K8s Secret experiment. Note: this article is the author's experimental record, not a tutorial.

The environment

# kubectl get node
NAME         STATUS   ROLES    AGE   VERSION
edge-node    Ready    <none>   15m   v1.17.0
edge-node2   Ready    <none>   16m   v1.17.0
ubuntu       Ready    master   67d   v1.17.0

secret

Secret comes in three types:

  • Opaque: a Secret whose data is stored base64-encoded, used for passwords and keys. The data can be recovered with base64 --decode, so this is encoding rather than encryption and the protection is very weak.
  • kubernetes.io/dockerconfigjson: stores the authentication information for a private Docker registry.
  • kubernetes.io/service-account-token: referenced by a ServiceAccount. When a ServiceAccount is created, Kubernetes creates a Secret of this type by default. If a Pod uses the ServiceAccount, the corresponding Secret is automatically mounted into the Pod at /run/secrets/kubernetes.io/serviceaccount.

Technical summary

This appears to solve the problem of storing sensitive text; how is it applied in practice?

Specify on the command line

kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password=S\!B\\*d\$zDsb

Note: special characters (such as $, \, * and !) must be escaped with \. The password here is S!B\*d$zDsb.
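Added example (not from the page): what the shell actually hands to --from-literal under three quoting styles, verified by round-tripping through base64 the way kubectl stores the value in .data. The password is the one from the note above; the function names encode_value and decode_value are this example's own.

```shell
#!/bin/sh
# Intended password, taken from the note above: S!B\*d$zDsb

# encode_value VALUE: the base64 form kubectl would store for this value
encode_value() { printf '%s' "$1" | base64; }

# decode_value B64: reverse it, so we can compare what really got stored
decode_value() { printf '%s' "$1" | base64 --decode; }

# 1. Unquoted with backslash escapes, as on the page. The unquoted '*' is still
#    a glob pattern; it survives only because no file in the directory matches.
ESCAPED=$(encode_value S\!B\\*d\$zDsb)

# 2. Single-quoted: no escaping needed, every byte passes through untouched.
QUOTED=$(encode_value 'S!B\*d$zDsb')

# 3. Double-quoted without escapes: $zDsb is expanded as an (unset) shell
#    variable and silently disappears, so a truncated password gets stored.
BROKEN=$(encode_value "S!B\*d$zDsb")

escaped_password() { decode_value "$ESCAPED"; }
quoted_password()  { decode_value "$QUOTED"; }
broken_password()  { decode_value "$BROKEN"; }

printf 'escaped: %s\nquoted:  %s\nbroken:  %s\n' \
  "$(escaped_password)" "$(quoted_password)" "$(broken_password)"
```

The third form is the one that bites in practice: nothing fails, the Secret is created, and only the application's login error reveals that the stored password is S!B\*d. Single quotes are the simplest way to avoid it.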

Create from file

echo -n 'admin' > ./username.txt
echo -n '1f2d1e2e67df' > ./password.txt

Create:

kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt

kubectl get secrets
NAME                  TYPE                                  DATA   AGE
db-user-pass          Opaque                                2      26s
default-token-5qgw2   kubernetes.io/service-account-token   3      70d

For details:

kubectl describe secrets/db-user-pass

Decoding the secret:

kubectl get secret db-user-pass -o yaml

Output:

data:
  password.txt: MWYyZDFlMmU2N2Rm
  username.txt: YWRtaW4=
kind: Secret

Base64 decoding:

echo 'YWRtaW4=' | base64 --decode
admin
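Added example (not from the page) covering the Opaque type described above and the decoding step just shown: it decodes every entry under .data of a Secret manifest, the shape kubectl get secret -o yaml returns, using only awk and base64 so it runs without a cluster. The manifest is constructed to match the db-user-pass Secret created above; decode_secret_data and secret_value are this example's own names.

```shell
#!/bin/sh
# Constructed manifest mirroring `kubectl get secret db-user-pass -o yaml` above.
SAMPLE_SECRET='apiVersion: v1
kind: Secret
metadata:
  name: db-user-pass
type: Opaque
data:
  password.txt: MWYyZDFlMmU2N2Rm
  username.txt: YWRtaW4='

# decode_secret_data: read a Secret manifest on stdin, print "key=plaintext" per entry.
# Only the 2-space-indented lines directly under "data:" are decoded.
decode_secret_data() {
  awk '
    /^data:/                 { in_data = 1; next }
    /^[^ ]/                  { in_data = 0 }          # next top-level key ends the block
    in_data && /^  [^ ]+: /  { key = $1; sub(/:$/, "", key); print key, $2 }
  ' | while read -r key b64; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 --decode)"
  done
}

# secret_value KEY: plaintext of one key from the constructed manifest
secret_value() {
  printf '%s\n' "$SAMPLE_SECRET" | decode_secret_data \
    | awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2) }'
}

# The whole Secret in the clear: this is all the "protection" base64 provides.
printf '%s\n' "$SAMPLE_SECRET" | decode_secret_data
```

Anyone who can run kubectl get secret on the namespace gets the plaintext this way, so RBAC on the secrets resource and encryption of Secrets at rest in etcd are what actually protect the values, not the encoding.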

The configuration file

echo -n 'admin' | base64
YWRtaW4=
echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm

secret.yaml file:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

Create:

kubectl apply -f secret.yaml

Edit:

kubectl edit secrets mysecret

Mount the secret into a pod as a volume, busybox-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

Create, view, delete:

kubectl apply -f busybox-pod.yaml 
kubectl exec -it busybox-pod -- cat /etc/foo/username
kubectl delete -f busybox-pod.yaml 

Inject the secret as environment variables instead, busybox-pod1.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password

Create, view, delete:

kubectl apply -f busybox-pod1.yaml 
kubectl exec -it busybox-pod -- env
kubectl delete -f busybox-pod1.yaml 

TODO: Move other files

kubernetes.io/service-account-token

View the current serviceAccount:

# kubectl get serviceAccounts    // or kubectl get sa
NAME      SECRETS   AGE
default   1         75d

Each pod gets a default secret. Check the serviceAccount of the pod running above:

# kubectl get pod busybox-pod -o yaml | grep serviceAccountName
  serviceAccountName: default
# kubectl describe pod busybox-pod | grep SecretName
    SecretName:  mysecret
    SecretName:  default-token-5qgw2
# kubectl get secret    // check the default secret
NAME                  TYPE                                  DATA   AGE
default-token-5qgw2   kubernetes.io/service-account-token   3      75d

serviceaccount.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: null
  name: mysa

Create:

kubectl apply -f serviceaccount.yaml 

To view:

kubectl get sa mysa -o yaml
kubectl describe sa mysa

Check the secret; a token secret for the new ServiceAccount has been created:

kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-5qgw2   kubernetes.io/service-account-token   3      75d
mysa-token-dkt5p      kubernetes.io/service-account-token   3      2m50s

Delete the pod and create a new one using the new SA:

apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
  serviceAccountName: mysa

Create:

kubectl apply -f busybox-pod.yaml
kubectl describe pod busybox-pod
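Added example (not from the page) serving both the volume-versus-environment-variable section (busybox-pod.yaml and busybox-pod1.yaml) and the ServiceAccount token section above: a small static audit over Pod manifests that reports the three ways a Secret reaches a container on this page. Environment variables show up in kubectl exec ... env (the page's own check), in /proc/<pid>/environ, and in every child process, and they are not refreshed when the Secret changes, whereas a volume mount is a file that can be given a restrictive defaultMode; the ServiceAccount token is mounted into every Pod unless automountServiceAccountToken: false is set. The three manifests are constructed to mirror the page's, the awk patterns assume the page's 2-space indentation, and audit_pod_manifest and count_findings are this example's own names.

```shell
#!/bin/sh
# audit_pod_manifest: read one Pod manifest on stdin, print one WARN line per finding.
audit_pod_manifest() {
  awk '
    /^  volumes:/                   { in_vol = 1; next }
    /^  [^ -]/                      { in_vol = 0 }      # any other spec key ends the list
    in_vol && /^  - name:/          { vname = $0; sub(/.*name: */, "", vname) }
    in_vol && /^    secret:/        { is_secret[vname] = 1 }
    in_vol && /^      defaultMode:/ { has_mode[vname] = 1 }
    /secretKeyRef:/ { print "WARN env: Secret injected as environment variable (line " NR "): readable with env, via /proc/<pid>/environ, and inherited by child processes" }
    /^  automountServiceAccountToken: *false/ { no_automount = 1 }
    END {
      for (v in is_secret) if (!has_mode[v])
        print "WARN mount: Secret volume \"" v "\" sets no defaultMode: files default to 0644, readable by any user in the container"
      if (!no_automount)
        print "WARN sa: service account token auto-mounted at /run/secrets/kubernetes.io/serviceaccount: set automountServiceAccountToken: false if the Pod never calls the API server"
    }'
}

# count_findings MANIFEST: number of WARN lines the audit produces
count_findings() {
  printf '%s\n' "$1" | audit_pod_manifest | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# Constructed manifest mirroring busybox-pod.yaml (volume mount).
FILE_POD='apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret'

# Constructed manifest mirroring busybox-pod1.yaml (environment variables).
ENV_POD='apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  containers:
  - name: busybox-pod
    image: latelee/busybox
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password'

# Constructed hardened variant: file mount with 0400 files, no token auto-mount.
HARDENED_POD='apiVersion: v1
kind: Pod
metadata:
  name: busybox-pod
spec:
  automountServiceAccountToken: false
  containers:
  - name: busybox-pod
    image: latelee/busybox
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      defaultMode: 0400'

for m in "$FILE_POD" "$ENV_POD" "$HARDENED_POD"; do
  printf '%s\n' "$m" | audit_pod_manifest
  echo "---"
done
```

Run it over your own manifests with printf '%s\n' "$(cat pod.yaml)" | audit_pod_manifest; the hardened variant is the shape to aim for when the Pod only needs to read the credential and never talks to the API server.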