1.Secret概述
Secret解决了密码、token、秘钥等敏感数据的配置问题,而不需要把这些敏感数据暴露到镜像或者Pod Spec中。Secret可以以Volume或者环境变量的方式使用。
用户可以创建 secret,同时系统也创建了一些 secret。
要使用 secret,pod 需要引用 secret。Pod 可以用两种方式使用 secret:作为 volume 中的文件被挂载到 pod 中的一个或者多个容器里,或者当 kubelet 为 pod 拉取镜像时使用。
2.Secret类型
- Service Account:用来访问Kubernetes API,由Kubernetes自动创建,并且会自动挂载到Pod的 /run/secrets/kubernetes.io/serviceaccount 目录中。
- Opaque:base64编码格式的Secret,用来存储密码、秘钥等。
- kubernetes.io/dockerconfigjson:用来存储私有docker registry的认证信息。
2.1 Service Account
通过kube-proxy查看
[root@k8s-master ~]# kubectl get pod -A | grep 'kube-proxy' kube-system kube-proxy-c2mxx 1/1 Running 0 28h kube-system kube-proxy-j4zlw 1/1 Running 0 28h kube-system kube-proxy-jffp7 1/1 Running 0 28h [root@k8s-master ~]# kubectl exec -it -n kube-system kube-proxy-c2mxx -- sh # ls -l /run/secrets/kubernetes.io/serviceaccount total 0 lrwxrwxrwx 1 root root 13 Sep 7 04:23 ca.crt -> ..data/ca.crt lrwxrwxrwx 1 root root 16 Sep 7 04:23 namespace -> ..data/namespace lrwxrwxrwx 1 root root 12 Sep 7 04:23 token -> ..data/token
2.2 Opaque Secret
2.2.1创建secret
1)手动加密,基于base64加密
[root@k8s-master ~]# echo -n 'admin' | base64 YWRtaW4= [root@k8s-master ~]# echo -n '1f2d1e2e67df' | base64 MWYyZDFlMmU2N2Rm
2)yaml文件
[root@k8s-master secret]# pwd /root/k8s_practice/secret [root@k8s-master secret]# cat secret.yaml apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm
或者通过如下命令行创建【secret名称故意设置不一样,以方便查看对比】,生成secret后会自动加密,而非明文存储。
kubectl create secret generic db-user-pass --from-literal=username=admin --from-literal=password=1f2d1e2e67df
3)生成secret,并查看状态
[root@k8s-master secret]# kubectl apply -f secret.yaml secret/mysecret created [root@k8s-master secret]# kubectl get secrets NAME TYPE DATA AGE default-token-5xwvl kubernetes.io/service-account-token 3 30h mysecret Opaque 2 12s #已创建 tls-secret kubernetes.io/tls 2 23h [root@k8s-master secret]# kubectl get secrets mysecret -o yaml #查看mysecrect详细信息 apiVersion: v1 data: password: MWYyZDFlMmU2N2Rm username: YWRtaW4= kind: Secret metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"v1","data":{"password":"MWYyZDFlMmU2N2Rm","username":"YWRtaW4="},"kind":"Secret","metadata":{"annotations":{},"name":"mysecret","namespace":"default"},"type":"Opaque"} creationTimestamp: "2021-09-08T09:21:23Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:password: {} f:username: {} f:metadata: f:annotations: .: {} f:kubectl.kubernetes.io/last-applied-configuration: {} f:type: {} manager: kubectl-client-side-apply operation: Update time: "2021-09-08T09:21:23Z" name: mysecret namespace: default resourceVersion: "273247" selfLink: /api/v1/namespaces/default/secrets/mysecret uid: 338226e7-be86-46df-829b-9c9d206e0daa type: Opaque [root@k8s-master secret]# kubectl describe secrets mysecret Name: mysecret Namespace: default Labels: <none> Annotations: <none> Type: Opaque Data ==== password: 12 bytes username: 5 bytes
2.2.2将Secret挂载到Volume中
1)yaml文件
[root@k8s-master secret]# pwd /root/k8s_practice/secret [root@k8s-master secret]# cat pod_secret_volume.yaml piVersion: v1 kind: Pod metadata: name: pod-secret-volume spec: containers: - name: myapp image: registry.cn-beijing.aliyuncs.com/google_registry/myapp:v1 volumeMounts: - name: secret-volume mountPath: /etc/secret readOnly: true volumes: - name: secret-volume secret: secretName: mysecret #将mysecret挂载到Volume
2)启动pod并查看状态
[root@k8s-master secret]# kubectl apply -f pod_secret_volume.yaml pod/pod-secret-volume created [root@k8s-master secret]# kubectl get pod -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES pod-secret-volume 1/1 Running 0 6s 10.244.2.8 k8s-node2 <none> <none>
3)查看secret信息
[root@k8s-master secret]# kubectl exec -it pod-secret-volume -- /bin/sh / # ls /etc/secret password username / # cat /etc/secret/password / # cat /etc/secret/username admin/ # / # cat /etc/secret/password 1f2d1e2e67df/ #
由上可见,在pod中的secret信息实际已经被解密。
2.2.3将Secret导入到环境变量中
1)yaml文件
[root@k8s-master secret]# pwd /root/k8s_practice/secret [root@k8s-master secret]# cat pod_secret_env.yaml pod_secret_env.yaml apiVersion: v1 kind: Pod metadata: name: pod-secret-env spec: containers: - name: myapp image: registry.cn-beijing.aliyuncs.com/google_registry/myapp:v1 env: - name: SECRET_USERNAME valueFrom: secretKeyRef: name: mysecret key: username - name: SECRET_PASSWORD valueFrom: secretKeyRef: name: mysecret key: password restartPolicy: Never
2)启动pod并查看状态
[root@k8s-master secret]# kubectl apply -f pod_secret_env.yaml pod/pod-secret-env created [root@k8s-master secret]# kubectl get pod -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES pod-secret-env 1/1 Running 0 9s 10.244.1.9 k8s-node1 <none> <none>
3)查看secret信息
[root@k8s-master secret]# kubectl exec -it pod-secret-env -- /bin/sh / # env MYAPP_SVC_PORT_80_TCP_ADDR=10.98.57.156 KUBERNETES_PORT=tcp://10.96.0.1:443 KUBERNETES_SERVICE_PORT=443 MYAPP_SVC_PORT_80_TCP_PORT=80 HOSTNAME=pod-secret-env SHLVL=1 MYAPP_SVC_PORT_80_TCP_PROTO=tcp HOME=/root SECRET_PASSWORD=1f2d1e2e67df MYAPP_SVC_PORT_80_TCP=tcp://10.98.57.156:80 TERM=xterm NGINX_VERSION=1.12.2 KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin KUBERNETES_PORT_443_TCP_PORT=443 KUBERNETES_PORT_443_TCP_PROTO=tcp MYAPP_SVC_SERVICE_HOST=10.98.57.156 SECRET_USERNAME=admin KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443 KUBERNETES_SERVICE_PORT_HTTPS=443 PWD=/ KUBERNETES_SERVICE_HOST=10.96.0.1 MYAPP_SVC_SERVICE_PORT=80 MYAPP_SVC_PORT=tcp://10.98.57.156:80
由上可见,在pod中的secret信息实际已经被解密。
2.3 docker-registry Secret
首先使用harbor搭建镜像仓库,搭建部署过程参考:https://www.cnblogs.com/wuxinchun/p/15196731.html
1)harbor部分配置文件信息
[root@k8s-master harbor]# pwd /root/App/harbor [root@k8s-master harbor]# vim harbor.yml # Configuration file of Harbor hostname: 172.16.1.110 # http related config http: # port for http, default is 80. If https enabled, this port will redirect to https port port: 5000 # https related config https: # https port for harbor, default is 443 port: 443 # The path of cert and key files for nginx certificate: /etc/harbor/cert/httpd.crt private_key: /etc/harbor/cert/httpd.key harbor_admin_password: Harbor12345
2)启动harbor后客户端http设置
集群所有机器都要操作
[root@k8s-master ~]# vim /etc/docker/daemon.json { "exec-opts": ["native.cgroupdriver=systemd"], "log-driver": "json-file", "log-opts": { "max-size": "100m" }, "insecure-registries": ["172.16.1.110:5000"] } [root@k8s-master ~]# [root@k8s-master ~]# systemctl restart docker # 重启docker服务
添加了 “insecure-registries”: [“172.16.1.110:5000”] 这行,其中172.16.1.110为内网IP地址。该文件必须符合 json 规范,否则 Docker 将不能启动。
如果在Harbor所在的机器重启了docker服务,记得要重新启动Harbor。
3)创建「私有」仓库
4)镜像上传
docker pull registry.cn-beijing.aliyuncs.com/google_registry/myapp:v1 docker tag registry.cn-beijing.aliyuncs.com/google_registry/myapp:v1 172.16.1.110:5000/k8s-secret/myapp:v1 # 登录 docker login 172.16.1.110:5000 -u admin -p Harbor12345 # 上传 docker push 172.16.1.110:5000/k8s-secret/myapp:v1
5)退出登录
之后在操作机上退出harbor登录,便于后面演示
### 退出harbor登录 [root@k8s-node02 ~]# docker logout 172.16.1.110:5000 Removing login credentials for 172.16.1.110:5000 ### 拉取失败,需要先登录。表明完成准备工作 [root@k8s-master secret]# docker pull 172.16.1.110:5000/k8s-secret/myapp:v1 Error response from daemon: pull access denied for 172.16.1.110:5000/k8s-secret/myapp, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
6)pod通过Secret下载镜像
通过命令行创建Secret,并查看其描述信息
[root@k8s-master secret]# kubectl create secret docker-registry myregistrysecret --docker-server='172.16.1.110:5000' --docker-username='admin' --docker-password='Harbor12345' secret/myregistrysecret created [root@k8s-master secret]# [root@k8s-master secret]# kubectl get secret NAME TYPE DATA AGE basic-auth Opaque 1 2d14h default-token-v48g4 kubernetes.io/service-account-token 3 27d myregistrysecret kubernetes.io/dockerconfigjson 1 8s # 刚刚创建的 mysecret Opaque 2 118m tls-secret kubernetes.io/tls 2 3d4h [root@k8s-master secret]# [root@k8s-master secret]# kubectl get secret myregistrysecret -o yaml ### 查看详细信息 apiVersion: v1 data: .dockerconfigjson: eyJhdXRocyI6eyIxMC4wLjAuMTEwOjUwMDAiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiSGFyYm9yMTIzNDUiLCJhdXRoIjoiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9In19fQ== kind: Secret metadata: creationTimestamp: "2020-06-08T16:07:32Z" name: myregistrysecret namespace: default resourceVersion: "1004582" selfLink: /api/v1/namespaces/default/secrets/myregistrysecret uid: b95f4386-64bc-4ba3-b43a-08afb1c1eb9d type: kubernetes.io/dockerconfigjson [root@k8s-master secret]# [root@k8s-master secret]# kubectl describe secret myregistrysecret ### 查看描述信息 Name: myregistrysecret Namespace: default Labels: <none> Annotations: <none> Type: kubernetes.io/dockerconfigjson Data ==== .dockerconfigjson: 109 bytes
7)修改之前的yaml文件
[root@k8s-master secret]# cat pod_secret_registry.yaml apiVersion: v1 kind: Pod metadata: name: pod-secret-registry spec: containers: - name: myapp image: 172.16.1.110:5000/k8s-secret/myapp:v1 imagePullSecrets: - name: myregistrysecret
8)启动pod并查看状态
[root@k8s-master secret]# kubectl apply -f pod_secret_registry.yaml pod/pod-secret-registry created [root@k8s-master secret]# [root@k8s-master secret]# kubectl get pod -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES pod-secret-registry 1/1 Running 0 8s 10.244.2.162 k8s-node02 <none> <none> [root@k8s-master secret]# [root@k8s-master secret]# kubectl describe pod pod-secret-registry Name: pod-secret-registry Namespace: default Priority: 0 Node: k8s-node02/172.16.1.112 Start Time: Tue, 09 Jun 2020 00:22:40 +0800 Labels: <none> Annotations: kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"pod-secret-registry","namespace":"default"},"spec":{"containers":[{"i... Status: Running IP: 10.244.2.162 IPs: IP: 10.244.2.162 Containers: myapp: Container ID: docker://ef4d42f1f1616a44c2a6c0a5a71333b27f46dfe76eb392962813a28d69150c00 Image: 172.16.1.110:5000/k8s-secret/myapp:v1 Image ID: docker-pullable://172.16.1.110:5000/k8s-secret/myapp@sha256:9eeca44ba2d410e54fccc54cbe9c021802aa8b9836a0bcf3d3229354e4c8870e Port: <none> Host Port: <none> State: Running Started: Tue, 09 Jun 2020 00:22:41 +0800 Ready: True Restart Count: 0 Environment: <none> Mounts: /var/run/secrets/kubernetes.io/serviceaccount from default-token-v48g4 (ro) Conditions: Type Status Initialized True Ready True ContainersReady True PodScheduled True Volumes: default-token-v48g4: Type: Secret (a volume populated by a Secret) SecretName: default-token-v48g4 Optional: false QoS Class: BestEffort Node-Selectors: <none> Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s node.kubernetes.io/unreachable:NoExecute for 300s Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 22s default-scheduler Successfully assigned default/pod-secret-registry to k8s-node02 Normal Pulling 22s kubelet, k8s-node02 Pulling image "172.16.1.110:5000/k8s-secret/myapp:v1" Normal Pulled 22s kubelet, k8s-node02 Successfully pulled image "172.16.1.110:5000/k8s-secret/myapp:v1" Normal Created 22s kubelet, k8s-node02 Created container myapp Normal Started 21s kubelet, k8s-node02 Started container myapp
由上可见,通过secret认证后pod拉取私有镜像是可以的。