Class notes: k8s secret management and k8s monitoring (5)–技术流ken

Secret

Step 1: base64-encode the username and password (base64 is a reversible encoding, not encryption: anyone who can read the Secret object can recover the values, as step 7 shows)

[root@ken1 ~]# echo "123" | base64
MTIzCg==
[root@ken1 ~]# echo ken | base64 
a2VuCg==

Step 2: write the secret's yaml file

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  name: a2VuCg==
  mima: MTIzCg==

Step 3: apply the yml file

[root@ken1 ~]# kubectl apply -f secret.yml

Step 4: list secrets

[root@ken1 ~]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-wc4hc   kubernetes.io/service-account-token   3      7d15h
mysecret              Opaque                                2      19h

Step 5: view the secret's details

[root@ken1 ~]# kubectl describe secret mysecret
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  
Type:         Opaque

Data
====
mima:  5 bytes
name:  4 bytes

Step 6: edit the secret to retrieve the encoded data

[root@ken1 ~]# kubectl edit secret mysecret

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mima: MTIzNAo=
  name: a2VuCg==
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"mima":"MTIzNAo=","name":"a2VuCg=="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"}}
  creationTimestamp: "2019-08-22T06:26:46Z"
  name: mysecret
  namespace: default
  resourceVersion: "111906"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: c3d1aa93-bc53-4a97-a9cf-e1a9e1fcdadf

Step 7: decode

[root@ken1 ~]# echo "a2VuCg==" | base64 --decode
ken
[root@ken1 ~]# echo "MTIzNAo=" | base64 --decode
1234
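As an added example (not the post's own commands) for steps 1 and 7 and the password update in step 4: shell helpers that encode values with printf instead of echo, so no trailing newline is stored, decode a stored value to show exactly which bytes it holds, and render the Secret manifest; the function names and the type: Opaque line are assumptions, the key names follow the post.

```shell
#!/bin/sh
# Added example, not from the original post: build Secret values with printf
# instead of echo, so no trailing newline is encoded, and decode values to see
# exactly which bytes a Secret holds. Function names are assumptions.
set -eu

# Encode a literal exactly as given: printf '%s' emits no newline, and tr
# removes the line wrapping GNU base64 inserts every 76 characters.
encode_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a value; base64 -d is accepted by GNU coreutils and BSD/macOS.
decode_value() {
  printf '%s' "$1" | base64 -d
}

# Exit 0 when the decoded value ends in a newline (the echo pitfall), 1 otherwise.
ends_with_newline() {
  last=$(decode_value "$1" | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Render a Secret manifest with the post's key names (name, mima); the
# arguments are secret name, username and password.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  name: $(encode_value "$2")
  mima: $(encode_value "$3")
EOF
}

# Stand-alone run: print a clean manifest, then flag the post's own value.
render_secret mysecret ken 12345
if ends_with_newline MTIzNDUK; then
  echo "MTIzNDUK decodes to 12345 plus a newline; regenerate it with printf" >&2
fi
```

In practice kubectl create secret generic mysecret --from-literal=name=ken --from-literal=mima=12345, or a stringData: field in the manifest, lets kubectl or the API server do the encoding and avoids this pitfall altogether.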

 

Using a secret

There are two ways:

  1. mount it into the pod as a volume
  2. expose it as environment variables

1. Mounting it into the pod as a volume

Step 1: write the pod's yml file

apiVersion: v1
kind: Pod
metadata:
  name: pod-secret
spec:
  containers:
  - name: busybox
    image: busybox
    imagePullPolicy: IfNotPresent
    args:
    - /bin/sh
    - -c
    - touch test; sleep 60000
    volumeMounts:
    - name: ken
      mountPath: /ken
  volumes:
  - name: ken
    secret:
      secretName: mysecret

Step 2: apply the yaml file

[root@ken1 ~]# kubectl apply -f pod-secret.yml

Step 3: enter the pod and view the secret

[root@ken1 ~]# kubectl exec -it pod-secret1 /bin/sh
/ # ls
bin   dev   etc   home  ken   proc  root  sys   test  tmp   usr   var
/ # cd kne
/bin/sh: cd: can't cd to kne: No such file or directory
/ # cd ken
/ken # ls
mima  name
/ken # cat mima 
1234
/ken # cat name 
ken

Step 4: update the password dynamically

1. Generate the encoded password

[root@ken1 ~]# echo 12345 | base64 
MTIzNDUK

2. Modify the secret file

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  name: a2VuCg==
  mima: MTIzNDUK

3. Apply the yml file

[root@ken1 ~]# kubectl apply -f secret.yml

Step 5: check the password

[root@ken1 ~]# kubectl exec -it pod-secret1 /bin/sh
/ # ls
bin   dev   etc   home  ken   proc  root  sys   test  tmp   usr   var
/ # cd ken
/ken # ls
mima  name
/ken # cat mima 
12345

Note: a secret is refreshed dynamically only when it is consumed as a volume (the kubelet re-syncs the projected files periodically, so the change shows up after a short delay); a secret exposed as environment variables does not pick up the new password.

2. Using a secret as environment variables

Step 1: write the yaml file

apiVersion: v1
kind: Pod
metadata:
  name: pod-secret2
spec:
  containers:
  - name: busybox
    image: busybox
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: mima
    args:
    - /bin/sh
    - -c
    - touch test; sleep 6000

Step 2: apply the yml file

[root@ken1 ~]# kubectl apply -f pod-secret2.yml

Step 3: check the pod

[root@ken1 ~]# kubectl get po
NAME          READY   STATUS    RESTARTS   AGE
nginx-hostp   1/1     Running   1          23h
pod-cm        1/1     Running   1          19h
pod-secret1   1/1     Running   0          9m38s
pod-secret2   1/1     Running   0          22s

Step 4: enter the pod

[root@ken1 ~]# kubectl exec -it pod-secret2 /bin/sh
/ # ls
bin   dev   etc   home  proc  root  sys   test  tmp   usr   var
/ # printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=pod-secret2
SHLVL=1
HOME=/root
MYSQL_ROOT_PASSWORD=12345

TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/

Note: this method does not support dynamic password updates. The blank line after MYSQL_ROOT_PASSWORD=12345 in the printenv output is the trailing newline that "echo 12345 | base64" encoded into the value; generate values with printf '%s' or echo -n, or let kubectl create secret generic --from-literal do the encoding, so that the newline is not stored.

ConfigMap

Creating a configMap (its values are stored and displayed in plain text, as the describe output in step 4 shows, so it is meant for configuration, not credentials)

Step 1: write the yml file

apiVersion: v1
kind: ConfigMap
metadata:
  name: mycm
data:
  name: ken
  mima: ken123

Step 2: apply the yml file

[root@ken1 ~]# kubectl apply -f cm.yml

Step 3: list configMaps

[root@ken1 ~]# kubectl get cm
NAME    DATA   AGE
mycm    2      19s

Step 4: view the actual values

[root@ken1 ~]# kubectl describe  cm mycm
Name:         mycm
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"v1","data":{"mima":"ken123","name":"ken"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"mycm","namespace":"defaul...

Data
====
mima:
----
ken123
name:
----
ken

There are two ways to use a cm:

1. as a volume

2. as environment variables

Demo: using a cm as environment variables

Step 1: write the yml file

apiVersion: v1
kind: Pod
metadata:
  name: pod-cm
spec:
  containers:
  - name: busybox
    image: busybox
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        configMapKeyRef:
          name: mycm
          key: mima
    args:
    - /bin/sh
    - -c 
    - touch test; sleep 6000

Step 2: apply the yml file

[root@ken1 ~]# kubectl apply -f pod-cm.yml

Step 3: check the container

[root@ken1 ~]# kubectl get po
NAME          READY   STATUS    RESTARTS   AGE
nginx-hostp   1/1     Running   1          24h
pod-cm        1/1     Running   1          19h
pod-cm1       1/1     Running   0          25s
pod-secret1   1/1     Running   0          44m
pod-secret2   1/1     Running   0          34m

Step 4: enter the container

[root@ken1 ~]# kubectl exec -it pod-cm1 sh
/ # ls
bin   dev   etc   home  proc  root  sys   test  tmp   usr   var
/ # printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=pod-cm1
SHLVL=1
HOME=/root
MYSQL_ROOT_PASSWORD=ken123
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST=10.96.0.1
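As an added example (not the author's commands) covering both the secret and the configMap environment-variable demos above: a small audit script that lists which container environment variables in a pod manifest are filled from Secrets or ConfigMaps, since those values are visible in printenv and are not refreshed on update; the function names and the sample manifest are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: list the container environment
# variables in a pod manifest that are filled from a Secret (secretKeyRef) or a
# ConfigMap (configMapKeyRef). Such values show up in printenv, are inherited by
# child processes and are never refreshed when the source changes. Line-oriented
# heuristic for the one-key-per-line layout used in the post, not a YAML parser.
set -eu

# Print "ENV_VAR refKind source/key" for each valueFrom reference in the file.
list_env_value_refs() {
  awk '
    /^[ \t]*-[ \t]+name:/            { env = $NF }   # candidate env var name
    /secretKeyRef:|configMapKeyRef:/ { ref = $1; sub(":", "", ref); next }
    ref != "" && /^[ \t]*name:/      { src = $NF }
    ref != "" && /^[ \t]*key:/       { print env, ref, src "/" $NF; ref = "" }
  ' "$1"
}

# Number of env vars sourced from Secrets; a review gate where 0 is the goal.
count_secret_env_refs() {
  list_env_value_refs "$1" | awk '$2 == "secretKeyRef" { n++ } END { print n + 0 }'
}

# Constructed sample: one container taking the password from the post's
# mysecret and the username from the post's mycm.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: pod-audit
spec:
  containers:
  - name: busybox
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: mima
    - name: MYSQL_USER
      valueFrom:
        configMapKeyRef:
          name: mycm
          key: name
EOF

list_env_value_refs "$SAMPLE"
```

Run list_env_value_refs against pod-secret2.yml or pod-cm.yml from the post to get the same report for those manifests; a non-zero count_secret_env_refs points at pods whose secrets would be better consumed through a volume mount.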
