ConfigMap과 유사하지만 Value 값들을 Base64로 인코딩하여 저장한다는 차이가 있음 (Base64는 암호화가 아니라 단순 인코딩이므로, 아래의 base64 -d 예시처럼 누구나 원래 값으로 되돌릴 수 있음)
보안이 필요한 값들에 대해 Secret 적용 권장
▶ 보안 ConfigMap
config.dir/nginx.conf 파일 생성
[root@master ~/kube/12/secret]# mkdir config.dir
[root@master ~/kube/12/secret]# cd config.dir/
[root@master ~/kube/12/secret/config.dir]# vi nginx.conf
[root@master ~/kube/12/secret/config.dir]# cat nginx.conf
server {
listen 80 ;
server_name www.example.com;
gzip on;
gzip_types text/plain application/xml;
location / {
root /usr/share/nginx/html;
index index.html index.hml;
}
}
secret 생성
[root@master ~/kube/12/secret]# kubectl create secret generic test-secret --from-literal=INTERVAL=2 --from-file=config.dir/nginx.conf
secret/test-secret created
[root@master ~/kube/12/secret]# kubectl get secret
NAME TYPE DATA AGE
mysecret kubernetes.io/dockerconfigjson 1 7d3h
test-secret Opaque 2 7s
[root@master ~/kube/12/secret]# kubectl describe secret test-secret
Name: test-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
INTERVAL: 1 bytes
nginx.conf: 221 bytes
secret 확인
[root@master ~/kube/12/secret]# kubectl get secrets test-secret -o yaml
apiVersion: v1
data:
INTERVAL: Mg==
nginx.conf: c2VydmVyIHsKICAgIGxpc3RlbiAgICAgICA4MCA7CiAgICBzZXJ2ZXJfbmFtZSAgd3d3LmV4YW1wbGUuY29tOwoKICAgIGd6aXAgb247CiAgICBnemlwX3R5cGVzIHRleHQvcGxhaW4gYXBwbGljYXRpb24veG1sOwoKICAgIGxvY2F0aW9uIC8gewogICAgICAgIHJvb3QgL3Vzci9zaGFyZS9uZ2lueC9odG1sOwogICAgICAgIGluZGV4IGluZGV4Lmh0bWwgaW5kZXguaG1sOwogICAgfQp9Cgo=
kind: Secret
metadata:
creationTimestamp: "2025-03-15T06:41:47Z"
name: test-secret
namespace: default
resourceVersion: "150746"
uid: 89e84735-029c-44e5-ba51-d44e5c5bd9b4
type: Opaque
[root@master ~/kube/12/secret]# echo Mg== | base64 -d
2
※ 그래도, 그래픽 기반 환경에서는 값을 바로 알 수 없어 디코딩하기 어려움
yaml 파일로 secret 생성
[root@master ~/kube/12/secret]# echo -n webadmin | base64
d2ViYWRtaW4=
[root@master ~/kube/12/secret]# echo -n abcd1234 | base64
YWJjZDEyMzQ=
[root@master ~/kube/12/secret]# vi test-secret.yaml
[root@master ~/kube/12/secret]# cat test-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: test-secret
data:
DB_USER: d2ViYWRtaW4= # Base64로 인코딩된 상태의 값으로 넣을 수 있음
DB_PASS: YWJjZDEyMzQ=
[root@master ~/kube/12/secret]# kubectl apply -f test-secret.yaml
Warning: resource secrets/test-secret is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
secret/test-secret configured
[root@master ~/kube/12/secret]# kubectl get secret
NAME TYPE DATA AGE
mysecret kubernetes.io/dockerconfigjson 1 7d3h
test-secret Opaque 4 7m43s
[root@master ~/kube/12/secret]# kubectl describe secret test-secret
Name: test-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
DB_PASS: 8 bytes
DB_USER: 8 bytes
INTERVAL: 1 bytes
nginx.conf: 221 bytes
Secret 생성
[root@master ~/kube/12/mongodb]# vi mongodb-secret.yaml
[root@master ~/kube/12/mongodb]# cat mongodb-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: mongodb-secret
data:
mongo-root-username: ZGJhZG1pbg==
mongo-root-password: YWJjZDEyMzQ=
[root@master ~/kube/12/mongodb]# kubectl apply -f mongodb-secret.yaml
secret/mongodb-secret created
[root@master ~/kube/12/mongodb]# kubectl get secrets
NAME TYPE DATA AGE
mongodb-secret Opaque 2 12s
mysecret kubernetes.io/dockerconfigjson 1 7d4h
[root@master ~/kube/12/mongodb]# kubectl describe secrets mongodb-secret
Name: mongodb-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
mongo-root-password: 8 bytes
mongo-root-username: 7 bytes
mongo-deploy 및 서비스 생성
[root@master ~/kube/12/mongodb]# cat mongodb-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: mongodb
labels:
app: mongodb
spec:
replicas: 1
selector:
matchLabels:
app: mongodb
template:
metadata:
labels:
app: mongodb
spec:
containers:
- name: mongodb
image: mongo
ports:
- containerPort: 27017
env:
- name: MONGO_INITDB_ROOT_USERNAME
valueFrom:
secretKeyRef:
name: mongodb-secret
key: mongo-root-username
- name: MONGO_INITDB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mongodb-secret
key: mongo-root-password
---
apiVersion: v1
kind: Service
metadata:
name: mongodb-service
spec:
selector:
app: mongodb
ports:
- protocol: TCP
port: 27017
targetPort: 27017
[root@master ~/kube/12/mongodb]# kubectl get po,svc,ep
NAME READY STATUS RESTARTS AGE
pod/mongodb-84d7c8b6dd-q6gxc 1/1 Running 0 25s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.233.0.1 <none> 443/TCP 6d4h
service/mongodb-service ClusterIP 10.233.59.125 <none> 27017/TCP 25s
NAME ENDPOINTS AGE
endpoints/kubernetes 192.168.2.60:6443 6d4h
endpoints/mongodb-service 10.233.75.9:27017 25s
ConfigMap 생성
[root@master ~/kube/12/mongodb]# vi mongodb-express-config.yaml
[root@master ~/kube/12/mongodb]# cat mongodb-express-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: mongodb-express-configmap
data:
database_url: mongodb-service
[root@master ~/kube/12/mongodb]# kubectl apply -f mongodb-express-config.yaml
configmap/mongodb-express-configmap created
[root@master ~/kube/12/mongodb]# kubectl get configmaps
NAME DATA AGE
kube-root-ca.crt 1 7d5h
mongodb-express-configmap 1 5s
test-config 3 64m
[root@master ~/kube/12/mongodb]# kubectl describe configmaps mongodb-express-configmap
Name: mongodb-express-configmap
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
database_url:
----
mongodb-service
BinaryData
====
Events: <none>
mongodb-express-deploy 및 서비스 생성
[root@master ~/kube/12/mongodb]# vi mongodb-express-deploy.yaml
[root@master ~/kube/12/mongodb]# cat mongodb-express-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: mongodb-express
labels:
app: mongo-express
spec:
replicas: 1
selector:
matchLabels:
app: mongo-express
template:
metadata:
labels:
app: mongo-express
spec:
containers:
- name: mongo-express
image: mongo-express
ports:
- containerPort: 8081
env:
- name: ME_CONFIG_MONGODB_ADMINUSERNAME
valueFrom:
secretKeyRef:
name: mongodb-secret
key: mongo-root-username
- name: ME_CONFIG_MONGODB_ADMINPASSWORD
valueFrom:
secretKeyRef:
name: mongodb-secret
key: mongo-root-password
- name: ME_CONFIG_MONGODB_SERVER
valueFrom:
configMapKeyRef:
name: mongodb-express-configmap
key: database_url
---
apiVersion: v1
kind: Service
metadata:
name: mongodb-express-service
spec:
selector:
app: mongo-express
type: LoadBalancer
ports:
- protocol: TCP
port: 8081
targetPort: 8081
nodePort: 31000
[root@master ~/kube/12/mongodb]# kubectl get po,svc,ep
NAME READY STATUS RESTARTS AGE
pod/mongodb-84d7c8b6dd-q6gxc 1/1 Running 0 6m7s
pod/mongodb-express-769b575648-xf6qt 1/1 Running 0 93s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.233.0.1 <none> 443/TCP 6d4h
service/mongodb-express-service LoadBalancer 10.233.50.223 <pending> 8081:31000/TCP 93s
service/mongodb-service ClusterIP 10.233.59.125 <none> 27017/TCP 6m7s
NAME ENDPOINTS AGE
endpoints/kubernetes 192.168.2.60:6443 6d4h
endpoints/mongodb-express-service 10.233.102.186:8081 93s
endpoints/mongodb-service 10.233.75.9:27017 6m7s
LoadBalancer Port 정보 변경(30000 → 31000)
[root@loadbalancer /root]# vi /etc/haproxy/haproxy.cfg
82 #---------------------------------------------------------------------
83 # round robin balancing between the various backends
84 #---------------------------------------------------------------------
85 backend app
86 balance roundrobin
87 server app1 192.168.2.61:31000 check
88 server app2 192.168.2.62:31000 check
89 server app3 192.168.2.63:31000 check
브라우저 접속 확인

💡 왜 접속이 안되는지 알아봐야 함.. (참고: 위 kubectl get svc 출력에서 EXTERNAL-IP가 <pending>이므로 외부 접속은 haproxy → 각 노드의 NodePort 31000 경로를 통해야 함)