Secrets in K8s

Posted by dalianpai

Editor's note: this article was compiled by the cha138.com editors and introduces Secrets in K8s; we hope it is a useful reference.

Why Secrets exist
A Secret solves the problem of configuring sensitive data such as passwords, tokens and keys without exposing that data in the image or in the Pod spec. A Secret can be consumed as a Volume or as environment variables.
There are three types of Secret:

  • Service Account: used to access the Kubernetes API; created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount.
  • Opaque: a Secret whose values are base64-encoded (an encoding, not encryption); used to store passwords, keys and the like.
  • kubernetes.io/dockerconfigjson: used to store the credentials for a private docker registry.

Service Account
A Service Account is used to access the Kubernetes API. It is created automatically by Kubernetes and mounted automatically into the Pod at /run/secrets/kubernetes.io/serviceaccount.

[root@k8s-master ~]# kubectl get pod -n kube-system
NAME                                 READY   STATUS    RESTARTS   AGE
coredns-58cc8c89f4-9gn5g             1/1     Running   5          6d16h
coredns-58cc8c89f4-xxzx7             1/1     Running   5          6d16h
etcd-k8s-master                      1/1     Running   6          6d16h
kube-apiserver-k8s-master            1/1     Running   6          6d16h
kube-controller-manager-k8s-master   1/1     Running   9          6d16h
kube-flannel-ds-amd64-4bc88          1/1     Running   7          6d15h
kube-flannel-ds-amd64-lzwd6          1/1     Running   8          6d15h
kube-flannel-ds-amd64-vw4vn          1/1     Running   8          6d15h
kube-proxy-bs8sd                     1/1     Running   6          6d15h
kube-proxy-nfvtt                     1/1     Running   5          6d15h
kube-proxy-rn98b                     1/1     Running   6          6d16h
kube-scheduler-k8s-master            1/1     Running   8          6d16h
[root@k8s-master ~]# kubectl exec kube-proxy-bs8sd -it -- /bin/sh
Error from server (NotFound): pods "kube-proxy-bs8sd" not found
[root@k8s-master ~]# kubectl exec kube-proxy-bs8sd -n kube-system -it -- /bin/sh
# ls -l
total 0
drwxr-xr-x   1 root root   31 Apr  1  2019 bin
drwxr-xr-x   2 root root    6 Feb  3  2019 boot
drwxr-xr-x  16 root root 3140 Dec 26 01:31 dev
drwxr-xr-x   1 root root   66 Dec 26 01:31 etc
drwxr-xr-x   2 root root    6 Feb  3  2019 home
drwxr-xr-x   1 root root   21 Dec 26 01:31 lib
drwxr-xr-x   2 root root   34 Feb 28  2019 lib64
drwxr-xr-x   2 root root    6 Feb 28  2019 media
drwxr-xr-x   2 root root    6 Feb 28  2019 mnt
drwxr-xr-x   2 root root    6 Feb 28  2019 opt
dr-xr-xr-x 203 root root    0 Dec 26 01:31 proc
drwx------   2 root root    6 Mar 25  2019 root
drwxr-xr-x   1 root root   41 Dec 26 01:31 run
drwxr-xr-x   1 root root  311 Apr  1  2019 sbin
drwxr-xr-x   2 root root    6 Feb 28  2019 srv
dr-xr-xr-x  13 root root    0 Dec 26 01:28 sys
drwxrwxrwt   1 root root    6 Apr  1  2019 tmp
drwxr-xr-x   1 root root   19 Feb 28  2019 usr
drwxr-xr-x   1 root root   17 Feb 28  2019 var
# cd /run
# ls -l
total 0
drwxrwxrwt 2 root root  6 Feb 28  2019 lock
drwxr-xr-x 3 root root 27 Dec 26 01:31 secrets
-rw-rw-r-- 1 root utmp  0 Feb 28  2019 utmp
-rw------- 1 root root  0 Dec 26 01:29 xtables.lock
# cd se
/bin/sh: 4: cd: can't cd to se
# cd secrets
# cd kubernetes.io
# ls -l
total 0
drwxrwxrwt 3 root root 140 Dec 26 01:31 serviceaccount
# cat serviceaccount
cat: serviceaccount: Is a directory
# cd serviceaccount
# ls
ca.crt  namespace  token
# cat ca.crt
(certificate contents omitted)
# cat namespace
kube-system# cat token
(service-account token omitted)
# exit
[root@k8s-master ~]#

Opaque Secret
Ⅰ. Creating one
Opaque data is a map whose values must be base64-encoded:

[root@k8s-master secrets]# echo -n "admin" | base64
YWRtaW4=
[root@k8s-master secrets]# echo -n "1f2d1e2e67df" | base64
MWYyZDFlMmU2N2Rm
[root@k8s-master secrets]# cat sec.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
[root@k8s-master secrets]#

Ⅱ. Using it
1. Mount the Secret as a Volume

[root@k8s-master secrets]# cat pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: seret-test
  name: seret-test
spec:
  volumes:
  - name: secrets
    secret:
      secretName: mysecret
  containers:
  - image: wangyanglinux/myapp:v1
    name: db
    volumeMounts:
    - name: secrets
      mountPath: "/etc/secrets"
      readOnly: true
[root@k8s-master secrets]#
[root@k8s-master secrets]# vim pod1.yaml
[root@k8s-master secrets]# kubectl apply -f pod1.yaml
pod/seret-test created
[root@k8s-master secrets]# kubectl get pod
NAME                        READY   STATUS    RESTARTS   AGE
my-nginx-5d57c6897b-fm2ql   1/1     Running   1          15h
seret-test                  1/1     Running   0          15s
[root@k8s-master secrets]# kubectl exec seret-test -it -- cat /etc/secrets/admin
cat: can't open '/etc/secrets/admin': No such file or directory
command terminated with exit code 1
[root@k8s-master secrets]# kubectl exec seret-test -it -- cat /etc/secrets/username
admin[root@k8s-master secrets]# kubectl exec seret-test -it -- cat /etc/secrets/password

2. Expose the Secret as environment variables

[root@k8s-master secrets]# cat deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: pod-deployment
  template:
    metadata:
      labels:
        app: pod-deployment
    spec:
      containers:
      - name: pod-12
        image: wangyanglinux/myapp:v1
        ports:
        - containerPort: 80
        env:
        - name: TEST_USER
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: TEST_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
[root@k8s-master secrets]#
[root@k8s-master secrets]# vim deployment.yaml
[root@k8s-master secrets]# kubectl apply -f deployment.yaml
deployment.apps/pod-deployment created
[root@k8s-master secrets]# kubectl get pod
NAME                             READY   STATUS                       RESTARTS   AGE
my-nginx-5d57c6897b-gh5v6        1/1     Running                      0          30m
pod-deployment-86575c7c5-d2pjf   0/1     CreateContainerConfigError   0          5s
pod-deployment-86575c7c5-rcmq8   0/1     CreateContainerConfigError   0          5s
seret-test                       1/1     Running                      0          35m
[root@k8s-master secrets]# kubectl get pod
NAME                             READY   STATUS                       RESTARTS   AGE
my-nginx-5d57c6897b-gh5v6        1/1     Running                      0          30m
pod-deployment-86575c7c5-d2pjf   0/1     CreateContainerConfigError   0          12s
pod-deployment-86575c7c5-rcmq8   0/1     CreateContainerConfigError   0          12s
seret-test                       1/1     Running                      0          35m
[root@k8s-master secrets]# kubectl get pod
NAME                             READY   STATUS                       RESTARTS   AGE
my-nginx-5d57c6897b-gh5v6        1/1     Running                      0          30m
pod-deployment-86575c7c5-d2pjf   0/1     CreateContainerConfigError   0          13s
pod-deployment-86575c7c5-rcmq8   0/1     CreateContainerConfigError   0          13s
seret-test                       1/1     Running                      0          35m
[root@k8s-master secrets]# kubectl get pod
NAME                             READY   STATUS                       RESTARTS   AGE
my-nginx-5d57c6897b-gh5v6        1/1     Running                      0          30m
pod-deployment-86575c7c5-d2pjf   0/1     CreateContainerConfigError   0          14s
pod-deployment-86575c7c5-rcmq8   0/1     CreateContainerConfigError   0          14s
seret-test                       1/1     Running                      0          35m
[root@k8s-master secrets]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      39h
default-token-6wcrh   kubernetes.io/service-account-token   3      6d17h
tls-secret            kubernetes.io/tls                     2      40h
[root@k8s-master secrets]# ll
总用量 12
-rw-r--r-- 1 root root 620 12月 26 15:37 deployment.yaml
-rw-r--r-- 1 root root   0 12月 26 15:07 enc.yaml
-rw-r--r-- 1 root root 311 12月 26 15:02 pod1.yaml
-rw-r--r-- 1 root root 124 12月 26 14:55 sec.yaml
[root@k8s-master secrets]# kubectl apply -f sec.yaml
secret/mysecret created
[root@k8s-master secrets]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      39h
default-token-6wcrh   kubernetes.io/service-account-token   3      6d17h
mysecret              Opaque                                2      3s
tls-secret            kubernetes.io/tls                     2      40h
[root@k8s-master secrets]# kubectl get pod
NAME                             READY   STATUS                       RESTARTS   AGE
my-nginx-5d57c6897b-gh5v6        1/1     Running                      0          31m
pod-deployment-86575c7c5-d2pjf   1/1     Running                      0          80s
pod-deployment-86575c7c5-rcmq8   0/1     CreateContainerConfigError   0          80s
seret-test                       1/1     Running                      0          36m
[root@k8s-master secrets]# kubectl get pod
NAME                             READY   STATUS    RESTARTS   AGE
my-nginx-5d57c6897b-gh5v6        1/1     Running   0          31m
pod-deployment-86575c7c5-d2pjf   1/1     Running   0          83s
pod-deployment-86575c7c5-rcmq8   1/1     Running   0          83s
seret-test                       1/1     Running   0          36m
[root@k8s-master secrets]# kubectl exec pod-deployment-86575c7c5-rcmq8 -it -- /bin/sh
/ # ls
bin    dev    etc    home   lib    media  mnt    proc   root   run    sbin   srv    sys    tmp    usr    var
/ # echo $TEST_USER
admin
/ # echo $TEST_PASSWORD
1f2d1e2e67df
/ # exit
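As an added example (not code from the original post), the following POSIX shell script reproduces the Opaque Secret creation step from section Ⅰ, decodes the values back to show that base64 is reversible, and checks that every key a Deployment's secretKeyRef names exists in the manifest. That missing-key condition is what the session above shows: the Deployment was applied while `kubectl get secret` listed no mysecret, the pods sat in CreateContainerConfigError, and they started only after sec.yaml was applied. All function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: build an Opaque Secret
# manifest from plaintext the way the post does (base64 values), decode it
# back, and check that every key a pod's secretKeyRef needs is present.

# Portable single-line base64 (GNU -w0 is not available everywhere).
b64() { base64 | tr -d '\n'; }

# Encode one value; printf avoids the stray newline that `echo` would add.
encode_value() { printf '%s' "$1" | b64; }

# Decode one data value. base64 is reversible: anyone allowed to
# `kubectl get secret -o yaml` reads the plaintext, so it is not encryption.
decode_value() { printf '%s' "$1" | base64 -d; }

# Emit an Opaque Secret manifest. Usage: make_opaque_secret NAME key=value ...
make_opaque_secret() {
    name=$1; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for kv in "$@"; do
        printf '  %s: %s\n' "${kv%%=*}" "$(encode_value "${kv#*=}")"
    done
}

# Plaintext of one key from a manifest produced above (only the data: block).
secret_plaintext() {   # secret_plaintext MANIFEST KEY
    printf '%s\n' "$1" | sed -n '/^data:/,$p' | sed -n "s/^  $2: //p" | base64 -d
}

# Print the keys that a secretKeyRef would need but the manifest lacks.
# Returns 1 if any is missing: in the post, referencing a Secret (or key) that
# does not exist yet is what left the pods in CreateContainerConfigError.
missing_keys() {   # missing_keys MANIFEST KEY...
    m=$1; shift; rc=0
    for k in "$@"; do
        printf '%s\n' "$m" | sed -n '/^data:/,$p' | grep -q "^  $k: " || { echo "$k"; rc=1; }
    done
    return $rc
}

# Demo with the post's constructed values (admin / 1f2d1e2e67df).
manifest=$(make_opaque_secret mysecret username=admin password=1f2d1e2e67df)
printf '%s\n' "$manifest"
echo "password decodes to: $(secret_plaintext "$manifest" password)"
missing_keys "$manifest" username password token || echo "missing key(s) listed above"
```

Running `missing_keys` against the keys a Deployment references before `kubectl apply` is a cheap pre-flight check that would have caught the CreateContainerConfigError above.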

kubernetes.io/dockerconfigjson
Creating a docker registry authentication secret with kubectl: see the separate blog post.
