k8s学习(十二) 使用secret
ConfigMap是用来存储一些非安全的配置信息,如果涉及到一些安全相关的数据的话用ConfigMap就非常不妥了,
因为ConfigMap明文存储的,这个时候使用Secret,Secret用来保存敏感信息,例如密码、OAuth 令牌和 ssh key等等,
将这些信息放在Secret中比放在Pod的定义中或者docker镜像中来说更加安全和灵活。
Secret有三种类型:
Opaque:base64 编码格式的 Secret,用来存储密码、密钥等;但数据也可以通过base64 –decode解码得到原始数据,所有加密性很弱。
kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息。
kubernetes.io/service-account-token:用于被serviceaccount引用,serviceaccout 创建时Kubernetes会默认创建对应的secret。Pod如果使用了serviceaccount,对应的secret会自动挂载到Pod目录/run/secrets/kubernetes.io/serviceaccount中。
1、Opaque Secret
Opaque 类型的数据是一个 map 类型,要求value是base64编码格式。
比如我们来创建一个用户名为 zhangsan,密码为 zhangsan 的 Secret 对象,
首先我们先把这用户名和密码做 base64 编码
[root@k8s-node1 k8s]# echo -n "zhangsan" | base64
emhhbmdzYW4=
创建secret-opaque.yaml文件
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: emhhbmdzYW4=
password: emhhbmdzYW4=
[root@k8s-node1 k8s]# kubectl create -f secret-opaque.yaml
secret/mysecret created
查看secret
[root@k8s-node1 k8s]# kubectl get secret
NAME TYPE DATA AGE
cluster-admin-dashboard-sa-token-hld8l kubernetes.io/service-account-token 3 11d
default-token-7c9dp kubernetes.io/service-account-token 3 11d
myregistrykey6 kubernetes.io/dockerconfigjson 1 7d5h
mysecret Opaque 2 35s
[root@k8s-node1 k8s]# kubectl describe secret mysecret
Name: mysecret
Namespace: default
Labels:
Annotations:
Type: Opaque
Data
====
password: 8 bytes
username: 8 bytes
使用环境变量引用secret
yaml文件:
apiVersion: v1
kind: Pod
metadata:
name: secret-opaque-env-pod
spec:
containers:
- name: secret-opaque-env-pod
image: busybox
command: [ "/bin/sh", "-c", "env" ]
env:
- name: USERNAME
valueFrom:
secretKeyRef:
name: mysecret
key: username
- name: PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password
kubectl create -f test-secret-opaque-env-pod.yaml
[root@k8s-node1 k8s]# kubectl logs secret-opaque-env-pod
KUBE_NODE_SERVICE_PORT_8080_TCP_PROTO=tcp
KUBE_NODE_HPA_DEMO_SERVICE_PORT=tcp://10.97.179.242:8080
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBE_NODE_HPA_DEMO_SERVICE_SERVICE_PORT=8080
KUBE_NODE_SERVICE_PORT=tcp://10.96.77.110:8080
KUBE_NODE_SERVICE_SERVICE_PORT=8080
HOSTNAME=secret-opaque-env-pod
SHLVL=1
KUBE_NODE_HPA_DEMO_SERVICE_PORT_8080_TCP=tcp://10.97.179.242:8080
HOME=/root
KUBE_NODE_SERVICE_PORT_8080_TCP=tcp://10.96.77.110:8080
USERNAME=zhangsan
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBE_NODE_HPA_DEMO_SERVICE_PORT_8080_TCP_ADDR=10.97.179.242
KUBE_NODE_HPA_DEMO_SERVICE_SERVICE_HOST=10.97.179.242
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
PASSWORD=zhangsan
KUBE_NODE_SERVICE_SERVICE_HOST=10.96.77.110
KUBE_NODE_SERVICE_PORT_8080_TCP_ADDR=10.96.77.110
KUBE_NODE_HPA_DEMO_SERVICE_PORT_8080_TCP_PORT=8080
KUBE_NODE_HPA_DEMO_SERVICE_PORT_8080_TCP_PROTO=tcp
KUBE_NODE_SERVICE_PORT_8080_TCP_PORT=8080
使用volume挂载引用secret
编辑yaml
apiVersion: v1
kind: Pod
metadata:
name: secret-opaque-volume
spec:
containers:
- name: secret2
image: busybox
command: ["/bin/sh", "-c", "ls /etc/secrets"]
volumeMounts:
- name: secrets
mountPath: /etc/secrets
volumes:
- name: secrets
secret:
secretName: mysecret
kubectl create -f test-secret-opaque-volume.yaml
查看日志
[root@k8s-node1 k8s]# kubectl logs secret-opaque-volume
password
username
可以看到secret把两个key挂载成了两个对应的文件。
2、kubernetes.io/dockerconfigjson
用来docker registry认证,直接使用kubectl create命令创建即可,如下:
[root@k8s-node1 k8s]# kubectl create secret docker-registry dockersecret --docker-server=172.16.10.190 --docker-username=admin --docker-password=admin123 [email protected]
secret/dockersecret created
查看secret
[root@k8s-node1 k8s]# kubectl get secret
NAME TYPE DATA AGE
cluster-admin-dashboard-sa-token-hld8l kubernetes.io/service-account-token 3 11d
default-token-7c9dp kubernetes.io/service-account-token 3 11d
dockersecret kubernetes.io/dockerconfigjson 1 21s
myregistrykey6 kubernetes.io/dockerconfigjson 1 7d5h
mysecret Opaque 2 23m
[root@k8s-node1 k8s]# kubectl describe secret dockersecret
Name: dockersecret
Namespace: default
Labels:
Annotations:
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 128 bytes
[root@k8s-node1 k8s]# kubectl get secret dockersecret -o yaml
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyIxNzIuMTYuMTAuMTkwIjp7InVzZXJuYW1lIjoiYWRtaW4iLCJwYXNzd29yZCI6ImFkbWluMTIzIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLm9yZyIsImF1dGgiOiJZV1J0YVc0NllXUnRhVzR4TWpNPSJ9fX0=
kind: Secret
metadata:
creationTimestamp: "2019-09-02T06:59:49Z"
name: dockersecret
namespace: default
resourceVersion: "1527270"
selfLink: /api/v1/namespaces/default/secrets/dockersecret
uid: 84eeeea8-34c7-432a-ac4c-a6c277b7fbc6
type: kubernetes.io/dockerconfigjson
查看上面的数据的base64解码
[root@k8s-node1 k8s]# echo eyJhdXRocyI6eyIxNzIuMTYuMTAuMTkwIjp7InVzZXJuYW1lIjoiYWRtaW4iLCJwYXNzd29yZCI6ImFkbWluMTIzIiwiZW1haWwiOiJhZG1pbkBleGFtcGxlLm9yZyIsImF1dGgiOiJZV1J0YVc0NllXUnRhVzR4TWpNPSJ9fX0= | base64 -d
{"auths":{"172.16.10.190":{"username":"admin","password":"admin123","email":"[email protected]","auth":"YWRtaW46YWRtaW4xMjM="}}}[root@k8s-node1 k8s]#
3、kubernetes.io/service-account-token
另外一种Secret类型就是kubernetes.io/service-account-token,用于被serviceaccount引用。serviceaccout 创建时 Kubernetes 会默认创建对应的 secret。Pod 如果使用了 serviceaccount,对应的secret会自动挂载到Pod的/run/secrets/kubernetes.io/serviceaccount目录中。
部署dashboard时使用过这种方式
创建一个cluster-admin角色的service account , 和一个clusterrolebinding, 以便访问所有的k8s资源
kubectl create serviceaccount cluster-admin-dashboard-sa
kubectl create clusterrolebinding cluster-admin-dashboard-sa \
--clusterrole=cluster-admin \
--serviceaccount=default:cluster-admin-dashboard-sa
获取token
[root@k8s-node1 tmp]# kubectl get secret | grep cluster-admin-dashboard-sa
cluster-admin-dashboard-sa-token-hld8l kubernetes.io/service-account-token 3 45m
root@k8s-node1 tmp]# kubectl describe secrets/cluster-admin-dashboard-sa-token-hld8l
Name: cluster-admin-dashboard-sa-token-hld8l
Namespace: default
Labels:
Annotations: kubernetes.io/service-account.name: cluster-admin-dashboard-sa
kubernetes.io/service-account.uid: 80ba693e-d03f-4087-a200-d3ab69f89f3f
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNsdXN0ZXItYWRtaW4tZGFzaGJvYXJkLXNhLXRva2VuLWhsZDhsIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImNsdXN0ZXItYWRtaW4tZGFzaGJvYXJkLXNhIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODBiYTY5M2UtZDAzZi00MDg3LWEyMDAtZDNhYjY5Zjg5ZjNmIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6Y2x1c3Rlci1hZG1pbi1kYXNoYm9hcmQtc2EifQ.Ho8tO6L7KWSbxB632DasnoDbBDBLua9L9eJ48tfwmgJJQTLNaOrWP3hxsfGSVSsLuZVlNApYzxziRcdT7xVZ-IcRx2bWV4CF5aV8TcGXToXVQ4ibNlS8Lq6d9kERsx2wIiNj81K6lQk0TsyjbzOsGvAGwxizdWB_eAk1wwJWminuBQWostUBYjhnYE0hmqRijQ62u__MA95cMqS-rw6x2sAirOSwL-68LNLPPMnIcq4hXXrHxdbPLKo3E7KG_V0pH9rlEN6T865EGjQDpk4rcM8av6xw2ek2FcUWKxREGvficllhJWnhlCBdEgpA-YkP4yPziWTmwANlhfVWj_yV5g
4、Secret 与 ConfigMap 对比
最后我们来对比下Secret和ConfigMap这两种资源对象的异同点:
相同点:
key/value的形式
属于某个特定的namespace
可以导出到环境变量
可以通过目录/文件形式挂载
通过 volume 挂载的配置信息均可热更新
不同点:
Secret 可以被 ServerAccount 关联
Secret 可以存储 docker register 的鉴权信息,用在 ImagePullSecret 参数中,用于拉取私有仓库的镜像
Secret 支持 Base64 加密
Secret 分为 kubernetes.io/service-account-token、kubernetes.io/dockerconfigjson、Opaque 三种类型,而 Configmap 不区分类型