Introduction
The description is as follows. The secret data is written into the yaml file as Base64.
Secrets are the same as ConfigMaps but they are for credentials such as usernames, passwords, and tokens. Secrets in Kubernetes are not secure by nature. The applications have to see the decoded version of the Secrets, so they are not encoded in the network. Further, they are only encoded with the basic base64 encoder. So it is very easy to decode them. To secure Secrets, it is recommended to use EncryptionConfiguration or 3rd party tools such as Hashicorp’s Vault.
Secret Types
1. Opaque Secret. The description is as follows:
Opaque Secrets are used to store arbitrary user-defined data. Opaque is the default Secret type, meaning that when creating a Secret and we don’t specify any type, the secret will be considered Opaque.
2. Service Account Token Secret.
3. Docker Config Secret. The description is as follows:
We use a Docker config secret to store the credentials for accessing a container image registry.
Example
We do it like this:
apiVersion: v1
kind: Secret
metadata:
  name: secret-dockercfg
type: kubernetes.io/dockercfg
data:
  .dockercfg: |
    eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUvdjEvIjp7ImF1dGgiOiJvcGVuc2VzYW1lIn19fQo=
4. Basic Authentication Secret. The description is as follows:
The kubernetes.io/basic-auth type is provided for storing credentials needed for basic authentication. When using a basic authentication Secret, the data field must contain at least one of the following keys: username (the user name for authentication) and password (the password or token for authentication)
Example
We do it like this:
apiVersion: v1
kind: Secret
metadata:
  name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
  username: admin # required field for kubernetes.io/basic-auth
  password: t0p-Secret # required field for kubernetes.io/basic-auth
5. SSH Authentication Secret. The description is as follows:
The built-in type kubernetes.io/ssh-auth is provided for storing data used in SSH authentication. When using an SSH authentication, you must specify a ssh-privatekey key-value pair in the data (or stringData) field as the SSH credential to use.
Example
We do it like this:
apiVersion: v1
kind: Secret
metadata:
  name: secret-ssh-auth
type: kubernetes.io/ssh-auth
data:
  # the data is abbreviated in this example
  ssh-privatekey: |
    UG91cmluZzYlRW1vdGljb24lU2N1YmE=
6. TLS Secret
The description is as follows:
The kubernetes.io/tls Secret type is for storing a certificate and its associated key that are typically used for TLS. When using a TLS secret, we must provide the tls.key and the tls.crt in the configuration’s data (or stringData) field.
Example
We do it like this:
apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
type: kubernetes.io/tls
data:
  # values are base64 encoded, which obscures them but does NOT provide
  # any useful level of confidentiality
  tls.crt: |
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNVakNDQWJzQ0FnMytNQTBHQ1NxR1NJYjNE
    UUVCQlFVQU1JR2JNUXN3Q1FZRFZRUUdFd0pLVURFT01Bd0cKQTFVRUNCTUZWRzlyZVc4eEVEQU9C
    Z05WQkFjVEIwTm9kVzh0YTNVeEVUQVBCZ05WQkFvVENFWnlZVzVyTkVSRQpNUmd3RmdZRFZRUUxF
    dzlYWldKRFpYSjBJRk4xY0hCdmNuUXhHREFXQmdOVkJBTVREMFp5WVc1ck5FUkVJRmRsCllpQkRR
    VEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVjM1Z3Y0c5eWRFQm1jbUZ1YXpSa1pDNWpiMjB3SGhjTk1U
    TXcKTVRFeE1EUTFNVE01V2hjTk1UZ3dNVEV3TURRMU1UTTVXakJMTVFzd0NRWURWUVFHREFKS1VE
    RVBNQTBHQTFVRQpDQXdHWEZSdmEzbHZNUkV3RHdZRFZRUUtEQWhHY21GdWF6UkVSREVZTUJZR0Ex
    VUVBd3dQZDNkM0xtVjRZVzF3CmJHVXVZMjl0TUlHYU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHSUFE
    Q0JoQUo5WThFaUhmeHhNL25PbjJTbkkxWHgKRHdPdEJEVDFKRjBReTliMVlKanV2YjdjaTEwZjVN
    Vm1UQllqMUZTVWZNOU1vejJDVVFZdW4yRFljV29IcFA4ZQpqSG1BUFVrNVd5cDJRN1ArMjh1bklI
    QkphVGZlQ09PekZSUFY2MEdTWWUzNmFScG04L3dVVm16eGFLOGtCOWVaCmhPN3F1TjdtSWQxL2pW
    cTNKODhDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQU1meTQzeE15OHh3QTUKVjF2T2NS
    OEtyNWNaSXdtbFhCUU8xeFEzazlxSGtyNFlUY1JxTVQ5WjVKTm1rWHYxK2VSaGcwTi9WMW5NUTRZ
    RgpnWXcxbnlESnBnOTduZUV4VzQyeXVlMFlHSDYyV1hYUUhyOVNVREgrRlowVnQvRGZsdklVTWRj
    UUFEZjM4aU9zCjlQbG1kb3YrcE0vNCs5a1h5aDhSUEkzZXZ6OS9NQT09Ci0tLS0tRU5EIENFUlRJ
    RklDQVRFLS0tLS0K
  # In this example, the key data is not a real PEM-encoded private key
  tls.key: |
    RXhhbXBsZSBkYXRhIGZvciB0aGUgVExTIGNydCBmaWVsZA==
7. Bootstrap Token Secret. The description is as follows:
The bootstrap.kubernetes.io/token Secret type is for tokens used during the node bootstrap process. We typically create a bootstrap token Secret in the kube-system namespace and named in the form bootstrap-token-<token-id> where <token-id> is a 6 character string of the token ID.
Example
We do it like this:
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-5emitj
  namespace: kube-system
type: bootstrap.kubernetes.io/token
data:
  auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
  expiration: MjAyMC0wOS0xM1QwNDozOToxMFo=
  token-id: NWVtaXRq
  token-secret: a3E0Z2lodnN6emduMXAwcg==
  usage-bootstrap-authentication: dHJ1ZQ==
  usage-bootstrap-signing: dHJ1ZQ==
Using a Secret
1. Using a Secret as a secretKeyRef
Usually the secret is turned into an environment variable.
Example
We do it like this:
env:
- name: MYSQL_ROOT_PASSWORD
  valueFrom:
    secretKeyRef:
      name: db-root-credentials
      key: password
2. Using a Secret as a Volume
I moved this to the "Using a Secret as a Volume" post.
Fields
The data Field
The secret data is in Key/Value form and is encoded with Base64. The base64 command can be used to produce the Base64 output. We do it like this:
echo -n '{plaintext}' | base64
The data Field and secretKeyRef Usage
Example
We do it like this:
apiVersion: v1
kind: Secret
metadata:
  name: db-root-credentials
data:
  password: cm9vdA==
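As an added example (not from the original post or any project), the POSIX shell script below encodes values the way the echo -n command above does, renders a data: section like the db-root-credentials Secret, and checks that an entry decodes back to exactly the plaintext. The function names and the manifest it renders are my own constructions; the trailing-newline case it rejects is what a plain echo produces (for instance YWRtaW4K, which appears further down this page, decodes to "admin" followed by a newline).

```shell
#!/bin/sh
# Added example, not from the original post: encode Secret values the way
# 'echo -n ... | base64' does, render a data: section, and verify that an
# entry decodes back without a stray trailing newline.

# printf '%s' writes the value without a newline (same effect as echo -n);
# tr removes the line wrapping that base64 adds on long input.
b64_encode() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Succeeds only if ENCODED decodes to exactly PLAIN. The trailing 'x' keeps
# a final newline that $(...) would otherwise strip, so a value encoded with
# plain echo ("admin" plus newline -> YWRtaW4K) is correctly rejected.
check_roundtrip() {
  plain=$1
  encoded=$2
  decoded=$(printf '%s' "$encoded" | base64 -d; printf x)
  decoded=${decoded%x}
  [ "$decoded" = "$plain" ]
}

# Render an Opaque Secret manifest from key=value arguments (the names are
# constructed for this example). Values are base64-encoded for data:.
render_secret() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64_encode "$value")"
  done
}

# Example run: the password entry matches the cm9vdA== value in the post.
render_secret db-root-credentials password=root
```

A value that fails check_roundtrip would reach the container with a newline appended to MYSQL_ROOT_PASSWORD, which is a common cause of "wrong password" errors that are hard to spot in the manifest.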
To use it in a Deployment we do the following:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
  labels:
    app: mysql
    tier: database
spec:
  selector:
    matchLabels:
      app: mysql
      tier: database
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
        tier: database
    spec:
      containers:
      - image: mysql:5.7
        args:
        - "--ignore-db-dir=lost+found"
        name: mysql
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-root-credentials
              key: password
        - name: MYSQL_USER
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: username
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password
        - name: MYSQL_DATABASE
          valueFrom:            # configMapKeyRef must sit under valueFrom, like secretKeyRef
            configMapKeyRef:
              name: db-conf
              key: name
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
      volumes:
      - name: mysql-persistent-storage
        persistentVolumeClaim:
          claimName: mysql-pv-claim
Example
We do it like this. The name given under secretKeyRef must be the same as the Secret's name.
apiVersion: v1
kind: Secret
metadata:
  name: spring-keycloak-secrets
  namespace: spring-keycloak-demo
type: Opaque
data:
  # You can include additional key value pairs as you do with Opaque Secrets
  keycloak-pass: YWRtaW4K
  postgres-pass: ZXhhbXBsZQo=
To access it we do the following. The consuming side decodes the Base64 data automatically.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
  namespace: spring-keycloak-demo
spec:
  selector:
    matchLabels:
      app: postgres
  replicas: 1
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
      - name: postgres
        image: postgres:latest
        ports:
        - containerPort: 5432
        env:
        - name: POSTGRES_DB
          value: postgres
        - name: POSTGRES_USER
          value: postgres
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: spring-keycloak-secrets
              key: postgres-pass
The stringData Field
The secret data is given as plain String values, and the API server Base64-encodes it into data for us.
Example
We do it like this:
apiVersion: v1
kind: Secret
metadata:
  name: example-cluster-config
type: Opaque
stringData:
  users.json: |
    {
      "user": [{
        "UserData": "user",
        "Password": ""
      }]
    }
  init_db.sql: |
    # Disable remote root access (only allow UNIX socket).
    DELETE FROM mysql.user WHERE User = 'root' AND Host != 'localhost';
    ...