Kubernetes的加密管理:
第一种:
Secret 的数据以 base64 编码后存储(见后文,base64 只是编码并非加密),容器通过文件或者环境变量访问数据
Secret的创建:
第一种:
[root@k8smaster ~]# kubectl create secret generic mysecret --from-literal=username=test --from-literal=password=123456
generic 从本地 file, directory 或者 literal value 创建一个 secret
--from-literal=username=test:每个 --from-literal 对应一个键值对,这里键为 username、值为 test
--from-literal=password=123456:键为 password、值为 123456
注意:通过 --from-literal 传入的值会留在 shell 历史记录里,正式环境更推荐后面介绍的 --from-file 方式
查看:
[root@k8smaster ~]# kubectl get secrets mysecret
NAME TYPE DATA AGE
mysecret Opaque 2 5m8s
详细查看:
[root@k8smaster ~]# kubectl describe secrets mysecret
Name: mysecret
Namespace: default
Labels:
Annotations:
Type: Opaque
Data
password: 6 bytes
username: 4 bytes
第二种:
[root@k8smaster ~]# mkdir 7-24
[root@k8smaster ~]# cd 7-24/
[root@k8smaster 7-24]# echo -n test > username
[root@k8smaster 7-24]# echo -n 123456 > password
把密码和用户名写进文件里
创建secret:
[root@k8smaster 7-24]# kubectl create secret generic mysecret1 --from-file=username --from-file=password
--from-file=username 对应一个文件,每个文件生成一个数据条目:键为文件名,值为文件内容
查看:
[root@k8smaster 7-24]# kubectl get secrets mysecret1
NAME TYPE DATA AGE
mysecret1 Opaque 2 117s
详细查看:
[root@k8smaster 7-24]# kubectl describe secrets mysecret1
Name: mysecret1
Namespace: default
Labels:
Annotations:
Type: Opaque
Data
password: 6 bytes
username: 4 bytes
第三种方法:
[root@k8smaster 7-24]# cat << EOF > envsecret.txt
username=test
password=123456
EOF
[root@k8smaster 7-24]# cat envsecret.txt
username=test
password=123456
创建:
[root@k8smaster 7-24]# kubectl create secret generic mysecret2 --from-env-file=envsecret.txt
--from-env-file=envsecret.txt 指定一个 key=value 格式的文件,文件中每一行生成一个条目
查看:
[root@k8smaster 7-24]# kubectl get secrets mysecret2
NAME TYPE DATA AGE
mysecret2 Opaque 2 22s
第四种方法yml文件:
[root@k8smaster 7-24]# kubectl create secret generic mysecret3 --from-literal=username=test --from-literal=password=123456 --dry-run -o yaml > mysecret.yml
查看文件:
[root@k8smaster 7-24]# cat mysecret.yml
apiVersion: v1
data:
  password: MTIzNDU2
  username: dGVzdA==
kind: Secret
metadata:
  creationTimestamp: null
  name: mysecret3
这两个值是通过base64编码后的结果。base64 只是编码而不是加密,任何能读取这个 Secret 对象的人都可以直接解码出原始值
如:
[root@k8smaster 7-24]# echo -n 123456|base64
MTIzNDU2
执行文件:
[root@k8smaster 7-24]# kubectl apply -f mysecret.yml
查看:
[root@k8smaster 7-24]# kubectl get secrets
NAME TYPE DATA AGE
default-token-vmm27 kubernetes.io/service-account-token 3 16d
mysecret Opaque 2 20m
mysecret1 Opaque 2 11m
mysecret2 Opaque 2 7m3s
mysecret3 Opaque 2 18s
详细查看:
[root@k8smaster 7-24]# kubectl describe secrets mysecret3
Name: mysecret3
Namespace: default
Labels:
Annotations:
Type: Opaque
Data
password: 6 bytes
username: 4 bytes
可以看到键的名字
想查看值的话(也可以用 kubectl get secrets mysecret3 -o yaml,不必进入编辑模式):
[root@k8smaster 7-24]# kubectl edit secrets mysecret3
再通过base64解码就能看到密码:
[root@k8smaster 7-24]# echo -n MTIzNDU2|base64 --decode
123456
Pod通过volume的方式使用secret:
[root@k8smaster 7-24]# vim mypodsec.yml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 3000000000
    volumeMounts:
    - mountPath: /etc/fff
      name: aaa
      readOnly: true
  volumes:
  - name: aaa
    secret:
      secretName: mysecret3
定义volume的名字为aaa,并通过secretName指定使用哪个secret
执行文件:
[root@k8smaster 7-24]# kubectl apply -f mypodsec.yml
确定pod运行了之后登陆容器查看:
[root@k8smaster 7-24]# kubectl exec -it mypod sh
/ # cd /etc/fff/
/etc/fff # ls
password username
/etc/fff # cat password
123456
/etc/fff # cat username
test
可以看到这就是前面我们定义的键值对,也就是用户名和密码;/etc/fff 是我们前面编写yml文件时指定的volume挂载目录
也可以自定义存放数据的文件名:
[root@k8smaster 7-24]# cp mypodsec.yml mypodsec1.yml
[root@k8smaster 7-24]# vim mypodsec1.yml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 3000000000
    volumeMounts:
    - mountPath: /etc/fff
      name: aaa
      readOnly: true
  volumes:
  - name: aaa
    secret:
      secretName: mysecret3
      items:
      - key: username
        path: aaa/user
      - key: password
        path: aaa/pas
删除前面的pod并执行文件:
[root@k8smaster 7-24]# kubectl delete pod mypod
[root@k8smaster 7-24]# kubectl apply -f mypodsec1.yml
查看:
[root@k8smaster 7-24]# kubectl exec -it mypod sh
用户名和密码被存放在了 /etc/fff/aaa 分别叫pas 和user
Secret还支持动态更新 :
我们修改密码:
[root@k8smaster 7-24]# echo -n abcde |base64
YWJjZGU=
[root@k8smaster 7-24]# vim mysecret.yml
apiVersion: v1
data:
  password: YWJjZGU=
  username: dGVzdA==
kind: Secret
metadata:
  creationTimestamp: null
  name: mysecret3
执行文件 :
[root@k8smaster 7-24]# kubectl apply -f mysecret.yml
登入容器查看密码:
[root@k8smaster 7-24]# kubectl exec -it mypod sh
/ # cat /etc/fff/aaa/pas
abcde
可以看到密码由原来的123456 变成了abcde
Pod通过环境变量的方式使用secret:
[root@k8smaster 7-24]# vim msec.yml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 3000000000
    env:
    - name: myuser
      valueFrom:
        secretKeyRef:
          name: mysecret3
          key: username
    - name: mypas
      valueFrom:
        secretKeyRef:
          name: mysecret3
          key: password
执行文件:
[root@k8smaster 7-24]# kubectl apply -f msec.yml
查看:
[root@k8smaster 7-24]# kubectl exec -it mypod sh
/ # echo $myuser
test
/ # echo $mypas
abcde
环境变量的方式不支持动态更新,但是读取很方便
Secret主要保存的是密码等敏感信息,像一些普通配置文件则可以用configmap
创建方式和secret很像都有四种方式:
第一种:
[root@k8smaster 7-24]# kubectl create configmap myconmap --from-literal=test=1 --from-literal=test1=2
第二种:
[root@k8smaster 7-24]# echo -n 1 >test
[root@k8smaster 7-24]# echo -n 2 >test1
[root@k8smaster 7-24]# kubectl create configmap myconmap1 --from-file=test --from-file=test1
第三种:
[root@k8smaster 7-24]# cat << EOF > envp.txt
test=1
test1=2
EOF
[root@k8smaster 7-24]# kubectl create configmap myconmap2 --from-env-file=envp.txt
第四种yml文件:
[root@k8smaster 7-24]# kubectl create configmap myconmap3 --from-env-file=envp.txt --dry-run -o yaml > myconmap.yml
查看 :
[root@k8smaster 7-24]# cat myconmap.yml
apiVersion: v1
data:
  test: "1"
  test1: "2"
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: myconmap3
执行文件:
[root@k8smaster 7-24]# kubectl apply -f myconmap.yml
查看:
[root@k8smaster 7-24]# kubectl get configmaps
NAME DATA AGE
myconmap 2 6m8s
myconmap1 2 4m55s
myconmap2 2 3m21s
myconmap3 2 18s
详细查看一个:
[root@k8smaster 7-24]# kubectl describe configmaps myconmap3
Name: myconmap3
Namespace: default
Labels:
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","data":{"test":"1","test1":"2"},"kind":"ConfigMap","metadata":{"annotations":{},"creationTimestamp":null,"name":"myconm…
Data
test:
1
test1:
2
Events:
可以看到值都是明文显示出来的,所以敏感信息不要放在configmap里
Pod通过volume或者环境变量使用configmap:
volume:
[root@k8smaster 7-24]# cp mypodsec.yml myconf.yml
[root@k8smaster 7-24]# vim myconf.yml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 3000000000
    volumeMounts:
    - mountPath: /etc/fff
      name: aaa
      readOnly: true
  volumes:
  - name: aaa
    configMap:
      name: myconmap3
执行文件:
[root@k8smaster 7-24]# kubectl apply -f myconf.yml
[root@k8smaster 7-24]# kubectl exec -it mypod sh
/ # cat /etc/fff/test1
2/ #
/ # cat /etc/fff/test
1/ #
环境变量的方式:
[root@k8smaster 7-24]# cp msec.yml mcmp.yml
[root@k8smaster 7-24]# vim mcmp.yml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 3000000000
    env:
    - name: myuser
      valueFrom:
        configMapKeyRef:
          name: myconmap3
          key: test
    - name: mypas
      valueFrom:
        configMapKeyRef:
          name: myconmap3
          key: test1
执行文件:
[root@k8smaster 7-24]# kubectl apply -f mcmp.yml
[root@k8smaster 7-24]# kubectl exec -it mypod sh
/ # echo $myuser
1
/ # echo $mypas
2
一般情况下 配置信息都是文件形式的,用yaml或者 --from-file比较好
测试一个:
给pod传一个记录日志的配置信息:
[root@k8smaster 7-24]# vim logging.conf
[root@k8smaster 7-24]# cat logging.conf
class: logging.handlers.RotatingFileHandler
formatter: precise
level: INFO
filename: %hostname-%timestamp.log
用--from-file或者yaml:
[root@k8smaster 7-24]# kubectl create configmap myconmap4 --from-file=logging.conf
[root@k8smaster 7-24]# kubectl create configmap myconmap5 --from-file=logging.conf --dry-run -o yaml > myconmap5.yml
[root@k8smaster 7-24]# cat myconmap5.yml
apiVersion: v1
data:
  logging.conf: |
    class: logging.handlers.RotatingFileHandler
    formatter: precise
    level: INFO
    filename: %hostname-%timestamp.log
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: myconmap5
执行文件:
[root@k8smaster 7-24]# kubectl apply -f myconmap5.yml
查看:
在pod中使用这个configmap:
[root@k8smaster 7-24]# vim myconf.yml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: busybox
    args:
    - /bin/sh
    - -c
    - sleep 3000000000
    volumeMounts:
    - mountPath: /etc/fff
      name: aaa
      readOnly: true
  volumes:
  - name: aaa
    configMap:
      name: myconmap5
      items:
      - key: logging.conf
        path: aaa/log.conf
这个键需要kubectl describe configmaps myconmap5 来查看
Data
logging.conf:
class: logging.handlers.RotatingFileHandler
formatter: precise
level: INFO
filename: %hostname-%timestamp.log
Events:
就是这个对应下面的值
执行文件:
[root@k8smaster 7-24]# kubectl apply -f myconf.yml
查看:
[root@k8smaster 7-24]# kubectl exec -it mypod sh
/ # cat /etc/fff/aaa/log.conf
class: logging.handlers.RotatingFileHandler
formatter: precise
level: INFO
filename: %hostname-%timestamp.log
Configmap也支持动态更新:
[root@k8smaster 7-24]# vim myconmap5.yml
重新执行文件:
[root@k8smaster 7-24]# kubectl apply -f myconmap5.yml
查看:
[root@k8smaster 7-24]# kubectl exec -it mypod sh
/ # cat /etc/fff/aaa/log.conf
class: logging.handlers.RotatingFileHandler
formatter: precise
level: INFO
filename: %hostname-%timestamp.log
labels:
name: test
/ #