Wednesday, 2 March 2022

Kubernetes kind: Secret - Secret Data in the Configuration File

Introduction
The description is as follows. The secret data is written to the yaml file as Base64.
Secrets are the same as ConfigMaps but they are for credentials such as usernames, passwords, and tokens.

Secrets in Kubernetes are not secure by nature. The applications have to see the decoded version of the Secrets, so they are not encoded in the network. Further, they are only encoded with the basic base64 encoder. So it is very easy to decode them. To secure Secrets, it is recommended to use EncryptionConfiguration or 3rd party tools such as Hashicorp’s Vault.
Secret Types
1. Opaque Secret. The description is as follows
Opaque Secrets are used to store arbitrary user-defined data. Opaque is the default Secret type, meaning that when creating a Secret and we don’t specify any type, the secret will be considered Opaque.
2. Service Account Token Secret. The description is as follows
This is a legacy mechanism that provides long-lived ServiceAccount credentials to Pods. 
3. Docker Config Secret. The description is as follows
We use a Docker config secret to store the credentials for accessing a container image registry. 
Example
We do it like this
apiVersion: v1
kind: Secret
metadata:
  name: secret-dockercfg
type: kubernetes.io/dockercfg
data:
  .dockercfg: |
    eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUvdjEvIjp7ImF1dGgiOiJvcGVuc2VzYW1lIn19fQo=    
4. Basic Authentication Secret. The description is as follows
The kubernetes.io/basic-auth type is provided for storing credentials needed for basic authentication. When using a basic authentication Secret, the data field must contain at least one of the following keys: username (the user name for authentication) and password (the password or token for authentication)
Example
We do it like this
apiVersion: v1
kind: Secret
metadata:
  name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
  username: admin # required field for kubernetes.io/basic-auth
  password: t0p-Secret # required field for kubernetes.io/basic-auth
5. SSH Authentication Secret. The description is as follows
The built-in type kubernetes.io/ssh-auth is provided for storing data used in SSH authentication. When using an SSH authentication, you must specify a ssh-privatekey key-value pair in the data (or stringData) field as the SSH credential to use.
Example
We do it like this
apiVersion: v1
kind: Secret
metadata:
  name: secret-ssh-auth
type: kubernetes.io/ssh-auth
data:
  # the data is abbreviated in this example
  ssh-privatekey: |
    UG91cmluZzYlRW1vdGljb24lU2N1YmE=    
6. TLS Secret. The description is as follows
The kubernetes.io/tls Secret type is for storing a certificate and its associated key that are typically used for TLS. When using a TLS secret, we must provide the tls.key and the tls.crt in the configuration's data (or stringData) field.
Example
We do it like this
apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
type: kubernetes.io/tls
data:
  # values are base64 encoded, which obscures them but does NOT provide
  # any useful level of confidentiality
  tls.crt: |
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNVakNDQWJzQ0FnMytNQTBHQ1NxR1NJYjNE
    UUVCQlFVQU1JR2JNUXN3Q1FZRFZRUUdFd0pLVURFT01Bd0cKQTFVRUNCTUZWRzlyZVc4eEVEQU9C
    Z05WQkFjVEIwTm9kVzh0YTNVeEVUQVBCZ05WQkFvVENFWnlZVzVyTkVSRQpNUmd3RmdZRFZRUUxF
    dzlYWldKRFpYSjBJRk4xY0hCdmNuUXhHREFXQmdOVkJBTVREMFp5WVc1ck5FUkVJRmRsCllpQkRR
    VEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVjM1Z3Y0c5eWRFQm1jbUZ1YXpSa1pDNWpiMjB3SGhjTk1U
    TXcKTVRFeE1EUTFNVE01V2hjTk1UZ3dNVEV3TURRMU1UTTVXakJMTVFzd0NRWURWUVFHREFKS1VE
    RVBNQTBHQTFVRQpDQXdHWEZSdmEzbHZNUkV3RHdZRFZRUUtEQWhHY21GdWF6UkVSREVZTUJZR0Ex
    VUVBd3dQZDNkM0xtVjRZVzF3CmJHVXVZMjl0TUlHYU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHSUFE
    Q0JoQUo5WThFaUhmeHhNL25PbjJTbkkxWHgKRHdPdEJEVDFKRjBReTliMVlKanV2YjdjaTEwZjVN
    Vm1UQllqMUZTVWZNOU1vejJDVVFZdW4yRFljV29IcFA4ZQpqSG1BUFVrNVd5cDJRN1ArMjh1bklI
    QkphVGZlQ09PekZSUFY2MEdTWWUzNmFScG04L3dVVm16eGFLOGtCOWVaCmhPN3F1TjdtSWQxL2pW
    cTNKODhDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQU1meTQzeE15OHh3QTUKVjF2T2NS
    OEtyNWNaSXdtbFhCUU8xeFEzazlxSGtyNFlUY1JxTVQ5WjVKTm1rWHYxK2VSaGcwTi9WMW5NUTRZ
    RgpnWXcxbnlESnBnOTduZUV4VzQyeXVlMFlHSDYyV1hYUUhyOVNVREgrRlowVnQvRGZsdklVTWRj
    UUFEZjM4aU9zCjlQbG1kb3YrcE0vNCs5a1h5aDhSUEkzZXZ6OS9NQT09Ci0tLS0tRU5EIENFUlRJ
    RklDQVRFLS0tLS0K    
  # In this example, the key data is not a real PEM-encoded private key
  tls.key: |
    RXhhbXBsZSBkYXRhIGZvciB0aGUgVExTIGNydCBmaWVsZA==    
7. Bootstrap Token Secret. The description is as follows
The bootstrap.kubernetes.io/token Secret type is for tokens used during the node bootstrap process. We typically create a bootstrap token Secret in the kube-system namespace and named in the form bootstrap-token-<token-id> where <token-id> is a 6 character string of the token ID.
Example
We do it like this
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-5emitj
  namespace: kube-system
type: bootstrap.kubernetes.io/token
data:
  auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
  expiration: MjAyMC0wOS0xM1QwNDozOToxMFo=
  token-id: NWVtaXRq
  token-secret: a3E0Z2lodnN6emduMXAwcg==
  usage-bootstrap-authentication: dHJ1ZQ==
  usage-bootstrap-signing: dHJ1ZQ==
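As an added example that is not part of the original post, the following Python script checks a Secret manifest against the type rules listed above: every data value must be strict base64, the type-specific keys must be present in data or stringData, and a bootstrap token must sit in kube-system with a name of the form bootstrap-token-<token-id> whose suffix matches the decoded token-id. The manifests are Python dicts constructed here to mirror the examples above (a real tool would load them with yaml.safe_load); the function names and the wording of the findings are my own, and stringData overriding a same-named data key follows the documented API server behaviour.

```python
import base64
import binascii
import re

# Required keys for the built-in Secret types described above. Each inner set
# is an "at least one of" group and every group must be satisfied. Keys may sit
# in data or in stringData. Opaque (the default when type is omitted) needs none.
REQUIRED_KEYS = {
    "kubernetes.io/dockercfg": [{".dockercfg"}],
    "kubernetes.io/basic-auth": [{"username", "password"}],
    "kubernetes.io/ssh-auth": [{"ssh-privatekey"}],
    "kubernetes.io/tls": [{"tls.crt"}, {"tls.key"}],
    "bootstrap.kubernetes.io/token": [{"token-id"}, {"token-secret"}],
}
BOOTSTRAP_NAME = re.compile(r"^bootstrap-token-([a-z0-9]{6})$")


def effective_data(manifest):
    """Return key -> bytes as the API server stores it: base64-decoded data
    entries, with plain-text stringData entries overriding same-named keys.
    Raises binascii.Error on a value that is not strict base64."""
    result = {}
    for key, value in (manifest.get("data") or {}).items():
        # Block scalars (tls.crt above) carry newlines; strip them before decoding.
        result[key] = base64.b64decode("".join(value.split()), validate=True)
    for key, value in (manifest.get("stringData") or {}).items():
        result[key] = value.encode()
    return result


def validate_secret(manifest):
    """Return a list of findings; an empty list means the manifest is consistent."""
    if manifest.get("kind") != "Secret":
        return ["not a Secret manifest"]
    findings = []
    meta = manifest.get("metadata") or {}
    secret_type = manifest.get("type", "Opaque")
    try:
        data = effective_data(manifest)
    except binascii.Error as exc:
        return [f"data contains a value that is not valid base64: {exc}"]
    for group in REQUIRED_KEYS.get(secret_type, []):
        if not group & data.keys():
            findings.append(f"{secret_type}: missing key {' or '.join(sorted(group))}")
    if secret_type == "bootstrap.kubernetes.io/token":
        # Convention from the text: kube-system namespace, bootstrap-token-<token-id>
        if meta.get("namespace") != "kube-system":
            findings.append("bootstrap token must live in kube-system")
        match = BOOTSTRAP_NAME.match(meta.get("name", ""))
        if not match:
            findings.append("name must be bootstrap-token-<6 char token-id>")
        elif data.get("token-id", b"").decode() != match.group(1):
            findings.append("token-id in data does not match the name suffix")
    return findings


# Constructed sample manifests mirroring the examples above.
GOOD_BASIC_AUTH = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "secret-basic-auth"},
    "type": "kubernetes.io/basic-auth",
    "stringData": {"username": "admin", "password": "t0p-Secret"},
}
GOOD_BOOTSTRAP = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "bootstrap-token-5emitj", "namespace": "kube-system"},
    "type": "bootstrap.kubernetes.io/token",
    "data": {"token-id": "NWVtaXRq", "token-secret": "a3E0Z2lodnN6emduMXAwcg=="},
}
BAD_TLS = {  # tls.key is missing and tls.crt is raw PEM instead of base64
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "secret-tls"},
    "type": "kubernetes.io/tls",
    "data": {"tls.crt": "-----BEGIN CERTIFICATE-----"},
}

if __name__ == "__main__":
    for manifest in (GOOD_BASIC_AUTH, GOOD_BOOTSTRAP, BAD_TLS):
        print(manifest["metadata"]["name"], validate_secret(manifest) or "ok")
```

The check runs before kubectl apply, so a manifest with the wrong key name for its type (or a value somebody pasted as raw PEM instead of base64) is caught in review rather than as a failing pod.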
Using the Secret

1. Using the Secret as a secretKeyRef
Usually the secret is turned into an environment variable.

Example
We do it like this
env:
- name: MYSQL_ROOT_PASSWORD
  valueFrom:
    secretKeyRef:
      name: db-root-credentials
      key: password
2. Using the Secret as a Volume
Moved to the post "Secret'i Volume Olarak Kullanma" (Using the Secret as a Volume)

Fields
The data Field
The secret data is in Key/Value form and is encoded with Base64. The base64 command can be used to produce the Base64 output. We do it like this
echo -n '{plaintext}' | base64
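As an added example that is not part of the original post, here is the same encoding done in Python together with the check worth running on existing manifests: a value that decodes to text ending in a newline was almost certainly produced by echo without -n, and the application then reads the password with a trailing newline and fails to authenticate. The function names are mine; only the standard library is used.

```python
import base64


def encode_value(plaintext: str) -> str:
    """Same bytes as `echo -n '<plaintext>' | base64`: no trailing newline."""
    return base64.b64encode(plaintext.encode()).decode()


def encode_value_with_echo(plaintext: str) -> str:
    """What `echo '<plaintext>' | base64` (without -n) produces: echo appends
    a newline and that newline ends up inside the stored secret."""
    return base64.b64encode((plaintext + "\n").encode()).decode()


def decode_value(encoded: str) -> str:
    """Reverse of encode_value, as the consuming Pod sees the value."""
    return base64.b64decode(encoded).decode()


def build_data(values: dict) -> dict:
    """Produce the data: map of a Secret manifest from plaintext key/values."""
    return {key: encode_value(value) for key, value in values.items()}


def keys_with_trailing_newline(data: dict) -> list:
    """Audit an existing data: map and report keys whose value ends in a
    newline, the signature of the echo-without-n mistake."""
    return sorted(key for key, value in data.items()
                  if decode_value(value).endswith("\n"))


if __name__ == "__main__":
    print(encode_value("root"))                      # cm9vdA==
    print(encode_value_with_echo("root"))            # cm9vdAo=
    # constructed data map: one correct value, one produced without -n
    sample = {"password": encode_value_with_echo("root"),
              "username": encode_value("app")}
    print(keys_with_trailing_newline(sample))        # ['password']
```

The value cm9vdA== used in the db-root-credentials example below is the clean encoding of root. The values YWRtaW4K and ZXhhbXBsZQo= in the spring-keycloak-secrets example further down decode to admin and example each followed by a newline, which is exactly what keys_with_trailing_newline flags.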
Using the data Field with secretKeyRef
Example
We do it like this
apiVersion: v1
kind: Secret
metadata:
  name: db-root-credentials
data:
  password: cm9vdA==
To use it we do it like this
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
  labels:
    app: mysql
    tier: database
spec:
  selector: 
    matchLabels:
      app: mysql
      tier: database
  strategy:
    type: Recreate
  template:
    metadata:
      labels: 
        app: mysql
        tier: database
    spec:
      containers:
      - image: mysql:5.7 
        args:
          - "--ignore-db-dir=lost+found" 
        name: mysql  
        env:
        - name: MYSQL_ROOT_PASSWORD 
          valueFrom:
            secretKeyRef:
              name: db-root-credentials 
              key: password   
        - name: MYSQL_USER 
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: username
        - name: MYSQL_PASSWORD 
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password
        - name: MYSQL_DATABASE
          valueFrom:
            configMapKeyRef:
              name: db-conf
              key: name
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:        
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql 
      volumes:
      - name: mysql-persistent-storage 
        persistentVolumeClaim:
          claimName: mysql-pv-claim
Example
We do it like this. The value in the secretKeyRef field must be the same as the name of the Secret.
apiVersion: v1
kind: Secret
metadata:
  name: spring-keycloak-secrets
  namespace: spring-keycloak-demo
type: Opaque
data:
  # You can include additional key value pairs as you do with Opaque Secrets
  keycloak-pass: YWRtaW4K
  postgres-pass: ZXhhbXBsZQo=
To access it we do it like this. The accessing side automatically decodes the Base64 data.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
  namespace: spring-keycloak-demo
spec:
  selector:
    matchLabels:
      app: postgres
  replicas: 1
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
        - name: postgres
          image: postgres:latest
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: postgres
            - name: POSTGRES_USER
              value: postgres
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: spring-keycloak-secrets
                  key: postgres-pass
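The note above says the secretKeyRef name must match the Secret's name; the key must match as well, and the Secret must be in the same namespace as the Pod, otherwise the container never starts. As an added example that is not part of the original post, this Python script cross-checks the secretKeyRef entries of Deployments (and Pods, StatefulSets and DaemonSets) against the Secrets in the same bundle. The manifests are constructed here as dicts mirroring the spring-keycloak example above, with one extra env entry that misspells the key and one marked optional: true (a real field of secretKeyRef that tolerates a missing Secret or key); the function names and messages are mine, and envFrom references are not covered.

```python
# Constructed manifests: the Secret from the example above plus a Deployment
# with one valid reference, one dangling key and one optional reference.
SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "spring-keycloak-secrets", "namespace": "spring-keycloak-demo"},
    "type": "Opaque",
    "data": {"keycloak-pass": "YWRtaW4K", "postgres-pass": "ZXhhbXBsZQo="},
}
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "postgres", "namespace": "spring-keycloak-demo"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "postgres",
        "env": [
            {"name": "POSTGRES_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "spring-keycloak-secrets", "key": "postgres-pass"}}},
            {"name": "KEYCLOAK_ADMIN_PASSWORD",  # key misspelled: dangling reference
             "valueFrom": {"secretKeyRef": {"name": "spring-keycloak-secrets", "key": "keycloak-password"}}},
            {"name": "OPTIONAL_TOKEN",  # optional: true, so absence is not an error
             "valueFrom": {"secretKeyRef": {"name": "missing-secret", "key": "token", "optional": True}}},
        ],
    }]}}},
}

WORKLOAD_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "Pod")


def secret_keys(manifests):
    """Index (namespace, name) -> set of keys for every Secret in the bundle.
    Secrets are namespaced, so the namespace is part of the identity."""
    index = {}
    for m in manifests:
        if m.get("kind") != "Secret":
            continue
        meta = m.get("metadata") or {}
        keys = set(m.get("data") or {}) | set(m.get("stringData") or {})
        index[(meta.get("namespace", "default"), meta["name"])] = keys
    return index


def check_secret_refs(manifests):
    """Return a list of dangling secretKeyRef descriptions across all workloads."""
    index = secret_keys(manifests)
    problems = []
    for m in manifests:
        if m.get("kind") not in WORKLOAD_KINDS:
            continue
        meta = m.get("metadata") or {}
        ns = meta.get("namespace", "default")
        pod_spec = m["spec"] if m["kind"] == "Pod" else m["spec"]["template"]["spec"]
        containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
        for container in containers:
            for env in container.get("env", []):
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if not ref or ref.get("optional"):
                    continue
                where = f"{m['kind']}/{meta['name']} env {env['name']}"
                keys = index.get((ns, ref["name"]))
                if keys is None:
                    problems.append(f"{where}: Secret {ref['name']} not found in namespace {ns}")
                elif ref["key"] not in keys:
                    problems.append(f"{where}: key {ref['key']} not in Secret {ref['name']}")
    return problems


if __name__ == "__main__":
    for problem in check_secret_refs([SECRET, DEPLOYMENT]):
        print(problem)
```

Running it over the whole directory of manifests before applying them catches the typo in a key or a Secret that was created in the wrong namespace, which otherwise shows up only as CreateContainerConfigError on the Pod.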
The stringData Field
The secret data is in String form
Example
We do it like this
apiVersion: v1
kind: Secret
metadata:
  name: example-cluster-config
type: Opaque
stringData:
  users.json: |
    {
      "user": [{
        "UserData": "user",
        "Password": ""
      }]
    }
  init_db.sql: |
    
    # Disable remote root access (only allow UNIX socket).
    DELETE FROM mysql.user WHERE User = 'root' AND Host != 'localhost';
    ...

