Kubernetes(k8s)密碼管理：Secret

目錄

• 一.系統環境
• 二.前言
• 三.Secret概覽
• 四.Secret 的型別
• 五.各種型別的secret使用例項
  • 5.1 建立kubernetes.io/service-account-token型別的secret
  • 5.2 建立Docker映象倉庫型別的secret
  • 5.3 建立Opaque型別的secret(鍵值對)
  • 5.4 建立Opaque型別的secret（對檔案加密）
• 六.以環境變數的方式使用 Secret
  • 6.1 明文方式儲存MySQL密碼
  • 6.2 使用secret密文方式儲存MySQL密碼
• 七.以卷的方式使用secret
  • 7.1 以卷的方式使用secret
  • 7.2 使用secret傳遞Nginx配置檔案

一.系統環境

伺服器版本	docker軟體版本	Kubernetes(k8s)叢集版本	CPU架構
CentOS Linux release 7.4.1708 (Core)	Docker version 20.10.12	v1.21.9	x86_64

Kubernetes叢集架構：k8scloude1作為master節點，k8scloude2，k8scloude3作為worker節點

伺服器	作業系統版本	CPU架構	程式	功能描述
k8scloude1/192.168.110.130	CentOS Linux release 7.4.1708 (Core)	x86_64	docker，kube-apiserver，etcd，kube-scheduler，kube-controller-manager，kubelet，kube-proxy，coredns，calico	k8s master節點
k8scloude2/192.168.110.129	CentOS Linux release 7.4.1708 (Core)	x86_64	docker，kubelet，kube-proxy，calico	k8s worker節點
k8scloude3/192.168.110.128	CentOS Linux release 7.4.1708 (Core)	x86_64	docker，kubelet，kube-proxy，calico	k8s worker節點

二.前言

使用secret的前提是已經有一套可以正常執行的Kubernetes叢集，關於Kubernetes(k8s)叢集的安裝部署，可以檢視部落格《Centos7 安裝部署Kubernetes(k8s)叢集》https://www.cnblogs.com/renshengdezheli/p/16686769.html。

三.Secret概覽

Secret 是一種包含少量敏感資訊例如密碼、令牌或金鑰的物件。 這樣的資訊可能會被放在 Pod 規約中或者映象中。 使用 Secret 意味著你不需要在應用程式程式碼中包含機密資料。

由於建立 Secret 可以獨立於使用它們的 Pod， 因此在建立、檢視和編輯 Pod 的工作流程中暴露 Secret（及其資料）的風險較小。 Kubernetes 和在叢集中執行的應用程式也可以對 Secret 採取額外的預防措施， 例如避免將機密資料寫入非易失性儲存。

Secret 類似於 ConfigMap 但專門用於儲存機密資料。

注意：預設情況下，Kubernetes Secret 未加密地儲存在 API 伺服器的底層資料儲存（etcd）中。 任何擁有 API 訪問許可權的人都可以檢索或修改 Secret，任何有權訪問 etcd 的人也可以。 此外，任何有許可權在名稱空間中建立 Pod 的人都可以使用該訪問許可權讀取該名稱空間中的任何 Secret； 這包括間接訪問，例如建立 Deployment 的能力。為了安全地使用 Secret，請至少執行以下步驟：

• 為 Secret 啟用靜態加密。

• 以最小特權訪問 Secret 並啟用或配置 RBAC 規則。

• 限制 Secret 對特定容器的訪問。

• 考慮使用外部 Secret 儲存驅動。

四.Secret 的型別

建立 Secret 時，你可以使用 Secret 資源的 type 欄位，或者與其等價的 kubectl 命令列引數（如果有的話）為其設定型別。 Secret 型別有助於對 Secret 資料進行程式設計處理。

Kubernetes 提供若干種內建的型別，用於一些常見的使用場景。 針對這些型別，Kubernetes 所執行的合法性檢查操作以及對其所實施的限制各不相同。

透過為 Secret 物件的 type 欄位設定一個非空的字串值，你也可以定義並使用自己 Secret 型別（如果 type 值為空字串，則被視為 Opaque 型別）。
當 Secret 配置檔案中未作顯式設定時，預設的 Secret 型別是 Opaque。 當你使用 kubectl 來建立一個 Secret 時，你會使用 generic 子命令來標明要建立的是一個 Opaque 型別 的Secret。 例如，下面的命令會建立一個空的 Opaque 型別 Secret 物件：

kubectl create secret generic empty-secret
kubectl get secret empty-secret

內建型別	用法
Opaque	使用者定義的任意資料
kubernetes.io/service-account-token	服務賬號令牌
kubernetes.io/dockercfg	~/.dockercfg 檔案的序列化形式
kubernetes.io/dockerconfigjson	~/.docker/config.json 檔案的序列化形式
kubernetes.io/basic-auth	用於基本身份認證的憑據
kubernetes.io/ssh-auth	用於 SSH 身份認證的憑據
kubernetes.io/tls	用於 TLS 客戶端或者伺服器端的資料
bootstrap.kubernetes.io/token	啟動引導令牌資料

五.各種型別的secret使用例項

5.1 建立kubernetes.io/service-account-token型別的secret

檢視secret，存在一個預設的secret。

[root@k8scloude1 secret-manage]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-wkjv8   kubernetes.io/service-account-token   3      26m

kubernetes.io/service-account-token型別的secret：每建立一個service-account賬號，都會自動建立一個secret，這個secret用於儲存token。

#檢視sa
[root@k8scloude1 secret-manage]# kubectl get sa
NAME      SECRETS   AGE
default   1         170m

#建立service-account
[root@k8scloude1 secret-manage]# kubectl create sa satest
serviceaccount/satest created

#自動建立一個secret
[root@k8scloude1 secret-manage]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-wkjv8   kubernetes.io/service-account-token   3      171m
satest-token-xv8x5    kubernetes.io/service-account-token   3      5s

刪除service-account

[root@k8scloude1 secret-manage]# kubectl delete sa satest 
serviceaccount "satest" deleted

[root@k8scloude1 secret-manage]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-wkjv8   kubernetes.io/service-account-token   3      171m

5.2 建立Docker映象倉庫型別的secret

檢視imagePullSecrets的說明資訊，imagePullSecrets 欄位是一個列表，包含對同一名稱空間中 Secret 的引用。 你可以使用 imagePullSecrets 將包含 Docker（或其他）映象倉庫密碼的 Secret 傳遞給 kubelet。kubelet 使用此資訊來替 Pod 拉取私有映象。

[root@k8scloude1 secret-manage]# kubectl explain pods.spec.imagePullSecrets
KIND:     Pod
VERSION:  v1

RESOURCE: imagePullSecrets <[]Object>

DESCRIPTION:
     ImagePullSecrets is an optional list of references to secrets in the same
     namespace to use for pulling any of the images used by this PodSpec. If
     specified, these secrets will be passed to individual puller
     implementations for them to use. For example, in the case of docker, only
     DockerConfig type secrets are honored. More info:
     https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod

     LocalObjectReference contains enough information to let you locate the
     referenced object inside the same namespace.

FIELDS:
   name	<string>
     Name of the referent. More info:
     https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

檢視Docker映象倉庫型別的secret幫助

[root@k8scloude1 secret-manage]# kubectl create secret docker-registry --help | grep docker
      '$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.
 That produces a ~/.dockercfg file that is used by subsequent 'docker push' and 'docker pull' commands to authenticate to the registry. The email address is optional.
  by creating a dockercfg secret and attaching it to your service account.
  # If you don't already have a .dockercfg file, you can create a dockercfg secret directly by using:
  kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
  # Create a new secret named my-secret from ~/.docker/config.json
  kubectl create secret docker-registry my-secret --from-file=.dockerconfigjson=path/to/.docker/config.json
      --docker-email='': Email for Docker registry
      --docker-password='': Password for Docker registry authentication
      --docker-server='https://index.docker.io/v1/': Server location for Docker registry
      --docker-username='': Username 為 Docker registry authentication
  kubectl create secret docker-registry NAME --docker-username=user --docker-password=password --docker-email=email [--docker-server=string] [--from-file=[key=]source] [--dry-run=server|client|none] [options]

建立一個映象倉庫型別的secret，該secret包含了映象倉庫的賬號，密碼，伺服器地址

[root@k8scloude1 secret-manage]# kubectl create secret docker-registry dockerregistrysecret --docker-username=LZ --docker-password='qwer' --docker-server=http://192.168.110.133
secret/dockerregistrysecret created

[root@k8scloude1 secret-manage]# kubectl get secrets 
NAME                   TYPE                                  DATA   AGE
default-token-wkjv8    kubernetes.io/service-account-token   3      3h3m
dockerregistrysecret   kubernetes.io/dockerconfigjson        1      14s

kubernetes.io/dockerconfigjson型別的secrets用於映象倉庫不允許匿名使用者pull映象的情況，imagePullSecrets: dockerregistrysecret 指定映象倉庫的secret，dockerregistrysecret這個secrets裡記錄了映象倉庫的賬號密碼，這樣就可以成功pull映象下來了。

[root@k8scloude1 secret-manage]# vim test.yaml 

[root@k8scloude1 secret-manage]# cat test.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  terminationGracePeriodSeconds: 0
  #imagePullSecrets: dockerregistrysecret  指定映象倉庫的secret
  imagePullSecrets: dockerregistrysecret
  containers:
  - image: 192.168.110.133/secret/mysql:latest
    imagePullPolicy: IfNotPresent
    name: mysql
    resources: {}
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: rootsec
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

刪除dockerregistrysecret

[root@k8scloude1 secret-manage]# kubectl delete secrets dockerregistrysecret 
secret "dockerregistrysecret" deleted

[root@k8scloude1 secret-manage]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-wkjv8   kubernetes.io/service-account-token   3      3h11m

5.3 建立Opaque型別的secret(鍵值對)

Opaque型別的secret建立語法為

kubectl create secret generic name --from-literal=鍵=值 --from-literal=鍵1=值1

建立secret的名字為genericsecret，兩個鍵值對：tom=asd lisi=qwe，可以認為tom的密碼為：asd，以此類推

[root@k8scloude1 secret-manage]# kubectl create secret generic genericsecret --from-literal=tom=asd --from-literal=lisi=qwe
secret/genericsecret created

檢視secret

[root@k8scloude1 secret-manage]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-wkjv8   kubernetes.io/service-account-token   3      3h20m
genericsecret         Opaque                                2      20s

檢視secret的描述資訊，在Data那裡可以看到lisi和tom的密碼是沒有顯示的

[root@k8scloude1 secret-manage]# kubectl describe secrets genericsecret 
Name:         genericsecret
Namespace:    secret-manage
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
lisi:  3 bytes
tom:   3 bytes

以yaml檔案的形式顯示secrets，可以看到lisi和tom的密碼已經被加密顯示，是base64加密的。

lisi: cXdl tom: YXNk lisi和tom的密碼是被base64加密過的。

[root@k8scloude1 secret-manage]# kubectl get secrets genericsecret -o yaml
apiVersion: v1
data:
  lisi: cXdl
  tom: YXNk
kind: Secret
metadata:
  creationTimestamp: "2022-01-21T07:13:57Z"
  name: genericsecret
  namespace: secret-manage
  resourceVersion: "875438"
  selfLink: /api/v1/namespaces/secret-manage/secrets/genericsecret
  uid: 6326fa13-ec9f-42dd-8eed-b35261389dde
type: Opaque

可以對密碼進行解密：

[root@k8scloude1 secret-manage]# echo cXdl | base64 -d
qwe

[root@k8scloude1 secret-manage]# echo YXNk | base64 -d
asd

以JSON的格式顯示

[root@k8scloude1 secret-manage]# kubectl get secrets genericsecret -o json
{
    "apiVersion": "v1",
    "data": {
        "lisi": "cXdl",
        "tom": "YXNk"
    },
    "kind": "Secret",
    "metadata": {
        "creationTimestamp": "2022-01-21T07:13:57Z",
        "name": "genericsecret",
        "namespace": "secret-manage",
        "resourceVersion": "875438",
        "selfLink": "/api/v1/namespaces/secret-manage/secrets/genericsecret",
        "uid": "6326fa13-ec9f-42dd-8eed-b35261389dde"
    },
    "type": "Opaque"
}

查詢lisi，tom的密碼

[root@k8scloude1 secret-manage]# kubectl get secrets genericsecret -o jsonpath={.data.lisi}
cXdl

[root@k8scloude1 secret-manage]# kubectl get secrets genericsecret -o jsonpath={.data.tom}
YXNk

查詢secret的型別

[root@k8scloude1 secret-manage]# kubectl get secrets genericsecret -o jsonpath={.type}
Opaque

5.4 建立Opaque型別的secret（對檔案加密）

secret可以直接使用檔案進行加密，鍵為：檔名 值為：檔案內容，使用檔案進行加密的語法如下：

kubectl create secret generic name --from-file=/dir/file --from-file=/dir1/file1

這個也是鍵值對，鍵：/etc/hosts檔案 值：檔案內容

[root@k8scloude1 secret-manage]# kubectl create secret generic filesecret --from-file=/etc/hosts
secret/filesecret created

[root@k8scloude1 secret-manage]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-wkjv8   kubernetes.io/service-account-token   3      3h34m
filesecret            Opaque                                1      6s
genericsecret         Opaque                                2      14m

檢視secret的內容，host的內容同樣被加密

[root@k8scloude1 secret-manage]# kubectl get secrets filesecret -o yaml
apiVersion: v1
data:
  hosts: MTI3LjAuMC4xICAgbG9jYWxob3N0IGxvY2FsaG9zdC5sb2NhbGRvbWFpbiBsb2NhbGhvc3Q0IGxvY2FsaG9zdDQubG9jYWxkb21haW40Cjo6MSAgICAgICAgIGxvY2FsaG9zdCBsb2NhbGhvc3QubG9jYWxkb21haW4gbG9jYWxob3N0NiBsb2NhbGhvc3Q2LmxvY2FsZG9tYWluNgoxOTIuMTY4LjExMC4xMzAgazhzY2xvdWRlMQoxOTIuMTY4LjExMC4xMjkgazhzY2xvdWRlMgoxOTIuMTY4LjExMC4xMjggazhzY2xvdWRlMwo=
kind: Secret
metadata:
  creationTimestamp: "2022-01-21T07:28:10Z"
  name: filesecret
  namespace: secret-manage
  resourceVersion: "877063"
  selfLink: /api/v1/namespaces/secret-manage/secrets/filesecret
  uid: 30880892-3fbe-4baf-8d9b-953c7cbe5534
type: Opaque


[root@k8scloude1 secret-manage]# kubectl get secrets filesecret -o jsonpath={.data.hosts}
MTI3LjAuMC4xICAgbG9jYWxob3N0IGxvY2FsaG9zdC5sb2NhbGRvbWFpbiBsb2NhbGhvc3Q0IGxvY2FsaG9zdDQubG9jYWxkb21haW40Cjo6MSAgICAgICAgIGxvY2FsaG9zdCBsb2NhbGhvc3QubG9jYWxkb21haW4gbG9jYWxob3N0NiBsb2NhbGhvc3Q2LmxvY2FsZG9tYWluNgoxOTIuMTY4LjExMC4xMzAgazhzY2xvdWRlMQoxOTIuMTY4LjExMC4xMjkgazhzY2xvdWRlMgoxOTIuMTY4LjExMC4xMjggazhzY2xvdWRlMwo=

對secret進行解密

[root@k8scloude1 secret-manage]# kubectl get secrets filesecret -o jsonpath={.data.hosts} | base64 -d
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.110.130 k8scloude1
192.168.110.129 k8scloude2
192.168.110.128 k8scloude3

直接使用兩個檔案建立secret

[root@k8scloude1 secret-manage]# kubectl create secret generic filesecret2 --from-file=/etc/hosts --from-file=/etc/shadow
secret/filesecret2 created

[root@k8scloude1 secret-manage]# kubectl get secrets filesecret2 -o yaml
apiVersion: v1
data:
  hosts: MTI3LjAuMC4xICAgbG9jYWxob3N0IGxvY2FsaG9zdC5sb2NhbGRvbWFpbiBsb2NhbGhvc3Q0IGxvY2FsaG9zdDQubG9jYWxkb21haW40Cjo6MSAgICAgICAgIGxvY2FsaG9zdCBsb2NhbGhvc3QubG9jYWxkb21haW4gbG9jYWxob3N0NiBsb2NhbGhvc3Q2LmxvY2FsZG9tYWluNgoxOTIuMTY4LjExMC4xMzAgazhzY2xvdWRlMQoxOTIuMTY4LjExMC4xMjkgazhzY2xvdWRlMgoxOTIuMTY4LjExMC4xMjggazhzY2xvdWRlMwo=
  shadow: cm9vdDokNiRaZEx6M20wRTk1clQ2RlJyJGNuWVJwMDU2bkZxVWJublovS3g4QzdzVkY0ZnZoWjNyM1VBRk5LWFYvVkhMQ1AwTGlwNGYzcDgydXMwLlYxeVcyb25RRzM5SzQ4LnAweUhTSmRkZnQuOjowOjk5OTk5Ojc6OjoKYmluOio6MTcxMTA6MDo5OTk5OTo3Ojo6CmRhZW1vbjoqOjE3MTEwOjA6OTk5OTk6Nzo6OgphZG06KjoxNzExMDowOjk5OTk5Ojc6OjoKbHA6KjoxNzExMDowOjk5OTk5Ojc6OjoKc3luYzoqOjE3MTEwOjA6OTk5OTk6Nzo6OgpzaHV0ZG93bjoqOjE3MTEwOjA6OTk5OTk6Nzo6OgpoYWx0Oio6MTcxMTA6MDo5OTk5OTo3Ojo6Cm1haWw6KjoxNzExMDowOjk5OTk5Ojc6OjoKb3BlcmF0b3I6KjoxNzExMDowOjk5OTk5Ojc6OjoKZ2FtZXM6KjoxNzExMDowOjk5OTk5Ojc6OjoKZnRwOio6MTcxMTA6MDo5OTk5OTo3Ojo6Cm5vYm9keToqOjE3MTEwOjA6OTk5OTk6Nzo6OgpzeXN0ZW1kLW5ldHdvcms6ISE6MTc4MjI6Ojo6OjoKZGJ1czohIToxNzgyMjo6Ojo6Ogpwb2xraXRkOiEhOjE3ODIyOjo6Ojo6CnBvc3RmaXg6ISE6MTc4MjI6Ojo6OjoKc3NoZDohIToxNzgyMjo6Ojo6OgpjaHJvbnk6ISE6MTc4MjI6Ojo6OjoKdG9tOiQ2JDEzdFdxdkFXUTBuR1hIMUUkVUx4aC5NcmZzUGh5QXhBMm84RUVqVTlrSnpSUlJPVEcxb1BkZXJvNlUyYmljZjRYYkFNVThyanZSQ2lTSlhnWEVrWjltTjhqYjFlZVJja1dmdm1XWjA6OjA6OTk5OTk6Nzo6Ogo=
kind: Secret
metadata:
  creationTimestamp: "2022-01-21T07:34:10Z"
  name: filesecret2
  namespace: secret-manage
  resourceVersion: "877748"
  selfLink: /api/v1/namespaces/secret-manage/secrets/filesecret2
  uid: e18212f1-eac1-457a-9b5f-aad39485f4dd
type: Opaque

解密

[root@k8scloude1 secret-manage]# kubectl get secrets filesecret2 -o jsonpath={.data.shadow} | base64 -d
root:$6$ZdLz3m0E95rT6FRr$cnYRp056nFqUbnnZ/Kx8C7sVF4fvhZ3r3UAFNKXV/VHLCP0Lip4f3p82us0.V1yW2onQG39K48.p0yHSJddft.::0:99999:7:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
adm:*:17110:0:99999:7:::
lp:*:17110:0:99999:7:::
sync:*:17110:0:99999:7:::
shutdown:*:17110:0:99999:7:::
halt:*:17110:0:99999:7:::
mail:*:17110:0:99999:7:::
operator:*:17110:0:99999:7:::
games:*:17110:0:99999:7:::
ftp:*:17110:0:99999:7:::
nobody:*:17110:0:99999:7:::
systemd-network:!!:17822::::::
dbus:!!:17822::::::
polkitd:!!:17822::::::
postfix:!!:17822::::::
sshd:!!:17822::::::
chrony:!!:17822::::::
tom:$6$13tWqvAWQ0nGXH1E$ULxh.MrfsPhyAxA2o8EEjU9kJzRRROTG1oPdero6U2bicf4XbAMU8rjvRCiSJXgXEkZ9mN8jb1eeRckWfvmWZ0::0:99999:7:::

六.以環境變數的方式使用 Secret

6.1 明文方式儲存MySQL密碼

建立目錄存放yaml檔案

[root@k8scloude1 ~]# mkdir secret-manage   

建立名稱空間

[root@k8scloude1 ~]# kubectl create ns secret-manage  

把名稱空間切換到secret-manage

[root@k8scloude1 secret-manage]# kubens secret-manage
Context "kubernetes-admin@kubernetes" modified.
Active namespace is "secret-manage".

現在還沒有pod

[root@k8scloude1 ~]# cd secret-manage/

[root@k8scloude1 secret-manage]# pwd
/root/secret-manage

[root@k8scloude1 secret-manage]# kubectl get pod -o wide
No resources found in secret-manage namespace.

配置一個mysql pod，設定mysql 的root密碼為rootsec

[root@k8scloude1 secret-manage]# cat mysql.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  terminationGracePeriodSeconds: 0
  containers:
  - image: hub.c.163.com/library/mysql:latest
    imagePullPolicy: IfNotPresent
    name: mysql
    resources: {}
    #設定環境變數
    env:
    #MySQL資料庫的root密碼為rootsec
    - name: MYSQL_ROOT_PASSWORD
      value: rootsec
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

建立pod

[root@k8scloude1 secret-manage]# kubectl apply -f mysql.yaml 
pod/mysql created

[root@k8scloude1 secret-manage]# kubectl get pods -o wide
NAME    READY   STATUS    RESTARTS   AGE   IP               NODE         NOMINATED NODE   READINESS GATES
mysql   1/1     Running   0          6s    10.244.112.133   k8scloude2   <none>           <none>

安裝mysql客戶端，mariadb命令和mysql命令基本相同

[root@k8scloude1 secret-manage]# yum -y install mariadb

連線mysql容器，成功連線mysql

[root@k8scloude1 secret-manage]# mysql -uroot -prootsec -h 10.244.112.133
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> exit
Bye

檢視pod的描述資訊，發現mysql root密碼是以明文的形式存在。

MYSQL_ROOT_PASSWORD: rootsec 直接就看到root密碼了，不安全。所以我們可以採用secret的方式讓賬號密碼不以明文的形式顯示。

[root@k8scloude1 secret-manage]# kubectl describe pod mysql | grep -A10 Environment
    Environment:
      MYSQL_ROOT_PASSWORD:  rootsec
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-gbdtf (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:

刪除pod

[root@k8scloude1 secret-manage]# kubectl delete pod mysql --force
warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "mysql" force deleted

[root@k8scloude1 secret-manage]# kubectl get pod -o wide
No resources found in secret-manage namespace.

6.2 使用secret密文方式儲存MySQL密碼

現在把secret運用到pod裡，配置MySQL pod的yaml檔案

[root@k8scloude1 secret-manage]# vim mysqlsecret.yaml 

#以環境變數的方式引用secret
[root@k8scloude1 secret-manage]# cat mysqlsecret.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  terminationGracePeriodSeconds: 0
  containers:
  - image: hub.c.163.com/library/mysql:latest
    imagePullPolicy: IfNotPresent
    name: mysql
    resources: {}
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          #指定secret的名字和key
          name: genericsecret
          key: lisi
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

建立pod

[root@k8scloude1 secret-manage]# kubectl apply -f mysqlsecret.yaml 
pod/mysql created

[root@k8scloude1 secret-manage]# kubectl get pod -o wide
NAME    READY   STATUS    RESTARTS   AGE   IP               NODE         NOMINATED NODE   READINESS GATES
mysql   1/1     Running   0          26s   10.244.112.132   k8scloude2   <none>           <none>

成功登入mysql

[root@k8scloude1 secret-manage]# mysql -uroot -pqwe -h 10.244.112.132
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.18 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> exit
Bye

檢視pod的描述資訊：MYSQL_ROOT_PASSWORD: <set to the key 'lisi' in secret 'genericsecret'> Optional: false，mysql的密碼沒有顯示，這時候，MYSQL_ROOT_PASSWORD密碼就不會以明文的方式顯示了

[root@k8scloude1 secret-manage]# kubectl describe pod mysql | grep -A10 Environment
    Environment:
      MYSQL_ROOT_PASSWORD:  <set to the key 'lisi' in secret 'genericsecret'>  Optional: false
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-wl5jt (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:

刪除pod

[root@k8scloude1 secret-manage]# kubectl delete pod mysql --force
warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "mysql" force deleted

七.以卷的方式使用secret

7.1 以卷的方式使用secret

配置mysql pod的yaml檔案，讓secret以卷的方式應用，把filesecret值的內容掛載到/secret目錄

[root@k8scloude1 secret-manage]# vim volumesecret.yaml 

[root@k8scloude1 secret-manage]# cat volumesecret.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  terminationGracePeriodSeconds: 0
  #定義secret型別的卷
  volumes:
  - name: sec1
    secret:
      secretName: filesecret
  containers:
  - image: hub.c.163.com/library/mysql:latest
    imagePullPolicy: IfNotPresent
    name: mysql
    resources: {}
    #把sec1卷掛載到/secret目錄
    volumeMounts:
    - name: sec1
      mountPath: /secret
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: genericsecret
          key: lisi
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

建立pod

[root@k8scloude1 secret-manage]# kubectl apply -f volumesecret.yaml 
pod/mysql created

[root@k8scloude1 secret-manage]# kubectl get pod -o wide
NAME    READY   STATUS    RESTARTS   AGE   IP               NODE         NOMINATED NODE   READINESS GATES
mysql   1/1     Running   0          57s   10.244.112.134   k8scloude2   <none>           <none>

進入mysql容器，hosts檔案已經被掛載到/secret/目錄下

[root@k8scloude1 secret-manage]# kubectl exec -it mysql -- bash
root@mysql:/# ls /secret/
hosts
root@mysql:/# cat /secret/hosts 
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.110.130 k8scloude1
192.168.110.129 k8scloude2
192.168.110.128 k8scloude3
root@mysql:/# 
root@mysql:/# exit
exit

刪除pod

[root@k8scloude1 secret-manage]# kubectl delete pod mysql --force
warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "mysql" force deleted

filesecret2這個secret包含了兩個檔案，所以就掛載了兩個檔案到/secret目錄下

[root@k8scloude1 secret-manage]# vim volumesecret.yaml 

[root@k8scloude1 secret-manage]# cat volumesecret.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  terminationGracePeriodSeconds: 0
  #定義secret型別的卷
  volumes:
  - name: sec1
    secret:
      secretName: filesecret2
  containers:
  - image: hub.c.163.com/library/mysql:latest
    imagePullPolicy: IfNotPresent
    name: mysql
    resources: {}
    #把sec1卷掛載到/secret目錄
    volumeMounts:
    - name: sec1
      mountPath: /secret
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: genericsecret
          key: lisi
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

建立pod

[root@k8scloude1 secret-manage]# kubectl apply -f volumesecret.yaml 
pod/mysql created

[root@k8scloude1 secret-manage]# kubectl get pod -o wide
NAME    READY   STATUS    RESTARTS   AGE   IP               NODE         NOMINATED NODE   READINESS GATES
mysql   1/1     Running   0          12s   10.244.112.135   k8scloude2   <none>           <none>

/secret/下有兩個檔案

[root@k8scloude1 secret-manage]# kubectl exec -it mysql -- bash
root@mysql:/# ls /secret/
hosts  shadow
root@mysql:/# exit
exit

刪除pod

[root@k8scloude1 secret-manage]# kubectl delete pod mysql --force
warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "mysql" force deleted

filesecret2這個secret包含兩個檔案，subPath: shadow表示只掛載shadow檔案

[root@k8scloude1 secret-manage]# vim volumesecret.yaml 

[root@k8scloude1 secret-manage]# cat volumesecret.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: mysql
  name: mysql
spec:
  terminationGracePeriodSeconds: 0
  volumes:
  - name: sec1
    secret:
      secretName: filesecret2
  containers:
  - image: hub.c.163.com/library/mysql:latest
    imagePullPolicy: IfNotPresent
    name: mysql
    resources: {}
    volumeMounts:
    - name: sec1
      mountPath: /secret/sha.txt
      #subPath: shadow表示只掛載shadow檔案
      subPath: shadow
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: genericsecret
          key: lisi
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

建立pod

[root@k8scloude1 secret-manage]# kubectl apply -f volumesecret.yaml 
pod/mysql created

[root@k8scloude1 secret-manage]# kubectl get pod -o wide
NAME    READY   STATUS    RESTARTS   AGE   IP               NODE         NOMINATED NODE   READINESS GATES
mysql   1/1     Running   0          16s   10.244.112.136   k8scloude2   <none>           <none>

只有一個檔案被掛載

[root@k8scloude1 secret-manage]# kubectl exec -it mysql -- bash
root@mysql:/# ls /secret/
sha.txt
root@mysql:/# cat /secret/sha.txt 
root:$6$ZdLz3m0E95rT6FRr$cnYRp056nFqUbnnZ/Kx8C7sVF4fvhZ3r3UAFNKXV/VHLCP0Lip4f3p82us0.V1yW2onQG39K48.p0yHSJddft.::0:99999:7:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
adm:*:17110:0:99999:7:::
lp:*:17110:0:99999:7:::
sync:*:17110:0:99999:7:::
shutdown:*:17110:0:99999:7:::
halt:*:17110:0:99999:7:::
mail:*:17110:0:99999:7:::
operator:*:17110:0:99999:7:::
games:*:17110:0:99999:7:::
ftp:*:17110:0:99999:7:::
nobody:*:17110:0:99999:7:::
systemd-network:!!:17822::::::
dbus:!!:17822::::::
polkitd:!!:17822::::::
postfix:!!:17822::::::
sshd:!!:17822::::::
chrony:!!:17822::::::
tom:$6$13tWqvAWQ0nGXH1E$ULxh.MrfsPhyAxA2o8EEjU9kJzRRROTG1oPdero6U2bicf4XbAMU8rjvRCiSJXgXEkZ9mN8jb1eeRckWfvmWZ0::0:99999:7:::
root@mysql:/# 
root@mysql:/# exit
exit

刪除pod

[root@k8scloude1 secret-manage]# kubectl delete pod mysql --force
warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "mysql" force deleted

7.2 使用secret傳遞Nginx配置檔案

以卷的方式引用secret，這種方式可以用來傳遞配置檔案，不過更推薦使用ConfigMap傳遞配置檔案。

建立一個名為nginxconfsecret的secret，該secret裡包含一個Nginx的配置檔案。

[root@k8scloude1 secret-manage]# kubectl create secret generic nginxconfsecret --from-file=nginx.conf 
secret/nginxconfsecret created

[root@k8scloude1 secret-manage]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-wkjv8   kubernetes.io/service-account-token   3      4h47m
filesecret            Opaque                                1      73m
filesecret2           Opaque                                2      67m
genericsecret         Opaque                                2      87m
nginxconfsecret       Opaque                                1      17s

以yaml檔案的形式檢視secret

[root@k8scloude1 secret-manage]# kubectl get secrets nginxconfsecret -o yaml
apiVersion: v1
data:
  nginx.conf: CnVzZXIgIG5naW54Owp3b3JrZXJfcHJvY2Vzc2VzICBhdXRvOwoKZXJyb3JfbG9nICAvdmFyL2xvZy9uZ2lueC9lcnJvci5sb2cgbm90aWNlOwpwaWQgICAgICAgIC92YXIvcnVuL25naW54LnBpZDsKCgpldmVudHMgewogICAgd29ya2VyX2Nvbm5lY3Rpb25zICAxMDI0Owp9CgoKaHR0cCB7CiAgICBpbmNsdWRlICAgICAgIC9ldGMvbmdpbngvbWltZS50eXBlczsKICAgIGRlZmF1bHRfdHlwZSAgYXBwbGljYXRpb24vb2N0ZXQtc3RyZWFtOwoKICAgIGxvZ19mb3JtYXQgIG1haW4gICckcmVtb3RlX2FkZHIgLSAkcmVtb3RlX3VzZXIgWyR0aW1lX2xvY2FsXSAiJHJlcXVlc3QiICcKICAgICAgICAgICAgICAgICAgICAgICckc3RhdHVzICRib2R5X2J5dGVzX3NlbnQgIiRodHRwX3JlZmVyZXIiICcKICAgICAgICAgICAgICAgICAgICAgICciJGh0dHBfdXNlcl9hZ2VudCIgIiRodHRwX3hfZm9yd2FyZGVkX2ZvciInOwoKICAgIGFjY2Vzc19sb2cgIC92YXIvbG9nL25naW54L2FjY2Vzcy5sb2cgIG1haW47CgogICAgc2VuZGZpbGUgICAgICAgIG9uOwogICAgI3RjcF9ub3B1c2ggICAgIG9uOwoKICAgIGtlZXBhbGl2ZV90aW1lb3V0ICA2NTsKCiAgICAjZ3ppcCAgb247CgogICAgaW5jbHVkZSAvZXRjL25naW54L2NvbmYuZC8qLmNvbmY7Cn0KCg==
kind: Secret
metadata:
  creationTimestamp: "2022-01-21T08:40:57Z"
  name: nginxconfsecret
  namespace: secret-manage
  resourceVersion: "885421"
  selfLink: /api/v1/namespaces/secret-manage/secrets/nginxconfsecret
  uid: 97da759f-ef07-4edb-94a2-f04b043d7336
type: Opaque

配置Nginx pod的配置檔案，把secret：nginxconfsecret包含的nginx.conf掛載到/etc/nginx/nginx.conf下。

[root@k8scloude1 secret-manage]# vim volumenginxconfsecret.yaml 

[root@k8scloude1 secret-manage]# cat volumenginxconfsecret.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  terminationGracePeriodSeconds: 0
  #定義secret型別的卷
  volumes:
  - name: sec1
    secret:
      secretName: nginxconfsecret
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: nginx
    resources: {}
    #把nginxconfsecret這個secret掛載到/etc/nginx/nginx.conf
    volumeMounts:
    - name: sec1
      mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

建立pod

[root@k8scloude1 secret-manage]# kubectl apply -f volumenginxconfsecret.yaml 
pod/nginx created

[root@k8scloude1 secret-manage]# kubectl get pod -o wide
NAME    READY   STATUS    RESTARTS   AGE   IP               NODE         NOMINATED NODE   READINESS GATES
nginx   1/1     Running   0          15s   10.244.112.138   k8scloude2   <none>           <none>

進入Nginx容器，檢視Nginx的配置檔案

[root@k8scloude1 secret-manage]# kubectl exec -it nginx -- bash
root@nginx:/# ls /etc/nginx/
conf.d	fastcgi_params	mime.types  modules  nginx.conf  scgi_params  uwsgi_params
root@nginx:/# ls /etc/nginx/nginx.conf 
/etc/nginx/nginx.conf

root@nginx:/# cat /etc/nginx/nginx.conf | head -3

user  nginx;
worker_processes  auto;
root@nginx:/# exit
exit

這種方式可以改變secret的內容從而達到改變容器裡配置檔案內容的目的，但是編輯secret（edit secret）的時候內容加密了，不好修改，這種方式不常用，推薦使用ConfigMap傳遞配置檔案。

刪除pod

[root@k8scloude1 secret-manage]# kubectl delete pod nginx --force
warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "nginx" force deleted