k8s: Secret and ServiceAccount

Reader submission 791 2022-11-08


Secret:

A Secret is a Kubernetes resource for holding small pieces of sensitive data such as passwords, tokens or keys. Such data could of course also be placed in a Pod spec or a container image, but keeping it in a Secret makes it easier to control how the data is used and reduces the risk of exposure.

Types:

There are four types of Secret:

•Opaque: stores information base64-encoded; the original data can be recovered with base64 --decode, so on its own it offers little protection.

•kubernetes.io/dockerconfigjson: stores authentication information for a docker registry.

•kubernetes.io/service-account-token: referenced by a serviceaccount. When a serviceaccount is created, Kubernetes creates the corresponding secret by default. If a Pod uses a serviceaccount, the corresponding secret is automatically mounted at /run/secrets/kubernetes.io/serviceaccount in the Pod.

•kubernetes.io/tls: used for TLS certificate and key data.

Creating a Secret from files:

•echo -n 'admin' > ./username.txt

•echo -n '1f2d1e2e67df' > ./password.txt

•kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt

Creating a Secret from YAML:

$ echo -n 'admin' | base64
YWRtaW4=
$ echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

Using a Secret:

Mounting the whole Secret as a read-only volume:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

Mounting only selected keys under a chosen path:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username

Setting the default file mode (the value is decimal: 256 is 0400):

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      defaultMode: 256

Setting the mode of a single key (511 is 0777):

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username
        mode: 511

Exposing Secret keys as environment variables:

apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
  restartPolicy: Never
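The Pod specs above differ in how they consume the Secret (readOnly, defaultMode/mode, env vars), and those differences decide who can read the credential inside the container. The following added example, which is not part of the original post, decodes the page's Secret and lints constructed copies of two of its Pod specs for the three points a reviewer checks; the manifests are embedded as Python dicts rather than read from a cluster.

```python
import base64

# Constructed samples (not from a live cluster): the page's Opaque Secret and
# two of its Pod specs, trimmed to the fields the checks below look at.
SECRET = {"kind": "Secret", "type": "Opaque", "metadata": {"name": "mysecret"},
          "data": {"username": "YWRtaW4=", "password": "MWYyZDFlMmU2N2Rm"}}
POD_FILE = {"kind": "Pod", "metadata": {"name": "mypod"}, "spec": {
    "containers": [{"name": "mypod", "image": "redis",
                    "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo"}]}],
    "volumes": [{"name": "foo", "secret": {"secretName": "mysecret", "defaultMode": 256}}]}}
POD_ENV = {"kind": "Pod", "metadata": {"name": "secret-env-pod"}, "spec": {
    "containers": [{"name": "mycontainer", "image": "redis", "env": [
        {"name": "SECRET_USERNAME", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
        {"name": "SECRET_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}}]}]}}

def decode_secret(secret):
    """Recover the plaintext of a Secret's data: base64 is an encoding, not encryption."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}

def lint_pod(pod):
    """Return findings on how a Pod consumes Secrets.

    defaultMode/mode are decimal in the manifest (256 == 0o400, 511 == 0o777);
    the Kubernetes default for a secret volume is 0o644. Secrets injected as env
    vars are visible in /proc/<pid>/environ and tend to end up in logs and crash dumps.
    """
    findings, spec, secret_vols = [], pod["spec"], set()
    for vol in spec.get("volumes", []):
        sec = vol.get("secret")
        if not sec:
            continue
        secret_vols.add(vol["name"])
        modes = [sec.get("defaultMode", 0o644)] + [i["mode"] for i in sec.get("items", []) if "mode" in i]
        for m in modes:
            if m & 0o077:
                findings.append(f"volume {vol['name']}: mode {oct(m)} readable by group/others")
    for c in spec.get("containers", []):
        for vm in c.get("volumeMounts", []):
            if vm["name"] in secret_vols and not vm.get("readOnly", False):
                findings.append(f"container {c['name']}: secret volume {vm['name']} mounted without readOnly")
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(f"container {c['name']}: {ref['name']}/{ref['key']} exposed as env {env['name']}")
    return findings

if __name__ == "__main__":
    print(decode_secret(SECRET))
    for pod in (POD_FILE, POD_ENV):
        print(pod["metadata"]["name"], lint_pod(pod))
```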

imagePullSecrets:

•kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: foo
    image: nginx
  imagePullSecrets:
  - name: myregistrykey

Secret limitations:

•Secrets are namespaced: only Pods in the same namespace can reference them.

•A single Secret is limited to 1 MB, to prevent an oversized Secret from exhausting the memory of the apiserver or kubelet. Creating very many small Secrets can exhaust memory just the same; this may be addressed in the future.

A key beginning with "." produces a hidden file:

kind: Secret
apiVersion: v1
metadata:
  name: dotfile-secret
data:
  .secret-file: dmFsdWUtMg0KDQo=
---
kind: Pod
apiVersion: v1
metadata:
  name: secret-dotfiles-pod
spec:
  volumes:
  - name: secret-volume
    secret:
      secretName: dotfile-secret
  containers:
  - name: dotfile-test-container
    image: k8s.gcr.io/busybox
    command:
    - ls
    - "-l"
    - "/etc/secret-volume"
    volumeMounts:
    - name: secret-volume
      readOnly: true
      mountPath: "/etc/secret-volume"

TLS:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - mynginx.test
    secretName: nginx-ingress-secret
  rules:
  - host: mynginx.test
    http:
      paths:
      - path: /
        backend:
          serviceName: myapp-svc
          servicePort: 80

ServiceAccount:

A Service account exists so that processes inside a Pod can call the Kubernetes API or other external services. It differs from a User account:

1. A User account is designed for people, while a service account is designed for processes in a Pod that call the Kubernetes API;

2. A User account spans namespaces, while a service account is confined to the namespace it lives in;

3. Every namespace automatically gets a default service account;

4. The Token controller watches for service account creation and creates a secret for each one;

5. With the ServiceAccount Admission Controller enabled:

   1. Every Pod, once created, automatically has spec.serviceAccount set to default (unless another ServiceAccount is specified);

   2. The service account the Pod references is verified to exist; otherwise creation is rejected;

   3. If the Pod does not specify ImagePullSecrets, the service account's ImagePullSecrets are added to the Pod;

   4. After each container starts, the service account's token and ca.crt are mounted at /var/run/secrets/kubernetes.io/serviceaccount/.

Creating a ServiceAccount:

kubectl create sa mysa

apiVersion: v1
kind: ServiceAccount
metadata:
  name: mysa

Granting permissions to a ServiceAccount:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount
  name: mysa
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
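Because the token of this ServiceAccount is mounted into every Pod that uses it, the Role it is bound to is exactly what an attacker who compromises such a Pod inherits. The following added example, not from the original post, resolves the page's Role and RoleBinding into the effective permissions of mysa and flags wildcard or secrets access; the second Role, the ops ServiceAccount and the ClusterRole exclusion are my own constructed additions.

```python
# Constructed samples: the page's Role and RoleBinding for ServiceAccount "mysa",
# plus an over-broad Role bound to a second ServiceAccount to show what the review flags.
ROLES = [
    {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "Role", "metadata": {"namespace": "default", "name": "secret-admin"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
]
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "mysa", "namespace": "default"}],
     "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"}},
    {"kind": "RoleBinding", "metadata": {"name": "secret-admin", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "ops", "namespace": "default"}],
     "roleRef": {"kind": "Role", "name": "secret-admin", "apiGroup": "rbac.authorization.k8s.io"}},
]

def permissions_for(sa_name, sa_namespace, roles, bindings):
    """Return the set of (namespace, apiGroup, resource, verb) a ServiceAccount gets
    from RoleBindings to Roles. A RoleBinding grants only within its own namespace,
    and can reference only a Role in that same namespace. Bindings to ClusterRoles
    are deliberately skipped here to keep the example to the page's objects."""
    by_ns_name = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    granted = set()
    for b in bindings:
        ns = b["metadata"]["namespace"]
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s.get("namespace", ns) == sa_namespace for s in b.get("subjects", [])):
            continue
        if b["roleRef"]["kind"] != "Role":
            continue
        role = by_ns_name.get((ns, b["roleRef"]["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        for rule in role.get("rules", []):
            for group in rule.get("apiGroups", [""]):
                for res in rule.get("resources", []):
                    for verb in rule.get("verbs", []):
                        granted.add((ns, group, res, verb))
    return granted

def review(perms):
    """Flag wildcard grants and any access to secrets: either lets a compromised
    Pod read every credential stored in the namespace."""
    return sorted(f"{ns}: {verb} {res} ({group or 'core'})" for ns, group, res, verb in perms
                  if "*" in (res, verb) or res == "secrets")

if __name__ == "__main__":
    for sa in ("mysa", "ops"):
        perms = permissions_for(sa, "default", ROLES, BINDINGS)
        print(sa, sorted(perms), review(perms))
```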

Usage:

apiVersion: v1
kind: Pod
metadata:
  name: sa-demo
  labels:
    app: myapp
spec:
  containers:
  - name: myapp
    image: nginx
    ports:
    - containerPort: 80
  serviceAccountName: admin
