Secret

13. Secret

  • 概述
Secret 的功能类似于 ConfigMap,都用于给 Pod 提供额外的配置信息;区别在于 Secret 是一种用于存放少量敏感信息(例如密码、令牌或密钥)的对象。

Secret的名称必须是合法的DNS子域名

每个 Secret 的大小最多为 1MiB,这是为了避免用户创建非常大的 Secret 进而导致 API 服务器和 kubelet 内存耗尽;不过创建很多小的 Secret 也可能耗尽内存,可以使用资源配额来约束每个名字空间中 Secret 的个数。

在通过 YAML 文件创建 Secret 时,可以设置 data 或 stringData 字段,二者都是可选的。data 字段中所有的值都必须是 base64 编码的字符串;如果不希望自己做 base64 转换,也可以改用 stringData 字段,其中的值可以直接写未经编码的明文字符串(注意 base64 只是编码,并不是加密)。

Pod 可以用三种方式中的任意一种来使用 Secret:
1. 作为挂载到一个或多个容器上的卷中的文件(例如 crt 文件、key 文件);
2. 作为容器的环境变量;
3. 由 kubelet 在为 Pod 拉取镜像时使用(用于镜像仓库的认证)。

13.1 Secret 类型简介

Kubernetes 默认支持多种不同类型的 Secret,用于不同的使用场景,不同类型的 Secret 的配置参数也不一样。

Secret类型 使用场景
Opaque 用户定义的任意数据
kubernetes.io/service-account-token ServiceAccount 令牌
kubernetes.io/dockercfg ~/.dockercfg 文件序列化形式
kubernetes.io/dockerconfigjson ~/.docker/config.json 文件的序列化形式
kubernetes.io/basic-auth 用于基本身份认证的凭据
kubernetes.io/ssh-auth 用于SSH身份认证的凭据
kubernetes.io/tls 用于TLS环境,保存crt证书和key证书
bootstrap.kubernetes.io/token 启动引导令牌数据

13.2 data 类型(需 base64 编码)

  • data 字段的值必须经过 base64 编码,否则会报错(base64 只是编码,并非加密)
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# echo admin | base64
YWRtaW4K
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# echo 123456 | base64
MTIzNDU2Cg==

root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 1-secret-Opaque-data.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: mysecret-data
  namespace: myserver
type: Opaque
# `data` values must be base64-encoded strings. base64 is an encoding, not encryption:
# `echo YWRtaW4K | base64 -d` prints `admin` again, so this manifest is itself sensitive.
# `echo` without -n appends a newline, which gets encoded too (the trailing "K"/"Cg==")
# and ends up inside the mounted file / env value.
data:
  user: YWRtaW4K
  password: MTIzNDU2Cg==
  age: MTgK # a value that is not valid base64 is rejected by the API server
  • 解码
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl get secrets -n myserver mysecret-data -o yaml
apiVersion: v1
data:
  age: MTgK
  password: MTIzNDU2Cg==
  user: YWRtaW4K
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"age":"MTgK","password":"MTIzNDU2Cg==","user":"YWRtaW4K"},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret-data","namespace":"myserver"},"type":"Opaque"}
  creationTimestamp: "2022-11-26T02:47:26Z"
  name: mysecret-data
  namespace: myserver
  resourceVersion: "777078"
  uid: 5fef55f2-4eb0-4128-9ed6-cd97835b0643
type: Opaque


root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# echo YWRtaW4K | base64 -d
admin

13.3 StringData

  • 自动 base64 编码
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 2-secret-Opaque-stringData.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: mysecret-stringdata
  namespace: myserver
type: Opaque
# stringData accepts plaintext; the API server base64-encodes it into `data` on write
# (the stored object only carries `data.password` / `data.user`, as the etcd dump below shows).
# This is a convenience for authoring only — the values are exactly as recoverable as
# the base64 form in 1-secret-Opaque-data.yaml.
stringData:
  user: 'admin'
  password: '123456'

13.4 将 Secret 数据挂载为认证文件(挂载后为明文)

root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 3-secret-Opaque-mount.yaml 
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myserver-myapp-app1-deployment
  namespace: myserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myserver-myapp-app1
  template:
    metadata:
      labels:
        app: myserver-myapp-app1
    spec:
      containers:
      - name: myserver-myapp-app1
        image: tomcat:7.0.94-alpine
        ports:
        - containerPort: 8080
        volumeMounts:
        # Each key of the Secret becomes one file under this path (age, password, user).
        # Consider adding `readOnly: true` so the application cannot alter the mounted files.
        - mountPath: /data/myserver/auth
          name: myserver-auth-secret 
      volumes:
      - name: myserver-auth-secret
        secret:
          # The kubelet base64-decodes the values, so the files hold plaintext
          # (`cat password` inside the pod prints 123456 — see the exec session below).
          # Consider `defaultMode: 0400` to narrow the file permissions in the container.
          secretName: mysecret-data # mount the named Secret; after mounting the base64 values are decoded to plaintext

---
apiVersion: v1
kind: Service
metadata:
  name: myserver-myapp-app1
  namespace: myserver
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
    # NodePort publishes the tomcat pod on this port of every node's IP, i.e. outside the
    # cluster; the mounted credentials are then reachable by whatever the app does with them.
    nodePort: 30018
    protocol: TCP
  type: NodePort
  selector:
    app: myserver-myapp-app1

root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl exec -it -n myserver myserver-myapp-app1-deployment-5f5776776b-4vrld bash
bash-4.4# cd /data/myserver/auth
bash-4.4# ls
age       password  user
bash-4.4# cat password 
123456
bash-4.4# cat user 
admin

  • Secret 的数据可以直接在 etcd 中找到(下面的输出显示密码为明文存储,并未加密)
root@k8s-etcd1:~# etcdctl get / --keys-only --prefix | grep mysecret
/registry/secrets/myserver/mysecret-data
/registry/secrets/myserver/mysecret-stringdata
root@k8s-etcd1:~# etcdctl get /registry/secrets/myserver/mysecret-stringdata
/registry/secrets/myserver/mysecret-stringdata
k8s


v1Secretׄ 
« 
mysecret-stringdatmyserver"*$435fd42f-78d4-42d9-a077-8c001bdacf462ɾb
0kubectl.kubernetes.io/last-applied-configuration¸{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"mysecret-stringdata","namespace":"myserver"},"stringData":{"password":"123456","user":"admin"},"type":"Opaque"}
z܁
kubectl-client-side-applyUpdatevɾFieldsV1: 
{"f:data":{".":{},"f:password":{},"f:user":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:type":{}}B                                                                                                             password123456 
useradminOpaque"

13.5 kubernetes.io/tls - 为 nginx 提供证书

root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# mkdir -p certs
# Generate the certificates: a self-signed CA, a server CSR, then sign the CSR with the CA.
# -nodes leaves both private keys unencrypted on disk (mode 0600 only, see `ll` below);
# keep ca.key / server.key out of version control and shared notes.
# NOTE(review): the CA is valid for 3560 days but the server cert below for 3650, so the
# leaf outlives its issuer — confirm the intended lifetimes.
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=www.ca.com'
# Only a CN is set, no subjectAltName; many current TLS clients ignore CN and will reject
# this cert unless verification is disabled — TODO(review) confirm against the client used.
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.mysite.com'
# -set_serial 01 hard-codes the serial; acceptable for a lab CA that signs a single cert.
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
# Create a kubernetes.io/tls Secret: --cert is the certificate (public part), --key the private key.
# The private key now also lives in the cluster store (etcd), base64 only unless encryption at rest is configured.
kubectl create secret tls myserver-tls-key --cert=./server.crt --key=./server.key -n myserver

root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret/certs# kubectl get secrets -n myserver myserver-tls-key
NAME               TYPE                DATA   AGE
myserver-tls-key   kubernetes.io/tls   2      19m

root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret/certs# ll
total 28
drwxr-xr-x 2 root root 4096 Nov 26 05:17 ./
drwxr-xr-x 3 root root 4096 Jul 31 10:42 ../
-rw-r--r-- 1 root root 1809 Nov 26 05:14 ca.crt
-rw------- 1 root root 3272 Nov 26 05:14 ca.key
-rw-r--r-- 1 root root 1667 Nov 26 05:17 server.crt
-rw-r--r-- 1 root root 1590 Nov 26 05:16 server.csr
-rw------- 1 root root 3272 Nov 26 05:16 server.key

root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 4-secret-tls.yaml 
apiVersion: v1
kind: ConfigMap
# nginx server block for www.mysite.com. The Deployment below mounts key `default`
# as /etc/nginx/conf.d/myserver/mysite.conf; the main nginx.conf must include that
# directory before the block takes effect.
metadata:
  name: nginx-config
  namespace: myserver
data:
 # ssl_certificate / ssl_certificate_key point at the kubernetes.io/tls Secret mount
 # (/etc/nginx/conf.d/certs/tls.crt and tls.key).
 # The `if ($scheme = http)` guard keeps the HTTP->HTTPS rewrite from looping on the 443
 # listener. `rewrite / https://www.mysite.com permanent;` matches every URI and drops
 # the original path; `return 301 https://$host$request_uri;` would preserve it.
 # No ssl_protocols / ssl_ciphers are set, so nginx defaults for this image version apply —
 # TODO(review) confirm those defaults are acceptable.
 default: |
    server {
       listen       80;
       server_name  www.mysite.com;
       listen 443 ssl;
       ssl_certificate /etc/nginx/conf.d/certs/tls.crt;
       ssl_certificate_key /etc/nginx/conf.d/certs/tls.key;

       location / {
           root /usr/share/nginx/html; 
           index index.html;
           if ($scheme = http ){  #未加条件判断,会导致死循环
              rewrite / https://www.mysite.com permanent;
           }  

           if (!-e $request_filename) {
               rewrite ^/(.*) /index.html last;
           }
       }
    }

---
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
# Note: 5-secret-imagePull.yaml defines a Deployment with this same name in the same
# namespace; applying it afterwards replaces this one (different image, no TLS volumes).
metadata:
  name: myserver-myapp-frontend-deployment
  namespace: myserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myserver-myapp-frontend
  template:
    metadata:
      labels:
        app: myserver-myapp-frontend
    spec:
      containers:
      - name: myserver-myapp-frontend
        image: nginx:1.20.2-alpine 
        ports:
          # Only 80 is declared although the mounted config also listens on 443.
          # containerPort is informational, but listing 443 here documents the TLS listener.
          - containerPort: 80
        volumeMounts:
          # ConfigMap key `default` lands here as mysite.conf (see the items mapping below).
          # This is a subdirectory of conf.d, so the main nginx.conf needs an explicit
          # `include /etc/nginx/conf.d/myserver/*.conf;` (added by hand in the notes below).
          - name: nginx-config
            mountPath:  /etc/nginx/conf.d/myserver
          # The kubernetes.io/tls Secret appears here as tls.crt and tls.key in plaintext PEM.
          # Consider `readOnly: true` here and a restrictive `defaultMode` on the volume
          # below so the private key is no more accessible than nginx requires.
          - name: myserver-tls-key
            mountPath:  /etc/nginx/conf.d/certs
      volumes:
      - name: nginx-config
        configMap:
          name: nginx-config
          items:
             - key: default
               path: mysite.conf
      - name: myserver-tls-key
        secret:
          secretName: myserver-tls-key 


---
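apiVersion: v1
kind: Service
# NodePort Service for the nginx frontend: both listeners are published on every node's IP.
# Note: 5-secret-imagePull.yaml defines a Service with this same name (port 80 only,
# nodePort 30022); applying both files in one namespace leaves only the last one applied.
metadata:
  name: myserver-myapp-frontend
  namespace: myserver
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 30020
    protocol: TCP
  # Port name corrected from the typo "htts". Names are labels only, but they appear in
  # `kubectl get svc` output and in Ingress/NetworkPolicy port references.
  - name: https
    port: 443
    targetPort: 443
    nodePort: 30019
    protocol: TCP
  selector:
    app: myserver-myapp-frontend 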
  • 检测
#需要先把挂载进来的 mysite.conf(其中引用了 certs 目录下的证书)include 到 nginx 主配置文件中并 reload,配置才会生效;否则此时查看端口会发现并没有监听 443 端口
#证书已经通过 Secret 挂载到了 /etc/nginx/conf.d/certs 目录
/ # cd /etc/nginx/conf.d/certs
/etc/nginx/conf.d/certs # ls
tls.crt  tls.key

#nginx配置文件已经挂载过来
/ # cd /etc/nginx/conf.d/myserver/
/etc/nginx/conf.d/myserver # ls
mysite.conf

#nginx.conf主配置文件中添加包含
include /etc/nginx/conf.d/myserver/*.conf;

# Validate the config (now including mysite.conf), reload, and confirm 443 is listening.
nginx -t
nginx -s reload
netstat -tanlp
# Show the served certificate.
# NOTE(review): -k disables certificate verification, so this only proves TLS is up, not
# that the chain is valid; verifying against the issuing CA (`curl --cacert ca.crt ...`)
# would confirm the cert actually chains. -l is curl's FTP list-only flag and has no
# effect on an HTTPS request; -v and -k are the options doing the work.
curl -lvk https://www.mysite.com

13.6 kubernetes.io/dockerconfigjson

# Create the private-registry pull credential from the local docker client config.
# NOTE(review): --from-file uploads the whole /root/.docker/config.json, i.e. every registry
# login it contains, into the cluster; a config holding only the needed registry is safer.
# The stored value is base64 only (see `kubectl get -o yaml` below): anyone who can read
# Secrets in the namespace can recover the registry credentials, so treat that output as
# sensitive and rotate any credential that has been copied into notes.
kubectl create secret generic aliyun-registry-image-pull-key \
--from-file=.dockerconfigjson=/root/.docker/config.json \
--type=kubernetes.io/dockerconfigjson \
-n myserver

root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl get secrets -n myserver 
NAME                             TYPE                             DATA   AGE
aliyun-registry-image-pull-key   kubernetes.io/dockerconfigjson   1      45s
myserver-tls-key                 kubernetes.io/tls                2      114m

#查看创建的认证信息
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# kubectl get secrets -n myserver aliyun-registry-image-pull-key  -o yaml

apiVersion: v1
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSJoYXJib3IubmJyaGNlLmNvbSI6IHsKCQkJImF1dGgiOiAiY1hWNWFUcElZWEppYjNJeE1qTTBOUT09IgoJCX0KCX0KfQ==
kind: Secret
metadata:
  creationTimestamp: "2022-11-26T07:13:15Z"
  name: aliyun-registry-image-pull-key
  namespace: myserver
  resourceVersion: "807752"
  uid: d8949f22-addc-4aef-a958-2249d967758c
type: kubernetes.io/dockerconfigjson
  • 在 YAML 文件中引用该 Secret 拉取私有镜像
#关键字是 imagePullSecrets,用于指定拉取镜像时使用的认证信息
root@deploy-harbor:~/20220731/k8s-Resource-N70/case11-secret# cat 5-secret-imagePull.yaml 
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
# Same name as the Deployment in 4-secret-tls.yaml: applying this replaces that one
# (different image, no ConfigMap/TLS volumes).
metadata:
  name: myserver-myapp-frontend-deployment
  namespace: myserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myserver-myapp-frontend
  template:
    metadata:
      labels:
        app: myserver-myapp-frontend
    spec:
      containers:
      - name: myserver-myapp-frontend
        # Image pulled with the registry credential referenced in imagePullSecrets below.
        image: registry.cn-qingdao.aliyuncs.com/zhangshijie/nginx:1.16.1-alpine-perl 
        ports:
          - containerPort: 80
      # Refers to a kubernetes.io/dockerconfigjson Secret in the same namespace (created
      # above with `kubectl create secret generic ... --type=kubernetes.io/dockerconfigjson`).
      # The wrapped config.json must contain a login for the registry above — TODO(review) confirm.
      imagePullSecrets:
        - name: aliyun-registry-image-pull-key

---
apiVersion: v1
kind: Service
# Same name as the Service in 4-secret-tls.yaml but with only the HTTP port and a
# different nodePort (30022); applying both leaves only the last one applied.
metadata:
  name: myserver-myapp-frontend
  namespace: myserver
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
    # Published on this port of every node's IP (NodePort).
    nodePort: 30022
    protocol: TCP
  type: NodePort
  selector:
    app: myserver-myapp-frontend 