1. Background on Secret configuration
1. What is a Secret?
The previous article, ConfigMap configuration management center, covered the ConfigMap resource, which stores plaintext, non-sensitive data such as program configuration files. A ConfigMap offers no protection for its contents at all. Sensitive values such as tokens, passwords and keys belong in a Secret instead. Be clear about what that buys you: a Secret does not encrypt its data either (the values are only base64-encoded), but keeping credentials in a separate object type lets the cluster apply tighter RBAC to them, encrypt them at rest in etcd when that feature is enabled, and avoid exposing them alongside ordinary configuration.
2. The difference between Secret and ConfigMap
- ConfigMap: plaintext, non-sensitive configuration data.
- Secret: sensitive data such as passwords, tokens and keys, stored base64-encoded (not encrypted) and meant to be placed under stricter access control than a ConfigMap.
3. Creating Secrets and Secret types
kubectl create secret takes one of three subcommands, each producing a Secret of a different type:
- generic: arbitrary key/value data, usually passwords and tokens (type Opaque).
- tls: a private key and its certificate (type kubernetes.io/tls).
- docker-registry: credentials for an image registry (type kubernetes.io/dockerconfigjson).
The three types you will meet most often:
- kubernetes.io/service-account-token: referenced by a ServiceAccount. Before Kubernetes 1.24 a token Secret of this type was created automatically with every ServiceAccount; since 1.24 pods get a short-lived, bound token through a projected volume instead, and a long-lived token Secret exists only if you create it yourself. Either way, a pod that uses the ServiceAccount finds the token under /var/run/secrets/kubernetes.io/serviceaccount/ (/run/secrets/kubernetes.io/serviceaccount on images where /run is /var/run).
- Opaque: arbitrary user-defined data, base64-encoded. base64 is reversible (base64 --decode recovers the original bytes), so the Secret object itself provides no confidentiality: its protection comes from RBAC on the Secret, from encryption at rest in etcd if the cluster enables it, and from limiting who can exec into the pods that consume it.
- kubernetes.io/dockerconfigjson: authentication information for private image registries.
2. Practice: storing credentials in a Secret
1. Method 1: injecting the values as environment variables
First, base64-encode the username and password (this is encoding, not encryption; anyone who can read the Secret can reverse it):
echo admin|base64
echo 'NTQ34tg*@19VF-AdmiN'|base64
Note that echo appends a newline, so these values decode to "admin\n" and "NTQ34tg*@19VF-AdmiN\n". The echo output inside the container below does not make that obvious, but a program comparing the password byte-for-byte will reject it. Use printf '%s' ... | base64 (or echo -n) to encode exactly the credential, or write the plaintext under stringData: and let the API server do the encoding.
Create a Secret named var-secret:
cat varSecretConfig.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: var-secret
type: Opaque   # the Secret type, not an encryption method
data:
  username: YWRtaW4K   # base64-encoded, not encrypted (decodes to "admin\n")
  password: TlRRMzR0ZypAMTlWRi1BZG1pTgo=
Create a Deployment with the busybox image that references the Secret through secretKeyRef:
cat vardeploy.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vardemo
spec:
  replicas: 1
  selector:
    matchLabels:
      type: var
  template:
    metadata:
      labels:
        type: var
    spec:
      containers:
      - name: vardemo
        image: busybox:1.28.0
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh", "-c", "sleep 36000"]
        env:
        - name: password
          valueFrom:
            secretKeyRef:
              name: var-secret
              key: password
        - name: username
          valueFrom:
            secretKeyRef:
              name: var-secret
              key: username
Execute the YAML file:
kubectl apply -f varSecretConfig.yaml
kubectl apply -f vardeploy.yaml
View the created resources (describe prints only the key names and byte sizes; kubectl get secret var-secret -o yaml would print the base64 values, which is why the get/list permission on Secrets must be handed out sparingly):
kubectl get pod -l type=var
kubectl get secret var-secret
kubectl describe secret var-secret
Enter the container and check that the variables were injected. Environment variables are convenient but leak easily: every child process inherits them, and they show up in /proc/<pid>/environ, crash dumps and debug output, which is why the volume method below is usually preferred for credentials.
kubectl exec -it vardemo-5cf58dd664-vnv5q -- /bin/sh
echo $username
admin
echo $password
NTQ34tg*@19VF-AdmiN
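The following script is an added example, not code from the original article. It ties together the point made about the Opaque type (base64 is reversible) and the encoding step of Method 1: it encodes values without the trailing newline that echo introduces, builds the same Opaque manifest, shows the stringData: alternative, and decodes values back. It runs offline on the tutorial's own sample values; the kubectl helper at the end assumes kubectl and RBAC access to the Secret and is defined but not executed.

```shell
#!/bin/sh
# Added example, not from the original article: encode Secret values the
# way the tutorial does (base64 via a pipe), show the trailing-newline
# pitfall of `echo`, build the Opaque manifest, and decode values back to
# make the point that base64 is reversible. Runs offline; the kubectl
# helper at the end assumes kubectl and cluster access and is not run here.

# Encode exactly the bytes of $1. printf '%s' writes no trailing newline,
# so "admin" becomes YWRtaW4=; `echo admin | base64` gives YWRtaW4K, which
# is "admin\n". tr strips the line break base64 adds to its own output.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse the encoding. This is all anyone with `get secrets` needs.
decode_secret_value() {
    printf '%s' "$1" | base64 -d
}

# Byte length of the decoded value; a count one higher than the credential
# length means a newline slipped in.
decoded_length() {
    decode_secret_value "$1" | wc -c | tr -d ' '
}

# Opaque Secret manifest with hand-encoded data:, as in the tutorial.
secret_manifest() {
    name=$1; user=$2; pass=$3
cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  username: $(encode_secret_value "$user")
  password: $(encode_secret_value "$pass")
EOF
}

# Same Secret using stringData:, where the API server does the encoding and
# stores the result under data:. Values containing " or \ need YAML escaping.
secret_manifest_stringdata() {
    name=$1; user=$2; pass=$3
cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
stringData:
  username: "$user"
  password: "$pass"
EOF
}

# Cluster-side check (assumes kubectl and RBAC access to the Secret): read a
# key straight from the API and decode it without entering any pod.
read_secret_from_cluster() {
    kubectl get secret "$1" -o jsonpath="{.data.$2}" | base64 -d
}

# Demo on the tutorial's values (constructed sample input, same as the page).
secret_manifest var-secret admin 'NTQ34tg*@19VF-AdmiN'
printf 'echo-encoded length:   %s\n' "$(decoded_length YWRtaW4K)"
printf 'printf-encoded length: %s\n' "$(decoded_length "$(encode_secret_value admin)")"
```

Run it with sh to see the manifest and the two byte counts (6 for the echo-encoded value, 5 for the correct one). read_secret_from_cluster var-secret password is the check to run against a real cluster: if it prints the password, so can every principal with get on Secrets in that namespace.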
2. Method 2: mounting the Secret as a volume
Create a Secret named volume-secret:
cat volumeSecretConfig.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: volume-secret
type: Opaque
data:
  username: YWRtaW4K
  password: TlRRMzR0ZypAMTlWRi1BZG1pTgo=
Create a Deployment that mounts the Secret as a volume. Each key becomes a file under mountPath. This demo mounts over /tmp, which hides the container's own /tmp; in real deployments use a dedicated path such as /etc/secret, keep readOnly: true, and consider defaultMode: 0400 on the volume, since the default file mode is 0644.
cat volumedeploy.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: volumedemo
spec:
  replicas: 1
  selector:
    matchLabels:
      type: volume
  template:
    metadata:
      labels:
        type: volume
    spec:
      volumes:
      - name: volume-secret
        secret:
          secretName: volume-secret   # the Secret exposed through this volume
      containers:
      - name: volumedemo
        image: busybox:1.28.0
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh", "-c", "sleep 36000"]
        volumeMounts:
        - name: volume-secret
          mountPath: /tmp
          readOnly: true
Execute the YAML file:
kubectl apply -f volumeSecretConfig.yaml
kubectl apply -f volumedeploy.yaml
Enter the container and read the mounted files; each key of the Secret is a file whose content is the decoded value:
kubectl exec -it volumedemo-6dc47cff57-qstv4 -- /bin/sh
cat /tmp/password
NTQ34tg*@19VF-AdmiN
cat /tmp/username
admin
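The script below is an added example, not part of the original article, showing what a Secret volume mount looks like from inside the pod and why the files behave the way they do. It reproduces the layout the kubelet creates (real files in a timestamped directory, a ..data symlink pointing at it, and one symlink per key) in a temporary directory so it runs offline; the timestamp directory names and the sample values are constructed for the demo. The mode argument stands in for defaultMode in the volume spec.

```shell
#!/bin/sh
# Added example, not from the original article: inspect a Secret volume the
# way you would from inside the pod, and see how the kubelet lays it out.
# It runs offline by building the same layout in a temp directory:
#   <mount>/..<timestamp>/<key>     the real files (tmpfs in a pod)
#   <mount>/..data -> ..<timestamp> symlink the kubelet swaps on update
#   <mount>/<key>  -> ..data/<key>  what the application opens
# The timestamp directory names below are made up for the demo.

# Build a fake mount with two keys. $4 plays the role of defaultMode in the
# volume spec (Kubernetes uses 0644 unless told otherwise).
make_fake_secret_mount() {
    dir=$1; user=$2; pass=$3; mode=${4:-644}; ts=${5:-..2024_01_01_00_00_00.000000001}
    mkdir -p "$dir/$ts"
    printf '%s' "$user" > "$dir/$ts/username"
    printf '%s' "$pass" > "$dir/$ts/password"
    chmod "$mode" "$dir/$ts/username" "$dir/$ts/password"
    ln -sfn "$ts" "$dir/..data"
    ln -sfn ..data/username "$dir/username"
    ln -sfn ..data/password "$dir/password"
}

# Read one key exactly as an application does: open <mount>/<key>.
read_secret_key() {
    cat "$1/$2"
}

# The keys are the non-dot entries; ..data and the timestamp dir stay hidden.
list_secret_keys() {
    for entry in "$1"/*; do
        [ -e "$entry" ] && basename "$entry"
    done
}

# How many key files are readable by "other" (mode o+r). With the default
# 0644 that is all of them; defaultMode: 0400 (or 0440 plus fsGroup) in the
# volume spec fixes it, since the mount is read-only and cannot be chmod'ed
# from inside the container.
world_readable_count() {
    find -L "$1" -maxdepth 1 -type f -perm -004 | wc -l | tr -d ' '
}

# Simulate the kubelet picking up a changed Secret: new timestamp dir, then
# swap ..data. The per-key symlinks never change, so the next read sees the
# new value. A subPath mount bypasses ..data and therefore never updates.
rotate_fake_secret() {
    dir=$1; pass=$2; ts=$3
    mkdir -p "$dir/$ts"
    cp "$dir/..data/username" "$dir/$ts/username"
    printf '%s' "$pass" > "$dir/$ts/password"
    ln -sfn "$ts" "$dir/..data"
}

# Demo on the tutorial's values (constructed sample input).
MOUNT=$(mktemp -d)
make_fake_secret_mount "$MOUNT" admin 'NTQ34tg*@19VF-AdmiN'
echo "keys: $(list_secret_keys "$MOUNT" | tr '\n' ' ')"
echo "world-readable with defaultMode 0644: $(world_readable_count "$MOUNT")"
rotate_fake_secret "$MOUNT" 'rotated-password' ..2024_01_02_00_00_00.000000002
echo "password after rotation: $(read_secret_key "$MOUNT" password)"
```

Inside a real pod the same checks are ls -la on the mount path (the symlinks and ..data are visible there) and find -L /path -maxdepth 1 -type f -perm -004 to confirm whether defaultMode was tightened. The rotation step explains why reading /tmp/password in the tutorial's pod picks up a changed Secret after the kubelet sync period, and why a subPath mount of a single key would not.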