Wednesday, 2 March 2022

Kubernetes kind: Secret - Secret Data in the Configuration File

Introduction
The description is as follows. The secret data is written into the yaml file as Base64.
Secrets are the same as ConfigMaps but they are for credentials such as usernames, passwords, and tokens.

Secrets in Kubernetes are not secure by nature. The applications have to see the decoded version of the Secrets, so they are not encoded in the network. Further, they are only encoded with the basic base64 encoder. So it is very easy to decode them. To secure Secrets, it is recommended to use EncryptionConfiguration or 3rd party tools such as Hashicorp’s Vault.
Using the Secret as a secretKeyRef
Usually the secret is turned into an environment variable.

Example
We do the following
env:
- name: MYSQL_ROOT_PASSWORD
  valueFrom:
    secretKeyRef:
      name: db-root-credentials
      key: password
Using the Secret as a Volume
1. The Secret is turned into a volume with volumes
2. The Pod mounts this volume with volumeMounts.
Example
We do the following
# Pod-definition with secret mounted as a volume into the pod
apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  containers:
    - name: wordpress
      image: wordpress
      volumeMounts:
      - name: secret-vol01
        mountPath: /etc/secret    # files - mounted in this location
        readOnly: true
  volumes:
    - name: secret-vol01
      secret:
        secretName: app-secret

The data Field
The secret data is in Key/Value form and is Base64 encoded. The base64 command can be used to produce the Base64 output (the -n keeps echo from appending a newline to the value). We do the following
echo -n '{plaintext}' | base64
Using the data Field with secretKeyRef
Example
We do the following
apiVersion: v1
kind: Secret
metadata:
  name: db-root-credentials
data:
  password: cm9vdA==
To use it we do the following
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
  labels:
    app: mysql
    tier: database
spec:
  selector:
    matchLabels:
      app: mysql
      tier: database
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
        tier: database
    spec:
      containers:
      - image: mysql:5.7
        args:
          - "--ignore-db-dir=lost+found"
        name: mysql
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-root-credentials
              key: password
        - name: MYSQL_USER
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: username
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password
        - name: MYSQL_DATABASE
          valueFrom:
            configMapKeyRef:
              name: db-conf
              key: name
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
      volumes:
      - name: mysql-persistent-storage
        persistentVolumeClaim:
          claimName: mysql-pv-claim
Example
We do the following. The value in the secretKeyRef name field must be the same as the Secret's name.
apiVersion: v1
kind: Secret
metadata:
  name: spring-keycloak-secrets
  namespace: spring-keycloak-demo
type: Opaque
data:
  # You can include additional key value pairs as you do with Opaque Secrets
  keycloak-pass: YWRtaW4K
  postgres-pass: ZXhhbXBsZQo=
To access it we do the following. The consuming side decodes the Base64 data automatically.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
  namespace: spring-keycloak-demo
spec:
  selector:
    matchLabels:
      app: postgres
  replicas: 1
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
        - name: postgres
          image: postgres:latest
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: postgres
            - name: POSTGRES_USER
              value: postgres
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: spring-keycloak-secrets
                  key: postgres-pass
Using the data Field with a Volume Mount via secretName

Example
We do the following. Here the secret data is mounted as a volume. Each Key/Value pair becomes a separate file.
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: YWRtaW4=
  password: MTIzNDU2
---
apiVersion: v1
kind: Pod
metadata:
  name: basic-app
spec:
  volumes:
    - name: my-volume-for-secret
      secret:
        secretName: my-secret
  containers:
    - name: basic-app
      image: nginx
      volumeMounts:
        - name: my-volume-for-secret
          mountPath: /etc/my-secret-vol
          readOnly: true
To access the secret data we do the following
> kubectl exec basic-app -- ls /etc/my-secret-vol
password
username

> kubectl exec basic-app -- cat /etc/my-secret-vol/username
admin

> kubectl exec basic-app -- cat /etc/my-secret-vol/password
123456
The stringData Field
The secret data is in plain String form
Example
We do the following
apiVersion: v1
kind: Secret
metadata:
  name: example-cluster-config
type: Opaque
stringData:
  users.json: |
    {
      "user": [{
        "UserData": "user",
        "Password": ""
      }]
    }
  init_db.sql: |
    
    # Disable remote root access (only allow UNIX socket).
    DELETE FROM mysql.user WHERE User = 'root' AND Host != 'localhost';
    ...
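The data/stringData distinction above and the `echo -n` point from the data section, as an added example that is not part of the original post: a small Python lint that resolves a Secret manifest's effective values the way the API server does (data is Base64-decoded, stringData is taken literally and overrides data) and flags values that carry a trailing newline. The sample manifest, the minimal parser and the function names are constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample (not from the post); the data values reuse the post's own:
# YWRtaW4K decodes to "admin\n" (made with `echo`, not `echo -n`), YWRtaW4= to "admin".
SAMPLE_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: spring-keycloak-secrets
type: Opaque
data:
  keycloak-pass: YWRtaW4K
  postgres-pass: ZXhhbXBsZQo=
  username: YWRtaW4=
stringData:
  postgres-pass: example
"""

_ENTRY_RE = re.compile(r"^  ([\w.\-]+):\s*(.*?)\s*$")

def parse_sections(manifest):
    """Minimal parser for the top-level data:/stringData: maps (2-space `key: value` lines)."""
    sections, current = {"data": {}, "stringData": {}}, None
    for line in manifest.splitlines():
        if line in ("data:", "stringData:"):
            current = line[:-1]
        elif current and (m := _ENTRY_RE.match(line)):
            sections[current][m.group(1)] = m.group(2)
        elif line and not line.startswith(" "):
            current = None  # some other top-level key
    return sections

def effective_values(manifest):
    """Key -> bytes as the API server stores them; stringData is literal and overrides data."""
    sections = parse_sections(manifest)
    values = {}
    for key, b64 in sections["data"].items():
        try:
            values[key] = base64.b64decode(b64, validate=True)  # strict: fail here, not at pod start
        except binascii.Error as exc:
            raise ValueError(f"data.{key} is not valid base64: {exc}") from exc
    for key, text in sections["stringData"].items():
        values[key] = text.encode()
    return values

def trailing_newline_keys(manifest):
    """Keys whose value ends in a newline: such a password silently fails to match "admin"."""
    return sorted(k for k, v in effective_values(manifest).items() if v.endswith(b"\n"))
```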

