Cloud native in depth: using KubeSeal (Sealed Secrets) to encrypt and manage Kubernetes cluster Secrets

1. Installation

① Install KubeSeal

$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/kubeseal-0.18.0-linux-amd64.tar.gz
$ tar -xvf kubeseal-0.18.0-linux-amd64.tar.gz
$ cp kubeseal /usr/local/bin/
$ kubeseal --version

② Install the controller

$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.0/controller.yaml
  • The command above starts a controller Pod in the kube-system namespace (k is an alias for kubectl throughout this article):
$ k get pod -n kube-system |grep seal
sealed-secrets-controller-b9fb75d85-k4csm    1/1     Running   0          7h28m
  • Optionally, once the Pod is running, port-forward the controller's Service to your machine. kubeseal itself fetches the sealing certificate through the Kubernetes API server, so this is only needed when you want to call the controller's HTTP routes directly:
$ kubectl -n kube-system port-forward svc/sealed-secrets-controller 8080:8080

2. How to use

① Generate an encrypted file

  • First create a file named secret-example.yaml locally. The value of the secret field, before base64 encoding, is mysupersecret. Note that bXlzdXBlcnNlY3JldAo= was produced with echo and decodes to "mysupersecret" followed by a newline; use printf '%s' or echo -n when encoding if the consuming application must not see a trailing newline:
apiVersion: v1
kind: Secret
metadata:
  name: secret-example
data:
  secret: bXlzdXBlcnNlY3JldAo=
  • Use the following command to turn secret-example.yaml into the encrypted file sealed-secret-example.yaml (kubeseal emits JSON by default; -o yaml selects the YAML form shown below):
$ kubeseal --secret-file secret-example.yaml --sealed-secret-file sealed-secret-example.yaml -o yaml
  • The content of sealed-secret-example.yaml is as follows; spec.encryptedData.secret is the ciphertext. Because the input Secret carried no namespace, kubeseal stamped metadata.namespace with the current kubectl context namespace (kube-system here). With the default strict scope the name and namespace are bound into the ciphertext, so this file can only be unsealed into a Secret with exactly this name in exactly this namespace:
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: secret-example
  namespace: kube-system
spec:
  encryptedData:
    secret: <ciphertext omitted>
  template:
    data: null
    metadata:
      creationTimestamp: null
      name: secret-example
      namespace: kube-system
  • The sealed file contains only ciphertext and the public metadata, so it is safe to commit to Git (for example GitLab). Apply it to the cluster to create the SealedSecret resource:
$ k create -f sealed-secret-example.yaml
sealedsecret.bitnami.com/secret-example created

$ k get sealedsecrets.bitnami.com
NAME             AGE
secret-example   6s
  • Once the SealedSecret exists, the controller decrypts it with its private key and creates the corresponding Secret:
$ k get secrets |grep secret-example
secret-example                                   Opaque                                1      2m15s
  • View the Secret the controller generated: data.secret matches the value in the secret-example.yaml created above, and ownerReferences points back at the SealedSecret, so deleting the SealedSecret also removes the Secret:
$ k get secret secret-example -oyaml
apiVersion: v1
data:
  secret: bXlzdXBlcnNlY3JldAo=
kind: Secret
metadata:
  creationTimestamp: "2022-06-10T00:50:40Z"
  name: secret-example
  namespace: kube-system
  ownerReferences:
  - apiVersion: bitnami.com/v1alpha1
    controller: true
    kind: SealedSecret
    name: secret-example
    uid: 57a5b691-9bb5-4dac-800a-1a1baa878299
  resourceVersion: "675560"
  uid: e0db31ad-082b-4596-9fd0-28cc810d86f4
type: Opaque
  • Note: the controller always creates the Secret in the SealedSecret's own namespace, and with the default strict scope the sealed name and namespace must match the SealedSecret exactly, otherwise decryption fails. A SealedSecret therefore cannot be used to populate a Secret in another namespace.
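As an added example (not part of the original article or of the Sealed Secrets project), the following shell script wraps two guard rails for the seal-then-commit workflow above: a helper that base64-encodes a value without the trailing newline the article's echo-generated value carries, and a check that refuses a directory of manifests if any of them is still a plaintext kind: Secret with a data: or stringData: block. The directory and file names are illustrative and the manifests in the demo are constructed in a temporary directory; single-document YAML files, as in the article, are assumed.

```shell
#!/bin/sh
# Added example, not part of the original article or of the Sealed Secrets
# project. Two guard rails for the seal-then-commit workflow.
# Assumptions: manifests are single-document YAML files; the directory and
# file names below are illustrative.

# Base64-encode a Secret value without the trailing newline that
# `echo value | base64` adds. The article's bXlzdXBlcnNlY3JldAo=
# decodes to "mysupersecret" plus a newline, which the consuming
# application would read back as part of the secret.
b64_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Scan a directory for plaintext Secret manifests. A file is flagged when
# it declares `kind: Secret` together with a data: or stringData: block.
# `kind: SealedSecret` does not match the anchored pattern, so sealed
# files pass. Prints each offender; returns 0 if clean, 1 otherwise.
find_plaintext_secrets() {
  dir=$1
  found=0
  for f in "$dir"/*.yaml "$dir"/*.yml; do
    [ -f "$f" ] || continue
    if grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$f" &&
       grep -Eq '^(data|stringData):' "$f"; then
      echo "plaintext Secret manifest: $f"
      found=1
    fi
  done
  return "$found"
}

# Demo with constructed manifests: the plaintext Secret is reported, the
# SealedSecret (whose value is only a placeholder here) is not.
demo() {
  tmp=$(mktemp -d)
  cat >"$tmp/secret-example.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: secret-example
data:
  secret: $(b64_value mysupersecret)
EOF
  cat >"$tmp/sealed-secret-example.yaml" <<EOF
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: secret-example
  namespace: kube-system
spec:
  encryptedData:
    secret: <ciphertext-from-kubeseal>
EOF
  if find_plaintext_secrets "$tmp"; then
    echo "clean: safe to commit"
  else
    echo "refusing to commit: plaintext Secret found"
  fi
  rm -rf "$tmp"
}

demo
```

Wire find_plaintext_secrets into a Git pre-commit hook or CI job pointed at the manifests directory, and keep the unsealed secret-example.yaml out of the repository entirely (for example via .gitignore); only the SealedSecret output belongs in version control.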

② TIPs

  • The controller (not the kubeseal CLI) exposes the following HTTP routes, reachable through the port-forward set up above:
    /healthz      health check; suitable for readiness and liveness probes and for an external probe such as blackbox exporter
    /metrics      Prometheus endpoint for the controller's metrics
    /v1/verify    checks that a given SealedSecret can be decrypted by this controller (used by kubeseal --validate)
    /v1/rotate    re-encrypts a SealedSecret with the controller's current key (used by kubeseal --re-encrypt)
    /v1/cert.pem  returns the public certificate used for sealing
  • In the example above the controller generated its own key pair on first start; the private key is stored as a Secret in kube-system labelled sealedsecrets.bitnami.com/sealed-secrets-key. You can instead supply your own certificate and key, which simplifies migration between clusters and key management. Two practical caveats: back up that key Secret, because without it nothing committed to Git can ever be decrypted again after a reinstall, and treat anyone who can read it as holding every sealed secret in the cluster. kubeseal can also work without cluster access: export the public certificate once with --fetch-cert and seal with --cert, so developers never need permissions on the controller. A common source of confusion is that Sealed Secrets does not replace RBAC. Once unsealed, the result is an ordinary Secret that any Pod or user with the right permissions in that namespace can mount or read, so the usual RBAC controls on who may read Secrets in each namespace still apply. The strict scope exists precisely so that a ciphertext copied from one namespace cannot be unsealed under another name or namespace by someone who is only allowed to create SealedSecrets there; the project documentation covers this under scopes and RBAC.

Source: blog.csdn.net/Forever_wj/article/details/131407884