k8s learning (17): Secret (keys)

Why Secrets exist

Secrets solve the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in the image or in the Pod spec. A Secret can be consumed either as a Volume or as environment variables.

There are three types of Secret:

  • Service Account: used to access the Kubernetes API; created automatically by Kubernetes and automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount

  • Opaque: a Secret whose values are base64-encoded, used to store passwords, keys and similar data

  • kubernetes.io/dockerconfigjson: stores the credentials for a private Docker registry

Service Account

A Service Account is used to access the Kubernetes API. It is created automatically by Kubernetes and automatically mounted into the Pod's /run/secrets/kubernetes.io/serviceaccount directory.

$ kubectl run nginx --image nginx
deployment "nginx" created
$ kubectl get pods
$ kubectl exec nginx-xxxx ls /run/secrets/kubernetes.io/service

If you enter the container with /bin/sh here you will find that this directory does not exist, because this Pod does not interact with the Kubernetes API.

You can instead look inside a Pod in the kube-system namespace (-n kube-system):

[root@k8s-master ~]# kubectl get pods -n kube-system
NAME                                 READY   STATUS    RESTARTS   AGE
coredns-5c98db65d4-gh2qc             1/1     Running   5          5d6h
coredns-5c98db65d4-pczm8             1/1     Running   5          5d6h
etcd-k8s-master                      1/1     Running   5          5d6h
kube-apiserver-k8s-master            1/1     Running   5          5d6h
kube-controller-manager-k8s-master   1/1     Running   11         5d6h
kube-flannel-ds-amd64-2lrvk          1/1     Running   6          5d6h
kube-flannel-ds-amd64-bst48          1/1     Running   5          5d6h
kube-flannel-ds-amd64-jdqq8          1/1     Running   5          5d6h
kube-proxy-dm5p6                     1/1     Running   4          5d6h
kube-proxy-dwdvl                     1/1     Running   5          5d6h
kube-proxy-qhst5                     1/1     Running   5          5d6h
kube-scheduler-k8s-master            1/1     Running   10         5d6h
[root@k8s-master ~]# kubectl exec kube-proxy-dm5p6 -n kube-system ls /run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token

Service Account Secrets are not commonly used directly.

Opaque Secret

1 Creating one

Opaque data is a map whose values must be base64-encoded:

$ echo -n "admin" | base64
YWRtaW4=
$ echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm

base64 encoding only looks like encryption; the value can be decoded with echo -n "YWRtaW4=" | base64 -d

secrets.yaml

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
# create
[root@k8s-master ~]# kubectl apply -f secrets.yaml
secret/mysecret created
# view
[root@k8s-master ~]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      22h
default-token-89jrq   kubernetes.io/service-account-token   3      5d7h
mysecret              Opaque                                2      3s
tls-secret            kubernetes.io/tls                     2      22h

By default, every namespace has a default-token Secret.

2 Ways to use it

a Mounting the Secret as a Volume

apiVersion: v1
kind: Pod
metadata:
  name: secret-test
  labels:
    name: secret-test
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
  containers:
  - name: db
    image: hub.test.com/library/myapp:v1
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
# create
[root@k8s-master secret]# kubectl create -f pod.yaml
pod/secret-test created
# view
[root@k8s-master secret]# kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
secret-test   1/1     Running   0          3s
# look inside the container
[root@k8s-master secret]# kubectl exec -it secret-test -- /bin/sh
/ # cd /etc/secrets/
/etc/secrets # ls
password  username
/etc/secrets # cat *
1f2d1e2e67dfadmin

The values were base64-encoded when the Secret was created, but inside the container the decoded data is what the application sees.
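The following added example is not part of the original post. It is a small POSIX shell script that ties together the two points made above: base64 is reversible encoding rather than encryption (and a trailing newline from a plain echo changes the encoded value, which is why echo -n is used), and a mounted Secret becomes one file per key holding the decoded value with no trailing newline, which is why cat * in the session above prints 1f2d1e2e67dfadmin with the two values run together. It assumes GNU coreutils base64 -d and the flat manifest layout of secrets.yaml; the function names, the decode_secret_data awk parser and the sample manifest are my own constructions, not kubectl or project code.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils base64
# and a flat Secret manifest like secrets.yaml above.

# Encode without a trailing newline, exactly what "echo -n ... | base64" does.
b64enc() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Decode; anyone allowed to "kubectl get secret" can do the same.
b64dec() { printf '%s' "$1" | base64 -d; }

# Print "key<TAB>decoded-value" for every entry under data: in a manifest.
# The awk parser is a hypothetical helper that only understands the flat,
# two-space-indented layout used in this post.
decode_secret_data() {
  awk '
    /^data:/             { in_data = 1; next }
    /^[^ ]/              { in_data = 0 }
    in_data && /^  [^ ]/ {
      key = $1; sub(/:$/, "", key)
      cmd = "printf %s " $2 " | base64 -d"
      cmd | getline plain; close(cmd)
      printf "%s\t%s\n", key, plain
    }' "$1"
}

# Mimic the secret volume: one file per key, decoded value, no newline,
# readable only by the owner.
project_secret_to_dir() {
  mkdir -p "$2"
  decode_secret_data "$1" | while IFS="$(printf '\t')" read -r key plain; do
    printf '%s' "$plain" > "$2/$key"
    chmod 0400 "$2/$key"
  done
}

# Constructed sample manifest with the same values as secrets.yaml above.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
EOF
}

# Walk-through: decode the manifest, project it like the volume mount,
# and show why "cat *" concatenates the values.
main() {
  m=$(mktemp); d=$(mktemp -d)
  write_sample_manifest "$m"
  echo "encoded with newline:    $(printf '%s\n' admin | base64)"
  echo "encoded without newline: $(b64enc admin)"
  echo "decoded keys:"; decode_secret_data "$m"
  project_secret_to_dir "$m" "$d"
  echo "cat * in the mounted dir gives: $(cat "$d"/*)"
  rm -rf "$m" "$d"
}

case "${1:-}" in demo) main ;; esac
```

Run it as sh secret-demo.sh demo to see the projected files. Against a real cluster the same check is kubectl get secret mysecret -o yaml piped into decode_secret_data, and being able to run that is exactly what RBAC on the secrets resource controls; base64 contributes no protection.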

b Exposing the Secret as environment variables

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deploy-test
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: pod-deploy
    spec:
      containers:
      - name: pod-1
        image: hub.test.com/library/myapp:v1
        ports:
        - name: http
          containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
# create
[root@k8s-master secret]# kubectl apply -f deploy-env.yaml
deployment.extensions/deploy-test created
# view
[root@k8s-master secret]# kubectl get pods
NAME                           READY   STATUS    RESTARTS   AGE
deploy-test-869f8f7bc4-d8ltv   1/1     Running   0          3s
secret-test                    1/1     Running   0          12m
[root@k8s-master secret]# kubectl exec deploy-test-869f8f7bc4-d8ltv -it -- /bin/sh
/ # echo $TEST_PASSWORD $TEST_USER
1f2d1e2e67df admin

kubernetes.io/dockerconfigjson

Create a Secret for Docker registry authentication with kubectl:

$ kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
secret "myregistrykey" created.

When creating a Pod, reference the newly created myregistrykey via imagePullSecrets.

For example:

$ kubectl create secret docker-registry myregistrykey --docker-server=hub.test.com --docker-username=admin --docker-password=Harbor12345 --docker-email=admin@123.com

Set the Harbor repository to private.


Create pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: pod-registry-test
spec:
  containers:
  - name: foo
    image: hub.test.com/private/myapp:v1
  imagePullSecrets:
  - name: myregistrykey
[root@k8s-master registry]# kubectl create -f pod.yaml
pod/pod-registry-test created
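As an added example (not from the original post and not kubectl's own code), the following shell script reproduces what the kubectl create secret docker-registry command above stores, so the contents can be inspected offline: the Secret has a single key, .dockerconfigjson, whose value is base64 of a Docker config.json, and the "auth" field inside that JSON is only base64 of "user:password". The function names are my own; the script assumes GNU coreutils base64 and credential values containing no quotes or backslashes, since it does no JSON escaping. The hub.test.com / admin / Harbor12345 values from the example above are used as constructed input.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the same content that
# "kubectl create secret docker-registry" stores and shows it is recoverable.
# Assumes GNU coreutils base64; no JSON escaping is performed.

# The "auth" field of a Docker config.json: base64 of "user:password".
docker_auth_token() { printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'; }

# Build the config.json body. Arguments: server user password email.
make_dockerconfigjson() {
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$4" "$(docker_auth_token "$2" "$3")"
}

# Render the Secret manifest equivalent to the kubectl one-liner.
# Arguments: secret-name server user password email.
make_registry_secret_manifest() {
  name=$1; shift
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(make_dockerconfigjson "$@" | base64 | tr -d '\n')
EOF
}

# Reverse path: given the manifest, recover the registry password. This is
# what any principal allowed to read the Secret can do.
registry_password_from_manifest() {
  sed -n 's/^  \.dockerconfigjson: //p' "$1" | base64 -d \
    | sed 's/.*"password":"\([^"]*\)".*/\1/'
}

# Walk-through with the values from the post (constructed input).
main() {
  m=$(mktemp)
  make_registry_secret_manifest myregistrykey hub.test.com admin Harbor12345 admin@123.com > "$m"
  echo "manifest:"; cat "$m"
  echo "decoded config.json:"
  sed -n 's/^  \.dockerconfigjson: //p' "$m" | base64 -d; echo
  echo "recovered password: $(registry_password_from_manifest "$m")"
  rm -f "$m"
}

case "${1:-}" in demo) main ;; esac
```

The practical point: the registry password is fully recoverable by anyone allowed to read the Secret (kubectl get secret myregistrykey -o yaml), so the protection comes from RBAC on the secrets resource and from creating the Secret with a registry account limited to pull rights rather than the admin account.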