
课堂记录:k8s机密信息管理及k8s监控(五)–技术流ken

secret

 

第一步:加密用户名及密码(注意:base64 只是编码而非加密,任何能读取该 secret 的人都可以直接解码;另外 echo 默认会在末尾追加一个换行符,该换行符也会一起被编码进去,不需要时可改用 echo -n)

[root@ken1 ~]# echo "123" | base64
MTIzCg==
[root@ken1 ~]# echo ken | base64 
a2VuCg==

 

第二步:编写secret的yaml文件

# Secret holding the demo username ("name") and password ("mima").
# NOTE: base64 is an encoding, not encryption. Anyone who can read this object
# (kubectl get/describe/edit secret, as shown in the following steps) can
# decode the values, so read access to Secrets must be restricted.
apiVersion: v1
kind: Secret
metadata:
 name: mysecret
data:
  # base64 of "ken\n". The values were generated with `echo ... | base64`, so
  # each one carries a trailing newline: `describe` reports name as 4 bytes,
  # not 3. Use `echo -n` when the newline is not wanted.
  name: a2VuCg==
  # base64 of "123\n"
  mima: MTIzCg==

 

第三步:执行yml文件

[root@ken1 ~]# kubectl apply -f secret.yml 

 

第四步:查看secret

[root@ken1 ~]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-wc4hc   kubernetes.io/service-account-token   3      7d15h
mysecret              Opaque                                2      19h

 

第五步:查看secret信息

[root@ken1 ~]# kubectl describe secret mysecret
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  
Type:         Opaque

Data
====
mima:  5 bytes
name:  4 bytes

 

第六步:编辑secret获取加密数据

[root@ken1 ~]# kubectl edit secret mysecret

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mima: MTIzNAo=
  name: a2VuCg==
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"mima":"MTIzNAo=","name":"a2VuCg=="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"}}
  creationTimestamp: "2019-08-22T06:26:46Z"
  name: mysecret
  namespace: default
  resourceVersion: "111906"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: c3d1aa93-bc53-4a97-a9cf-e1a9e1fcdadf

 

第七步:解码

[root@ken1 ~]# echo "a2VuCg==" | base64 --decode
ken
[root@ken1 ~]# echo "MTIzNAo=" | base64 --decode
1234

 

使用secret

有两种方式

  1. 以volume的形式挂载到pod
  2. 以环境变量的方式使用

 

 

以volume的形式挂载到pod

 

第一步:创建pod并编写yml文件

# Pod that consumes mysecret as a volume: every key of the Secret becomes a
# file under /ken (ls /ken shows "mima" and "name").
# NOTE(review): the later `kubectl exec` commands target "pod-secret1", which
# does not match the name below -- confirm which manifest was actually applied.
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret
spec:
  containers:
  - name: busybox
    image: busybox
    imagePullPolicy: IfNotPresent
    # Keeps the container alive so it can be entered with kubectl exec;
    # `touch test` only creates the /test file seen in the ls output.
    args:
    - /bin/sh
    - -c
    - touch test; sleep 60000
    volumeMounts:
    # The file contents are the decoded values. They still carry the trailing
    # newline that `echo` added when the Secret was built; `cat` does not make
    # that visible.
    - name: ken
      mountPath: /ken
  volumes:
  - name: ken
    # Volume-projected Secret data is refreshed after the Secret is updated:
    # after step 4 below, `cat /ken/mima` reads 12345 without restarting the pod.
    secret:
     secretName: mysecret

 

第二步:执行yaml文件

[root@ken1 ~]# kubectl apply -f pod-secret.yml

 

第三步:进入pod查看secret

 

[root@ken1 ~]# kubectl exec -it pod-secret1 /bin/sh
/ # ls
bin   dev   etc   home  ken   proc  root  sys   test  tmp   usr   var
/ # cd kne
/bin/sh: cd: can't cd to kne: No such file or directory
/ # cd ken
/ken # ls
mima  name
/ken # cat mima 
1234
/ken # cat name 
ken

 

第四步:动态更新密码

一、生成加密密码

[root@ken1 ~]# echo 12345 | base64 
MTIzNDUK

 

二、修改secret文件

# Updated Secret: only "mima" changes (base64 of "12345\n", produced with
# `echo 12345 | base64`, so the trailing newline is included again).
# Re-applying this replaces the stored key. Per the notes later on this page,
# pods that mount the Secret as a volume see the new value; pods that imported
# it as an environment variable keep the old one.
apiVersion: v1
kind: Secret
metadata:
 name: mysecret
data:
  name: a2VuCg==
  mima: MTIzNDUK

 

三、执行yml文件

[root@ken1 ~]# kubectl apply -f secret.yml 

 

第五步:查看密码

[root@ken1 ~]# kubectl exec -it pod-secret1 /bin/sh
/ # ls
bin   dev   etc   home  ken   proc  root  sys   test  tmp   usr   var
/ # cd ken
/ken # ls
mima  name
/ken # cat mima 
12345

 

注意:secret只有在以volume形式使用的时候才支持动态更新,环境变量的方式不支持动态更新密码!

 

二、以环境变量的方式使用secret

 

第一步:编写yaml文件

# Pod that imports the "mima" key of mysecret as the MYSQL_ROOT_PASSWORD
# environment variable.
apiVersion: v1
kind: Pod
metadata:
  name: pod-secret2
spec:
  containers:
  - name: busybox
    image: busybox
    env:
    # The value is fixed when the container starts: later changes to the Secret
    # are not reflected (see the note at the end of this section).
    # The stored value came from `echo`, so it ends with a newline -- that is
    # the blank line printed right after MYSQL_ROOT_PASSWORD=12345 by printenv.
    # NOTE: an environment variable is plain text to every process in the
    # container and to anyone who can exec into it, as `printenv` below shows.
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
       secretKeyRef:
        name: mysecret
        key: mima
    # Keeps the container alive so it can be entered with kubectl exec.
    args:
    - /bin/sh
    - -c
    - touch test; sleep 6000

 

第二步:执行yml文件

[root@ken1 ~]# kubectl apply -f pod-secret2.yml 

 

第三步:查看pod

[root@ken1 ~]# kubectl get po
NAME          READY   STATUS    RESTARTS   AGE
nginx-hostp   1/1     Running   1          23h
pod-cm        1/1     Running   1          19h
pod-secret1   1/1     Running   0          9m38s
pod-secret2   1/1     Running   0          22s

 

第四步:进入pod

[root@ken1 ~]# kubectl exec -it pod-secret2 /bin/sh
/ # ls
bin   dev   etc   home  proc  root  sys   test  tmp   usr   var
/ # printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=pod-secret2
SHLVL=1
HOME=/root
MYSQL_ROOT_PASSWORD=12345

TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/

 

注意:这种方式不支持密码动态更新

 

 

 

configMap

 

创建configMap

 

第一步:编写yml文件

# ConfigMap with the same two keys as mysecret, but stored as plain text.
# NOTE: a ConfigMap is not a place for credentials -- `kubectl describe cm`
# in step 4 prints the values verbatim. A password such as "mima" belongs in a
# Secret, which at least keeps it out of casual describe output and can be
# access-controlled separately.
apiVersion: v1
kind: ConfigMap
metadata:
 name: mycm
data:
  name: ken
  mima: ken123

 

第二步:执行yml文件

[root@ken1 ~]# kubectl apply -f cm.yml

 

第三步:查看cm

[root@ken1 ~]# kubectl get cm
NAME    DATA   AGE
mycm    2      19s

 

第四步:查看具体值

[root@ken1 ~]# kubectl describe  cm mycm
Name:         mycm
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"v1","data":{"mima":"ken123","name":"ken"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"mycm","namespace":"defaul...

Data
====
mima:
----
ken123
name:
----
ken

 

 

 

有两种方式使用cm

1.以volume形式

2.以环境变量的形式

 

演示以环境变量的方式使用cm

 

第一步:编写yml文件

# Pod that imports the "mima" key of the mycm ConfigMap as the
# MYSQL_ROOT_PASSWORD environment variable (plain text, see printenv below).
# NOTE(review): the pod listed and entered later is "pod-cm1", not "pod-cm";
# the name below may not be the one that was actually applied.
apiVersion: v1
kind: Pod
metadata:
  name: pod-cm
spec:
  containers:
  - name: busybox
    image: busybox
    env:
    # Same shape as the Secret-backed pod, with configMapKeyRef instead of
    # secretKeyRef. The value "ken123" was stored without a trailing newline
    # (no blank line follows it in printenv).
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
       configMapKeyRef:
        name: mycm
        key: mima
    # Keeps the container alive so it can be entered with kubectl exec.
    args:
    - /bin/sh
    - -c 
    - touch test; sleep 6000

 

第二步:执行该yml文件

[root@ken1 ~]# kubectl apply -f pod-cm.yml 

 

第三步:查看容器

[root@ken1 ~]# kubectl get po
NAME          READY   STATUS    RESTARTS   AGE
nginx-hostp   1/1     Running   1          24h
pod-cm        1/1     Running   1          19h
pod-cm1       1/1     Running   0          25s
pod-secret1   1/1     Running   0          44m
pod-secret2   1/1     Running   0          34m

 

第四步:进入容器

[root@ken1 ~]# kubectl exec -it pod-cm1 sh
/ # ls
bin   dev   etc   home  proc  root  sys   test  tmp   usr   var
/ # printenv
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
HOSTNAME=pod-cm1
SHLVL=1
HOME=/root
MYSQL_ROOT_PASSWORD=ken123
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST=10.96.0.1
