrets store data in base64 format, while ConfigMaps store data in plain text.

If you have critical data like keys, passwords, service account credentials, DB connection strings, etc., then you should always go for Secrets rather than ConfigMaps.

And if you want to do some application configuration using environment variables that you don't want to keep secret/hidden, like the app theme, base platform URL, etc., then you can go for ConfigMaps.
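As an added example (not code from any of the answers above), the following Python builds a ConfigMap and a Secret manifest from one flat settings dict using the split the answers describe (credentials in the Secret, everything else in the ConfigMap), and a Pod spec that consumes both; the resource names, key list and values are constructed. It also decodes the Secret's data field to show that base64 is an encoding, not encryption.

```python
import base64

# Constructed for this example: keys that carry credentials go to a Secret,
# everything else goes to a ConfigMap, per the guidance in the answers.
SECRET_KEYS = {"DB_PASSWORD", "API_KEY"}


def split_config(name: str, namespace: str, settings: dict) -> tuple[dict, dict]:
    """Return (ConfigMap, Secret) manifests built from flat string settings."""
    plain = {k: v for k, v in settings.items() if k not in SECRET_KEYS}
    secret = {k: v for k, v in settings.items() if k in SECRET_KEYS}
    configmap = {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": f"{name}-config", "namespace": namespace},
        "data": plain,  # ConfigMap values are stored as plain text
    }
    secret_obj = {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": f"{name}-secrets", "namespace": namespace},
        # Secret `data` values must be base64-encoded. This is only an
        # encoding: anyone allowed to read the object can decode the values,
        # so protect Secrets with RBAC and encryption at rest, not base64.
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in secret.items()},
    }
    return configmap, secret_obj


def decode_secret(secret_obj: dict) -> dict:
    """Recover plain values from a Secret's base64 `data` field."""
    return {k: base64.b64decode(v).decode() for k, v in secret_obj["data"].items()}


def pod_spec(name: str, image: str) -> dict:
    """Pod that loads both objects into environment variables via envFrom."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name},
        "spec": {"containers": [{
            "name": "app",
            "image": image,  # constructed placeholder image name
            "envFrom": [
                {"configMapRef": {"name": f"{name}-config"}},
                {"secretRef": {"name": f"{name}-secrets"}},
            ],
        }]},
    }
```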