k8s密码管理
1、明文创建mysql pod(不安全:密码直接写在yaml的env里,任何能读取该文件或pod定义的人都能看到)
[root@vms20 ~]# docker pull hub.c.163.com/library/mysql
[root@vms10 chap5-secrets]# cat mysql.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: mysql
name: mysql
spec:
containers:
- image: hub.c.163.com/library/mysql
imagePullPolicy: IfNotPresent
name: mysql
env:
- name: MYSQL_ROOT_PASSWORD
value: root123
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl apply -f mysql.yaml
pod/mysql created
[root@vms10 chap5-secrets]# kubectl get node
NAME STATUS ROLES AGE VERSION
vms10.rhce.cc Ready control-plane,master 12d v1.22.4
vms20.rhce.cc Ready <none> 12d v1.22.4
vms30.rhce.cc Ready <none> 12d v1.22.4
[root@vms10 chap5-secrets]# kubectl get pod -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql 1/1 Running 0 9s 10.244.71.151 vms20.rhce.cc <none> <none>
pod1 2/2 Running 1 (6m3s ago) 89m 10.244.126.50 vms30.rhce.cc <none> <none>
[root@vms10 chap5-secrets]# mysql -uroot -proot123 -h10.244.71.151
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
2、三种secret类型
kubernetes.io/service-account-token
[root@vms10 chap5-secrets]# kubectl create sa sa1
serviceaccount/sa1 created
[root@vms10 chap5-secrets]# kubectl get secret
NAME TYPE DATA AGE
default-token-t48tw kubernetes.io/service-account-token 3 24h
sa1-token-x8c8w kubernetes.io/service-account-token 3 2s
[root@vms10 chap5-secrets]# kubectl delete sa sa1
serviceaccount "sa1" deleted
假设创建了一个pod,使用了harbor里面的镜像,但是harbor没有开启匿名访问(不能匿名拉取镜像)
这时就需要创建secret,里面包含harbor的用户名和密码,pod通过imagePullSecrets引用它
kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息。
创建harbor密钥,并在pod的imagePullSecrets中引用(注意imagePullSecrets是一个列表,条目应写成 - name: mydocker-secret)
[root@vms10 ~]# kubectl create secret docker-registry mydocker-secret --docker-server=192.168.26.10 --docker-username=admin --docker-password=Harbor12345
secret/mydocker-secret created
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: pod1
name: pod1
spec:
imagePullSecrets:
name: mydocker-secret
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx1
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
Opaque:base64编码格式的Secret,用来存储密码、密钥等;但数据也可以通过base64 --decode解码得到原始数据,所以这只是编码而不是加密,并没有保密性
1、命令行创建secret
[root@vms10 chap5-secrets]# kubectl create secret generic mysec1 --from-literal=myuser=admin --from-literal=mypass=Harbor12345
secret/mysec1 created
[root@vms10 chap5-secrets]# kubectl get secret
NAME TYPE DATA AGE
default-token-t48tw kubernetes.io/service-account-token 3 25h
mydocker-secret kubernetes.io/dockerconfigjson 1 11m
mysec1 Opaque 2 6s
[root@vms10 chap5-secrets]# kubectl describe secret mysec1
Name: mysec1
Namespace: chap4-volume
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
myuser: 5 bytes
mypass: 11 bytes
# 编码后
[root@vms10 chap5-secrets]# kubectl get secrets mysec1 -o yaml
apiVersion: v1
data:
mypass: SGFyYm9yMTIzNDU=
myuser: YWRtaW4=
kind: Secret
metadata:
creationTimestamp: "2022-03-22T11:52:19Z"
name: mysec1
namespace: chap4-volume
resourceVersion: "235456"
selfLink: /api/v1/namespaces/chap4-volume/secrets/mysec1
uid: 261a5f7a-debd-444c-a465-9e0652c6ffd7
type: Opaque
# 解码
[root@vms10 chap5-secrets]# echo SGFyYm9yMTIzNDU= | base64 -d
Harbor12345
[root@vms10 chap5-secrets]# kubectl get secret mysec1 -o jsonpath='{.data.mypass}' |base64 -d
Harbor12345
2、file创建secret(键=文件的basename)
[root@vms10 chap5-secrets]# kubectl create secret generic mysec2 --from-file=/etc/hosts --from-file=/etc/issue
secret/mysec2 created
[root@vms10 chap5-secrets]# kubectl describe secret mysec2
Name: mysec2
Namespace: chap4-volume
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
hosts: 260 bytes
issue: 37 bytes
[root@vms10 chap5-secrets]# kubectl get secret mysec2 -o jsonpath='{.data.hosts}' | base64 -d
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.10 vms10.rhce.cc vms10
192.168.26.20 vms10.rhce.cc vms20
192.168.26.30 vms10.rhce.cc vms30
[root@vms10 chap5-secrets]# cat env.txt
user=root
password=root123
[root@vms10 chap5-secrets]# kubectl create secret generic mysecret3 --from-env-file=env.txt
[root@vms10 chap5-secrets]# kubectl get secret
mysecret3 Opaque 2 2m38s
[root@vms10 chap5-secrets]# kubectl get secret mysecret3 -o yaml
apiVersion: v1
data:
password: cm9vdDEyMw==
user: cm9vdA==
kind: Secret
metadata:
creationTimestamp: "2022-03-22T11:59:09Z"
name: mysecret3
namespace: chap4-volume
resourceVersion: "236259"
selfLink: /api/v1/namespaces/chap4-volume/secrets/mysecret3
uid: 6a333929-3ecf-4fc2-821a-f00e1ec3e87b
type: Opaque
[root@vms10 chap5-secrets]# echo cm9vdDEyMw== | base64 -d
root123
3、使用secret
以变量的方式
[root@vms10 chap5-secrets]# kubectl create secret generic mysec --from-literal=mysql_root_password=root123
secret/mysec created
[root@vms10 chap5-secrets]# vim mysqlBySecret.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: mysql
name: mysql
spec:
containers:
- image: hub.c.163.com/library/mysql
imagePullPolicy: IfNotPresent
name: mysql
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysec
key: mysql_root_password
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl apply -f mysqlBySecret.yaml
[root@vms10 chap5-secrets]# kubectl get pod -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql 1/1 Running 0 5m14s 10.244.126.51 vms30.rhce.cc <none> <none>
[root@vms10 chap5-secrets]# mysql -h 10.244.126.51 -uroot -proot123
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
以卷的方式
[root@vms10 chap5-secrets]# kubectl describe secrets mysec
Name: mysec
Namespace: chap4-volume
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
mysql_root_password: 7 bytes
[root@vms10 chap5-secrets]# cat mysqlBySecret2.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
volumes:
- name: v1
secret:
secretName: mysec
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: c1
resources: {}
volumeMounts:
- name: v1
mountPath: /data
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl exec -it nginx -- bash
root@nginx:/# cat /data/mysql_root_password
root123
4、configMap
创建configMap
[root@vms10 chap5-secrets]# kubectl get configmap
NAME DATA AGE
kube-root-ca.crt 1 44h
# 根据变量创建
[root@vms10 chap5-secrets]# kubectl create cm mycm1 --from-literal=user=root --from-literal=password=root123
configmap/mycm1 created
# 根据文件创建
[root@vms10 chap5-secrets]# kubectl create cm mycm2 --from-file=/etc/hosts --from-file=/etc/issue
configmap/mycm2 created
# 查看configMap
[root@vms10 chap5-secrets]# kubectl describe cm mycm1
Name: mycm1
Namespace: chap4-volume
Labels: <none>
Annotations: <none>
Data
====
password:
----
root123
user:
----
root
BinaryData
====
Events: <none>
[root@vms10 chap5-secrets]# kubectl describe cm mycm2
Name: mycm2
Namespace: chap4-volume
Labels: <none>
Annotations: <none>
Data
====
hosts:
----
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.10 vms10.rhce.cc vms10
192.168.26.20 vms10.rhce.cc vms20
192.168.26.30 vms10.rhce.cc vms30
issue:
----
\S
Kernel \r on an \m
192.168.26.10
BinaryData
====
Events: <none>
使用configMap(常用于映射配置文件)
变量
[root@vms10 chap5-secrets]# cat configMap.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: mysql
name: mysql
spec:
containers:
- image: hub.c.163.com/library/mysql
imagePullPolicy: IfNotPresent
name: mysql
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
configMapKeyRef:
name: mycm1
key: password
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl get pod -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql 1/1 Running 0 53s 10.244.71.156 vms20.rhce.cc <none> <none>
[root@vms10 chap5-secrets]# mysql -h10.244.71.156 -uroot -proot123
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
挂载卷
[root@vms10 chap5-secrets]# cat configMap2.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
volumes:
- name: v1
configMap:
name: mycm2
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: c1
resources: {}
volumeMounts:
- name: v1
mountPath: /data
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
[root@vms10 chap5-secrets]# kubectl exec -it nginx -- bash
root@nginx:/# ls /data/
hosts issue
root@nginx:/# cat /data/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.10 vms10.rhce.cc vms10
192.168.26.20 vms10.rhce.cc vms20
192.168.26.30 vms10.rhce.cc vms30
常见用法:以变量的方式引用secret,以卷的方式引用configMap
将nginx配置文件设置成configMap,在pod中引用该配置文件
[root@vms10 chap5-secrets]# kubectl create cm nginx.conf --from-file=nginx.conf
configmap/nginx.conf created
[root@vms10 chap5-secrets]# kubectl get cm
NAME DATA AGE
kube-root-ca.crt 1 45h
mycm1 2 35m
mycm2 2 33m
nginx.conf 1 20s
[root@vms10 chap5-secrets]# cat configMap3.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
volumes:
- name: v1
configMap:
name: nginx.conf
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: c1
resources: {}
volumeMounts:
- name: v1
mountPath: /etc/nginx/nginx.conf
# 没有subPath时,mountPath /etc/nginx/nginx.conf 会被挂载成一个目录(里面是nginx.conf文件),而不是文件
subPath: nginx.conf
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
修改configMap中的配置文件,并使改动在pod中生效
[root@vms10 chap5-secrets]# kubectl edit cm nginx.conf
configmap/nginx.conf edited
# 以subPath方式挂载的configMap不会自动更新,所以需要删除pod再重新创建(--force会跳过优雅终止,直接删除)
[root@vms10 chap5-secrets]# kubectl delete pod nginx --force
pod "nginx" force deleted
[root@vms10 chap5-secrets]# kubectl apply -f configMap3.yaml
pod/nginx created