Kubernetes K8S之存储Secret详解
2024-04-09 13:35:19
Kubernetes K8S之存储Secret详解
- Secret概述
- Secret类型
- Service Account
- Opaque Secret
- 创建secret
- 将Secret挂载到Volume中
- 将Secret导入到环境变量中
- docker-registry Secret
- harbor镜像仓库
- pod直接下载镜像
- pod通过Secret下载镜像
原文地址:
Kubernetes K8S之存储Secret详解
Secret概述
Secret解决了密码、token、秘钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者Pod Spec中。Secret可以以Volume或者环境变量的方式使用。
用户可以创建 secret,同时系统也创建了一些 secret。
要使用 secret,pod 需要引用 secret。Pod 可以用两种方式使用 secret:作为 volume 中的文件被挂载到 pod 中的一个或者多个容器里,或者当 kubelet 为 pod 拉取镜像时使用。
Secret类型
- Service Account:用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的 /run/secrets/kubernetes.io/serviceaccount 目录中。
- Opaque:base64编码格式的Secret,用来存储密码、秘钥等。
- kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息。
Service Account
通过kube-proxy查看
[root@k8s-master ~]# kubectl get pod -A | grep 'kube-proxy'
kube-system kube-proxy-6bfh7 1/1 Running 12 7d3h
kube-system kube-proxy-6vfkf 1/1 Running 11 7d3h
kube-system kube-proxy-bvl9n 1/1 Running 11 7d3h
[root@k8s-master ~]#
[root@k8s-master ~]# kubectl exec -it -n kube-system kube-proxy-6bfh7 -- /bin/sh
# ls -l /run/secrets/kubernetes.io/serviceaccount
total 0
lrwxrwxrwx 1 root root 13 Jun 8 13:39 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Jun 8 13:39 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Jun 8 13:39 token -> ..data/token
Opaque Secret
创建secret
手动加密,基于base64加密
[root@k8s-master ~]# echo -n 'admin' | base64
YWRtaW4=
[root@k8s-master ~]# echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
yaml文件
1 [root@k8s-master secret]# pwd2 /root/k8s_practice/secret3 [root@k8s-master secret]# cat secret.yaml 4 apiVersion: v15 kind: Secret6 metadata:7 name: mysecret8 type: Opaque9 data:
10 username: YWRtaW4=
11 password: MWYyZDFlMmU2N2Rm
或者通过如下命令行创建【secret名称故意设置不一样,以方便查看对比】,生成secret后会自动加密,而非明文存储。
kubectl create secret generic db-user-pass --from-literal=username=admin --from-literal=password=1f2d1e2e67df
生成secret,并查看状态
[root@k8s-master secret]# kubectl apply -f secret.yaml
secret/mysecret created
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get secret ### 查看默认名称空间的secret简要信息
NAME TYPE DATA AGE
basic-auth Opaque 1 2d12h
default-token-v48g4 kubernetes.io/service-account-token 3 27d
mysecret Opaque 2 23s ### 可见已创建
tls-secret kubernetes.io/tls 2 3d2h
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get secret mysecret -o yaml ### 查看mysecret详细信息
apiVersion: v1
data:password: MWYyZDFlMmU2N2Rmusername: YWRtaW4=
kind: Secret
metadata:annotations:kubectl.kubernetes.io/last-applied-configuration: |{"apiVersion":"v1","data":{"password":"MWYyZDFlMmU2N2Rm","username":"YWRtaW4="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"type":"Opaque"}creationTimestamp: "2020-06-08T14:08:59Z"name: mysecretnamespace: defaultresourceVersion: "987419"selfLink: /api/v1/namespaces/default/secrets/mysecretuid: 27b58929-71c4-495b-99a5-0d411910a529
type: Opaque
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl describe secret mysecret ### 查看描述信息
Name: mysecret
Namespace: default
Labels: <none>
Annotations:
Type: OpaqueData
====
password: 12 bytes
username: 5 bytes
将Secret挂载到Volume中
yaml文件
[root@k8s-master secret]# pwd
/root/k8s_practice/secret
[root@k8s-master secret]# cat pod_secret_volume.yaml
apiVersion: v1
kind: Pod
metadata:name: pod-secret-volume
spec:containers:- name: myappimage: registry.cn-beijing.aliyuncs.com/google_registry/myapp:v1volumeMounts:- name: secret-volumemountPath: /etc/secretreadOnly: truevolumes:- name: secret-volumesecret:secretName: mysecret
启动pod并查看状态
[root@k8s-master secret]# kubectl apply -f pod_secret_volume.yaml
pod/pod-secret-volume created
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod-secret-volume 1/1 Running 0 16s 10.244.2.159 k8s-node02 <none> <none>
查看secret信息
[root@k8s-master secret]# kubectl exec -it pod-secret-volume -- /bin/sh
/ # ls /etc/secret
password username
/ #
/ # cat /etc/secret/username
admin/ #
/ #
/ # cat /etc/secret/password
1f2d1e2e67df/ #
由上可见,在pod中的secret信息实际已经被解密。
将Secret导入到环境变量中
yaml文件
[root@k8s-master secret]# pwd
/root/k8s_practice/secret
[root@k8s-master secret]# cat pod_secret_env.yaml
apiVersion: v1
kind: Pod
metadata:name: pod-secret-env
spec:containers:- name: myappimage: registry.cn-beijing.aliyuncs.com/google_registry/myapp:v1env:- name: SECRET_USERNAMEvalueFrom:secretKeyRef:name: mysecretkey: username- name: SECRET_PASSWORDvalueFrom:secretKeyRef:name: mysecretkey: passwordrestartPolicy: Never
启动pod并查看状态
[root@k8s-master secret]# kubectl apply -f pod_secret_env.yaml
pod/pod-secret-env created
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod-secret-env 1/1 Running 0 6s 10.244.2.160 k8s-node02 <none> <none>
查看secret信息
[root@k8s-master secret]# kubectl exec -it pod-secret-env -- /bin/sh
/ # env
………………
HOME=/root
SECRET_PASSWORD=1f2d1e2e67df ### secret信息
MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80
TERM=xterm
NGINX_VERSION=1.12.2
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_PROTO=tcp
MYAPP_SVC_SERVICE_HOST=10.98.57.156
SECRET_USERNAME=admin ### secret信息
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
………………
由上可见,在pod中的secret信息实际已经被解密。
docker-registry Secret
harbor镜像仓库
首先使用harbor搭建镜像仓库,搭建部署过程参考:「Harbor企业级私有Docker镜像仓库部署」
harbor部分配置文件信息
[root@k8s-master harbor]# pwd
/root/App/harbor
[root@k8s-master harbor]# vim harbor.yml
# Configuration file of Harbor
hostname: 172.16.1.110# http related config
http:# port for http, default is 80. If https enabled, this port will redirect to https portport: 5000# https related config
https:# https port for harbor, default is 443port: 443# The path of cert and key files for nginxcertificate: /etc/harbor/cert/httpd.crtprivate_key: /etc/harbor/cert/httpd.key
harbor_admin_password: Harbor12345
启动harbor后客户端http设置
集群所有机器都要操作
[root@k8s-master ~]# vim /etc/docker/daemon.json
{"exec-opts": ["native.cgroupdriver=systemd"],"log-driver": "json-file","log-opts": {"max-size": "100m"},"insecure-registries": ["172.16.1.110:5000"]
}
[root@k8s-master ~]#
[root@k8s-master ~]# systemctl restart docker # 重启docker服务
添加了 “insecure-registries”: [“172.16.1.110:5000”] 这行,其中172.16.1.110为内网IP地址。该文件必须符合 json 规范,否则 Docker 将不能启动。
如果在Harbor所在的机器重启了docker服务,记得要重新启动Harbor。
创建「私有」仓库
镜像上传
docker pull registry.cn-beijing.aliyuncs.com/google_registry/myapp:v1
docker tag registry.cn-beijing.aliyuncs.com/google_registry/myapp:v1 172.16.1.110:5000/k8s-secret/myapp:v1
# 登录
docker login 172.16.1.110:5000 -u admin -p Harbor12345
# 上传
docker push 172.16.1.110:5000/k8s-secret/myapp:v1
退出登录
之后在操作机上退出harbor登录,便于后面演示
### 退出harbor登录
[root@k8s-node02 ~]# docker logout 172.16.1.110:5000
Removing login credentials for 172.16.1.110:5000
### 拉取失败,需要先登录。表明完成准备工作
[root@k8s-master secret]# docker pull 172.16.1.110:5000/k8s-secret/myapp:v1
Error response from daemon: pull access denied for 172.16.1.110:5000/k8s-secret/myapp, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
pod直接下载镜像
在yaml文件中指定image后,直接启动pod
[root@k8s-master secret]# pwd
/root/k8s_practice/secret
[root@k8s-master secret]# cat pod_secret_registry.yaml
apiVersion: v1
kind: Pod
metadata:name: pod-secret-registry
spec:containers:- name: myappimage: 172.16.1.110:5000/k8s-secret/myapp:v1
启动pod并查看状态
[root@k8s-master secret]# kubectl apply -f pod_secret_registry.yaml
pod/pod-secret-registry created
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get pod -o wide ### 可见镜像下载失败
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod-secret-registry 0/1 ImagePullBackOff 0 7s 10.244.2.161 k8s-node02 <none> <none>
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl describe pod pod-secret-registry ### 查看pod详情
Name: pod-secret-registry
Namespace: default
Priority: 0
Node: k8s-node02/172.16.1.112
Start Time: Mon, 08 Jun 2020 23:59:07 +0800
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"pod-secret-registry","namespace":"default"},"spec":{"containers":[{"i...
Status: Pending
IP: 10.244.2.161
IPs:IP: 10.244.2.161
Containers:myapp:Container ID:Image: 172.16.1.110:5000/k8s-secret/myapp:v1Image ID:
………………
Events:Type Reason Age From Message---- ------ ---- ---- -------Normal Scheduled 23s default-scheduler Successfully assigned default/pod-secret-registry to k8s-node02Normal BackOff 19s (x2 over 20s) kubelet, k8s-node02 Back-off pulling image "172.16.1.110:5000/k8s-secret/myapp:v1"Warning Failed 19s (x2 over 20s) kubelet, k8s-node02 Error: ImagePullBackOffNormal Pulling 9s (x2 over 21s) kubelet, k8s-node02 Pulling image "172.16.1.110:5000/k8s-secret/myapp:v1"Warning Failed 9s (x2 over 21s) kubelet, k8s-node02 Failed to pull image "172.16.1.110:5000/k8s-secret/myapp:v1": rpc error: code = Unknown desc = Error response from daemon: pull access denied for 172.16.1.110:5000/k8s-secret/myapp, repository does not exist or may require 'docker login': denied: requested access to the resource is deniedWarning Failed 9s (x2 over 21s) kubelet, k8s-node02 Error: ErrImagePull
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl delete -f pod_secret_registry.yaml
可见拉取私有镜像失败。
pod通过Secret下载镜像
通过命令行创建Secret,并查看其描述信息
[root@k8s-master secret]# kubectl create secret docker-registry myregistrysecret --docker-server='172.16.1.110:5000' --docker-username='admin' --docker-password='Harbor12345'
secret/myregistrysecret created
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get secret
NAME TYPE DATA AGE
basic-auth Opaque 1 2d14h
default-token-v48g4 kubernetes.io/service-account-token 3 27d
myregistrysecret kubernetes.io/dockerconfigjson 1 8s # 刚刚创建的
mysecret Opaque 2 118m
tls-secret kubernetes.io/tls 2 3d4h
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get secret myregistrysecret -o yaml ### 查看详细信息
apiVersion: v1
data:.dockerconfigjson: eyJhdXRocyI6eyIxMC4wLjAuMTEwOjUwMDAiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiSGFyYm9yMTIzNDUiLCJhdXRoIjoiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9In19fQ==
kind: Secret
metadata:creationTimestamp: "2020-06-08T16:07:32Z"name: myregistrysecretnamespace: defaultresourceVersion: "1004582"selfLink: /api/v1/namespaces/default/secrets/myregistrysecretuid: b95f4386-64bc-4ba3-b43a-08afb1c1eb9d
type: kubernetes.io/dockerconfigjson
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl describe secret myregistrysecret ### 查看描述信息
Name: myregistrysecret
Namespace: default
Labels: <none>
Annotations: <none>Type: kubernetes.io/dockerconfigjsonData
====
.dockerconfigjson: 109 bytes
修改之前的yaml文件
[root@k8s-master secret]# cat pod_secret_registry.yaml
apiVersion: v1
kind: Pod
metadata:name: pod-secret-registry
spec:containers:- name: myappimage: 172.16.1.110:5000/k8s-secret/myapp:v1imagePullSecrets:- name: myregistrysecret
启动pod并查看状态
[root@k8s-master secret]# kubectl apply -f pod_secret_registry.yaml
pod/pod-secret-registry created
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod-secret-registry 1/1 Running 0 8s 10.244.2.162 k8s-node02 <none> <none>
[root@k8s-master secret]#
[root@k8s-master secret]# kubectl describe pod pod-secret-registry
Name: pod-secret-registry
Namespace: default
Priority: 0
Node: k8s-node02/172.16.1.112
Start Time: Tue, 09 Jun 2020 00:22:40 +0800
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"pod-secret-registry","namespace":"default"},"spec":{"containers":[{"i...
Status: Running
IP: 10.244.2.162
IPs:IP: 10.244.2.162
Containers:myapp:Container ID: docker://ef4d42f1f1616a44c2a6c0a5a71333b27f46dfe76eb392962813a28d69150c00Image: 172.16.1.110:5000/k8s-secret/myapp:v1Image ID: docker-pullable://172.16.1.110:5000/k8s-secret/myapp@sha256:9eeca44ba2d410e54fccc54cbe9c021802aa8b9836a0bcf3d3229354e4c8870ePort: <none>Host Port: <none>State: RunningStarted: Tue, 09 Jun 2020 00:22:41 +0800Ready: TrueRestart Count: 0Environment: <none>Mounts:/var/run/secrets/kubernetes.io/serviceaccount from default-token-v48g4 (ro)
Conditions:Type StatusInitialized TrueReady TrueContainersReady TruePodScheduled True
Volumes:default-token-v48g4:Type: Secret (a volume populated by a Secret)SecretName: default-token-v48g4Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300snode.kubernetes.io/unreachable:NoExecute for 300s
Events:Type Reason Age From Message---- ------ ---- ---- -------Normal Scheduled 22s default-scheduler Successfully assigned default/pod-secret-registry to k8s-node02Normal Pulling 22s kubelet, k8s-node02 Pulling image "172.16.1.110:5000/k8s-secret/myapp:v1"Normal Pulled 22s kubelet, k8s-node02 Successfully pulled image "172.16.1.110:5000/k8s-secret/myapp:v1"Normal Created 22s kubelet, k8s-node02 Created container myappNormal Started 21s kubelet, k8s-node02 Started container myapp
由上可见,通过secret认证后pod拉取私有镜像是可以的。
Kubernetes K8S之存储Secret详解相关推荐
- Kubernetes K8S之存储Volume详解
K8S之存储Volume概述与说明,并详解常用Volume示例 主机配置规划 服务器名称(hostname) 系统版本 配置 内网IP 外网IP(模拟) k8s-master CentOS7.7 2C ...
- Kubernetes K8S之存储PV-PVC详解
K8S之存储PV-PVC概述与说明,并详解常用PV-PVC示例 概述 与管理计算实例相比,管理存储是一个明显的问题.PersistentVolume子系统为用户和管理员提供了一个API,该API从如何 ...
- kubernetes系列10—存储卷详解
kubernetes系列10-存储卷详解 1.认识存储卷 1.1 背景 默认情况下容器中的磁盘文件是非持久化的,容器中的磁盘的生命周期是短暂的,这就带来了一系列的问题:第一,当一个容器损坏之后,kub ...
- 【云原生 | Kubernetes 系列】K8s 实战 管理 Secret 详解
kubectl 管理 Secret 前言 一.使用 kubectl 管理 Secret 1.1.创建 Secret 1.2.验证 Secret 1.3.解码 Secret 1.4.清理 二.使用配置文 ...
- k8s volume mysql_Kubernetes K8S之存储Volume详解
K8S之存储Volume概述与说明,并详解常用Volume示例 1. 主机配置规划 2. Volume概述 在容器中的文件在磁盘上是临时存放的,当容器关闭时这些临时文件也会被一并清除.这给容器中运行的 ...
- K8S之存储PV-PVC详解
概述 与管理计算实例相比,管理存储是一个明显的问题.PersistentVolume子系统为用户和管理员提供了一个API,该API从如何使用存储中抽象出如何提供存储的详细信息.为此,我们引入了两个新的 ...
- k8s学习笔记(10)--- kubernetes核心组件之controller manager详解
kubernetes核心组件之controller manager详解 一.Controller Manager简介 1.1 Replication Controller 1.2 Node Contr ...
- k8s安装和部署详解
k8s安装和部署详解 文章目录 k8s安装和部署详解 kubernetes官方提供的三种部署方式 minikube kubeadm 二进制包 使用kubeadm方式安装 1.准备环境 2.确认dock ...
- 容器编排技术 -- Kubernetes kubectl create clusterrolebinding 命令详解
容器编排技术 -- Kubernetes kubectl create clusterrolebinding 命令详解 1 kubectl create clusterrolebinding 2 语法 ...
最新文章
- pytorch优化器与学习率设置详解
- SSH服务理论+实践
- java中两个整形相除,向上取整
- python中的字典推导式_python 字典推导式(经典代码)(22)
- html代码在线运行环境,ES5/可执行代码与执行环境
- 训练千亿参数模型的法宝,昇腾CANN异构计算架构来了~
- 绝对式编码器的ssi协议 stm32 hal
- JavaFx loading 数据加载中效果
- 服务器snb芯片组,认识6系列主板芯片组
- 如何用ps做计算机科学系的logo,PS教你制作一个精致的大众汽车LOGO图文教程
- 次氯酸钠发生器选型依据,再也不怕选不对设备了
- 笔记本外接显示器提示输入不支援
- 简单分析一个通过 js 劫持进行案例
- 如何开发一个小程序游戏?
- 让AI为你制作思维导图 —— ChatMind
- VMwareWorkstation虚拟机安装Linux系统
- 牛客寒假算法基础集训营5 J 炫酷数学
- Python爬取全国大学排名 用pyecharts进行大屏可视化
- Jeremy Cole大神关于Innodb的文章分享
- R语言滞后差分diff()函数