Kubernetes Introductory Lab: Secrets

Author's note: this article is only my study record and is not meant as a reference.

A lab on Kubernetes Secrets.
Note: this is a lab record, not a tutorial, and it will be updated from time to time.

Environment

# kubectl get node
NAME         STATUS   ROLES    AGE   VERSION
edge-node    Ready    <none>   15m   v1.17.0
edge-node2   Ready    <none>   16m   v1.17.0
ubuntu       Ready    master   67d   v1.17.0

Secrets

There are three types of Secret:

  • Opaque: a Secret whose values are base64-encoded, used to store passwords, keys and the like; but the original data can be recovered with base64 --decode, so the protection it gives is very weak (base64 is an encoding, not encryption).
  • kubernetes.io/dockerconfigjson: stores the credentials for a private Docker registry.
  • kubernetes.io/service-account-token: referenced by a ServiceAccount; when a ServiceAccount is created, Kubernetes creates the corresponding Secret by default. If a Pod uses a ServiceAccount, the corresponding Secret is automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount.

Technical summary

It seems the sensitive text can still be recovered, so how is this used in practice?

Specifying values on the command line

kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password=S\!B\\*d\$zDsb

Note: special characters (for example $, \, *, !) must be escaped with \. The actual password here is S!B\*d$zDsb.

Creating from files

echo -n 'admin' > ./username.txt
echo -n '1f2d1e2e67df' > ./password.txt

Create:

kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt

kubectl get secrets
Output:
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      26s
default-token-5qgw2   kubernetes.io/service-account-token   3      70d

View details:

kubectl describe secrets/db-user-pass

Decoding the Secret:

kubectl get secret db-user-pass -o yaml
Output:
data:
  password.txt: MWYyZDFlMmU2N2Rm
  username.txt: YWRtaW4=
kind: Secret

Decode the base64:

echo 'YWRtaW4=' | base64 --decode
admin

Configuration file

echo -n 'admin' | base64
YWRtaW4=
echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm

The secret.yaml file:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

Create:

kubectl apply -f secret.yaml

Edit:

kubectl edit secrets mysecret
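The two steps above (base64-encode each value, then decode them back out of the manifest) can be done without a cluster. The script below is an added example, not part of the original post: it builds an Opaque Secret manifest from key=value arguments the way the post does with echo -n | base64, then decodes one key back, which is all that "kubectl get secret -o yaml" plus base64 --decode amounts to. It also shows that passing the password from the command-line section in single quotes avoids the backslash escaping the post needs for $, !, \ and *. The secret name and values are the post's own; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: build an Opaque Secret manifest from
# key=value pairs and decode a key back out of it, offline and without kubectl.
# It makes the point that the "data:" section is only base64-encoded and is
# readable by anyone allowed to read the Secret object.

# Encode one value the way the post does with `echo -n`: no trailing newline
# (a stray "\n" would become part of the password) and no base64 line wrapping.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# make_secret_manifest NAME key=value [key=value ...]
# Prints an Opaque Secret manifest with each value base64-encoded. Because the
# values arrive as ordinary arguments, single-quoting them on the command line
# is enough; no backslash escaping of $ ! \ * is needed.
make_secret_manifest() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}     # text before the first "="
    value=${kv#*=}    # everything after the first "=" (may itself contain "=")
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# decode_secret_key KEY
# Reads a Secret manifest on stdin and prints the plaintext of data.KEY, which is
# what `echo '<value>' | base64 --decode` does by hand in the post.
decode_secret_key() {
  key=$1
  grep "^  $key: " | sed "s/^  $key: //" | base64 -d
}

# Demo: the post's dev-db-secret, with the password passed unescaped in single quotes.
manifest=$(make_secret_manifest dev-db-secret 'username=devuser' 'password=S!B\*d$zDsb')
printf '%s\n' "$manifest"
printf 'decoded password: %s\n' "$(printf '%s\n' "$manifest" | decode_secret_key password)"
```

The takeaway for practice is the one the post's own question points at: anything that can read the Secret object (kubectl get secret, a ServiceAccount with get/list on secrets, a backup of etcd) sees the plaintext after one base64 -d, so the real controls are RBAC on the secrets resource and encryption of Secrets at rest on the API server, not the encoding.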

Mounting the Secret into a Pod, busybox-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

Create, inspect, delete:

kubectl apply -f busybox-pod.yaml
kubectl exec -it busybox-pod -- cat /etc/foo/username
kubectl delete -f busybox-pod.yaml

The environment-variable approach, busybox-pod1.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password

Create, inspect, delete:

kubectl apply -f busybox-pod1.yaml
kubectl exec -it busybox-pod -- env
kubectl delete -f busybox-pod1.yaml

TODO: move the other files.

kubernetes.io/service-account-token

View the current ServiceAccounts:

# kubectl get serviceAccounts   # or: kubectl get sa
NAME      SECRETS   AGE
default   1         75d

Every Pod gets the default Secret; check the ServiceAccount of the Pod that was running above:

# kubectl get pod busybox-pod -o yaml | grep serviceAccountName
serviceAccountName: default

# kubectl describe pod busybox-pod | grep SecretName
SecretName: mysecret
SecretName: default-token-5qgw2

# kubectl get secret   # view the system default secret
NAME                  TYPE                                  DATA   AGE
default-token-5qgw2   kubernetes.io/service-account-token   3      75d
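Because the default ServiceAccount token is mounted into every Pod that does not say otherwise, a useful check on a cluster is which Pods still run as "default" with that token mounted. The script below is an added example, not part of the original post: it audits tab-separated lines of namespace, pod, serviceAccountName and automountServiceAccountToken. The kubectl jsonpath command in the comment is the assumed way to produce those lines from a live cluster and is not run here; the sample lines are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: list Pods that still run under the
# "default" ServiceAccount with its token auto-mounted, the situation the post
# shows for busybox-pod. Input lines are
#   namespace <TAB> pod <TAB> serviceAccountName <TAB> automountServiceAccountToken
# which this (assumed, not run here) command produces from a live cluster:
#
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.serviceAccountName}{"\t"}{.spec.automountServiceAccountToken}{"\n"}{end}'
#
# The last field is empty when the Pod does not set it; Kubernetes then mounts
# the token, so only an explicit "false" on the Pod disables it. (A "false" set
# on the ServiceAccount object itself is not visible in this input.)

# Constructed sample standing in for live cluster output.
SAMPLE=$(printf 'default\tbusybox-pod\tdefault\t\ndefault\tapp-pod\tmysa\t\nkube-system\tcoredns-1\tcoredns\t\ndefault\tjob-pod\tdefault\tfalse\nmonitoring\tagent\tdefault\ttrue')

# default_sa_token_pods: reads the lines on stdin and prints "namespace/pod" for
# every Pod whose ServiceAccount is "default" and whose token is not disabled.
default_sa_token_pods() {
  awk -F'\t' '$3 == "default" && $4 != "false" { print $1 "/" $2 }'
}

# count_default_sa_token_pods: number of such Pods (0 when the audit is clean).
count_default_sa_token_pods() {
  default_sa_token_pods | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE" | default_sa_token_pods
```

For Pods that never call the API server, the fix is to set automountServiceAccountToken: false in the Pod spec; for Pods that do need API access, give them a dedicated ServiceAccount (as the post does next with mysa) with only the RBAC rules they need, so a compromised container does not hold a token shared by everything else in the namespace.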

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: null
  name: mysa

Create:

kubectl apply -f serviceaccount.yaml

View:

kubectl get sa mysa -o yaml
kubectl describe sa mysa

View the Secrets:

kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-5qgw2   kubernetes.io/service-account-token   3      75d
mysa-token-dkt5p      kubernetes.io/service-account-token   3      2m50s

Delete the Pod above and create a new one that uses the new ServiceAccount:

apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
  serviceAccountName: mysa

Create:

kubectl apply -f busybox-pod.yaml

kubectl describe pod busybox-pod