kubernetes-Secret
Secret
Secret 有三种类型:
Service Account :用来访问 Kubernetes API,由 Kubernetes 自动创建,并且会自动挂载到 Pod 的/run/secrets/kubernetes.io/serviceaccount 目录中
Opaque :以 base64 编码(注意只是编码,不是加密)存储的通用 Secret,用来存储密码、密钥等
kubernetes.io/dockerconfigjson :用来存储私有 docker registry 的认证信息
Secret 解决了密码、token、密钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者 Pod Spec 中。Secret 可以以 Volume 或者环境变量的方式使用
从文件创建secret
创建认证文本文件
[root@server2 configmap]# echo -n 'admin' > ./username.txt
[root@server2 configmap]# echo -n 'westos' > ./password.txt
[root@server2 configmap]# kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
secret/db-user-pass created
[root@server2 configmap]# kubectl get secrets
NAME TYPE DATA AGE
db-user-pass Opaque 2 9s
default-token-pbw6h kubernetes.io/service-account-token 3 6d19h
查看认证信息
[root@server2 configmap]# kubectl describe secrets db-user-pass
Name: db-user-pass
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password.txt: 6 bytes
username.txt: 5 bytes
[root@server2 configmap]#
为了安全,kubectl get 和 kubectl describe 默认不会显示 Secret 的值;但 base64 并非加密,任何对该 Secret 拥有 get 权限的用户都可以通过以下方式查看并还原明文,因此需要用 RBAC 限制对 secrets 资源的读取权限
[root@server2 configmap]# kubectl get secrets db-user-pass -o yaml
apiVersion: v1
data:
password.txt: d2VzdG9z
username.txt: YWRtaW4=
kind: Secret
metadata:
creationTimestamp: "2021-07-31T05:47:20Z"
name: db-user-pass
namespace: default
resourceVersion: "631826"
uid: f467583b-973c-4919-b799-1b9a2b27c618
type: Opaque
对 base64 编码的值进行解码,得到明文(base64 不是加密,无需任何密钥即可还原)
[root@server2 configmap]# echo d2VzdG9z | base64 -d
westos[root@server2 configmap]#
编写secret
[root@server2 configmap]# vim secret.yaml
[root@server2 configmap]# cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4=
password: d2VzdG9z
[root@server2 configmap]# kubectl apply -f secret.yaml
secret/mysecret created
[root@server2 configmap]#
[root@server2 configmap]# kubectl get secret
NAME TYPE DATA AGE
db-user-pass Opaque 2 141m
default-token-pbw6h kubernetes.io/service-account-token 3 6d21h
mysecret Opaque 2 87s
将Secret挂载到Volume中
编写文件,创建
[root@server2 configmap]# cat secret.yaml
apiVersion: v1
kind: Pod
metadata:
name: mysecret
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- name: secrets
mountPath: "/secret"
readOnly: true
volumes:
- name: secrets
secret:
secretName: mysecret
[root@server2 configmap]# vim secret.yaml
[root@server2 configmap]# kubectl apply -f secret.yaml
pod/mysecret created
[root@server2 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mysecret 1/1 Running 0 11s
进入容器查看挂载路径
[root@server2 configmap]# kubectl exec -it mysecret -- bash
root@mysecret:/# ls
bin docker-entrypoint.d home media proc sbin sys var
boot docker-entrypoint.sh lib mnt root secret tmp
dev etc lib64 opt run srv usr
root@mysecret:/# cd secret/
root@mysecret:/secret# ls
password username
root@mysecret:/secret# cat username
adminroot@mysecret:/secret# cat password
westosroot@mysecret:/secret# pwd
/secret
root@mysecret:/secret#
向指定路径映射密钥
[root@server2 configmap]# vim secret.yaml
[root@server2 configmap]# cat secret.yaml
apiVersion: v1
kind: Pod
metadata:
name: mysecret
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- name: secrets
mountPath: "/secret"
readOnly: true
volumes:
- name: secrets
secret:
secretName: mysecret
items:
- key: username
path: my-group/my-username
[root@server2 configmap]# kubectl apply -f secret.yaml
pod/mysecret created
[root@server2 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mysecret 1/1 Running 0 16s
进入容器查看挂载路径
[root@server2 configmap]# kubectl exec -it mysecret -- bash
root@mysecret:/# cd secret/
root@mysecret:/secret# ls
my-group
root@mysecret:/secret# cd my-group
root@mysecret:/secret/my-group# ls
my-username
root@mysecret:/secret/my-group# cat my-username
adminroot@mysecret:/secret/my-group#
将Secret设置为环境变量
[root@server2 configmap]# kubectl delete -f secret.yaml
pod "mysecret" deleted
[root@server2 configmap]# vim secret.yaml
[root@server2 configmap]# cat secret.yaml
apiVersion: v1
kind: Pod
metadata:
name: secret-env
spec:
containers:
- name: nginx
image: nginx
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: mysecret
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password
[root@server2 configmap]# kubectl apply -f secret.yaml
pod/secret-env created
[root@server2 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
secret-env 1/1 Running 0 16s
进入容器查看环境
[root@server2 configmap]# kubectl exec -it secret-env -- bash
root@secret-env:/# env
...
SECRET_PASSWORD=westos
...
通过环境变量读取 Secret 很方便,但不支持 Secret 动态更新(Pod 需要重建才能拿到新值);此外环境变量会被容器内所有子进程继承,也容易随 env 输出、日志或崩溃信息泄露,敏感数据更推荐以只读 Volume 方式挂载
存储docker registry的认证信息
创建类型为 docker-registry 的 Secret(注意:下面把密码直接写在命令行参数中,会留在 shell 历史和进程列表里;生产环境建议改用 --from-file 从已登录的 docker 配置文件创建,并在操作后清理历史记录)
[root@server2 configmap]# kubectl create secret docker-registry myregistrykey --docker-server=hyl.westos.org --docker-username=admin --docker-password=westos --docker-email=yakexi007@westos.org
secret/myregistrykey created
[root@server2 configmap]# kubectl get secrets
NAME TYPE DATA AGE
myregistrykey kubernetes.io/dockerconfigjson 1 36s
编写registry.yaml,拉取仓库中的镜像
[root@server2 configmap]# vim registry.yaml
[root@server2 configmap]# cat registry.yaml
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: perl
image: reg.westos.org/library/perl
imagePullSecrets:
- name: myregistrykey
[root@server2 configmap]# kubectl apply -f registry.yaml
pod/mypod created
[root@server2 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mypod 0/1 ContainerCreating 0 6s
查看 Pod 的详细信息,可以看到镜像已通过该凭据成功拉取(Events 中有 Pulled 记录);Pod 之所以处于 CrashLoopBackOff,从 Last State 的 Reason: Completed、Exit Code: 0 来看应是 perl 容器启动后立即正常退出,而非拉取或认证失败
[root@server2 configmap]# kubectl describe pod mypod
Name: mypod
Namespace: default
Priority: 0
Node: server3/172.25.12.3
Start Time: Sat, 31 Jul 2021 04:41:48 -0400
Labels: <none>
Annotations: cni.projectcalico.org/podIP: 10.244.141.226/32
cni.projectcalico.org/podIPs: 10.244.141.226/32
Status: Running
IP: 10.244.141.226
IPs:
IP: 10.244.141.226
Containers:
perl:
Container ID: docker://6e11dbffb75f37ce4aba8a90cb7d756e860ae16daab6980811cef65d7945e160
Image: reg.westos.org/library/perl
Image ID: docker-pullable://reg.westos.org/library/perl@sha256:0245ddad7966262b2df36c6e7effb406b6eee45c1d7cb654097b574bf51e70b5
Port: <none>
Host Port: <none>
State: Waiting
Reason: CrashLoopBackOff
Last State: Terminated
Reason: Completed
Exit Code: 0
Started: Sat, 31 Jul 2021 04:44:48 -0400
Finished: Sat, 31 Jul 2021 04:44:48 -0400
Ready: False
Restart Count: 4
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-qfmn2 (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
kube-api-access-qfmn2:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 3m31s default-scheduler Successfully assigned default/mypod to server3
Normal Pulled 118s kubelet Successfully pulled image "reg.westos.org/library/perl" in 1m30.671959322s
Normal Pulling 2m5s (x5 over 5m2s) kubelet Pulling image "reg.westos.org/library/perl"
Normal Created 73s (x4 over 117s) kubelet Created container perl
Normal Started 72s (x4 over 116s) kubelet Started container perl