Author's note: this post is only my own study record and has no reference value.

Kubernetes Secret experiments. Note: this is my experiment log, not a tutorial, and it will be updated from time to time.
## Environment

```
# kubectl get node
NAME         STATUS   ROLES    AGE   VERSION
edge-node    Ready    <none>   15m   v1.17.0
edge-node2   Ready    <none>   16m   v1.17.0
ubuntu       Ready    master   67d   v1.17.0
```
## Secret

There are three types of Secret:

- Opaque: a base64-encoded Secret, used to store passwords, keys and the like. The stored data can be decoded with `base64 --decode` to recover the original value, so the protection it offers is very weak.
- kubernetes.io/dockerconfigjson: stores the credentials for a private Docker registry.
- kubernetes.io/service-account-token: referenced by a ServiceAccount; when a ServiceAccount is created, Kubernetes creates the corresponding Secret by default. If a Pod uses that ServiceAccount, the corresponding Secret is automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount.
Technical summary: it seems the sensitive text can still be recovered, so how is this meant to be used in practice?
## Specifying values on the command line

```
kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password=S\!B\\*d\$zDsb
```
Note: special characters (for example `$`, `\`, `*` and `!`) must be escaped with `\`. The password here is `S!B\*d$zDsb`.
## Creating from files

```
echo -n 'admin' > ./username.txt
echo -n '1f2d1e2e67df' > ./password.txt
```
Create:

```
kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
```
```
kubectl get secrets
# output
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      26s
default-token-5qgw2   kubernetes.io/service-account-token   3      70d
```
Show details:

```
kubectl describe secrets/db-user-pass
```
Decode the secret:

```
kubectl get secret db-user-pass -o yaml
# output:
data:
  password.txt: MWYyZDFlMmU2N2Rm
  username.txt: YWRtaW4=
kind: Secret
```
Decode the base64:

```
echo 'YWRtaW4=' | base64 --decode
admin
```
## Configuration file

```
echo -n 'admin' | base64
YWRtaW4=
echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
```
The secret.yaml file:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
```
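The following is an added example (not code from the original post): it builds the same Opaque Secret manifest as secret.yaml above from plain values, decodes it back the way `kubectl get secret -o yaml` plus `base64 --decode` does, and shows why the post uses `echo -n` (a trailing newline changes the stored value). The function names are my own.

```python
# Added example: Opaque Secret round trip. base64 is encoding, not encryption,
# so anyone who can read the Secret object recovers the plaintext without a key.
import base64


def encode_value(value: str) -> str:
    """base64 of the raw bytes, no trailing newline (what `echo -n ... | base64` gives)."""
    return base64.b64encode(value.encode()).decode("ascii")


def decode_value(encoded: str) -> str:
    """Reverse of encode_value (what `echo ... | base64 --decode` gives)."""
    return base64.b64decode(encoded).decode()


def build_opaque_secret(name: str, literals: dict) -> dict:
    """Equivalent of secret.yaml: type Opaque, every data value base64-encoded."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {k: encode_value(v) for k, v in literals.items()},
    }


def decode_secret(manifest: dict) -> dict:
    """Plaintext view of a Secret manifest, as an operator with read access sees it."""
    return {k: decode_value(v) for k, v in manifest.get("data", {}).items()}


def trailing_newline_differs(value: str) -> bool:
    """True when `echo` (without -n) would store a different value than `echo -n`."""
    return encode_value(value) != encode_value(value + "\n")


if __name__ == "__main__":
    secret = build_opaque_secret("mysecret", {"username": "admin", "password": "1f2d1e2e67df"})
    print(secret["data"])         # {'username': 'YWRtaW4=', 'password': 'MWYyZDFlMmU2N2Rm'}
    print(decode_secret(secret))  # plaintext back, no key needed
    # the dev-db-secret password from the post with the shell escapes removed
    dev = build_opaque_secret("dev-db-secret", {"username": "devuser", "password": "S!B\\*d$zDsb"})
    print(decode_secret(dev)["password"])
    print(trailing_newline_differs("admin"))  # True: 'YWRtaW4=' vs 'YWRtaW4K'
```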
Create:

```
kubectl apply -f secret.yaml
```

Edit:

```
kubectl edit secrets mysecret
```
Mount the Secret into a Pod, busybox-pod.yaml:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
```
Create, inspect, delete:

```
kubectl apply -f busybox-pod.yaml
kubectl exec -it busybox-pod -- cat /etc/foo/username
kubectl delete -f busybox-pod.yaml
```
Environment-variable form, busybox-pod1.yaml:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
```
Create, inspect, delete:

```
kubectl apply -f busybox-pod1.yaml
kubectl exec -it busybox-pod -- env
kubectl delete -f busybox-pod1.yaml
```
TODO: move the other files.
## kubernetes.io/service-account-token

List the current ServiceAccounts:

```
# kubectl get serviceAccounts    # or: kubectl get sa
NAME      SECRETS   AGE
default   1         75d
```
Every Pod gets a default Secret; check the ServiceAccount of the Pod that was running above:

```
# kubectl get pod busybox-pod -o yaml | grep serviceAccountName
  serviceAccountName: default
# kubectl describe pod busybox-pod | grep SecretName
    SecretName:  mysecret
    SecretName:  default-token-5qgw2
# kubectl get secret    # list the system default secret
NAME                  TYPE                                  DATA   AGE
default-token-5qgw2   kubernetes.io/service-account-token   3      75d
```
serviceaccount.yaml:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: null
  name: mysa
```
Create:

```
kubectl apply -f serviceaccount.yaml
```

Inspect:

```
kubectl get sa mysa -o yaml
kubectl describe sa mysa
```

List the Secrets:

```
kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-5qgw2   kubernetes.io/service-account-token   3      75d
mysa-token-dkt5p      kubernetes.io/service-account-token   3      2m50s
```
Delete the Pod above and create a new one that uses the new ServiceAccount:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
  serviceAccountName: mysa
```
Create:

```
kubectl apply -f busybox-pod.yaml
```

```
kubectl describe pod busybox-pod
```