(Secret 这个单词我百度了一下,意思是"秘密" (。・∀・)ノ)

  Secret 用来保存密码、令牌、密钥这类敏感数据。注意它只是把数据做 base64 编码后存进 etcd,并不是加密:除非在 API Server 上开启了静态加密(EncryptionConfiguration),etcd 里存的就是可以直接解码出来的明文。使用时可以以环境变量或挂载卷的方式提供给 Pod 容器。

  它的安全性主要来自访问控制(RBAC 限制谁能读 Secret、谁能在挂载了它的 Pod 里 exec)以及把敏感数据从镜像和 Pod 定义里分离出来;所以常用来存放密码、密钥等重要数据,但不要把 base64 当作加密。

Secret 常用的类型

1. Opaque   #base64 编码格式的 Secret,用来存储密码、密钥等;
            #数据可以通过 base64 --decode 直接解码得到原始数据,所以这不是加密:任何有权限读取该 Secret 的人都能拿到明文。

2. kubernetes.io/dockerconfigjson  #用来存储私有docker registry的认证信息。

3. kubernetes.io/service-account-token 
             #由 ServiceAccount 引用,里面存放的是签名后的 JWT token、ca.crt 和 namespace;
             #在本文所用的版本里,创建 ServiceAccount 时 Kubernetes 会自动创建对应的 Secret(较新的版本默认不再自动创建这类长期 Secret,改为按需签发短期 token,具体以集群版本为准);
             #Pod 如果使用了 ServiceAccount,对应的 token 会自动挂载到 Pod 内的 /var/run/secrets/kubernetes.io/serviceaccount/ 目录。拿到这个 token 就拥有该 ServiceAccount 的全部 RBAC 权限,所以不需要访问 API 的 Pod 应设置 automountServiceAccountToken: false。

一. Opaque

#下面先手动把值做一下 base64 编码(只是编码,不是加密)
#我们下面使用这两个编码后的值作为案例
[root@k8s-master01 ~]# echo -n "admin" | base64
YWRtaW4=

[root@k8s-master01 ~]# echo -n "123456" | base64
MTIzNDU2

创建secret

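# Write the Secret manifest to Secret.yaml.
# The file holds credential material (base64 is encoding, NOT encryption), so it is
# created with mode 0600 via umask in a subshell (the umask change does not leak to
# the calling shell). The quoted delimiter ('EOF') stops the shell from expanding
# `$...` or backticks inside the values, which would silently corrupt a real password.
(
  umask 077
  cat > Secret.yaml <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque              # generic key/value Secret
data:                     # every value must be base64-encoded (echo -n "admin" | base64)
  username: YWRtaW4=      # "admin"
  password: MTIzNDU2      # "123456"
EOF
)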

部署

# Submit the manifest to the API server (`create` errors out if mysecret already exists)
kubectl create -f Secret.yaml

查看

[root@k8s-master01 ~]# kubectl get Secret
NAME                  TYPE                                  DATA   AGE
default-token-z6w8t   kubernetes.io/service-account-token   3      46d
mysecret              Opaque                                2      23s
#可以看到新建的secret (mysecret )类型为Opaque

获取yaml

[root@k8s-master01 ~]# kubectl get Secret mysecret -o yaml
apiVersion: v1
data:
  password: MTIzNDU2
  username: YWRtaW4=       #用户、密码信息
kind: Secret
metadata:
  creationTimestamp: "2021-01-25T07:31:06Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
        f:username: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2021-01-25T07:31:06Z"
  name: mysecret
  namespace: default
  resourceVersion: "41420"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: 2b1b7fe4-43d4-4950-a9b8-98cfcb7e393b
type: Opaque

上面已经创建了 Secret(注意里面的值只是 base64 编码),在 Pod 中使用它的方法大致分为 2 种:

  1. 以 "变量" 形式挂载到pod容器(环境变量可以被容器内任意进程通过 /proc/<pid>/environ 读到,也会被子进程继承、容易被打进日志或崩溃信息里,敏感数据不推荐这种方式)

  2. 以 "文件" 形式挂载到pod容器(推荐方式,可以配合 readOnly 和文件权限做限制)

1. 以变量形式挂载

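# Write a Pod manifest that exposes the two keys of mysecret as environment variables.
# NOTE(security): env vars are readable from /proc/<pid>/environ by any process in the
# container, are inherited by child processes and tend to end up in logs or crash dumps;
# prefer the volume mount (secret-vol.yaml) for anything sensitive.
# The quoted delimiter ('EOF') keeps the shell from expanding anything in the manifest.
cat > secret-var.yaml <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: web
    image: nginx:1.15
    env:
      - name: SECRET_USERNAME        # variable name as seen inside the container
        valueFrom:                   # value is sourced at runtime, not inlined here
          secretKeyRef:              # ...from a Secret
            name: mysecret           # Secret to read
            key: username            # which key of that Secret

      - name: SECRET_PASSWORD        # same pattern for the password
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
EOF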

部署

# Create the Pod; the kubelet resolves the secretKeyRef values when it starts the container
kubectl create -f secret-var.yaml

查看

[root@k8s-master01 ~]# kubectl get pod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   0          3s

测试

1. 登陆容器

[root@k8s-master01 ~]# kubectl exec -it mypod bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
root@mypod:/# 

2. 查看容器内变量

root@mypod:/# env | grep SECRET
SECRET_PASSWORD=123456
SECRET_USERNAME=admin

 

2. 以文件形式挂载

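# Write a Pod manifest that mounts every key of mysecret as a file under /etc/foo.
# The quoted delimiter ('EOF') keeps the shell from expanding anything in the manifest.
cat > secret-vol.yaml <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: mypod-vol
spec:
  containers:
  - name: web
    image: nginx:1.15

    volumeMounts:              # mount the volume declared under .spec.volumes
    - name: foo
      mountPath: "/etc/foo"    # a directory, not a file: one file per key, e.g. /etc/foo/username
      readOnly: true           # the container cannot modify the projected files

  volumes:                     # volume definitions
  - name: foo
    secret:                    # backed by a Secret
      secretName: mysecret     # Secret to project
      # NOTE(security): defaultMode is not set here, so the files get the Kubernetes
      # default mode, which is readable by every user inside the container. For real
      # credentials consider `defaultMode: 0400` (pair it with runAsUser/fsGroup when the
      # process is not root) -- verify against your image before enabling.
EOF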

部署

# Create the Pod; the Secret's keys appear as files under /etc/foo once it is running
kubectl create -f secret-vol.yaml

查看

[root@k8s-master01 ~]# kubectl get pod
NAME        READY   STATUS    RESTARTS   AGE
mypod       1/1     Running   0          5m33s
mypod-vol   1/1     Running   0          3s

测试

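# Open an interactive shell in the Pod.
# The `--` separator is the supported form; `kubectl exec [POD] [COMMAND]` without it
# is deprecated (see the warning kubectl printed above).
kubectl exec -it mypod-vol -- bash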

查看挂载文件

 

root@mypod-vol:/# ls /etc/foo/
password  username


#查看文件内信息
root@mypod-vol:/# cat /etc/foo/username 
admin

root@mypod-vol:/# cat /etc/foo/password 
123456

如果是初学看到这里就可以了,下面的就当我自己的笔记了。有点小乱ヽ(*。>Д<)o゜

 

二. kubernetes.io/dockerconfigjson

当在需要安全验证的环境中拉取镜像的时候,需要通过用户名和密码。

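# Generate the registry-credential Secret manifest without touching the cluster.
# - `--dry-run=client` replaces the deprecated bare `--dry-run`.
# - The password is read interactively instead of being typed on the command line, so it
#   does not land in shell history (it is still briefly visible in the kubectl process's
#   argv; use a dedicated, least-privilege robot account, not the registry admin).
# - The resulting file contains the credential in base64 (not encrypted), hence umask 077.
# - `--docker-email` is kept from the original example; it is informational only, but it
#   should be an e-mail address rather than a hostname.
read -rs -p 'registry password: ' HARBOR_PASSWORD; echo
(
  umask 077
  kubectl create secret docker-registry docker-reg-secret \
    --docker-server=192.168.1.20 \
    --docker-username=admin \
    --docker-password="$HARBOR_PASSWORD" \
    --docker-email=www.baidu.com \
    --dry-run=client -o yaml > dockerconfigjson.yaml
)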

查看

apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyIxOTIuMTY4LjEuMjAiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiSGFyYm9yMTIzNDUiLCJlbWFpbCI6Ind3dy5iYWlkdS5jb20iLCJhdXRoIjoiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9In19fQ==
kind: Secret
metadata:
  creationTimestamp: null
  name: docker-reg-secret
type: kubernetes.io/dockerconfigjson

部署

# Create the pull Secret; delete (or never commit) dockerconfigjson.yaml afterwards, it holds the password
kubectl create -f dockerconfigjson.yaml

在拉取镜像的时候使用

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: web
      image: nginx:1.15
  imagePullSecrets:         # the kubelet uses these credentials when pulling the container image
    - name: docker-reg-secret   # the kubernetes.io/dockerconfigjson Secret created above

查看

[root@k8s-master01 ~]#  kubectl describe secret docker-reg-secret
Name:         docker-reg-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  130 bytes


[root@k8s-master01 ~]# kubectl get secret docker-reg-secret -o yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyIxOTIuMTY4LjEuMjAiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiSGFyYm9yMTIzNDUiLCJlbWFpbCI6Ind3dy5iYWlkdS5jb20iLCJhdXRoIjoiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9In19fQ==         
        #这是 base64 编码(不是加密)的 docker config json,任何能读这个 Secret 的人都能解码出明文密码
kind: Secret
metadata:
  creationTimestamp: "2021-01-25T07:59:39Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:.dockerconfigjson: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2021-01-25T07:59:39Z"
  name: docker-reg-secret
  namespace: default
  resourceVersion: "45526"
  selfLink: /api/v1/namespaces/default/secrets/docker-reg-secret
  uid: 03e2b376-c971-4895-b7de-5580676b3ccd
type: kubernetes.io/dockerconfigjson

解码查看内容(输出里包含明文密码,注意不要贴到日志或公开的地方)

# Decode the .dockerconfigjson value copied from the Secret.
# The decoded output contains the registry password in clear text.
docker_cfg_b64='eyJhdXRocyI6eyIxOTIuMTY4LjEuMjAiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiSGFyYm9yMTIzNDUiLCJlbWFpbCI6Ind3dy5iYWlkdS5jb20iLCJhdXRoIjoiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9In19fQ=='
base64 -d <<<"$docker_cfg_b64"

返回

{"auths":{"192.168.1.20":{"username":"admin","password":"Harbor12345","email":"www.baidu.com","auth":"YWRtaW46SGFyYm9yMTIzNDU="}}}

 

三. kubernetes.io/service-account-token

Service Account概念的引入是基于这样的使用场景:

     运行在pod里的进程需要调用Kubernetes API以及非Kubernetes API的其它服务。

     Service Account它并不是给kubernetes集群的用户使用的,而是给pod里面的进程使用的,它为pod提供必要的身份认证

如果kubernetes开启了ServiceAccount,那么会在每个namespace下面都会创建一个默认的default的sa

[root@k8s-master01 ~]# kubectl get sa --all-namespaces
NAMESPACE         NAME                         SECRETS   AGE
default           default                      1         46d
kube-node-lease   default                      1         46d
kube-public       default                      1         46d
kube-system       default                      1         46d  #这4个都是
kube-system       flannel                      1         46d

查看yaml

#每个 sa 都会关联一个 token Secret;里面的 token 是签名过的 JWT,并不是加密的,谁拿到它谁就拥有这个 sa 的权限
[root@k8s-master01 ~]# kubectl get sa  default  -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2020-12-10T03:05:44Z"
  name: default
  namespace: default
  resourceVersion: "250"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 62a5753c-cb7a-436c-bdcc-de5ebca75063

secrets:             
- name: default-token-z6w8t     #这里引用的是 default 这个 sa 对应的 token Secret(名称带随机后缀)

#当用户在 default(或其他 namespace)下创建 pod 且没有指定 serviceAccountName 时,都会默认使用这个 sa;需要不同权限的工作负载应该各自创建专用的 sa,而不是共用 default

 测试

# Create a Deployment without specifying serviceAccountName: its Pods get the namespace's `default` sa
kubectl create deployment web --image=nginx:1.15

#查看
[root@k8s-master01 ~]# kubectl get pod
NAME                   READY   STATUS    RESTARTS   AGE
web-7d9697b7f8-gjtwg   1/1     Running   0          24s


# Inspect the Pod: look for serviceAccountName and the automatically added token volume / volumeMount
kubectl get pod web-7d9697b7f8-gjtwg  -o yaml

#查看default下默认的secret
[root@k8s-master01 ~]# kubectl get secret default-token-z6w8t -o yaml
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVV1IzUVZCNW5PT0JPUjdrb1BzQ0xsV2cxV3E0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFXcHBibWN4RURBT0JnTlZCQWNUQjBKbAphV3BwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEl3TVRJeE1EQXlNall3TUZvWERUSTFNVEl3T1RBeU1qWXdNRm93WlRFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFXcHBibWN4RURBT0JnTlZCQWNUQjBKbGFXcHBibWN4RERBSwpCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByZFdKbGNtNWxkR1Z6Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdW9HZUJMVmgvVHNyMC9lVU9HSmcKUEF1RDl5UTZHeVpNNXNSMVY1ck9QYmZkUmlhQk5Mc2dqcHBzUFYyYXkydUpBYzhLS1RrME0rQkZKZ3BMV2ZiVgplMjZEamZmTW9mdXUrTkprVnhoMXNrOXpjKzc4VnVyUzJyYnQzVXBqRkprU0w5a21LVjArbXZxcjJQWXl1ZnJIClQ3anJ0NXFoK3dSZzIxdlI1c0RCUFB2K1VmaWIwVGxVU0pydDNaeXM2aE54UlhOWk9XeUNEVGFXa1JpdGVCMVMKZVNtOG1LUFJ2MWRmYWhPcUVHWXMyUXA5ejZiVzVUVjJ6YmlmejN3enRXbWtIWjc2ak1wMkxiRTl4WXprem5OSApwb05wcFpTWDFXaGhsVUlEdDgxUnVQdDIwQkl4dXZtYVFLWWdzemhTYTQ2cHVoU0FZYnhxaGRsWEdIdUVnQ2QrClN3SURBUUFCbzJZd1pEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFqQWQKQmdOVkhRNEVGZ1FVcFM1QlNYUk1iKzVaZG42MXFlZ284aE1teDMwd0h3WURWUjBqQkJnd0ZvQVVwUzVCU1hSTQpiKzVaZG42MXFlZ284aE1teDMwd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFFTHRxdlVkWnVTbWdOZm9jRHJSCnF1Z1hhbzVFcHpqcWNheFJKNEROVWtXMDBDV2hrY2NNS3A4eUlCSEtmQW5mT2xtR3JNd1hvMGw4dzRvRGl6WEoKUnJVRWhFcnNYVXlkV3hWb2tQZmM4Rk52aVJkc3ExaUFwTzdRa2V3SE85UFl6azV2dkFXR0pGUytPZDV6ZWoxVApBOWg0K1RSN3hHMldJa2dNYnVwdFlaT2NSY1ZNL2FPUmxmVGJMN0p1VzV6WHQ1QVFxRExLUzUzOWFxOGxieDgzCmVGWE9YT2RuTExIREFZd1R2bG92MGFJcEtqdVZhcnBBc04vUXJrMk9lUUFST3RzNXlZbWkycnl1L0FZOFVDU1EKdFVkWkowbnZub2RGbmhSQmF0TkpPQjZrNzVpRU00azJ5VHJsZkVwcmNhSDMrOVNwNmhNeGtVQkhyektqN1BTTQpwOGs9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  namespace: ZGVmYXVsdA==
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNkltOXhaekZ0WTJvdFVGRXpSWGhTVkdkRlltMTNTR1Z0TVZvdFZXYzVSVFozY2pGbGVWQldXazgxYlZVaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbVJsWm1GMWJIUXRkRzlyWlc0dGVqWjNPSFFpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1dVlXMWxJam9pWkdWbVlYVnNkQ0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG5WcFpDSTZJall5WVRVM05UTmpMV05pTjJFdE5ETTJZeTFpWkdOakxXUmxOV1ZpWTJFM05UQTJNeUlzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwa1pXWmhkV3gwT21SbFptRjFiSFFpZlEuRFdOQVo5ZDF1eVh0aWYzZnRaZExacXF0aHlDcW1TRkw2c2dFUDg0TjlhbDNYcl9HalVGaUp5d25zMjVHb2QxOVN1c0VyMHY1V21LN0JQelNOc1AtQ3F5SzVPVVFKcm4zT1VWcU1rLTdUcEpMeDQ5Z1B3czl2Sk9rMzN1OTdKQUVfS0VrZWtPaGdwTHNINVItTEU2a0NJMGdvSzVYVmRjMFlNdWx3S0lEVEFHeUxWMUphaVV6SU5Pal9wbUFLRG0tdGVLMXdQREN3V2RPTDVibVY2S0N6RWxVSWpPNkY1UE5pVVFNdl9xVWJBVnZGWmtacmtYc2tCelU4VnJ5M1QwbXVNRjF4T1JyOEdkVXByRS0yWV84cWh4cFVUUUxyUXZPNGoyQ1ZjQmFzSjFRek5kZ3dhYTh2OXRYeExFUTJSemVwNno3TGh4UWVpeGZMbHNTdmQxMjVR
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: 62a5753c-cb7a-436c-bdcc-de5ebca75063
  creationTimestamp: "2020-12-10T03:05:44Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ca.crt: {}
        f:namespace: {}
        f:token: {}
      f:metadata:
        f:annotations:
          .: {}
          f:kubernetes.io/service-account.name: {}
          f:kubernetes.io/service-account.uid: {}
      f:type: {}
    manager: kube-controller-manager
    operation: Update
    time: "2020-12-10T03:05:44Z"
  name: default-token-z6w8t
  namespace: default
  resourceVersion: "248"
  selfLink: /api/v1/namespaces/default/secrets/default-token-z6w8t
  uid: 958bd1ce-abef-420c-a2cd-470153221b0a
type: kubernetes.io/service-account-token

测试

root@web-7d9697b7f8-gjtwg:/# ls -l  /var/run/secrets/kubernetes.io/serviceaccount/
total 0
lrwxrwxrwx. 1 root root 13 Jan 25 08:34 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root 16 Jan 25 08:34 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root 12 Jan 25 08:34 token -> ..data/token

#可以看到(ca.crt、namespace、token)放到容器内了
#那么这个容器就可以拿着这个 token 通过 https 访问 apiserver 了,权限就是该 sa 绑定的 RBAC 权限。反过来说,容器一旦被攻破,攻击者也就拿到了这个 token;不需要访问 API 的 Pod 建议在 Pod 或 sa 上设置 automountServiceAccountToken: false。

 

 
