Kubernetes入门实验:secret

kubernetes 752 字
作者注:本文仅为笔者学习记录,不具任何参考意义。

k8s secret 实验。
注:本文为笔者实验记录,非教程,另会不定时更新。

环境

1
2
3
4
5
# kubectl get node
NAME              STATUS     ROLES    AGE   VERSION
edge-node         Ready      <none>   15m   v1.17.0
edge-node2        Ready      <none>   16m   v1.17.0
ubuntu            Ready      master   67d   v1.17.0

secret

Secret有三种类型:

  • Opaque:base64 编码格式的 Secret,用来存储密码、密钥等;但数据也可以通过base64 –decode解码得到原始数据,所有加密性很弱。
  • kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息。
  • kubernetes.io/service-account-token:用于被serviceaccount引用,serviceaccout 创建时Kubernetes会默认创建对应的secret。Pod如果使用了serviceaccount,对应的secret会自动挂载到Pod目录/run/secrets/kubernetes.io/serviceaccount中。

技术总结

似乎还是能解出敏感文字,如何实际应用?

命令行指定

1
kubectl create secret generic dev-db-secret –from-literal=username=devuser –from-literal=password=S\!B\\*d\$zDsb

注:特殊字符(例如 $, \*! )需要使用\转义。此处密码为S!B\*d$zDsb

从文件创建

1
2
echo -n 'admin' > ./username.txt
echo -n '1f2d1e2e67df' > ./password.txt

创建:

1
kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt

1
2
3
4
5
kubectl get secrets
输出
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      26s
default-token-5qgw2   kubernetes.io/service-account-token   3      70d

查看详情:

1
kubectl describe secrets/db-user-pass

解码密钥:

1
2
3
4
5
6
kubectl get secret db-user-pass -o yaml
输出:
data:
  password.txt: MWYyZDFlMmU2N2Rm
  username.txt: YWRtaW4=
kind: Secret

解base64:

1
2
echo 'YWRtaW4=' | base64 --decode
admin

配置文件

1
2
3
4
echo -n 'admin' | base64
YWRtaW4=
echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm

secret.yaml文件:

1
2
3
4
5
6
7
8
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

创建:

1
kubectl apply -f secret.yaml

编辑:

1
kubectl edit secrets mysecret

将secret挂载到pod中,busybox-pod.yaml:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

创建、查看、删除:

1
2
3
kubectl apply -f busybox-pod.yaml 
kubectl exec -it busybox-pod -- cat /etc/foo/username
kubectl delete -f busybox-pod.yaml

环境变量方式,busybox-pod1.yaml:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password

创建、查看、删除:

1
2
3
kubectl apply -f busybox-pod1.yaml 
kubectl exec -it busybox-pod -- env
kubectl delete -f busybox-pod1.yaml

TODO:移动其它文件

kubernetes.io/service-account-token

查看当前serviceAccount:

1
2
3
# kubectl get serviceAccounts   // 或 kubectl get sa
NAME      SECRETS   AGE
default   1         75d

每个pod都有默认的secret,查看上述运行pod的serviceaccount:

1
2
3
4
5
6
7
8
9
10
# kubectl get pod busybox-pod  -o yaml | grep serviceAccountName
  serviceAccountName: default

# kubectl describe pod busybox-pod | grep SecretName
    SecretName:  mysecret
    SecretName:  default-token-5qgw2
    
# kubectl get secret // 查看系统默认的secrect
NAME                  TYPE                                  DATA   AGE
default-token-5qgw2   kubernetes.io/service-account-token   3      75d

serviceaccount.yaml

1
2
3
4
5
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: null
  name: mysa

创建:

1
kubectl apply -f serviceaccount.yaml

查看:

1
2
kubectl get sa mysa -o yaml
kubectl describe sa mysa

查看secrect:

1
2
3
4
kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-5qgw2   kubernetes.io/service-account-token   3      75d
mysa-token-dkt5p      kubernetes.io/service-account-token   3      2m50s

删除上述pod,再创建新的,使用新的sa:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
  serviceAccountName: mysa

创建:

1
kubectl apply -f busybox-pod.yaml

1
kubectl describe pod busybox-pod
  • 本文作者:李迟
  • 版权声明:原创文章,版权归署名作者,转载建议注明出处(当然不注明亦可)。
  • 本文链接:/kubernetes/k8s-practice-secret.html