k8s secret experiments.
Note: this article is the author's experiment log, not a tutorial.
Environment
# kubectl get node
NAME STATUS ROLES AGE VERSION
edge-node Ready <none> 15m v1.17.0
edge-node2 Ready <none> 16m v1.17.0
ubuntu Ready master 67d v1.17.0
secret
There are three types of Secret:
- Opaque: a Secret in base64-encoded form, used to store passwords, keys and the like; the original data can be recovered with `base64 --decode`, so the protection is very weak.
- kubernetes.io/dockerconfigjson: used to store authentication information for a private docker registry.
- kubernetes.io/service-account-token: referenced by a serviceaccount; when a serviceaccount is created, Kubernetes creates the corresponding secret by default. If a Pod uses the serviceaccount, the corresponding secret is automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount.
Technical summary
It seems the sensitive text can still be decoded; how is this useful in practice?
Specify on the command line
kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password=S\!B\\*d\$zDsb
Note: special characters (such as $, \, * and !) must be escaped with \. The password here is S!B\*d$zDsb.
Create from files
echo -n 'admin' > ./username.txt
echo -n '1f2d1e2e67df' > ./password.txt
Create:
kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
kubectl get secrets
Output
NAME TYPE DATA AGE
db-user-pass Opaque 2 26s
default-token-5qgw2 kubernetes.io/service-account-token 3 70d
View details:
kubectl describe secrets/db-user-pass
Decode the secret:
kubectl get secret db-user-pass -o yaml
Output:
data:
  password.txt: MWYyZDFlMmU2N2Rm
  username.txt: YWRtaW4=
kind: Secret
Decode the base64:
echo 'YWRtaW4=' | base64 --decode
admin
Configuration file
echo -n 'admin' | base64
YWRtaW4=
echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
The secret.yaml file:
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
Create:
kubectl apply -f secret.yaml
Edit:
kubectl edit secrets mysecret
Mount the secret into a pod, busybox-pod.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
Create, inspect, delete:
kubectl apply -f busybox-pod.yaml
kubectl exec -it busybox-pod -- cat /etc/foo/username
kubectl delete -f busybox-pod.yaml
Environment-variable approach, busybox-pod1.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
Create, inspect, delete:
kubectl apply -f busybox-pod1.yaml
kubectl exec -it busybox-pod -- env
kubectl delete -f busybox-pod1.yaml
TODO: move the other files
kubernetes.io/service-account-token
View the current serviceAccount:
# kubectl get serviceAccounts // or kubectl get sa
NAME SECRETS AGE
default 1 75d
Every pod has a default secret; view the serviceaccount of the pod running above:
# kubectl get pod busybox-pod -o yaml | grep serviceAccountName
serviceAccountName: default
# kubectl describe pod busybox-pod | grep SecretName
SecretName: mysecret
SecretName: default-token-5qgw2
# kubectl get secret // view the system default secret
NAME TYPE DATA AGE
default-token-5qgw2 kubernetes.io/service-account-token 3 75d
serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: null
  name: mysa
Create:
kubectl apply -f serviceaccount.yaml
View:
kubectl get sa mysa -o yaml
kubectl describe sa mysa
View the secret:
kubectl get secret
NAME TYPE DATA AGE
default-token-5qgw2 kubernetes.io/service-account-token 3 75d
mysa-token-dkt5p kubernetes.io/service-account-token 3 2m50s
Delete the pod above and create a new one that uses the new sa:
apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
  serviceAccountName: mysa
Create:
kubectl apply -f busybox-pod.yaml
kubectl describe pod busybox-pod
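Pulling the experiments above together, as an added example that is not part of the original log: a small Python script, working on constructed copies of the mysecret manifest and the two busybox pod specs, that decodes the Opaque data (which is why the sensitive text can always be read back) and lists every Secret a pod spec can reach, whether by secret volume, env secretKeyRef, envFrom, imagePullSecrets or the auto-mounted service-account token that `kubectl describe pod | grep SecretName` showed alongside mysecret. The token entry is a placeholder named after the serviceaccount, since the concrete token Secret is picked by the controller.

```python
import base64

# Constructed copies of this page's mysecret and the two busybox pod specs
# (volume-mount and env-var variants); not output captured from a cluster.
SECRET = {"kind": "Secret", "type": "Opaque", "metadata": {"name": "mysecret"},
          "data": {"username": "YWRtaW4=", "password": "MWYyZDFlMmU2N2Rm"}}
POD_VOLUME = {"kind": "Pod", "metadata": {"name": "busybox-pod"}, "spec": {
    "containers": [{"name": "busybox-pod", "image": "latelee/busybox",
                    "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo", "readOnly": True}]}],
    "volumes": [{"name": "foo", "secret": {"secretName": "mysecret"}}],
    "serviceAccountName": "mysa"}}
POD_ENV = {"kind": "Pod", "metadata": {"name": "busybox-pod"}, "spec": {
    "containers": [{"name": "busybox-pod", "image": "latelee/busybox", "env": [
        {"name": "SECRET_USERNAME", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
        {"name": "SECRET_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}}]}]}}


def decode_opaque(secret):
    """Recover the plaintext of an Opaque Secret: `data` is base64, not encryption."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def secret_refs(pod):
    """Every Secret a Pod can read and the path it arrives by: secret volumes, env
    secretKeyRef, envFrom secretRef, imagePullSecrets and the auto-mounted SA token."""
    spec = pod["spec"]
    refs = set()
    for v in spec.get("volumes", []):
        if "secret" in v:
            refs.add((v["secret"]["secretName"], "volume " + v["name"]))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                refs.add((ref["name"], "env " + e["name"]))
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                refs.add((ef["secretRef"]["name"], "envFrom"))
    for ips in spec.get("imagePullSecrets", []):
        refs.add((ips["name"], "imagePullSecret"))
    if spec.get("automountServiceAccountToken", True):
        # Placeholder: the real token Secret (e.g. mysa-token-xxxxx) is created by the controller.
        sa = spec.get("serviceAccountName", "default")
        refs.add(("<token of serviceaccount %s>" % sa, "serviceaccount token"))
    return sorted(refs)


if __name__ == "__main__":
    print(decode_opaque(SECRET))
    for pod in (POD_VOLUME, POD_ENV):
        print(pod["metadata"]["name"], secret_refs(pod))
```

Secrets injected as env vars show up in `kubectl exec ... env` for anyone who can exec into the pod; the volume form keeps them on a read-only tmpfs mount instead.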