Kubernetes (17): K8s configuration management: Secret (security)

https://kubernetes.io/zh/docs/concepts/configuration/secret/

https://www.jianshu.com/p/958f406ec071

https://www.cnblogs.com/Smbands/p/10877529.html

https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets

1 Secret overview

A Secret object is similar to a ConfigMap object, but it is meant for sensitive data such as passwords, OAuth tokens and SSH keys. Keeping this data in a Secret is safer and more flexible than writing it directly into the Pod definition or baking it into the Docker image.

1.1 Secret types

There are three types of Secret:

  • Opaque: stores the data base64-encoded; it can be decoded with base64 --decode to recover the original data, so it offers weak security.
  • kubernetes.io/dockerconfigjson: stores authentication credentials for a Docker registry.
  • kubernetes.io/service-account-token: referenced by a ServiceAccount. When a ServiceAccount is created, Kubernetes creates the corresponding Secret by default. If a Pod uses a ServiceAccount, that Secret is automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount.

2 Common Opaque Secrets

In an Opaque Secret, every value is stored base64-encoded.

For the other types, see https://kubernetes.io/zh/docs/concepts/configuration/secret

2.1 Creating a Secret from files

Create two files named username.txt and password.txt:

echo -n "admin" > ./username.txt
echo -n "1f2d1e2e67df" > ./password.txt
# create the secret with the kubectl create secret command:
kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
#secret "db-user-pass" created

2.2 Creating a Secret from a manifest file

[root@k8s-master ~]# echo -n 'admin' | base64
YWRtaW4=
[root@k8s-master ~]# echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
[root@k8s-master ~]#

Create the Secret

# cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm


[root@k8s-master secret]# kubectl create -f secret.yaml
secret/mysecret created

Inspect the Secret

[root@k8s-master secret]# kubectl get secrets | grep myse
mysecret                             Opaque                                2      2m1s
[root@k8s-master secret]# kubectl describe secrets mysecret
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  12 bytes
username:  5 bytes
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2019-09-06T07:49:00Z"
  name: mysecret
  namespace: default
  resourceVersion: "1087562"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: ad119781-ded1-4125-8226-6f9c397ae811
type: Opaque

2.3 Using a Secret

Once the Secret exists, it can be consumed in two ways:

  • as a Volume
  • as environment variables

2.3.1 Mounting a Secret as a Volume

# cat mypod1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
[root@k8s-master secret]# kubectl create -f mypod1.yaml
pod/mypod created
[root@k8s-master secret]# kubectl get pods
NAME    READY   STATUS              RESTARTS   AGE
mypod   0/1     ContainerCreating   0          4s
[root@k8s-master secret]# kubectl get pods
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          19s

Enter the Pod and inspect the mounted Secret:
[root@k8s-master secret]# kubectl exec -it mypod /bin/bash
root@mypod:/data# cd /etc/foo/
root@mypod:/etc/foo# ls
password  username
root@mypod:/etc/foo# cat password
1f2d1e2e67dfroot@mypod:/etc/foo#
root@mypod:/etc/foo# cat username
adminroot@mypod:/etc/foo#

You can also mount only specific keys of the Secret:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username

In this case:

  • username is stored at /etc/foo/my-group/my-username
  • password is not mounted

2.3.2 Exposing a Secret as environment variables

apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
  restartPolicy: Never


[root@k8s-master secret]# kubectl get pods
NAME             READY   STATUS    RESTARTS   AGE
mypod            1/1     Running   0          10m
secret-env-pod   1/1     Running   0          37s
[root@k8s-master secret]# kubectl exec -it secret-env-pod /bin/bash
root@secret-env-pod:/data# env | grep -E "USERNAME|PASSWORD"
SECRET_USERNAME=admin
SECRET_PASSWORD=1f2d1e2e67df
root@secret-env-pod:/data#
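The two consumption styles above differ in exposure: a value in an environment variable is printed by env (as the session shows), inherited by every child process, copied into crash dumps, and only changes when the container restarts, while a read-only volume mount keeps it in a file that the kubelet refreshes in place. The lint below is an added example, not code from the original post or from any Kubernetes tool. It counts secretKeyRef env entries and lists Secret-backed volumeMounts that lack readOnly: true. Both Pod manifests in it are constructed samples modelled on the ones above, and the functions count_env_secret_refs, secret_mounts_missing_readonly and audit_pod_manifest are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): a small manifest lint for the
# two ways of consuming a Secret shown on this page. Both manifests below
# are constructed samples; indentation-based awk is used instead of a YAML
# parser, which is enough for manifests shaped like the ones on the page.
set -eu

# Constructed: reads mysecret through an env var and mounts it writable.
SAMPLE_POD='apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
    - name: scratch
      mountPath: "/scratch"
  volumes:
  - name: foo
    secret:
      secretName: mysecret
  - name: scratch
    emptyDir: {}'

# Constructed: the read-only mount from section 2.3.1, which passes both checks.
GOOD_POD='apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret'

# Number of env entries whose value comes from a Secret (secretKeyRef).
count_env_secret_refs() {
  printf '%s\n' "$1" | grep -c 'secretKeyRef:' || true
}

# Names of volumeMounts backed by a Secret volume that lack readOnly: true.
# The scratch emptyDir mount is deliberately not reported.
secret_mounts_missing_readonly() {
  printf '%s\n' "$1" | awk '
    function flush() { if (cur != "" && !ro) missing[cur] = 1; cur = ""; ro = 0 }
    /^ *volumeMounts:/ { match($0, /^ */); base = RLENGTH; in_vm = 1; in_vol = 0; next }
    /^ *volumes:/      { match($0, /^ */); vbase = RLENGTH; flush(); in_vm = 0; in_vol = 1; next }
    in_vm {
      match($0, /^ */); ind = RLENGTH
      if (ind >= base && $0 ~ /^ *- name:/) { flush(); cur = $3 }
      else if (ind <= base) { flush(); in_vm = 0 }
      else if ($0 ~ /readOnly: *true/) { ro = 1 }
    }
    in_vol {
      match($0, /^ */); ind = RLENGTH
      if (ind >= vbase && $0 ~ /^ *- name:/) { vol = $3 }
      else if (ind <= vbase) { in_vol = 0 }
      else if ($0 ~ /^ *secret:/) { secretvol[vol] = 1 }
    }
    END { flush(); for (m in missing) if (m in secretvol) print m }
  ' | sort
}

# Print findings; exit status 1 when anything was flagged so CI can gate on it.
audit_pod_manifest() {
  status=0
  n="$(count_env_secret_refs "$1")"
  if [ "$n" -gt 0 ]; then
    echo "WARN: $n env var(s) read from a Secret; prefer a read-only volume mount"
    status=1
  fi
  for m in $(secret_mounts_missing_readonly "$1"); do
    echo "WARN: Secret volumeMount '$m' is not readOnly: true"
    status=1
  done
  return $status
}

audit_pod_manifest "$SAMPLE_POD" || echo "secret-env-pod: needs attention"
audit_pod_manifest "$GOOD_POD" && echo "mypod: ok"
```

Run it against a manifest exported with kubectl get pod -o yaml, or in a pre-commit hook over the YAML in the repository; the exit status makes it usable as a gate.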

3 Example: injecting a MySQL password into a Pod

1. Create the Secret

kubectl create secret generic test --from-literal=MYSQL_ROOT_PASSWORD=1234567

2. Create the Deployment manifest

#vim myapp-demo.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-demo
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
        volumeMounts:
        - name: mysql
          mountPath: /test/
      volumes:
      - name: mysql
        secret:
          secretName: test

3. Start the Pod and check whether the value was injected

[root@k8s-master secret]# kubectl exec -it myapp-demo-b9997455b-5mxjm -- /bin/sh
/ # ls
bin    dev    etc    home   lib    media  mnt    proc   root   run    sbin   srv    sys    test   tmp    usr    var
/ # cd test/
/test # ls
MYSQL_ROOT_PASSWORD
/test # cat MYSQL_ROOT_PASSWORD
1234567/test

posted on 2019-10-14 14:30 by 光阴8023