Secret: stores values that must not be exposed (passwords, tokens, keys)
Create a Secret from a literal value (--from-literal)
kubectl create secret generic my-password --from-literal password=p@ssw0rd
kubectl get secrets
kubectl edit secret <secret name>
Create a password Secret from files
Create two files that hold passwords (echo appends a newline, so each stored value will end with "\n"; use printf '%s' if that matters)
echo mypassword > pw1 && echo yourpassword > pw2
ls pw*
Create the Secret (one key per file, named after the file)
kubectl create secret generic our-password --from-file pw1 --from-file pw2
kubectl get secrets
NAME           TYPE     DATA   AGE
our-password   Opaque   2      5s
Inspect the Secret
kubectl describe secret my-password
# Unlike a ConfigMap, describe does not print the values, only each key and its size
Name:         my-password
Namespace:    default
Labels:       <none>
Annotations:  <none>
Type:  Opaque
Data
====
password:  8 bytes
kubectl get secrets my-password -o yaml
apiVersion: v1
data:
  password: cEBzc3cwcmQ=   # <= base64-encoded, not encrypted: anyone who can read the object can decode it
kind: Secret
metadata:
  creationTimestamp: "2021-02-24T07:05:58Z"
  name: my-password
  namespace: default
  resourceVersion: "262522"
  selfLink: /api/v1/namespaces/default/secrets/my-password
  uid: 16db2c87-b048-4c2d-8983-04e5362ed8c2
type: Opaque
printf '%s' p@ssw0rd | base64   # cEBzc3cwcmQ=  (a plain "echo p@ssw0rd | base64" includes the newline and gives cEBzc3cwcmQK, which is not what kubectl stored)
echo cEBzc3cwcmQ= | base64 -d   # p@ssw0rd
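The stored value is only base64, so anyone with get access to Secrets in the namespace, or a copy of the manifest, recovers the plaintext. The following is an added shell example, not part of these notes, that decodes every key under data: in a manifest of the shape returned by kubectl get secret -o yaml, and shows the trailing-newline pitfall of echo. The two manifests are constructed inline to match the my-password and our-password Secrets created above (metadata trimmed), so it runs without a cluster.

```shell
#!/bin/sh
# Added example, not from the original notes: decode the data: block of a
# Secret manifest locally. Base64 is an encoding, not encryption, so this is
# exactly what anyone with "get secrets" RBAC in the namespace can do.

# Encode a literal the way kubectl's --from-literal does (no trailing newline).
# A plain "echo value | base64" appends "\n" and yields a different string.
b64_literal() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Read a manifest on stdin and print "key=plaintext" for every entry under
# "data:". The block ends at the next unindented (top-level) key.
# Trailing newlines in a value (e.g. a file written with echo) are dropped by
# the $(...) substitution. Old macOS needs "base64 -D" instead of "-d".
decode_secret_data() {
  in_data=0
  while IFS= read -r line; do
    case "$line" in
      data:) in_data=1; continue ;;
      " "*)  ;;                 # indented line: still inside the current block
      *)     in_data=0 ;;       # another top-level key: the data block is over
    esac
    [ "$in_data" -eq 1 ] || continue
    key=${line%%:*}; key=${key#"${key%%[! ]*}"}   # strip the indentation
    enc=${line#*: }
    printf '%s=%s\n' "$key" "$(printf '%s' "$enc" | base64 -d)"
  done
}

# Constructed manifests: what "kubectl get secret <name> -o yaml" returns for
# the my-password and our-password Secrets created above (metadata trimmed).
MY_PASSWORD_MANIFEST='apiVersion: v1
data:
  password: cEBzc3cwcmQ=
kind: Secret
metadata:
  name: my-password
  namespace: default
type: Opaque'

OUR_PASSWORD_MANIFEST='apiVersion: v1
data:
  pw1: bXlwYXNzd29yZAo=
  pw2: eW91cnBhc3N3b3JkCg==
kind: Secret
metadata:
  name: our-password
  namespace: default
type: Opaque'

printf '%s\n' "$MY_PASSWORD_MANIFEST" | decode_secret_data    # password=p@ssw0rd
printf '%s\n' "$OUR_PASSWORD_MANIFEST" | decode_secret_data   # pw1=mypassword / pw2=yourpassword
echo "kubectl stores: $(b64_literal p@ssw0rd)"                 # cEBzc3cwcmQ=
echo "echo | base64:  $(echo p@ssw0rd | base64)"               # cEBzc3cwcmQK (newline included)
```

The same loop works on the output of kubectl get secret our-password -o yaml piped in directly; the point is that nothing but RBAC on the Secret object stands between a reader and the plaintext.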
Import every value in a Secret as environment variables
vi env-from-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-example
spec:
  containers:
    - name: my-container
      image: busybox
      args: ["tail", "-f", "/dev/null"]
      envFrom:
        - secretRef:            # every key-value in the my-password Secret becomes an environment variable
            name: my-password
Import selected values from a Secret as environment variables
vi selective-env-from-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: selective-secret-env-example
spec:
  containers:
    - name: my-container
      image: busybox
      args: ["tail", "-f", "/dev/null"]
      env:
        - name: YOUR_PASSWORD
          valueFrom:
            secretKeyRef:
              name: our-password   # the Secret created from pw1/pw2 above
              key: pw2
Mount every value in a Secret into a Pod as a volume
vi volume-mount-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume-example
spec:
  containers:
    - name: my-container
      image: busybox
      args: ["tail", "-f", "/dev/null"]
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/secret
  volumes:
    - name: secret-volume
      secret:
        secretName: our-password
Mount selected values from a Secret into a Pod as a volume
vi selective-volume-mount-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: selective-secret-volume-example
spec:
  containers:
    - name: my-container
      image: busybox
      args: ["tail", "-f", "/dev/null"]
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/secret
  volumes:
    - name: secret-volume
      secret:
        secretName: our-password
        items:
          - key: pw1
            path: password1      # only pw1 is projected, as the file /etc/secret/password1
Create the Pods and check the Secrets
Create the Pods
kubectl apply -f volume-mount-secret.yaml
kubectl apply -f selective-volume-mount-secret.yaml
Check the Secret inside the Pod
kubectl exec selective-secret-volume-example -- ls -al /etc/secret
lrwxrwxrwx 1 root root 16 Feb 24 08:06 password1 -> ..data/password1
kubectl exec selective-secret-volume-example -- cat /etc/secret/password1
mypassword
- When a Secret is injected as environment variables or volume files, the Pod receives the base64-decoded value; base64 is only a transport encoding, so anyone who can exec into the Pod or read the Secret object can read the plaintext
- Environment variables are fixed when the container starts; files in a Secret volume are updated by kubelet when the Secret changes (the password1 -> ..data/password1 symlink above is how that swap is done), except for subPath mounts
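The ls output above shows password1 as a symlink into ..data. That is how kubelet delivers Secret volumes: the real files live in a hidden timestamped directory, ..data points at it, and the per-key names never change, so updating a Secret is one symlink swap. The following is an added shell example, not kubelet's code and not part of the original notes, that recreates that layout in a temporary directory and rotates a value; the version names and the rotated password are made up.

```shell
#!/bin/sh
# Added example, not kubelet's code: reproduce the layout kubelet uses for a
# Secret volume, which is why "ls -al /etc/secret" above shows
#   password1 -> ..data/password1
# Layout inside the mount:
#   ..<timestamp>/<key>         the real files, one directory per version
#   ..data -> ..<timestamp>      one symlink, swapped when the Secret changes
#   <key>  -> ..data/<key>       stable names the container opens
# kubelet swaps ..data with rename(2) (..data_tmp -> ..data), which is atomic;
# "ln -sfn" below is the portable approximation (unlink, then symlink).

# project_secret MOUNT VERSION KEY=VALUE...  (VERSION stands in for the timestamp)
project_secret() {
  mount=$1; ver=$2; shift 2
  mkdir -p "$mount/..$ver"
  for kv in "$@"; do
    key=${kv%%=*}; val=${kv#*=}
    printf '%s\n' "$val" > "$mount/..$ver/$key"
  done
  ln -sfn "..$ver" "$mount/..data"            # publish the new version
  for kv in "$@"; do
    key=${kv%%=*}
    [ -L "$mount/$key" ] || ln -s "..data/$key" "$mount/$key"   # stable name
  done
}

# read_key MOUNT KEY: what the container sees through the stable symlink
read_key() { cat "$1/$2"; }

# link_target MOUNT NAME: where a symlink in the mount currently points
link_target() { readlink "$1/$2"; }

# demo: first projection, then a rotation; prints "<before> <after>"
demo() {
  m=$(mktemp -d)
  project_secret "$m" 2021_02_24_08_06_00.1 pw1=mypassword pw2=yourpassword
  before=$(read_key "$m" pw1)
  # The Secret is updated: a new version directory, then one symlink swap.
  # A file read through the mount changes; an env var set from the same key would not.
  project_secret "$m" 2021_02_24_09_00_00.2 pw1=rotatedpassword pw2=yourpassword
  after=$(read_key "$m" pw1)
  rm -rf "$m"
  printf '%s %s\n' "$before" "$after"
}

demo   # mypassword rotatedpassword
```

Because the container always opens the stable name, a process that re-reads the file picks up the new value; a process that cached it at startup, or an environment variable, keeps the old one until the container restarts.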
Access control, step 3: HTTP basic authentication in nginx using a Secret
# Build an htpasswd line (user:crypt-hash) and base64-encode it for the manifest.
# The trailing newline from echo is fine here: it simply ends the htpasswd line.
echo "your_name:$(openssl passwd -quiet -crypt your_password)" | base64
# Note: -crypt was removed from "openssl passwd" in OpenSSL 3.0; on newer systems use -apr1, which nginx also accepts.
vi nginx-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: nginx-secret
type: Opaque
data:
  .htpasswd: eW91cl9uYW1lOmc4TnRBanYyY05iczIK   # decodes to the line "your_name:<crypt hash>" produced above
kubectl apply -f nginx-secret.yaml
# The same manifest generated by kubectl. Give --from-literal the plaintext line, not the base64 string:
# kubectl base64-encodes the value itself, so passing eW91...czIK would encode it a second time.
# (--dry-run without =client is deprecated.)
kubectl create secret generic nginx-secret --from-literal .htpasswd="your_name:$(openssl passwd -quiet -crypt your_password)" --dry-run=client -o yaml > test.yaml
cat test.yaml
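An added shell example, not part of these notes, that produces the same manifest locally as kubectl create secret generic nginx-secret --from-file .htpasswd --dry-run=client -o yaml, and shows why the already-encoded string from the openssl step must not be handed to --from-literal: kubectl encodes whatever it is given, so the value would be base64-encoded twice and nginx would read garbage. The .htpasswd content is constructed from the crypt() line shown above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: generate the nginx-secret
# manifest without a cluster, equivalent to
#   kubectl create secret generic nginx-secret --from-file .htpasswd --dry-run=client -o yaml
# kubectl base64-encodes values itself, so --from-literal must be given the
# plaintext "user:hash" line, not the base64 string from the openssl step.

# b64: base64 without line wrapping or trailing newline (GNU wraps at 76 columns)
b64() { base64 | tr -d '\n'; }

manifest_header() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$1"
}

# secret_from_file NAME FILE...: one data entry per file, key = basename (like --from-file)
secret_from_file() {
  manifest_header "$1"; shift
  for f in "$@"; do
    printf '  %s: %s\n' "$(basename "$f")" "$(b64 < "$f")"
  done
}

# secret_from_literal NAME KEY=VALUE...: like --from-literal (VALUE is plaintext)
secret_from_literal() {
  manifest_header "$1"; shift
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(printf '%s' "${kv#*=}" | b64)"
  done
}

# data_value MANIFEST KEY: the raw (still encoded) value stored under KEY
data_value() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'
}

demo() {
  dir=$(mktemp -d)
  # constructed .htpasswd: the crypt() line for your_name/your_password from the notes
  printf 'your_name:g8NtAjv2cNbs2\n' > "$dir/.htpasswd"
  good=$(secret_from_file nginx-secret "$dir/.htpasswd")
  # the trap: handing the already-encoded string to --from-literal encodes it again
  bad=$(secret_from_literal nginx-secret .htpasswd=eW91cl9uYW1lOmc4TnRBanYyY05iczIK)
  rm -rf "$dir"
  printf '%s\n---\n' "$good"
  printf 'from-file value:      %s\n' "$(data_value "$good" .htpasswd)"   # eW91cl9uYW1lOmc4TnRBanYyY05iczIK
  printf 'double-encoded value: %s\n' "$(data_value "$bad" .htpasswd)"
}

demo
```

Apply the generated manifest with kubectl apply -f; with the from-file variant the mounted /etc/nginx/secret/.htpasswd contains the plain user:hash line that nginx expects.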
vi basic-auth.yaml
apiVersion: v1
kind: Service
metadata:
  name: basic-auth
spec:
  type: NodePort
  selector:
    app: basic-auth
  ports:
    - protocol: TCP
      port: 80
      targetPort: http
      nodePort: 30060
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: basic-auth
  labels:
    app: basic-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: basic-auth
  template:
    metadata:
      labels:
        app: basic-auth
    spec:
      containers:
        - name: nginx
          image: "gihyodocker/nginx:latest"
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 80
          env:
            - name: BACKEND_HOST
              value: "localhost:8080"
            - name: BASIC_AUTH_FILE
              value: "/etc/nginx/secret/.htpasswd"   # (1) file holding the credentials used for basic auth
          volumeMounts:
            - mountPath: /etc/nginx/secret   # each Secret key appears as a file under this directory (1)
              name: nginx-secret             # volume name
              readOnly: true
        - name: echo
          image: "gihyodocker/echo:latest"
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
          env:
            - name: HTTP_PORT
              value: "8080"
      volumes:
        - name: nginx-secret       # volume name
          secret:
            secretName: nginx-secret   # Secret name
kubectl apply -f basic-auth.yaml
kubectl get pods,deployments,services
curl -i http://127.0.0.1:30060                                  # no credentials: HTTP/1.1 401 Unauthorized with a WWW-Authenticate: Basic header
curl -i --user your_name:your_password http://127.0.0.1:30060   # matches .htpasswd: 200, response proxied from the echo container (127.0.0.1 assumes a node reachable on localhost)