企业运维----Docker-kubernetes-Secret配置管理

kubernetes-Secret


Secret

Secret 有三种类型:

Service Account :用来访问 Kubernetes API,由 Kubernetes 自动创建,并且会自动挂载到 Pod 的/run/secrets/kubernetes.io/serviceaccount  目录中

Opaque :以 base64 编码存放数据的 Secret,用来存储密码、密钥等(base64 只是编码,不是加密,拥有读取权限的人可以直接解码)

kubernetes.io/dockerconfigjson :用来存储私有 docker registry 的认证信息

Secret 解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者 Pod Spec 中。Secret 可以以 Volume 或者环境变量的方式使用

从文件创建secret

创建认证文本文件

[root@server2 configmap]# echo -n 'admin' > ./username.txt
[root@server2 configmap]# echo -n 'westos' > ./password.txt
[root@server2 configmap]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret/db-user-pass created
[root@server2 configmap]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      9s
default-token-pbw6h   kubernetes.io/service-account-token   3      6d19h

查看认证信息

[root@server2 configmap]# kubectl describe secrets db-user-pass
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password.txt:  6 bytes
username.txt:  5 bytes
[root@server2 configmap]# 

为了安全,kubectl get 和 kubectl describe 默认不会显示密码内容,可以通过 -o yaml 输出 base64 编码后的数据来查看

[root@server2 configmap]# kubectl get secrets db-user-pass -o yaml
apiVersion: v1
data:
  password.txt: d2VzdG9z
  username.txt: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2021-07-31T05:47:20Z"
  name: db-user-pass
  namespace: default
  resourceVersion: "631826"
  uid: f467583b-973c-4919-b799-1b9a2b27c618
type: Opaque

对 base64 编码的数据解码,查看明文(注意这只是解码,不是解密)

[root@server2 configmap]# echo d2VzdG9z | base64 -d
westos[root@server2 configmap]# 

编写secret

[root@server2 configmap]# vim secret.yaml
[root@server2 configmap]# cat secret.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: d2VzdG9z

[root@server2 configmap]# kubectl apply -f secret.yaml
secret/mysecret created
[root@server2 configmap]# 
[root@server2 configmap]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      141m
default-token-pbw6h   kubernetes.io/service-account-token   3      6d21h
mysecret              Opaque                                2      87s

将Secret挂载到Volume中

编写文件,创建

[root@server2 configmap]# cat secret.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret

[root@server2 configmap]# vim secret.yaml 
[root@server2 configmap]# kubectl apply -f secret.yaml
pod/mysecret created
[root@server2 configmap]# kubectl get pod
NAME                                READY   STATUS      RESTARTS   AGE
mysecret                            1/1     Running     0          11s

进入容器查看挂载路径

[root@server2 configmap]# kubectl exec -it mysecret -- bash
root@mysecret:/# ls
bin   docker-entrypoint.d   home   media  proc	sbin	sys  var
boot  docker-entrypoint.sh  lib    mnt	  root	secret	tmp
dev   etc		    lib64  opt	  run	srv	usr
root@mysecret:/# cd secret/
root@mysecret:/secret# ls
password  username
root@mysecret:/secret# cat username 
adminroot@mysecret:/secret# cat password 
westosroot@mysecret:/secret# pwd
/secret
root@mysecret:/secret# 
向指定路径映射密钥
[root@server2 configmap]# vim secret.yaml 
[root@server2 configmap]# cat secret.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: mysecret
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets
      mountPath: "/secret"
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username
[root@server2 configmap]# kubectl apply -f secret.yaml
pod/mysecret created
[root@server2 configmap]# kubectl get pod
NAME                                READY   STATUS      RESTARTS   AGE
mysecret                            1/1     Running     0          16s

进入容器查看挂载路径

[root@server2 configmap]# kubectl exec -it  mysecret -- bash
root@mysecret:/# cd secret/
root@mysecret:/secret# ls
my-group
root@mysecret:/secret# cd my-group
root@mysecret:/secret/my-group# ls
my-username
root@mysecret:/secret/my-group# cat my-username 
adminroot@mysecret:/secret/my-group# 

将Secret设置为环境变量
[root@server2 configmap]# kubectl delete -f secret.yaml 
pod "mysecret" deleted
[root@server2 configmap]# vim secret.yaml 
[root@server2 configmap]# cat secret.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: secret-env
spec:
  containers:
  - name: nginx
    image: nginx
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password

[root@server2 configmap]# kubectl apply -f secret.yaml 
pod/secret-env created
[root@server2 configmap]# kubectl get pod
NAME                                READY   STATUS      RESTARTS   AGE
secret-env                          1/1     Running     0          16s

进入容器查看环境

[root@server2 configmap]# kubectl exec -it  secret-env -- bash
root@secret-env:/# env

...
SECRET_PASSWORD=westos
...

通过环境变量读取 Secret 很方便,但不支持 Secret 动态更新;另外 env 命令会把密码直接打印出来,注意不要把这类输出写入日志

存储docker registry的认证信息

创建 Secret 的类型为 docker-registry(注意:通过 --docker-password 在命令行传入的密码会留在 shell 历史和进程列表中)

[root@server2 configmap]# kubectl create secret docker-registry myregistrykey --docker-server=hyl.westos.org --docker-username=admin --docker-password=westos --docker-email=yakexi007@westos.org
secret/myregistrykey created
[root@server2 configmap]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
myregistrykey         kubernetes.io/dockerconfigjson        1      36s

编写registry.yaml,拉取仓库中的镜像

[root@server2 configmap]# vim registry.yaml
[root@server2 configmap]# cat registry.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: perl
      image: reg.westos.org/library/perl
  imagePullSecrets:
    - name: myregistrykey
    
[root@server2 configmap]# kubectl apply -f registry.yaml 
pod/mypod created
[root@server2 configmap]# kubectl get pod
NAME                                READY   STATUS              RESTARTS   AGE
mypod                               0/1     ContainerCreating   0          6s

查看 pod 详细信息,从 Events 中的 Pulled 可以看到镜像已通过认证成功拉取;下面容器状态为 CrashLoopBackOff 是因为容器启动后立即以退出码 0 结束(Completed)而被反复重启,与镜像拉取认证无关

[root@server2 configmap]# kubectl describe pod mypod
Name:         mypod
Namespace:    default
Priority:     0
Node:         server3/172.25.12.3
Start Time:   Sat, 31 Jul 2021 04:41:48 -0400
Labels:       <none>
Annotations:  cni.projectcalico.org/podIP: 10.244.141.226/32
              cni.projectcalico.org/podIPs: 10.244.141.226/32
Status:       Running
IP:           10.244.141.226
IPs:
  IP:  10.244.141.226
Containers:
  perl:
    Container ID:   docker://6e11dbffb75f37ce4aba8a90cb7d756e860ae16daab6980811cef65d7945e160
    Image:          reg.westos.org/library/perl
    Image ID:       docker-pullable://reg.westos.org/library/perl@sha256:0245ddad7966262b2df36c6e7effb406b6eee45c1d7cb654097b574bf51e70b5
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sat, 31 Jul 2021 04:44:48 -0400
      Finished:     Sat, 31 Jul 2021 04:44:48 -0400
    Ready:          False
    Restart Count:  4
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-qfmn2 (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  kube-api-access-qfmn2:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                  From               Message
  ----     ------     ----                 ----               -------
  Normal   Scheduled  3m31s                default-scheduler  Successfully assigned default/mypod to server3
  Normal   Pulled     118s                 kubelet            Successfully pulled image "reg.westos.org/library/perl" in 1m30.671959322s
  Normal   Pulling    2m5s (x5 over 5m2s)    kubelet            Pulling image "reg.westos.org/library/perl"
  Normal   Created    73s (x4 over 117s)   kubelet            Created container perl
  Normal   Started    72s (x4 over 116s)   kubelet            Started container perl


