Kubernetes (k8s): Secret configuration management

Table of contents

  • 1. Purpose and types of Secret configuration management
  • 2. Checking the volume mount
  • 3. Every namespace has a default serviceaccount object named default
  • 4. Opaque secrets: the value is the base64-encoded data
    • 4.1 Creating a secret from files
    • 4.2 Writing a secret object
    • 4.3 Mounting a secret into a volume
    • 4.4 Mapping secret keys to a specified path
    • 4.5 Setting secrets as environment variables
    • 4.6 kubernetes.io/dockerconfigjson is used to store Docker registry authentication information

1. Purpose and types of Secret configuration management

This volume type is mainly used to store a pod's sensitive information.

  1. The Secret object type is used to hold sensitive information such as passwords, OAuth tokens and SSH keys.

  2. Putting sensitive information in a Secret is safer and more flexible than putting it in a Pod definition or in a container image.

  3. A Pod can use a Secret in two ways:
    as files in a volume mounted into one or more of the pod's containers;
    by the kubelet when it pulls images for the pod.

  4. Secret types
    Service Account: Kubernetes automatically creates a secret containing the credentials for accessing the API and automatically modifies
    pods to use this type of secret.

    Opaque: stores the information base64-encoded; the original data can be recovered with base64 --decode, so it is weak from a security standpoint.

    kubernetes.io/dockerconfigjson: used to store Docker registry authentication information.

When a serviceaccount is created, Kubernetes creates the corresponding secret by default. That secret is automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount.

[kubeadm@server1 configmap]$ kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-jhnhn   kubernetes.io/service-account-token   3      6d1h
[kubeadm@server1 configmap]$ 

2. Checking the volume mount

[kubeadm@server2 cm]$ kubectl run test --image=busybox --restart=Never
pod/test created

[kubeadm@server2 cm]$ kubectl describe pod test 
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-64lq2 (ro)

Volumes:
  default-token-64lq2:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-64lq2
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
[kubeadm@server2 cm]$ kubectl get sa
NAME      SECRETS   AGE
default   1         7d21h

[kubeadm@server2 cm]$ kubectl describe sa default 
Name:                default
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   default-token-64lq2
Tokens:              default-token-64lq2
Events:              <none>
[kubeadm@server2 cm]$ kubectl run test --image=busybox -it
If you don't see a command prompt, try pressing enter.
/ # ls
bin   dev   etc   home  proc  root  sys   tmp   usr   var
/ # cd /var/run/secrets/kubernetes.io/serviceaccount
/var/run/secrets/kubernetes.io/serviceaccount # ls
ca.crt     namespace  token
/var/run/secrets/kubernetes.io/serviceaccount # 

3. Every namespace has a default serviceaccount object named default

[kubeadm@server2 cm]$ kubectl get secret
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      46h
default-token-64lq2   kubernetes.io/service-account-token   3      7d23h
tls-secret            kubernetes.io/tls                     2      46h

The serviceaccount carries a secret (listed under Tokens) that can be mounted into a pod just like a volume. When the pod starts, this secret is automatically mounted at the designated directory inside the pod, and it is used to authenticate the pod's processes when they call the API server.

[kubeadm@server2 cm]$ kubectl get pod -o yaml
volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-64lq2
      readOnly: true

4. Opaque secrets: the value is the base64-encoded data

4.1 Creating a secret from files

An Opaque secret's value is the base64-encoded data.

[kubeadm@server2 cm]$ echo -n 'admin' > ./username.txt
[kubeadm@server2 cm]$ echo -n 'westos' > ./password.txt

[kubeadm@server2 cm]$ cat username.txt 
admin

[kubeadm@server2 cm]$ cat password.txt 
westos
[kubeadm@server2 cm]$ kubectl create secret generic my-secret --from-file=username.txt --from-file=password.txt 
secret/my-secret created

[kubeadm@server2 cm]$ kubectl get secret
NAME                  TYPE                                  DATA   AGE
my-secret             Opaque                                2      6s

[kubeadm@server2 cm]$ kubectl describe secrets my-secret 
Name:         my-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password.txt:  6 bytes
username.txt:  5 bytes
[kubeadm@server2 cm]$ kubectl get secrets my-secret -o yaml
apiVersion: v1
data:
  password.txt: d2VzdG9z
  username.txt: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2020-04-25T12:44:42Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password.txt: {}
        f:username.txt: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-04-25T12:44:42Z"
  name: my-secret
  namespace: default
  resourceVersion: "730162"
  selfLink: /api/v1/namespaces/default/secrets/my-secret
  uid: c018589f-7971-4d84-9a2f-990789344ea1
type: Opaque
[kubeadm@server2 cm]$ echo d2VzdG9z|base64 -d  # decode
westos

If the password contains special characters, escape them with \ and run the following command:
[kubeadm@server2 cm]$ kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password=S\!B\\*d\$zDsb
secret/dev-db-secret created

[kubeadm@server2 cm]$ kubectl get secrets dev-db-secret -o yaml
apiVersion: v1
data:
  password: UyFCXCpkJHpEc2I=
  username: ZGV2dXNlcg==

[kubeadm@server2 cm]$ echo UyFCXCpkJHpEc2I=|base64 -d
S!B\*d$zDsb

4.2 Writing a secret object

[kubeadm@server2 cm]$ echo -n 'admin'|base64
YWRtaW4=

[kubeadm@server2 cm]$ echo -n 'westos'|base64
d2VzdG9z

[kubeadm@server2 cm]$ cat mysecret.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: d2VzdG9z
[kubeadm@server2 cm]$ kubectl apply -f mysecret.yaml 
secret/mysecret created

[kubeadm@server2 cm]$ kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
mysecret              Opaque                                2      13s

[kubeadm@server2 cm]$ kubectl get secrets mysecret -o yaml
apiVersion: v1
data:
  password: d2VzdG9z
  username: YWRtaW4=
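The two echo commands above encode the values by hand, and section 4.1 showed that kubectl get secret -o yaml hands the same base64 back to anyone who is allowed to read the object. The following Python script is an added example, not code from this page: it builds the same Opaque manifest programmatically (as JSON, which kubectl apply accepts) and decodes one, using the page's sample values plus a constructed "admin\n" case that shows the most common hand-encoding mistake, forgetting echo -n.

```python
import base64
import json

# Constructed sample values; the username/password pair is the one used on this page.
PLAIN = {"username": "admin", "password": "westos"}


def b64(value: str) -> str:
    """Standard base64 with padding, as kubectl stores it in Secret.data."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def make_opaque_secret(name: str, plain: dict, namespace: str = "default") -> dict:
    """Build an Opaque Secret manifest. Values are encoded for .data; nothing is encrypted."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: b64(value) for key, value in plain.items()},
    }


def decode_secret(manifest: dict) -> dict:
    """Recover plaintext from a Secret as returned by `kubectl get secret -o yaml`.

    validate=True rejects values that are not well-formed base64 (for example a value
    with missing padding), which catches a hand-written manifest before it is applied.
    """
    plain = {}
    for key, encoded in (manifest.get("data") or {}).items():
        plain[key] = base64.b64decode(encoded, validate=True).decode("utf-8")
    # stringData is the write-only plaintext form; the API server folds it into .data.
    plain.update(manifest.get("stringData") or {})
    return plain


def has_trailing_newline(manifest: dict) -> list:
    """Keys whose value ends in a newline: the signature of `echo 'x' | base64` without -n."""
    return [key for key, value in decode_secret(manifest).items() if value.endswith("\n")]


if __name__ == "__main__":
    manifest = make_opaque_secret("mysecret", PLAIN)
    print(json.dumps(manifest, indent=2))   # can be piped into: kubectl apply -f -
    print(decode_secret(manifest))          # {'username': 'admin', 'password': 'westos'}
```

Because decoding is this trivial, RBAC read access on Secret objects (get, list, watch) is equivalent to access to the plaintext; restrict it to the service accounts and people that actually need it.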

4.3 Mounting a secret into a volume

[kubeadm@server2 secret]$ cat pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
[kubeadm@server2 secret]$ kubectl apply -f pod.yaml 
pod/mysecret created

[kubeadm@server2 secret]$ kubectl get pod
NAME       READY   STATUS    RESTARTS   AGE
mysecret   1/1     Running   0          5s
test       1/1     Running   1          161m

[kubeadm@server2 secret]$ kubectl exec -it mysecret -- sh
# ls
bin  boot  dev	etc  home  lib	lib64  media  mnt  opt	proc  root  run  sbin  secret  srv  sys  tmp  usr  var
# cd secret
# ls
password  username
# cat password
westos# 

4.4 Mapping secret keys to a specified path

[kubeadm@server2 secret]$ cat pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username
[kubeadm@server2 secret]$ kubectl apply -f pod.yaml 
pod/mysecret created

[kubeadm@server2 secret]$ kubectl get pod
NAME       READY   STATUS    RESTARTS   AGE
mysecret   1/1     Running   0          13s

[kubeadm@server2 secret]$ kubectl exec -it mysecret -- bash
root@mysecret:/# cd /secret/
root@mysecret:/secret# ls
my-group
root@mysecret:/secret# cd my-group
root@mysecret:/secret/my-group# ls
my-username
root@mysecret:/secret/my-group# cat my-username 
admin
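Sections 4.3 and 4.4 differ only in the items list of the volume: without it, every key of the secret becomes a file under the mount path, named after the key; with it, only the listed keys appear, at the relative paths given. The function below is an added example, not part of this page, that computes the resulting file tree from a Secret's .data and an optional items list. The two checks on path (it must be relative and must not contain a ".." component) are the ones the API server's validation applies to a key-to-path item, and the volume is read-only in the pod specs above, so the container can read but not rewrite these files.

```python
import base64
from typing import Optional

# Constructed: the .data of the mysecret object created in section 4.2.
MYSECRET_DATA = {"username": "YWRtaW4=", "password": "d2VzdG9z"}


def project_secret_volume(secret_data: dict, items: Optional[list] = None) -> dict:
    """Return {relative file path: plaintext} for a secret volume.

    Without items (section 4.3): one file per key, named after the key.
    With items (section 4.4): only the listed keys, each at item['path'].
    A missing key or an unsafe path raises, as the pod would fail validation or startup.
    """
    def plain(key: str) -> str:
        return base64.b64decode(secret_data[key]).decode("utf-8")

    if items is None:
        return {key: plain(key) for key in secret_data}

    files = {}
    for item in items:
        key = item["key"]
        if key not in secret_data:
            raise KeyError(f"secret has no key {key!r}; the pod would not start")
        path = item["path"]  # required for a key-to-path item
        if path.startswith("/") or ".." in path.split("/"):
            raise ValueError(f"item path {path!r} must be relative and must not contain '..'")
        files[path] = plain(key)
    return files


def tree(files: dict, mount_path: str = "/secret") -> list:
    """Absolute paths the container sees under mountPath, sorted."""
    return sorted(f"{mount_path.rstrip('/')}/{path}" for path in files)


if __name__ == "__main__":
    print(tree(project_secret_volume(MYSECRET_DATA)))
    # ['/secret/password', '/secret/username']
    print(tree(project_secret_volume(MYSECRET_DATA,
                                     [{"key": "username", "path": "my-group/my-username"}])))
    # ['/secret/my-group/my-username']
```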

4.5 Setting secrets as environment variables

[kubeadm@server2 secret]$ cat pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: secret-env
spec:
  containers:
  - name: nginx
    image: nginx
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
[kubeadm@server2 secret]$ kubectl apply -f pod.yaml 
pod/secret-env created
[kubeadm@server2 secret]$ kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
secret-env   1/1     Running   0          17s

[kubeadm@server2 secret]$ kubectl exec -it secret-env -- bash
root@secret-env:/# env
SECRET_USERNAME=admin
SECRET_PASSWORD=westos

Reading a secret through environment variables is convenient, but it does not support dynamic updates of the secret.

4.6 kubernetes.io/dockerconfigjson is used to store Docker registry authentication information

[kubeadm@server2 secret]$ cat pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: game2048
    image: reg.westos.org/westos/game2048
  imagePullSecrets:
    - name: myregistrykey
[kubeadm@server2 secret]$ kubectl create secret docker-registry myregistrykey --docker-server=reg.westos.org --docker-username=zjy --docker-password=Westos+001 --docker-email=941070082@qq.com

[kubeadm@server2 secret]$ kubectl describe secrets myregistrykey
Name:         myregistrykey
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  128 bytes
[kubeadm@server2 secret]$ kubectl get secrets myregistrykey -o yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJyZWcud2VzdG9zLm9yZyI6eyJ1c2VybmFtZSI6InpqeSIsInBhc3N3b3JkIjoiV2VzdG9zKzAwMSIsImVtYWlsIjoiOTQxMDcwMDgyQHFxLmNvbSIsImF1dGgiOiJlbXA1T2xkbGMzUnZjeXN3TURFPSJ9fX0=
kind: Secret

[kubeadm@server2 secret]$ kubectl apply -f pod.yaml 
pod/mypod created

[kubeadm@server2 secret]$ kubectl get pod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          23s
