secret
概念
secret对象类型主要目的是保存和处理敏感信息/私密数据,比如密码,OAuth tokens,ssh keys等信息。将这些信息放在secret对象中比 直接放在pod或docker image中更安全,也更方便使用。
一个已经创建好的secrets对象有两种方式被pod对象使用,其一,在container中的volume对象里以file的形式被使用,其二,在pull images时被kubelet使用。
类型
Opaque任意字符串,默认类型
kubernetes.io/service-account-token:作用于ServiceAccount
kubernetes.io/dockercfg:作用于Docker registry,用户下载docker镜像认证使用
Opaque
创建
文件
实现把需要加密的内容实现base64编码
echo -n lykops | base64
bHlrb3Bz
echo -n 1qaz2wsx | base64
MXFhejJ3c3g=
然后写入test-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: test-secret
namespace:
default
type: Opaque
data:
password: MXFhejJ3c3g=
username: bHlrb3Bz
导入kubectl create -f test-secret.yaml
命令行
kubectl createsecret generic test--secret --from-literal=username=lykops--from-literal=password=1qaz2wsx
pod引用
cat << EOF > test-secret.yaml
apiVersion: v1
kind: Pod
metadata:
name: test-secret-pod
labels:
software: apache
project: test
app: test-secret-pod
version: v1
spec:
containers:
-name: test-secret-pod
image: web:apache
command: [
'sh'
,
'/etc/run.sh'
]
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: test-secret
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: test-secret
key: password
EOF
kubectl create -f test-secret-pod.yaml
然后进入pod
kubectl exec -it test-secret-pod /bin/bash
执行env | grep -i '^SECRET_'
SECRET_USERNAME=lykops
SECRET_PASSWORD=1qaz2wsx
imagePullSecrets
当在需要安全验证的环境中拉取镜像时,需要通过用户名和密码。
apiVersion: v1
kind: Secret
metadata:
name: myregistrykey
namespace: awesomeapps
data:
.dockerconfigjson:UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg==
type: kubernetes.io/dockerconfigjson
或者直接通过命令创建
kubectl create secret docker-registrymyregistrykey --docker-server=DOCKER_REGISTRY_SERVER--docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD--docker-email=DOCKER_EMAIL
接下来拉取镜像的时候,就可以使用了
apiVersion: v1
kind: Pod
metadata:
name: foo
namespace: awesomeapps
spec:
containers:
-name: foo
image: janedoe/awesomeapp:v1
imagePullSecrets:
-name: myregistrykey
此种方式有可能会报错。
还有另外一种方式
我们知道使用docker pull去私有仓库拉取镜像,需要先使用docker login登陆一下私有仓库,而login执行的操作,实际上就是在用户的家目录写入了.docker/config.json文件。将此文件做一个软链接到 /var/lib/kubelet/.docker/就可以解决此问题了。当配置了软连接后就不需要在yaml文件中引用前面的创建的secret了。
# cat /root/.docker/config.json # ln -s /root/.docker/ /var/lib/kubelet/.docker/
Service Account
概念
Service Account(以下简称SA)的使用场景:运行在pod里的进程需要调用K8S API以及非K8S API的其它服务。SA
cat ~/.docker/config.json
{
"auths"
: {
"10.39.0.118"
: {
"auth"
:
"Y2hlbm1vOmNtMTM4MTE2NjY3ODY="
},
"10.39.0.12:5000"
: {
"auth"
:
"dXNlcjAxOjEyMzQ1YQ=="
},
"https://10.39.0.12:5000"
: {
"auth"
:
"dXNlcjAxOjEyMzQ1YQ=="
}
}
}
并不是给K8S集群的用户使用的,而是给pod里面的进程使用的,它为pod提供必要的身份认证。
如果K8S开启了SA(位于/etc/kubernetes/controller-manager的KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"),那么会在每个namespace下面都会创建一个默认的default的SA。
配置
当用户在namespace下创建pod时会默认使用sa。
……
volumes:
-name:
default
-token-rsf8r
secret:
defaultMode:
420
secretName:
default
-token-rsf8r
|
具体看一下secret
kubectl get secret
default
-token-rsf8r -oyaml
apiVersion: v1
data:
ca.crt:LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVZlpvZDJtSzNsa3JiMzR3NDhhUmtOc0pVVDJjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEUzTURVd01qQTNNekF3TUZvWERUSXlNRFV3TVRBM016QXdNRm93WlRFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbGFVcHBibWN4RERBSwpCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByZFdKbGNtNWxkR1Z6Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBc2E5Zk1HVGd2MGl0YnlZcHoycXkKOThKWktXdWdFL0VPbXRYS2ExT0Y3ekUxSFh1cDFOVG8rNkhvUEFuR3hhVzg4Q0s0TENrbWhNSGFLdUxnT3IvVApOMGphdnc5YWlPeVdYR1hXUUxVN3U0aVhoaDV6a2N4bmZxRW9JOW9JV2dMTzVEL3hBL0tnZzRQZDRMeFdqMkFQCk4rcVdxQ2crU3BrdkpIQUZWL3IyTk1BbEIzNHBrK0t5djVQMDJSQmd6Y2xTeSs5OUxDWnlIQ1VocGl0TFFabHoKdUNmeGtBeUNoWFcxMWNKdVFtaDM4aFVKa0dhUW9OVDVSNmtoRTArenJDVjVkWnNVMVZuR0FydWxaWXpJY3kregpkeUZpYWYyaitITyt5blg4RUNySzR1TUF3Nk4zN1pnNjRHZVRtbk5EWmVDTTlPelk5czBOVzc1dHU5bHJPZTVqCnZRSURBUUFCbzJZd1pEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFqQWQKQmdOVkhRNEVGZ1FVK2RqMThRUkZyMWhKMVhGb1VyYUVVRnpEeVRBd0h3WURWUjBqQkJnd0ZvQVUrZGoxOFFSRgpyMWhKMVhGb1VyYUVVRnpEeVRBd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFBazQ4ODZBa0Fpa3VBVWRiOWU1CitldkVXVVFFaTIyTmc4REhmVTVSbXppU2ZhVllFQ1FuTlBUREprMmYvTm1Kb3RUVWxRZS9Ec3BkNEk1TFova1IKMGI2b1VoZkdmTkVOOXVObkkvZEgzOFBjUTNDaWtVeHhaeFRYTytaaldxcGNHZTRLNzZtaWd2ZWhQR2Z1VUNzQwp0UmZkZDM2YkhnRjN4MzRCWnc5MStDQ2VKQzBSWmNjVENqcHFHUEZFQlM3akJUVUlRVjNodnZycWJMV0hNeTJuCnFIck94UFI1eFkrRU5SQ0xzVWNSdk9icUhBK1g0c1BTdzBwMWpROXNtK1lWNG1ybW9Gd1RyS09kK2FqTVhzVXkKL3ZRYkRzNld4RWkxZ2ZvR3BxZFN6U1k0MS9IWHovMjZWNlFWazJBajdQd0FYZmszYk1wWHdDamRXRG4xODhNbQpXSHM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
namespace: ZGVmYXVsdA==
token:ZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbVJsWm1GMWJIUXRkRzlyWlc0dGNuTm1PSElpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1dVlXMWxJam9pWkdWbVlYVnNkQ0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG5WcFpDSTZJakJrWlRJek5UYzFMVEptTURJdE1URmxOeTA1T0dRd0xUVXlOVFJqTkRZeU9HRmtPU0lzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwa1pXWmhkV3gwT21SbFptRjFiSFFpZlEuSmxuamM0Y0xNYkZrRlJVQjIyWGtFN2t4bTJ1dS1aQm9sUTh4VEdDNmdLOTdSZTVOMzBuY2V0SWJsanVOVWFlaDhtMDk2R19nMHE3cmRvWm5XMTV2OFBVXzNyM1hWWlBNc1lxbGRpZlNJbWtReXFqeEphVlBka3Izam5GWVBkVWNaTmk3MFF3cWtEdm5sMXB4SFRNZTZkTVNPTlExbUVoMHZSbHBhRTdjVWtTVlg5blRzaFVJVTVXWE9wRUxwdTVjVjBHV3ZGeDRDSzR6Umt3clNMdlV5X2d5UGZwLWdYVFZQWU80NkJKSWZtaVhlZGhVaW9nempPN285eGxDbUxQVkhyNkFIZGViNExiTVA1dkJ2MlBSZ2RrMW9keTR0VEdxLVRGU3M2VkNoMTZ4dk5IdTRtRVN5TjZmcXVObzJwYUFOelY4b251aTJuaU4yNTU1TzN4SFdR
kind: Secret
metadata:
annotations:
kubernetes.io/service-account.name:
default
kubernetes.io/service-account.uid: 0de23575-2f02-11e7-98d0-5254c4628ad9
name:
default
-token-rsf8r
namespace:
default
resourceVersion:
"12551"
selfLink: /api/v1/namespaces/
default
/secrets/
default
-token-rsf8r
uid:75c0a236-2f02-11e7-98d0-5254c4628ad9
type: kubernetes.io/service-account-token
上面的内容是经过base64加密过后的,直接进入容器内
ls -l /var/run/secrets/kubernetes.io/serviceaccount/
total
0
lrwxrwxrwx
1
root root
13
May
4
23
:
57
ca.crt -> ..data/ca.crt
lrwxrwxrwx
1
root root
16
May
4
23
:
57
namespace -> ..data/namespace
lrwxrwxrwx
1
root root
12
May
4
23
:
57
token -> ..data/token
可以看到已将ca.crt 、namespace和token放到容器内了,那么这个容器就可以通过https的请求访问apiserver了。
本文出自https://www.2cto.com/net/201708/664156.html
Kubernetes & ServiceAccount
本文参考https://blog.csdn.net/xichenguan/article/details/79345566