Kubernetes-密码管理

目录

  1. 问题
  2. secret
  3. configmap

前提：敏感数据不应直接写在 yaml 中，而应保存在 k8s 集群里——用户定义的密码放进 Secret，非敏感配置放 ConfigMap。
注意：Secret 只是把明文做 base64 编码，并不是加密。任何有权限读取该 Secret 的人（例如 `kubectl get secret -o yaml`）都能直接解码，所以还需要用 RBAC 限制谁能读 Secret，并为 etcd 开启静态加密，Secret 才算真正受保护。

  • 问题
trnuser@k8s:~/pod$ cat wordpress-mysql.yml 
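---
apiVersion: v1
kind: Service
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  ports:
    - port: 3306
  selector:
    app: wordpress
    tier: mysql
  # Headless service: DNS returns the pod IP directly instead of a virtual IP.
  clusterIP: None
---
apiVersion: apps/v1 # for k8s versions before 1.9.0 use apps/v1beta2  and before 1.8.0 use extensions/v1beta1
kind: Deployment
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  # A single PVC backs /var/lib/mysql below. Two MySQL instances cannot share
  # one data directory (the second fails to lock it), so keep this at 1.
  replicas: 1
  selector:
    matchLabels:
      app: wordpress
      tier: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wordpress
        tier: mysql
    spec:
      containers:
      - image: mysql:5.7
        name: mysql
        env:
        - name: MYSQL_ROOT_PASSWORD
          # PROBLEM this page illustrates: the root password is committed in
          # plaintext with the manifest. Anyone who can read this file, the
          # repository it lives in, or `kubectl get deploy -o yaml` has it.
          # The fix is the secretKeyRef form kept (commented) below.
          value: redhat
          #valueFrom:
          # secretKeyRef:
          #    name: mysql
          #    key: mysql-password
        livenessProbe:
          tcpSocket:
            port: 3306
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
      # `volumes` belongs to the pod spec (a sibling of `containers`), not to
      # the container, and `claimName` must be nested under
      # persistentVolumeClaim; the original had both mis-indented.
      # The PVC mysql-pv-claim must exist before the pod can be scheduled.
      volumes:
      - name: mysql-persistent-storage
        persistentVolumeClaim:
          claimName: mysql-pv-claim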
  • 解决方案: 将密码保存到secret中
trnuser@k8s:~/pod$ kubectl api-resources | grep secret
secrets                                                                       true         Secret
trnuser@k8s:~/pod$ kubectl api-resources | grep configmap
configmaps                        cm                                          true         ConfigMap
trnuser@k8s:~/pod$ 
  • secret
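# Creates Secret `mysql` with key `mysql-password` (the same object the
# commands below inspect). The value is prompted for and passed over stdin
# instead of --from-literal=mysql-password=redhat, so the password never lands
# in shell history or in the argument list other users can see with `ps`.
# Add `-n secret` if that namespace (used by the later kubectl describe/get)
# is not already the current context's namespace.
read -rsp 'mysql-password: ' MYSQL_ROOT_PW; echo
printf '%s' "$MYSQL_ROOT_PW" | kubectl create secret generic mysql --from-file=mysql-password=/dev/stdin
unset MYSQL_ROOT_PW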
  • 查看密码
trnuser@k8s:~/pod$ kubectl describe secrets mysql -n secret
Name:         mysql
Namespace:    secret
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
mysql-password:  6 bytes

-----------------
trnuser@k8s:~/pod$ kubectl get secrets mysql -n secret -o yaml
apiVersion: v1
data:
  mysql-password: cmVkaGF0
kind: Secret
metadata:
  creationTimestamp: "2021-03-01T07:00:49Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:mysql-password: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2021-03-01T07:00:49Z"
  name: mysql
  namespace: secret
  resourceVersion: "1304905"
  selfLink: /api/v1/namespaces/secret/secrets/mysql
  uid: ce213f79-3759-4d38-9c7d-da41f8fe1d83
type: Opaque
  • 解码secret
# No key is needed to decode: base64 is an encoding, not encryption. Anyone with
# RBAC permission to read the Secret recovers the value exactly like this.
printf '%s' 'cmVkaGF0' | base64 --decode
  • 部署pod调用secrets
trnuser@k8s:~/pod$ cat wordpress-mysql.yml 
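---
apiVersion: v1
kind: Service
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  ports:
    - port: 3306
  selector:
    app: wordpress
    tier: mysql
  # Headless service: DNS returns the pod IP directly instead of a virtual IP.
  clusterIP: None
---
apiVersion: apps/v1 # for k8s versions before 1.9.0 use apps/v1beta2  and before 1.8.0 use extensions/v1beta1
kind: Deployment
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  # One MySQL instance per data directory: two pods on the same PVC cannot
  # both start, so do not scale this above 1.
  replicas: 1
  selector:
    matchLabels:
      app: wordpress
      tier: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wordpress
        tier: mysql
    spec:
      containers:
      - image: mysql:5.7
        name: mysql
        env:
        - name: MYSQL_ROOT_PASSWORD
          # Value is read from Secret `mysql`, key `mysql-password`, when the
          # pod starts, so the manifest carries no credential. secretKeyRef
          # resolves in the pod's own namespace: the Secret was created in
          # `secret`, so apply this manifest there (or set metadata.namespace)
          # or the container fails to start.
          # Caveat: an env var is inherited by every child process and is
          # readable from /proc inside the container. Mounting the Secret as
          # a file is the tighter option when the image can read one (the
          # official mysql image documents MYSQL_ROOT_PASSWORD_FILE — verify
          # for this tag).
          valueFrom:
            secretKeyRef:
              name: mysql
              key: mysql-password
        livenessProbe:
          tcpSocket:
            port: 3306
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
      # Persistent storage restored at the correct nesting (pod spec level,
      # claimName under persistentVolumeClaim). The previous version had the
      # whole block commented out, which leaves the database in the container's
      # writable layer and loses it on every restart. The PVC mysql-pv-claim
      # must exist before the pod can be scheduled.
      volumes:
      - name: mysql-persistent-storage
        persistentVolumeClaim:
          claimName: mysql-pv-claim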
  • 从文件内容创建 secret（文件内容作为 value，key 默认为文件名）
# Write the value without a trailing newline (it becomes the Secret data
# byte-for-byte). The file now holds the value in plaintext on disk: delete it
# once the Secret has been created.
printf '%s' 'zhangsan' > username
  • 创建secret
# Key name defaults to the file's basename, so `username=./username` is the
# same as the bare `--from-file=username`. Remove ./username afterwards; the
# Secret is the only copy that should remain.
kubectl create secret generic users --from-file=username=./username
  • 用 env 文件一次创建多个键值（每行一个 key=value）
[root@master ~]# vim secret.txt 
[root@master ~]# cat secret.txt 
user1=zhangsan 
password1=redhat 
user2=lisi 
password2=redha
# Each key=value line of the env file becomes one key in Secret `users-2`.
# The file holds every password in plaintext on the node it was written on:
# restrict it (chmod 600) while it exists and delete it after this command.
kubectl create secret generic users-2 --from-env-file=./secret.txt
  • configmap（只用于非敏感配置，数据以明文存储，不要放密码）
# ConfigMap data is stored and shown in plaintext (see the `kubectl get -o yaml`
# output below): fine for usernames and other non-sensitive settings, never
# for passwords — those belong in a Secret.
kubectl create configmap cmap1 \
  --from-literal user1=zhangsan \
  --from-literal user2=lisi
trnuser@k8s:~/pod$ kubectl get configmap cmap1 -o yaml -n secret 
apiVersion: v1
data:
  user1: zhangsan
  user2: lisi
kind: ConfigMap
metadata:
  creationTimestamp: "2021-03-02T02:36:23Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:user1: {}
        f:user2: {}
    manager: kubectl
    operation: Update
    time: "2021-03-02T02:36:23Z"
  name: cmap1
  namespace: secret
  resourceVersion: "1482007"
  selfLink: /api/v1/namespaces/secret/configmaps/cmap1
  uid: 81158352-60c2-4706-b384-f3efe88bcadc