Reading notes on Kubernetes进阶实战 (Kubernetes Advanced Practice): configuring containerized applications (Secret)

I. Overview of Secrets

1. Points to note

The Secret resource is functionally similar, but it is dedicated to storing sensitive data such as passwords, digital certificates, private keys, tokens and SSH keys.

Note that on the master node, Secret objects are stored in etcd in unencrypted form. Administrators must therefore manage them carefully to keep the sensitive data confidential: secure the communication between etcd cluster nodes and with the API server, control access to the etcd service, and control the authorization of users who access the API server, because any user allowed to create Pod resources can use Secret resources and read their data from the containers in the Pod.

2. Two uses

First, injected into a Pod as a storage volume for use by the containerized application.
Second, used by the kubelet to present authentication credentials to a private registry when pulling images for the Pod's containers.
A Secret object created through a ServiceAccount resource, discussed later, is a more secure approach.

II. Creating Secret resources (imperative creation)

1. A Secret created with the generic subcommand is of type Opaque

1. Creation

[root@master chapter8]# kubectl create secret generic mysal-auth --from-literal=username=root --from-literal=password=ikubernetes
secret/mysal-auth created

2. Verification

Inspect the properties of the new resource. The command and output below show that a Secret object created with the generic subcommand is of type Opaque, and that its key/value data is stored and printed in base64 encoding.

[root@master chapter8]# kubectl get secrets mysal-auth -o yaml
apiVersion: v1
data:
  password: aWt1YmVybmV0ZXM=
  username: cm9vdA==
kind: Secret
metadata:
  creationTimestamp: "2020-09-01T07:22:58Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
        f:username: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-09-01T07:22:58Z"
  name: mysal-auth
  namespace: default
  resourceVersion: "6309979"
  selfLink: /api/v1/namespaces/default/secrets/mysal-auth
  uid: 43573f71-255d-4dc7-acd8-e3e5a42d55ee
type: Opaque

However, the base64-encoded data in a Kubernetes Secret object is not an encrypted format; many common tools can decode it trivially, as the base64 command below shows.

[root@master chapter8]# echo aWt1YmVybmV0ZXM= | base64 -d
ikubernetes[root@master chapter8]# 

2. Creating a Secret object for SSH authentication

For data that already lives in files, the "--from-file" option loads it directly when creating a generic Secret object. For example, when creating a Secret for SSH authentication, if no key files exist yet, first generate a key pair with the following command.

[root@master chapter8]# ssh-keygen -t rsa -P '' -f ${HOME}/.ssh/id_rsa
Generating public/private rsa key pair.
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? Y
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:4TyF9Zx0hBkWcvICRm4OrWPz3Na1YNcSNfa3eCARWPc root@master
The key's randomart image is:
+---[RSA 2048]----+
|       .+ *+BBoo.|
|       + = X=oo.o|
|      . * o.=..Eo|
|       B o .. ooo|
|      = S   o.+o.|
|     . = o o +.o |
|        o o . .  |
|         .       |
|                 |
+----[SHA256]-----+

Load the file contents to generate the Secret object

[root@master chapter8]# kubectl create secret generic ssh-key-secret --from-file=ssh-privatekey=${HOME}/.ssh/id_rsa --from-file=ssh-publickey=${HOME}/.ssh/id_rsa.pub
Error from server (AlreadyExists): secrets "ssh-key-secret" already exists

3. Creating a Secret object for SSL/TLS communication from a private key and a digital certificate file

Generate the private key and a self-signed certificate

[root@master chapter8]# umask 077;openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus
.......................+++
...+++
e is 65537 (0x10001)
[root@master chapter8]# ll nginx.*
-rw------- 1 root root 1679 Sep  1 15:36 nginx.key

Generate the self-signed certificate

[root@master chapter8]# openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=www.iliunx.io
[root@master chapter8]# ll nginx.*
-rw------- 1 root root 1285 Sep  1 15:38 nginx.crt
-rw------- 1 root root 1679 Sep  1 15:36 nginx.key

Note that its type should be "kubernetes.io/tls", as the output of the following command shows

[root@master chapter8]# kubectl create secret tls nginx-ssl --key=./nginx.key --cert=./nginx.crt 
secret/nginx-ssl created
[root@master chapter8]# kubectl get secrets nginx-ssl 
NAME        TYPE                DATA   AGE
nginx-ssl   kubernetes.io/tls   2      13s

III. Creating Secret resources (manifest-based creation)

1. Field reference

[root@master chapter8]# kubectl explain secret
KIND:     Secret
VERSION:  v1

DESCRIPTION:
     Secret holds secret data of a certain type. The total bytes of the values
     in the Data field must be less than MaxSecretSize bytes.

FIELDS:
   apiVersion	<string>
     APIVersion defines the versioned schema of this representation of an
     object. Servers should convert recognized schemas to the latest internal
     value, and may reject unrecognized values. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

   data	<map[string]string>
   # Data in "key:value" form, normally sensitive information; each value must be a Base64-encoded string, so the user has to do the encoding beforehand
     Data contains the secret data. Each key must consist of alphanumeric
     characters, '-', '_' or '.'. The serialized form of the secret data is a
     base64 encoded string, representing the arbitrary (possibly non-string)
     data value here. Described in https://tools.ietf.org/html/rfc4648#section-4

   immutable	<boolean>
     Immutable, if set to true, ensures that data stored in the Secret cannot be
     updated (only object metadata can be modified). If not set to true, the
     field can be modified at any time. Defaulted to nil. This is an alpha field
     enabled by ImmutableEphemeralVolumes feature gate.

   kind	<string>
     Kind is a string value representing the REST resource this object
     represents. Servers may infer this from the endpoint the client submits
     requests to. Cannot be updated. In CamelCase. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

   metadata	<Object>
     Standard object's metadata. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

   stringData	<map[string]string>
   # "key:value" data given in plaintext (not Base64-encoded); the user does not encode it, it is encoded automatically when the Secret object is created and saved in the data field. The plaintext in stringData is never output by the API server, but if the object was created with "kubectl apply", the annotations may still expose it directly
     stringData allows specifying non-binary secret data in string form. It is
     provided as a write-only convenience method. All keys and values are merged
     into the data field on write, overwriting any existing values. It is never
     output when reading from the API.

   type	<string>
     Used to facilitate programmatic handling of secret data.

2. secret-demo.yaml definition example

It uses stringData to supply the key/value data in plaintext, which avoids encoding it by hand beforehand.

[root@master chapter8]# cat secret-demo.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: secret-demo
stringData:
  username: redis
  password: redispass
type: Opaque

Secret objects are also "first-class citizens" of the Kubernetes system, so the standard resource-creation commands create them. By comparison, creating a Secret object from a manifest for sensitive data that lives in files requires the user to first read the data out, Base64-encode it and then write it into the manifest. That is tedious and less convenient than imperative creation; however, if the object has to be created repeatedly or rebuilt, saving it as a manifest is what the situation calls for.
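As an added example (not from the book or this blog), the Python below models what the API server persists for the secret-demo.yaml above: stringData is merged into data as base64 and dropped, the stored values decode as easily as the base64 -d call in section II, and the last-applied-configuration annotation written by kubectl apply can carry the plaintext. The dict, the function names and the annotation handling are a constructed model, not the API server's code.

```python
import base64
import copy
import json

# Constructed sample, mirroring the page's secret-demo.yaml as a dict
SECRET_DEMO = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "secret-demo"},
    "stringData": {"username": "redis", "password": "redispass"},
    "type": "Opaque",
}

# Annotation in which kubectl apply records the manifest it applied
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def b64(text: str) -> str:
    """Base64-encode a string, the form in which data values are stored."""
    return base64.b64encode(text.encode()).decode()


def store_secret(manifest: dict, via_apply: bool = False) -> dict:
    """Hypothetical model of the persisted form of a Secret manifest.

    stringData is merged into data as base64 on write, overwriting any
    existing key, and is never returned on read. With via_apply=True the
    original manifest, plaintext included, lands in the kubectl annotation.
    """
    stored = copy.deepcopy(manifest)
    data = stored.setdefault("data", {})
    for key, value in stored.pop("stringData", {}).items():
        data[key] = b64(value)
    if via_apply:
        annotations = stored.setdefault("metadata", {}).setdefault("annotations", {})
        annotations[LAST_APPLIED] = json.dumps(manifest)
    return stored


def decode_data(stored: dict) -> dict:
    """Reverse the encoding: base64 is an encoding, not encryption."""
    return {k: base64.b64decode(v).decode() for k, v in stored["data"].items()}


def plaintext_in_annotations(stored: dict) -> list:
    """Audit check: which decoded values appear verbatim in the annotations."""
    blob = "\n".join(stored.get("metadata", {}).get("annotations", {}).values())
    return sorted(k for k, v in decode_data(stored).items() if v in blob)


if __name__ == "__main__":
    print(store_secret(SECRET_DEMO)["data"])
    print(plaintext_in_annotations(store_secret(SECRET_DEMO, via_apply=True)))
```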

IV. Secret volumes

1. Resource manifest

[root@master chapter8]# cat secret-volume-pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume-demo
  namespace: default
spec:
  containers:
  - image: nginx:alpine
    name: web-server
    volumeMounts:
    - name: nginxcert
      mountPath: /etc/nginx/ssl/
      readOnly: true
  volumes:
  - name: nginxcert
    secret:
      secretName: nginx-ssl

2. Create and verify

[root@master chapter8]# kubectl apply -f secret-volume-pod.yaml 
pod/secret-volume-demo created
[root@master chapter8]# kubectl exec secret-volume-demo ls /etc/nginx/ssl
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
tls.crt
tls.key

V. imagePullSecret resource objects

1. Create an object of type docker-registry

[root@master chapter8]# kubectl create secret docker-registry local-registry --docker-username=Ops --docker-password=<password> --docker-email=ops@ilinux.io

2. Print the type information

[root@master chapter8]# kubectl get secrets local-registry 
NAME             TYPE                             DATA   AGE
local-registry   kubernetes.io/dockerconfigjson   1      13s
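Added example, not from the book or this blog: a kubernetes.io/dockerconfigjson Secret has a single data key, .dockerconfigjson, holding a base64-encoded Docker config.json whose auths[server].auth is base64("username:password"); this is the layout that kubectl create secret docker-registry produces. The function names are constructed, and the server and password used in the usage block are placeholders.

```python
import base64
import json

DOCKER_HUB = "https://index.docker.io/v1/"  # kubectl's default --docker-server


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def docker_registry_secret(name: str, username: str, password: str,
                           email: str, server: str = DOCKER_HUB) -> dict:
    """Build the object `kubectl create secret docker-registry` produces.

    The Docker config.json is stored base64-encoded under the single key
    .dockerconfigjson, and its auth field is base64("username:password").
    """
    config = {"auths": {server: {
        "username": username,
        "password": password,
        "email": email,
        "auth": b64(f"{username}:{password}"),
    }}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": b64(json.dumps(config))},
    }


def registry_credentials(secret: dict) -> dict:
    """Per-server credentials the kubelet recovers when pulling an image.

    Anyone who can read the Secret recovers exactly the same, which is why
    the page stresses authorization on the API server and etcd.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not an imagePullSecret of type dockerconfigjson")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = {}
    for server, entry in config["auths"].items():
        user, _, pwd = base64.b64decode(entry["auth"]).decode().partition(":")
        creds[server] = (user, pwd)
    return creds


if __name__ == "__main__":
    # Constructed values; <password> is a placeholder, not the page's secret
    s = docker_registry_secret("local-registry", "Ops", "<password>",
                               "ops@ilinux.io", "registry.ikubernetes.io")
    print(registry_credentials(s))
```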

3. Using this Secret object through the imagePullSecrets field

Resource manifest

[root@master chapter8]# cat secret-imagepull-pod.yaml.0
apiVersion: v1
kind: Pod
metadata:
  name: secret-imagepull-demo
  namespace: default
spec:
  imagePullSecrets:
  - name: local-registry
  containers:
  - image: registry.ikubernetes.io/dev/myimage
    name: myapp

Verification

[root@master chapter8]# kubectl get pods|grep secret-imagepull-demo
secret-imagepull-demo     0/1     ImagePullBackOff   0          23h

[root@master chapter8]# kubectl describe pod secret-imagepull-demo
Name:         secret-imagepull-demo
Namespace:    default
Priority:     0
Node:         node1/192.168.118.19
Start Time:   Tue, 01 Sep 2020 15:47:16 +0800
Labels:       <none>
Annotations:  Status:  Pending
IP:           10.244.1.57
IPs:
  IP:  10.244.1.57
Containers:
  myapp:
    Container ID:   
    Image:          registry.ikubernetes.io/dev/myimage
    Image ID:       
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ErrImagePull
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-pwl2t (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  default-token-pwl2t:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-pwl2t
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason   Age                     From            Message
  ----     ------   ----                    ----            -------
  Warning  Failed   8m59s (x6246 over 23h)  kubelet, node1  Error: ImagePullBackOff
  Normal   BackOff  4m6s (x6268 over 23h)   kubelet, node1  Back-off pulling image "registry.ikubernetes.io/dev/myimage"
Original post: https://www.cnblogs.com/luoahong/p/13601343.html