kubernetes (17): K8s configuration management: Secret (security)
https://kubernetes.io/zh/docs/concepts/configuration/secret/
https://www.jianshu.com/p/958f406ec071
https://www.cnblogs.com/Smbands/p/10877529.html
https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets
1 Secret overview
A Secret object is similar to a ConfigMap, but it is intended for sensitive information such as passwords, OAuth tokens and SSH keys. Keeping this information in a Secret is safer and more flexible than writing it directly into a Pod definition or a Docker image.
1.1 Secret types
There are three Secret types:
- Opaque: stores data base64-encoded; the original values can be recovered with base64 --decode, so it offers only weak protection.
- kubernetes.io/dockerconfigjson: stores the credentials for a Docker registry.
- kubernetes.io/service-account-token: referenced by a ServiceAccount. When a ServiceAccount is created, Kubernetes creates the corresponding Secret by default. If a Pod uses the ServiceAccount, that Secret is automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount.
2 Common Opaque Secrets
In an Opaque Secret every value is stored base64-encoded.
For the other types see https://kubernetes.io/zh/docs/concepts/configuration/secret
2.1 Creating a Secret from files
Create two files named username.txt and password.txt:
echo -n "admin" > ./username.txt
echo -n "1f2d1e2e67df" > ./password.txt
# Create the Secret with the kubectl create secret command:
kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
# secret "db-user-pass" created
2.2 Creating a Secret from a manifest
[root@k8s-master ~]# echo -n 'admin' | base64
YWRtaW4=
[root@k8s-master ~]# echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
[root@k8s-master ~]#
Create the Secret:
# cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
[root@k8s-master secret]# kubectl create -f secret.yaml
secret/mysecret created
View the Secret:
[root@k8s-master secret]# kubectl get secrets | grep myse
mysecret   Opaque   2   2m1s
[root@k8s-master secret]# kubectl describe secrets mysecret
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  12 bytes
username:  5 bytes
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2019-09-06T07:49:00Z"
  name: mysecret
  namespace: default
  resourceVersion: "1087562"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: ad119781-ded1-4125-8226-6f9c397ae811
type: Opaque
2.3 Using a Secret
Once a Secret has been created it can be consumed in two ways:
- as a Volume
- as environment variables
2.3.1 Mounting a Secret as a Volume
# cat mypod1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
[root@k8s-master secret]# kubectl create -f mypod1.yaml
pod/mypod created
[root@k8s-master secret]# kubectl get pods
NAME    READY   STATUS              RESTARTS   AGE
mypod   0/1     ContainerCreating   0          4s
[root@k8s-master secret]# kubectl get pods
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          19s
Enter the Pod and inspect the mounted Secret:
[root@k8s-master secret]# kubectl exec -it mypod /bin/bash
root@mypod:/data# cd /etc/foo/
root@mypod:/etc/foo# ls
password  username
root@mypod:/etc/foo# cat password
1f2d1e2e67dfroot@mypod:/etc/foo#
root@mypod:/etc/foo# cat username
adminroot@mypod:/etc/foo#
You can also mount only specific keys of the Secret:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username
In this case:
- username is stored at /etc/foo/my-group/my-username
- password is not mounted
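As an added example (not code from the original post), the following Python models what the commands above do: it builds an Opaque manifest the way `kubectl create secret generic --from-file` does, decodes it back to show that base64 provides no confidentiality, and computes the files a secret volume produces with and without `items`. The MYSECRET dict and the function names are constructed for this example.

```python
import base64
import posixpath

# Constructed sample: the mysecret manifest from section 2.2, as a dict.
MYSECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "mysecret"},
    "data": {"username": "YWRtaW4=", "password": "MWYyZDFlMmU2N2Rm"},
}

def build_opaque_secret(name, files):
    """Build the manifest that `kubectl create secret generic --from-file`
    produces: each file's base name becomes a key and its bytes are
    base64-encoded. This is encoding only; nothing is encrypted."""
    data = {posixpath.basename(path): base64.b64encode(content).decode("ascii")
            for path, content in files.items()}
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": data}

def decode_secret(manifest):
    """Recover the plaintext values. Anyone allowed to run
    `kubectl get secret <name> -o yaml` can do exactly this, so RBAC on the
    secrets resource matters far more than the base64 layer."""
    return {k: base64.b64decode(v).decode() for k, v in manifest["data"].items()}

def projected_files(manifest, mount_path, items=None):
    """Files a secret volume creates under mount_path.
    Without `items` every key becomes <mount_path>/<key>; with `items` only
    the listed keys appear, each at <mount_path>/<path> (path is required).
    A listed key missing from the Secret makes Kubernetes refuse to create
    the volume, so the Pod does not start; modelled here as a KeyError."""
    data = manifest["data"]
    if items is None:
        return {posixpath.join(mount_path, k): base64.b64decode(v) for k, v in data.items()}
    out = {}
    for item in items:
        key = item["key"]
        if key not in data:
            raise KeyError(f"key {key!r} not found in Secret {manifest['metadata']['name']}")
        out[posixpath.join(mount_path, item["path"])] = base64.b64decode(data[key])
    return out

if __name__ == "__main__":
    built = build_opaque_secret("db-user-pass",
                                {"./username.txt": b"admin", "./password.txt": b"1f2d1e2e67df"})
    print(built["data"])            # {'username.txt': 'YWRtaW4=', 'password.txt': 'MWYyZDFlMmU2N2Rm'}
    print(decode_secret(MYSECRET))  # {'username': 'admin', 'password': '1f2d1e2e67df'}
    print(projected_files(MYSECRET, "/etc/foo",
                          [{"key": "username", "path": "my-group/my-username"}]))
```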
2.3.2 Exposing a Secret as environment variables
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
  restartPolicy: Never
[root@k8s-master secret]# kubectl get pods
NAME             READY   STATUS    RESTARTS   AGE
mypod            1/1     Running   0          10m
secret-env-pod   1/1     Running   0          37s
[root@k8s-master secret]# kubectl exec -it secret-env-pod /bin/bash
root@secret-env-pod:/data# env | grep -E "USERNAME|PASSWORD"
SECRET_USERNAME=admin
SECRET_PASSWORD=1f2d1e2e67df
root@secret-env-pod:/data#
3 Example: injecting a MySQL password into a Pod
1. Create the Secret
kubectl create secret generic test --from-literal=MYSQL_ROOT_PASSWORD=1234567
2. Write the Deployment manifest
#vim myapp-demo.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-demo
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
        volumeMounts:
        - name: mysql
          mountPath: /test/
      volumes:
      - name: mysql
        secret:
          secretName: test
3. Start the Pod and check whether the value was injected
[root@k8s-master secret]# kubectl exec -it myapp-demo-b9997455b-5mxjm -- /bin/sh
/ # ls
bin   dev   etc   home  lib   media  mnt   proc  root  run   sbin  srv   sys   test  tmp   usr   var
/ # cd test/
/test # ls
MYSQL_ROOT_PASSWORD
/test # cat MYSQL_ROOT_PASSWORD
1234567/test