39. Storage: Secret (1)
Published: 2023-01-01 00:53:28  Editor: 雪饮
Step 1
Some of the official pods, or more precisely any pod that needs to access the API (meaning the apiServer), carries a service account (sa).
Let's pick one of the kube-proxy pods here at random.
[root@k8s-master01 configmap]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-5c98db65d4-6kdwt 0/1 Running 41 3h25m
coredns-699cc4c4cb-d4wjw 0/1 CrashLoopBackOff 459 18d
coredns-699cc4c4cb-kt7rb 0/1 Running 462 18d
etcd-k8s-master01 1/1 Running 15 18d
kube-apiserver-k8s-master01 1/1 Running 17 18d
kube-controller-manager-k8s-master01 1/1 Running 19 18d
kube-flannel-ds-amd64-5nncq 1/1 Running 6 4d
kube-flannel-ds-amd64-7jgqg 1/1 Running 7 4d
kube-flannel-ds-amd64-xsq8h 1/1 Running 7 4d
kube-proxy-4lwzp 1/1 Running 15 18d
kube-proxy-m6bsz 1/1 Running 16 18d
kube-proxy-xqhhg 1/1 Running 15 18d
kube-scheduler-k8s-master01 1/1 Running 19 18d
After exec'ing into it you can see a certificate, a namespace and a token:
[root@k8s-master01 configmap]# kubectl exec kube-proxy-4lwzp -n kube-system -it -- /bin/sh
# ls /run/secrets/kubernetes.io/serviceaccount
ca.crt namespace token
This is the certificate; it seems to be the certificate for some kind of mutual authentication.
# cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
This is the namespace the pod currently lives in:
# cat /run/secrets/kubernetes.io/serviceaccount/namespace
kube-system
#
The token is the authentication credential:
# cat /run/secrets/kubernetes.io/serviceaccount/token
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlLXByb3h5LXRva2VuLWc0N2M1Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Imt1YmUtcHJveHkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmZGY5YWU5MS03Mzg0LTQ0NzYtOWNkYS1hZmZmOTk2Nzc5MzciLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06a3ViZS1wcm94eSJ9.voSwp99YjTjGoLRldaKoHklAFocssChj4FIrNyjgyFayV0OouvheTo-O0TzM-myukVcZkKGAL2oGMbuzkMexN5u2-tUtIvb3jloZfUN8wvKSOaW3ZTxBqyP6ALKcDyJui6-ttY9yOEiiVzOOmj9JOQ3iqNlSZxF8dUixlYRfjI1v6Sdj4c9TD9HS9qnWAeu5yqJDpjHLCT3B8mZomw6fIoR5-EKbvyk38dyT5FtUE8NutjUg9Ota7YcrmqBm-MEmJUOWbOHbYD-lC1gAfB4591iOyVBptJVcJd-d8pcOpw8XrwIVonukqpGLvvhz_oXH8gMiMCPXgw4NWqxjCKBmQQ
#
These three files together make up our sa (service account).
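As an added example (not part of the original post), here is what those three files are for and how to read the token. ca.crt is the cluster CA certificate the pod uses to verify the apiserver's TLS certificate, namespace is the pod's own namespace, and token is a JWT bearer token the pod presents to the apiserver to prove which service account it is. The Python below decodes the claims of the token printed above; it only reads the claims and does not verify the signature, which would need the apiserver's public signing key.

```python
import base64
import json

# The kube-proxy service-account token from the `cat .../token` output above
# (copied from the page; it is a legacy, secret-backed service-account JWT).
SA_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9."
    "eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlLXByb3h5LXRva2VuLWc0N2M1Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Imt1YmUtcHJveHkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmZGY5YWU5MS03Mzg0LTQ0NzYtOWNkYS1hZmZmOTk2Nzc5MzciLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06a3ViZS1wcm94eSJ9."
    "voSwp99YjTjGoLRldaKoHklAFocssChj4FIrNyjgyFayV0OouvheTo-O0TzM-myukVcZkKGAL2oGMbuzkMexN5u2-tUtIvb3jloZfUN8wvKSOaW3ZTxBqyP6ALKcDyJui6-ttY9yOEiiVzOOmj9JOQ3iqNlSZxF8dUixlYRfjI1v6Sdj4c9TD9HS9qnWAeu5yqJDpjHLCT3B8mZomw6fIoR5-EKbvyk38dyT5FtUE8NutjUg9Ota7YcrmqBm-MEmJUOWbOHbYD-lC1gAfB4591iOyVBptJVcJd-d8pcOpw8XrwIVonukqpGLvvhz_oXH8gMiMCPXgw4NWqxjCKBmQQ"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_parts(token: str) -> tuple:
    """Split a compact JWT into (header, claims, raw_signature).

    The signature is returned as-is and is NOT verified: verification needs the
    apiserver's public signing key, which a pod does not have. Treat the claims as
    informational until the apiserver has accepted the token.
    """
    pieces = token.strip().split(".")
    if len(pieces) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header_b64, payload_b64, signature_b64 = pieces
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    return header, claims, signature_b64


def sa_identity(token: str) -> dict:
    """Summarise which service account a Kubernetes SA token speaks for."""
    _header, claims, _sig = jwt_parts(token)
    return {
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
        "secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
        # Legacy secret-backed tokens carry no "exp"; bound tokens from the TokenRequest API do.
        "expires": claims.get("exp"),
    }


if __name__ == "__main__":
    for key, value in sa_identity(SA_TOKEN).items():
        print(f"{key:16} {value}")
```

The secret.name claim, kube-proxy-token-g47c5, is the same Secret that shows up further down in `kubectl get secret -n kube-system`. Note that there is no exp claim: a legacy secret-backed token never expires, so one that leaks stays valid until the Secret is deleted, which is why newer clusters hand pods short-lived bound tokens instead.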
Step 2
echo -n means the content is printed without a trailing newline.
Next, if we want to base64-encode something on Linux, a command like this is all it takes:
[root@k8s-master01 configmap]# echo -n "admin" | base64
YWRtaW4=
Here we encoded a hypothetical username, admin.
Likewise, suppose the password is 1f2d1e2e67df; encode it too:
[root@k8s-master01 configmap]# echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm
Of course, base64 is reversible:
[root@k8s-master01 configmap]# echo -n "YWRtaW4=" | base64 -d
admin
And that decodes it right back.
Based on this we can create a secret:
[root@k8s-master01 configmap]# cat sec.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  # values under data: are the base64 strings produced above
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
[root@k8s-master01 configmap]# kubectl apply -f sec.yaml
secret/mysecret created
[root@k8s-master01 configmap]# kubectl get secret
NAME TYPE DATA AGE
basic-auth Opaque 1 2d1h
default-token-d8kh2 kubernetes.io/service-account-token 3 18d
mysecret Opaque 2 51s
tls-secret kubernetes.io/tls 2 2d2h
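An added example, not from the original post: the encode/decode steps above and the sec.yaml manifest, done in Python so the round trip is explicit. It also shows the classic slip the author's echo -n avoids: a plain echo appends a newline, and that newline ends up inside the secret value. Keep in mind that base64 is an encoding, not encryption: anyone allowed to `get` the Secret, or to read etcd, recovers the plaintext with one `base64 -d`, so RBAC on Secrets and encryption at rest in etcd are what actually protect the value.

```python
import base64


def encode_value(value: str) -> str:
    """Same result as `echo -n "<value>" | base64`: UTF-8 bytes, standard base64, no newline."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_value(encoded: str) -> str:
    """Same result as `echo -n "<encoded>" | base64 -d`."""
    return base64.b64decode(encoded).decode("utf-8")


def has_stray_newline(encoded: str) -> bool:
    """True when the value was encoded with a plain `echo` (no -n) and carries a trailing '\\n'.

    Such a value looks fine in `kubectl get secret` but breaks logins, because the
    application receives 'admin\\n' instead of 'admin'.
    """
    return base64.b64decode(encoded).endswith(b"\n")


def secret_manifest(name: str, values: dict, plaintext: bool = False) -> str:
    """Render an Opaque Secret like sec.yaml from plaintext key/values.

    plaintext=False writes base64 under `data:` (what the page does by hand);
    plaintext=True writes the raw strings under `stringData:` and lets the apiserver
    encode them, which avoids the echo/newline mistake entirely.
    """
    lines = ["apiVersion: v1", "kind: Secret", "metadata:", f"  name: {name}", "type: Opaque"]
    if plaintext:
        lines.append("stringData:")
        lines += [f"  {key}: {values[key]}" for key in sorted(values)]
    else:
        lines.append("data:")
        lines += [f"  {key}: {encode_value(values[key])}" for key in sorted(values)]
    return "\n".join(lines) + "\n"


def decode_manifest_data(data: dict) -> dict:
    """Recover plaintext from a Secret's `data:` map, as `kubectl get secret -o json` returns it."""
    return {key: decode_value(encoded) for key, encoded in data.items()}


if __name__ == "__main__":
    # Constructed sample values, the same ones used on the page.
    creds = {"username": "admin", "password": "1f2d1e2e67df"}
    print(secret_manifest("mysecret", creds))
    print(decode_manifest_data({"username": "YWRtaW4=", "password": "MWYyZDFlMmU2N2Rm"}))
```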
You can also see a default-token secret here. This secret actually exists in every namespace; the one shown here belongs to the default namespace.
For example, here:
[root@k8s-master01 configmap]# kubectl get secret -n kube-system
NAME TYPE DATA AGE
attachdetach-controller-token-h789p kubernetes.io/service-account-token 3 18d
bootstrap-signer-token-lgpj2 kubernetes.io/service-account-token 3 18d
certificate-controller-token-xznft kubernetes.io/service-account-token 3 18d
clusterrole-aggregation-controller-token-jxcnr kubernetes.io/service-account-token 3 18d
coredns-token-zkxx5 kubernetes.io/service-account-token 3 18d
cronjob-controller-token-w5pqp kubernetes.io/service-account-token 3 18d
daemon-set-controller-token-jxzz8 kubernetes.io/service-account-token 3 18d
default-token-wv9kz kubernetes.io/service-account-token 3 18d
deployment-controller-token-p5gfb kubernetes.io/service-account-token 3 18d
disruption-controller-token-xhhnc kubernetes.io/service-account-token 3 18d
endpoint-controller-token-mqxc7 kubernetes.io/service-account-token 3 18d
expand-controller-token-rl2jt kubernetes.io/service-account-token 3 18d
flannel-token-lqgc4 kubernetes.io/service-account-token 3 18d
generic-garbage-collector-token-zlfdl kubernetes.io/service-account-token 3 18d
horizontal-pod-autoscaler-token-kgncw kubernetes.io/service-account-token 3 18d
job-controller-token-qt67t kubernetes.io/service-account-token 3 18d
kube-proxy-token-g47c5 kubernetes.io/service-account-token 3 18d
namespace-controller-token-vbxd7 kubernetes.io/service-account-token 3 18d
node-controller-token-fdzt7 kubernetes.io/service-account-token 3 18d
persistent-volume-binder-token-mkdbj kubernetes.io/service-account-token 3 18d
pod-garbage-collector-token-pqcwz kubernetes.io/service-account-token 3 18d
pv-protection-controller-token-m45ng kubernetes.io/service-account-token 3 18d
pvc-protection-controller-token-xk8bg kubernetes.io/service-account-token 3 18d
replicaset-controller-token-znpwh kubernetes.io/service-account-token 3 18d
replication-controller-token-4ff4v kubernetes.io/service-account-token 3 18d
resourcequota-controller-token-j2skg kubernetes.io/service-account-token 3 18d
service-account-controller-token-th8hf kubernetes.io/service-account-token 3 18d
service-controller-token-62r76 kubernetes.io/service-account-token 3 18d
statefulset-controller-token-qwv8p kubernetes.io/service-account-token 3 18d
token-cleaner-token-bmxlg kubernetes.io/service-account-token 3 18d
ttl-controller-token-75s62 kubernetes.io/service-account-token 3 18d
So k8s creates a service account in every namespace by default, for our pods to mount.
Next we mount the secret we just created into a volume (that is, mount it into a pod):
[root@k8s-master01 configmap]# cat pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: seret-test
  name: seret-test
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret      # the Secret created from sec.yaml
  containers:
  - image: wangyanglinux/myapp:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets" # one file per key: /etc/secrets/username, /etc/secrets/password
      readOnly: true
[root@k8s-master01 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
my-nginx-7b55868ff4-ld9v8 1/1 Running 0 6h16m
seret-test 1/1 Running 0 74s
You can see that once mounted, the file contents are plaintext:
[root@k8s-master01 configmap]# kubectl exec seret-test -it -- /bin/sh
/ # ls /etc/secrets
password username
/ # cat /etc/secrets/password
1f2d1e2e67df
/ # cat /etc/secrets/username
admin
/ #
Already decoded.
Step 3
First clean up the pods:
[root@k8s-master01 configmap]# kubectl delete pod --all
pod "my-nginx-7b55868ff4-ld9v8" deleted
pod "seret-test" deleted
Next we take the secret created earlier and, instead of mounting it into a volume as in Step 2, inject it into the pod's environment variables:
[root@k8s-master01 configmap]# cat env.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
      - name: pod-1
        image: wangyanglinux/myapp:v1
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER          # env var name inside the container
          valueFrom:
            secretKeyRef:
              name: mysecret       # the Secret
              key: username        # which key of the Secret
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
[root@k8s-master01 configmap]# kubectl apply -f env.yaml
deployment.extensions/pod-deployment created
The environment variable names injected into the pod are TEST_USER and TEST_PASSWORD; they come from the username key and the password key of the secret mysecret, respectively.
[root@k8s-master01 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
my-nginx-7b55868ff4-vlwrm 1/1 Running 0 13m
pod-deployment-747f78bc67-7pvbp 1/1 Running 0 99s
pod-deployment-747f78bc67-wq8sr 1/1 Running 0 99s
Because this is deployed as a Deployment, we can pick any one of its pods and exec into it.
You can see the values come out as plaintext here as well:
[root@k8s-master01 configmap]# kubectl exec pod-deployment-747f78bc67-7pvbp -it -- /bin/sh
/ # echo $TEST_USER
admin
/ # echo $TEST_PASSWORD
1f2d1e2e67df
/ #
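Steps 2 and 3 show the two ways a pod receives Secret data, and from a defender's point of view they are not equivalent. As an added example (not part of the original post), the Python below takes the pod spec from pod1.yaml and the pod template from env.yaml, transcribed as dicts, and lists where each container gets Secret data and how; it then produces review warnings: environment variables are readable from /proc/<pid>/environ, are inherited by every child process, and are fixed at container start, so a rotated Secret only takes effect after a restart, whereas a Secret volume is refreshed by the kubelet unless the mount uses subPath. The automountServiceAccountToken check ties back to the default-token secret seen in every namespace above. The warning texts and the `review` function are my own checklist, not a Kubernetes API.

```python
# Pod specs transcribed from pod1.yaml (volume mount) and env.yaml (env vars) above.
POD1_SPEC = {
    "volumes": [{"name": "secrets", "secret": {"secretName": "mysecret"}}],
    "containers": [{
        "name": "db", "image": "wangyanglinux/myapp:v1",
        "volumeMounts": [{"name": "secrets", "mountPath": "/etc/secrets", "readOnly": True}],
    }],
}
ENV_SPEC = {  # .spec.template.spec of the Deployment in env.yaml
    "containers": [{
        "name": "pod-1", "image": "wangyanglinux/myapp:v1",
        "env": [
            {"name": "TEST_USER", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
            {"name": "TEST_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
        ],
    }],
}


def secret_volumes(spec: dict) -> dict:
    """Map volume name -> Secret name(s) for volumes backed by Secrets (plain or projected)."""
    out = {}
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            out[vol["name"]] = vol["secret"]["secretName"]
        elif "projected" in vol:
            names = [s["secret"]["name"] for s in vol["projected"].get("sources", []) if "secret" in s]
            if names:
                out[vol["name"]] = ",".join(names)
    return out


def secret_exposures(spec: dict) -> list:
    """List every place a container receives Secret data, and by which mechanism."""
    vols = secret_volumes(spec)
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for e in c.get("env", []):                      # single key -> single env var
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append({"container": c["name"], "via": "env", "secret": ref["name"],
                                 "detail": f'{e["name"]}<-{ref["key"]}'})
        for ef in c.get("envFrom", []):                 # whole Secret -> one env var per key
            if "secretRef" in ef:
                findings.append({"container": c["name"], "via": "env", "secret": ef["secretRef"]["name"],
                                 "detail": "every key becomes an env var"})
        for m in c.get("volumeMounts", []):             # Secret volume -> files under mountPath
            if m["name"] in vols:
                findings.append({"container": c["name"], "via": "volume", "secret": vols[m["name"]],
                                 "detail": m["mountPath"], "sub_path": bool(m.get("subPath"))})
    return findings


def review(spec: dict) -> list:
    """Turn the exposures into reviewer warnings (my checklist, not a Kubernetes API)."""
    warnings = []
    for f in secret_exposures(spec):
        where = f'{f["container"]}: secret {f["secret"]}'
        if f["via"] == "env":
            warnings.append(f'{where} as env var ({f["detail"]}): readable from /proc/<pid>/environ, '
                            "inherited by child processes, fixed at container start (rotation needs a restart)")
        elif f["sub_path"]:
            warnings.append(f'{where} mounted with subPath at {f["detail"]}: '
                            "the kubelet will not refresh it when the Secret changes")
    uses_default_sa = spec.get("serviceAccountName", "default") == "default"
    if uses_default_sa and spec.get("automountServiceAccountToken", True):
        warnings.append("default service-account token is auto-mounted; set "
                        "automountServiceAccountToken: false if the pod never talks to the apiserver")
    return warnings


if __name__ == "__main__":
    for label, spec in (("pod1.yaml", POD1_SPEC), ("env.yaml", ENV_SPEC)):
        print(label)
        for w in review(spec):
            print("  -", w)
```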
Step 4
Whether the secret is mounted into a volume or into environment variables, at least while writing the YAML the values are in base64 rather than plaintext. When creating the secret we also used the base64-encoded values; the plaintext only appears after the final mount.
Keywords: Storage, Secret