k8s密码管理

1、明文创建mysql pod(不安全):密码直接写在 YAML 的 env.value 中,会随清单文件进入版本库,并且任何能执行 kubectl get pod mysql -o yaml 或 kubectl describe pod mysql 的人都能直接看到 root123

[root@vms20 ~]# docker pull hub.c.163.com/library/mysql
[root@vms10 chap5-secrets]# cat mysql.yaml
# INSECURE baseline: the MySQL root password is a literal in the manifest, so it
# lives in version control and is printed by `kubectl get pod mysql -o yaml`.
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  containers:
  # Untagged image reference resolves to `latest`; pin a tag or digest so the
  # deployed image is reproducible and auditable.
  - image: hub.c.163.com/library/mysql
    imagePullPolicy: IfNotPresent
    name: mysql
    env:
    # Plaintext credential -- compare with the secretKeyRef form used later
    # in this page (mysqlBySecret.yaml).
    - name: MYSQL_ROOT_PASSWORD
      value: root123
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}


[root@vms10 chap5-secrets]# kubectl apply -f mysql.yaml
pod/mysql created
[root@vms10 chap5-secrets]# kubectl get node
NAME            STATUS   ROLES                  AGE   VERSION
vms10.rhce.cc   Ready    control-plane,master   12d   v1.22.4
vms20.rhce.cc   Ready                     12d   v1.22.4
vms30.rhce.cc   Ready                     12d   v1.22.4
[root@vms10 chap5-secrets]# kubectl get pod -owide
NAME    READY   STATUS    RESTARTS       AGE   IP              NODE            NOMINATED NODE   READINESS GATES
mysql   1/1     Running   0              9s    10.244.71.151   vms20.rhce.cc              
pod1    2/2     Running   1 (6m3s ago)   89m   10.244.126.50   vms30.rhce.cc              
[root@vms10 chap5-secrets]# mysql -uroot -proot123 -h10.244.71.151
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

2、三种secret类型

kubernetes.io/service-account-token:service account 的令牌。注意下面“创建 sa 自动生成 secret”是 v1.22 的行为(见上面 kubectl get node 的版本);从 v1.24 起创建 sa 不再自动生成这种 secret,pod 改用投射卷(projected token)获取短期令牌。

[root@vms10 chap5-secrets]# kubectl create sa sa1
serviceaccount/sa1 created
[root@vms10 chap5-secrets]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-t48tw   kubernetes.io/service-account-token   3      24h
sa1-token-x8c8w       kubernetes.io/service-account-token   3      2s
[root@vms10 chap5-secrets]# kubectl delete sa sa1
serviceaccount "sa1" deleted

假设创建了一个pod,使用了harbor里面的镜像,但是harbor没有开启匿名(不能匿名拉取)

这时就需要创建secret,里面包括harbor用户和密码

kubernetes.io/dockerconfigjson:用来存储私有 docker registry(如 harbor)的认证信息,kubelet 拉取镜像时通过 pod 的 imagePullSecrets 引用它。

创建 harbor 密钥(注意:--docker-password 直接写在命令行会留在 shell 历史记录和进程列表中,生产环境建议改用 --from-file=.dockerconfigjson=<docker config 文件> 创建)

[root@vms10 ~]# kubectl create secret docker-registry mydocker-secret --docker-server=192.168.26.10 --docker-username=admin --docker-password=Harbor12345
secret/mydocker-secret created

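apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  # imagePullSecrets is a list of references; the original mapping form
  # (`imagePullSecrets:` followed by an indented `name:`) fails API validation.
  imagePullSecrets:
  - name: mydocker-secret
  containers:
  # NOTE: mydocker-secret was created for --docker-server=192.168.26.10, so it
  # is only consulted when the image reference points at that registry. A bare
  # `nginx` resolves to Docker Hub, where this secret is never used -- for the
  # Harbor scenario described above the image should be
  # 192.168.26.10/<project>/<image>.
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: nginx1
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}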

 Opaque:base64编码格式的Secret,用来存储密码、密钥等;但数据通过 base64 --decode 即可还原出原始内容,所以这只是编码而不是加密。Secret 的保护依赖于 RBAC(限制谁能 get/list secrets)以及为 etcd 开启静态加密(EncryptionConfiguration),否则任何有 API 读权限或 etcd 访问权限的人都能拿到明文。

 1、命令行创建secret(注意:--from-literal 的值会留在 shell 历史记录中,生产环境建议用 --from-file 或 --from-env-file 从受限权限的文件读取)

[root@vms10 chap5-secrets]# kubectl create secret generic mysec1 --from-literal=myuser=admin --from-literal=mypass=Harbor12345
secret/mysec1 created
[root@vms10 chap5-secrets]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-t48tw   kubernetes.io/service-account-token   3      25h
mydocker-secret       kubernetes.io/dockerconfigjson        1      11m
mysec1                Opaque                                2      6s


[root@vms10 chap5-secrets]# kubectl describe secret mysec1
Name:         mysec1
Namespace:    chap4-volume
Labels:       
Annotations:  

Type:  Opaque

Data
====
myuser:  5 bytes
mypass:  11 bytes

# 编码后
[root@vms10 chap5-secrets]# kubectl get secrets mysec1 -o yaml
apiVersion: v1
data:
  mypass: SGFyYm9yMTIzNDU=
  myuser: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2022-03-22T11:52:19Z"
  name: mysec1
  namespace: chap4-volume
  resourceVersion: "235456"
  selfLink: /api/v1/namespaces/chap4-volume/secrets/mysec1
  uid: 261a5f7a-debd-444c-a465-9e0652c6ffd7
type: Opaque

# 解码
[root@vms10 chap5-secrets]# echo SGFyYm9yMTIzNDU= | base64 -d
Harbor12345

[root@vms10 chap5-secrets]# kubectl get secret mysec1 -o jsonpath='{.data.mypass}' |base64 -d
Harbor12345

2、file创建secret(键=文件的basename)

[root@vms10 chap5-secrets]# kubectl create secret generic mysec2 --from-file=/etc/hosts --from-file=/etc/issue
secret/mysec2 created

[root@vms10 chap5-secrets]# kubectl describe secret mysec2
Name:         mysec2
Namespace:    chap4-volume
Labels:       
Annotations:  

Type:  Opaque

Data
====
hosts:  260 bytes
issue:  37 bytes


[root@vms10 chap5-secrets]# kubectl get secret mysec2 -o jsonpath='{.data.hosts}' | base64 -d
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.10 vms10.rhce.cc vms10
192.168.26.20 vms10.rhce.cc vms20
192.168.26.30 vms10.rhce.cc vms30
[root@vms10 chap5-secrets]# cat env.txt
user=root
password=root123

[root@vms10 chap5-secrets]# kubectl create secret generic mysecret3 --from-env-file=env.txt

[root@vms10 chap5-secrets]# kubectl get secret
mysecret3             Opaque                                2      2m38s


[root@vms10 chap5-secrets]# kubectl get secret mysecret3 -o yaml
apiVersion: v1
data:
  password: cm9vdDEyMw==
  user: cm9vdA==
kind: Secret
metadata:
  creationTimestamp: "2022-03-22T11:59:09Z"
  name: mysecret3
  namespace: chap4-volume
  resourceVersion: "236259"
  selfLink: /api/v1/namespaces/chap4-volume/secrets/mysecret3
  uid: 6a333929-3ecf-4fc2-821a-f00e1ec3e87b
type: Opaque

[root@vms10 chap5-secrets]# echo cm9vdDEyMw== | base64 -d
root123

3、使用secret

以变量的方式

[root@vms10 chap5-secrets]# kubectl create secret generic mysec  --from-literal=mysql_root_password=root123
secret/mysec created

[root@vms10 chap5-secrets]# vim mysqlBySecret.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  containers:
  # Untagged image reference resolves to `latest`; pin a tag or digest so the
  # deployed image is reproducible and auditable.
  - image: hub.c.163.com/library/mysql
    imagePullPolicy: IfNotPresent
    name: mysql
    env:
    # The password is read from Secret `mysec` (key mysql_root_password)
    # instead of being written into the manifest. It is still exposed as a
    # plain environment variable inside the container: readable from
    # /proc/<pid>/environ, inherited by child processes, and easy to leak if
    # the application dumps its environment to logs. Mounting the secret as
    # a volume (mysqlBySecret2.yaml) avoids most of that.
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysec
          key: mysql_root_password
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

[root@vms10 chap5-secrets]# kubectl apply -f mysqlBySecret.yaml


[root@vms10 chap5-secrets]# kubectl get pod -owide
NAME    READY   STATUS    RESTARTS   AGE     IP              NODE            NOMINATED NODE   READINESS GATES
mysql   1/1     Running   0          5m14s   10.244.126.51   vms30.rhce.cc              

[root@vms10 chap5-secrets]# mysql -h 10.244.126.51 -uroot -proot123
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

以卷的方式

[root@vms10 chap5-secrets]# kubectl describe secrets mysec
Name:         mysec
Namespace:    chap4-volume
Labels:       
Annotations:  

Type:  Opaque

Data
====
mysql_root_password:  7 bytes

[root@vms10 chap5-secrets]# cat mysqlBySecret2.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  volumes:
  # Secret `mysec` is projected as one file per key (/data/mysql_root_password).
  # Files default to mode 0644; add `defaultMode: 0400` under `secret:` if the
  # value should be readable only by the container's primary user.
  - name: v1
    secret:
      secretName: mysec
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: c1
    resources: {}
    volumeMounts:
    - name: v1
      mountPath: /data
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

[root@vms10 chap5-secrets]# kubectl exec -it nginx -- bash

root@nginx:/# cat /data/mysql_root_password
root123

3、configMap

创建configMap

[root@vms10 chap5-secrets]# kubectl get configmap
NAME               DATA   AGE
kube-root-ca.crt   1      44h

# 根据变量创建
[root@vms10 chap5-secrets]# kubectl create cm mycm1 --from-literal=user=root --from-literal=password=root123
configmap/mycm1 created

# 根据文件创建
[root@vms10 chap5-secrets]# kubectl create cm mycm2 --from-file=/etc/hosts --from-file=/etc/issue
configmap/mycm2 created


# 查看configMap(注意:describe 直接以明文打印出全部内容,包括下面的 password=root123)
[root@vms10 chap5-secrets]# kubectl describe cm mycm1
Name:         mycm1
Namespace:    chap4-volume
Labels:       
Annotations:  

Data
====
password:
----
root123
user:
----
root

BinaryData
====

Events:  
[root@vms10 chap5-secrets]# kubectl describe cm mycm2
Name:         mycm2
Namespace:    chap4-volume
Labels:       
Annotations:  

Data
====
hosts:
----
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.10 vms10.rhce.cc vms10
192.168.26.20 vms10.rhce.cc vms20
192.168.26.30 vms10.rhce.cc vms30

issue:
----
\S
Kernel \r on an \m

192.168.26.10


BinaryData
====

Events:  

使用configMap(常用于映射配置文件)。注意:ConfigMap 不是用来存放密码的,其内容以明文存储,任何有 get configmaps 权限的人都能直接看到(上面 describe cm mycm1 已经原样打印出 root123);下面用 configMapKeyRef 传 MYSQL_ROOT_PASSWORD 仅用于演示,实际应使用 secret。

变量

[root@vms10 chap5-secrets]# cat configMap.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  containers:
  - image: hub.c.163.com/library/mysql
    imagePullPolicy: IfNotPresent
    name: mysql
    env:
    # Demonstration of configMapKeyRef only. A ConfigMap is NOT a place for
    # credentials: its data is stored in plain text and `kubectl describe cm
    # mycm1` above prints root123 verbatim. Use a Secret (secretKeyRef) for
    # MYSQL_ROOT_PASSWORD in anything beyond a lab.
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        configMapKeyRef:
          name: mycm1
          key: password
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}


[root@vms10 chap5-secrets]# kubectl get pod -owide
NAME    READY   STATUS    RESTARTS   AGE   IP              NODE            NOMINATED NODE   READINESS GATES
mysql   1/1     Running   0          53s   10.244.71.156   vms20.rhce.cc              
[root@vms10 chap5-secrets]# mysql -h10.244.71.156 -uroot -proot123
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

挂载卷

[root@vms10 chap5-secrets]# cat configMap2.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  volumes:
  # ConfigMap `mycm2` is projected as one file per key (/data/hosts,
  # /data/issue). Because this is a plain volume mount (no subPath), edits to
  # the ConfigMap are eventually synced into the container by the kubelet.
  - name: v1
    configMap:
      name: mycm2
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: c1
    resources: {}
    volumeMounts:
    - name: v1
      mountPath: /data
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

[root@vms10 chap5-secrets]# kubectl exec -it nginx -- bash
root@nginx:/# ls /data/
hosts  issue
root@nginx:/# cat /data/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.10 vms10.rhce.cc vms10
192.168.26.20 vms10.rhce.cc vms20
192.168.26.30 vms10.rhce.cc vms30

常见用法:以变量的方式引用secret,以卷的方式引用configMap。注意:以环境变量注入 secret 时,值会出现在容器进程环境(/proc/&lt;pid&gt;/environ)中并被子进程继承,应用打印环境到日志时也容易泄露,而且 secret 更新后环境变量不会刷新;以卷方式挂载的 secret(非 subPath)会由 kubelet 定期同步,泄露面也更小,官方更推荐这种方式。

将nginx配置文件设置成configMap,在pod中引用该配置文件

[root@vms10 chap5-secrets]# kubectl create cm nginx.conf --from-file=nginx.conf
configmap/nginx.conf created
[root@vms10 chap5-secrets]# kubectl get cm
NAME               DATA   AGE
kube-root-ca.crt   1      45h
mycm1              2      35m
mycm2              2      33m
nginx.conf         1      20s


[root@vms10 chap5-secrets]# cat configMap3.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  volumes:
  - name: v1
    configMap:
      name: nginx.conf
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: c1
    resources: {}
    volumeMounts:
    - name: v1
      mountPath: /etc/nginx/nginx.conf
# Without subPath the whole ConfigMap would be mounted as a directory at
# /etc/nginx/nginx.conf, shadowing the image's file. With subPath only the
# single key is mounted as a file -- but a subPath mount does NOT receive
# ConfigMap updates, which is why the pod has to be recreated after
# `kubectl edit cm nginx.conf` below.
      subPath: nginx.conf 
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

修改配置文件,并使pod生效

[root@vms10 chap5-secrets]# kubectl edit cm nginx.conf
configmap/nginx.conf edited

# 删除pod再重新创建(通过 subPath 挂载的 ConfigMap 不会自动接收更新,所以必须重建 pod;--force 会跳过优雅终止直接从 API 中移除 pod,仅建议在实验环境使用,正常情况下普通 delete 即可)

[root@vms10 chap5-secrets]# kubectl delete pod nginx --force
pod "nginx" force deleted

[root@vms10 chap5-secrets]# kubectl apply -f configMap3.yaml
pod/nginx created
