1、Prerequisites

  • Docker version
    • $ docker version
      Client: Docker Engine - Community
        Version:          20.10.9
        ## ...
  • Minikube version
    • $ minikube version
      minikube version: v1.11.0
      commit: 1787477be296af47561833bcf69ef7a7c677933c
  • Helm version
    • $ helm version
      version.BuildInfo{Version:"v3.7.0", GitCommit:"eeac83883cb4014fe60267ec6373570374ce770b", GitTreeState:"clean", GoVersion:"go1.16.8"}

2、Install the Vault Helm chart

  • Install the latest version of the Vault Helm chart.
    • $ helm install vault hashicorp/vault \
        --set='ui.enabled=true' \
        --set='ui.serviceType=NodePort' \
        --set='ui.serviceNodePort=30501' \
        --set='server.service.type=NodePort' \
        --set='server.service.nodePort=30500'

3、Initialize and unseal Vault

  • Initialize Vault with one key share and one key threshold.
    • $ kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
  • Display the unseal key found in cluster-keys.json.
    • $ cat cluster-keys.json | jq -r ".unseal_keys_b64[]"
      rrUtT32GztRy/pVWmcH0ZQLCCXon/TxCgi40FL1Zzus=
  • Create a variable named VAULT_UNSEAL_KEY to capture the Vault unseal key.
    • $ VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
  • Unseal Vault running on the vault-0 pod.
    • $ kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
      Key                    Value
      ---                    -----
      Seal Type              shamir
      Initialized            true
      Sealed                 false
      Total Shares           1
      Threshold              1
      Version                1.4.2
      Cluster Name           vault-cluster-40bde7f6
      Cluster ID             7e0355e2-ee66-4d9e-f4eb-42ef453b857d
      HA Enabled             true
      HA Cluster             n/a
      HA Mode                standby
      Active Node Address    <none>
  • Verify all the Vault pods are running and ready.
    • $ kubectl get pods
      NAME                                    READY   STATUS    RESTARTS   AGE
      consul-consul-server-0                  1/1     Running   0          10m
      consul-consul-sxpbj                     1/1     Running   0          10m
      vault-0                                 1/1     Running   0          5m49s
      vault-1                                 1/1     Running   0          5m48s
      vault-2                                 1/1     Running   0          5m47s
      vault-agent-injector-5945fb98b5-vzbqv   1/1     Running   0          5m50s
  • The vault-0, vault-1, and vault-2 pods report that they are Running and ready (1/1).

4、Set a secret in Vault

  • Retrieve the root token from the cluster-keys.json file.
    • $ cat cluster-keys.json | jq -r ".root_token"
      s.VgQvaXl8xGFO1RUxAPbPbsfN
  • First, start an interactive shell session on the `vault-0` pod.
    • $ kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
      / $
  • Login with the root token when prompted.
    • $ vault login
      Success! You are now authenticated. The token information displayed below
      is already stored in the token helper. You do NOT need to run "vault login"
      again. Future Vault requests will automatically use this token.
      
      Key                  Value
      ---                  -----
      token                s.g3dGqNy5IYrj8E4EU8mSPeL2
      token_accessor       JVsMJHVu6rTWbPLlYmWQTq1R
      token_duration       ∞
      token_renewable      false
      token_policies       ["root"]
      identity_policies    []
      policies             ["root"]
  • Enable kv-v2 secrets at the path secret.
    • $ vault secrets enable -path=secret kv-v2
      Success! Enabled the kv-v2 secrets engine at: secret/
  • Create a secret at path `secret/webapp/config` with a `username` and `password`.
    • $ vault kv put secret/webapp/config username="static-user" password="static-password"
      Key              Value
      ---              -----
      created_time     2020-03-24T19:13:06.72377543Z
      deletion_time    n/a
      destroyed        false
      version          1
  • Verify that the secret is defined at the path `secret/webapp/config`.
    • $ vault kv get secret/webapp/config
      ====== Metadata ======
      Key              Value
      ---              -----
      created_time     2020-03-24T19:13:06.72377543Z
      deletion_time    n/a
      destroyed        false
      version          1
      
      ====== Data ======
      Key         Value
      ---         -----
      password    static-password
      username    static-user
  • Lastly, exit the vault-0 pod.
    • $ exit
5、Configure Kubernetes authentication

  • First, start an interactive shell session on the vault-0 pod.
    • $ kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
      / $
  • Enable the Kubernetes authentication method.
    • $ vault auth enable kubernetes
      Success! Enabled kubernetes auth method at: kubernetes/
  • Configure the Kubernetes authentication method to use the location of the Kubernetes API, the service account token, its certificate, and the name of Kubernetes' service account issuer (required with Kubernetes 1.21+).
    • $ vault write auth/kubernetes/config \
              kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
              token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
              kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
              issuer="https://kubernetes.default.svc.cluster.local"
      Success! Data written to: auth/kubernetes/config
  • Write out the policy named webapp that enables the read capability for secrets at path secret/data/webapp/config.
    • $ vault policy write webapp - <<EOF
      path "secret/data/webapp/config" {
        capabilities = ["read"]
      }
      EOF
      Success! Uploaded policy: webapp
  • Create a Kubernetes authentication role, named webapp, that connects the Kubernetes service account name and webapp policy.
    • $ vault write auth/kubernetes/role/webapp \
              bound_service_account_names=vault \
              bound_service_account_namespaces=default \
              policies=webapp \
              ttl=24h
      Success! Data written to: auth/kubernetes/role/webapp
  • Lastly, exit the vault-0 pod.
    • $ exit
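The client side of what steps 4 and 5 set up, as an added Python example (not part of the original notes and not HashiCorp's code): a workload presents its service-account JWT to auth/kubernetes/login for the `webapp` role, then reads secret/data/webapp/config with the returned token. The Vault server here is a constructed in-process stand-in that knows only that one role, that one token and that one readable path, so the script runs offline; the Vault address, the JWT value and the token string are placeholders, and the helper names (`kubernetes_login`, `read_kv2`, `demo`) are mine.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Where the kubelet mounts the pod's service-account JWT (the same file the
# tutorial reads token_reviewer_jwt from on the vault-0 pod).
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def read_sa_jwt(path=SA_TOKEN_PATH):
    """Read the projected service-account token from inside a pod."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def _vault_request(method, url, body=None, token=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def kubernetes_login(vault_addr, role, jwt):
    """POST /v1/auth/kubernetes/login: exchange the SA JWT for a Vault token."""
    resp = _vault_request("POST", f"{vault_addr}/v1/auth/kubernetes/login",
                          body={"role": role, "jwt": jwt})
    return resp["auth"]["client_token"]


def kv2_api_path(mount, cli_path):
    """`vault kv get secret/webapp/config` really hits secret/data/webapp/config;
    a policy must name the /data/ form (step 5's policy does)."""
    return f"{mount}/data/{cli_path}"


def read_kv2(vault_addr, token, mount, cli_path):
    """GET the kv-v2 secret; the payload nests the fields under data.data."""
    url = f"{vault_addr}/v1/{kv2_api_path(mount, cli_path)}"
    return _vault_request("GET", url, token=token)["data"]["data"]


class FakeVault(BaseHTTPRequestHandler):
    """Constructed stand-in for Vault: one role, one token, one readable path."""
    TOKEN = "s.constructed-demo-token"  # constructed, not a real Vault token

    def log_message(self, *_):  # keep the demo quiet
        pass

    def _send(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if (self.path == "/v1/auth/kubernetes/login"
                and body.get("role") == "webapp" and body.get("jwt")):
            self._send(200, {"auth": {"client_token": self.TOKEN,
                                      "policies": ["default", "webapp"]}})
        else:
            self._send(403, {"errors": ["permission denied"]})

    def do_GET(self):
        if (self.headers.get("X-Vault-Token") != self.TOKEN
                or self.path != "/v1/secret/data/webapp/config"):
            self._send(403, {"errors": ["permission denied"]})
            return
        self._send(200, {"data": {"data": {"username": "static-user",
                                           "password": "static-password"},
                                  "metadata": {"version": 1}}})


def demo():
    """Run the login + read flow against the stand-in; return what happened."""
    server = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    vault_addr = f"http://127.0.0.1:{server.server_address[1]}"  # placeholder VAULT_ADDR
    try:
        token = kubernetes_login(vault_addr, "webapp", "eyJ.constructed.jwt")
        allowed = read_kv2(vault_addr, token, "secret", "webapp/config")
        try:  # a path outside the webapp policy is refused with 403
            read_kv2(vault_addr, token, "secret", "webapp/other")
            denied = None
        except urllib.error.HTTPError as err:
            denied = err.code
    finally:
        server.shutdown()
        server.server_close()
    return {"allowed": allowed, "denied_status": denied}


if __name__ == "__main__":
    print(demo())
```

Inside a real pod you would replace the constructed JWT with `read_sa_jwt()` and point `vault_addr` at the vault service; the role's bound_service_account_names must then match the pod's service account (step 5 binds `vault`, step 8 binds `demo-sa`), otherwise the login itself returns the same permission-denied error.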

6、Create a service account (SA)

  • Create the service account the application will run as (the same `namespace` value is used when binding the role in step 8).
    • $ kubectl create sa demo-sa --namespace namespace

7、Create Policy

  • Write a policy named demoservice (the name the role in step 8 refers to) that grants create, read, update, delete and list on everything under demoservice/.
    • $ vault policy write demoservice - <<EOF
      path "demoservice/*" {
        capabilities = ["create", "read", "update", "delete", "list"]
      }
      EOF
8、Create policy role bind

  • Create the role: bound_service_account_names binds it to the SA, bound_service_account_namespaces restricts it to that namespace, and policies attaches the demoservice policy.
    • $ vault write auth/kubernetes/role/demo-role \
              bound_service_account_names=demo-sa \
              bound_service_account_namespaces=namespace \
              policies=demoservice \
              ttl=24h
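A small checker for the policy language used in steps 5, 7 and 8, added here as a Python example (neither the notes' own code nor Vault's implementation): it parses the `path "..." { capabilities = [...] }` form, applies Vault's matching rules in simplified form (an exact path beats a glob, a trailing `*` is a prefix glob, `+` matches exactly one segment, and `deny` overrides the other capabilities), and evaluates the two policies on this page against the requests the tutorial makes. The request paths, the `check_examples` helper and the policy texts embedded as constants are assumptions for illustration.

```python
import re

# HCL subset used by the notes: path "<pattern>" { capabilities = [ ... ] }
_RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')

# The two policies from this page (constructed copies, used as test input).
WEBAPP_POLICY = '''
path "secret/data/webapp/config" {
  capabilities = ["read"]
}
'''
DEMOSERVICE_POLICY = '''
path "demoservice/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''


def parse_policy(hcl):
    """Return [(path_pattern, {capabilities})] from a policy document."""
    rules = []
    for pattern, caps in _RULE_RE.findall(hcl):
        rules.append((pattern, set(re.findall(r'"([^"]+)"', caps))))
    return rules


def _pattern_regex(pattern):
    # Trailing '*' is a prefix glob, '+' matches one path segment, the rest is literal.
    glob = pattern.endswith("*")
    core = pattern[:-1] if glob else pattern
    segs = ["[^/]+" if seg == "+" else re.escape(seg) for seg in core.split("/")]
    return re.compile("^" + "/".join(segs) + (".*" if glob else "") + "$")


def allowed(rules, request_path, capability):
    """Simplified Vault decision: an exact rule beats globs, the longest glob
    wins among globs, and "deny" on the chosen rule refuses everything."""
    matches = [(p, caps) for p, caps in rules if _pattern_regex(p).match(request_path)]
    if not matches:
        return False
    exact = [m for m in matches if not m[0].endswith("*") and "+" not in m[0]]
    _, caps = exact[0] if exact else max(matches, key=lambda m: len(m[0]))
    if "deny" in caps:
        return False
    return capability in caps


def check_examples():
    """Evaluate the page's policies against the requests the tutorial makes."""
    webapp = parse_policy(WEBAPP_POLICY)
    demo = parse_policy(DEMOSERVICE_POLICY)
    return {
        # `vault kv get secret/webapp/config` needs read on the /data/ path
        "webapp_kv_get": allowed(webapp, "secret/data/webapp/config", "read"),
        # `vault kv put` needs create/update on that path; the policy grants neither
        "webapp_kv_put": allowed(webapp, "secret/data/webapp/config", "update"),
        # the CLI-style path is not what the API sees, so it would never match
        "webapp_cli_path": allowed(webapp, "secret/webapp/config", "read"),
        # a sibling secret is outside the exact path
        "webapp_other": allowed(webapp, "secret/data/webapp/other", "read"),
        # the prefix glob covers arbitrarily deep paths under demoservice/
        "demo_delete_nested": allowed(demo, "demoservice/orders/db", "delete"),
        # the bare mount name (no trailing slash) is not covered by "demoservice/*"
        "demo_root_of_mount": allowed(demo, "demoservice", "list"),
    }


if __name__ == "__main__":
    for name, verdict in check_examples().items():
        print(f"{name:20} {'allow' if verdict else 'deny'}")
```

Two things this makes visible that the CLI hides: the webapp policy is read-only, so the pod that logs in with it cannot overwrite the secret (which is the least-privilege outcome you want for a consumer), and policies for kv-v2 must be written against secret/data/... (and secret/metadata/... for version operations), not the secret/... path the `vault kv` commands take. Real Vault adds features this checker ignores (sudo, templated paths, parameter constraints), so treat it as a reading aid, not an authorization engine.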
