- Secret은 ConfigMap과 같은 key/value 구조의 리소스이지만, 자격증명처럼 민감한 값을 다루기 위한 용도로 구분된다.
- ConfigMap의 특징: `kubectl get`으로 조회하면 값이 평문으로 모두 노출된다.
- 예를 들어 mysql pod를 생성하는 경우 사용자 아이디, 패스워드가 필요하다.
- 이를 pod 정의와 decoupling 해서 제공하되 평문 그대로 노출되면 안 되므로, Secret은 value를 Base64로 encoding 해서 저장한다. 단, Base64는 암호화가 아니라 인코딩일 뿐이므로 `kubectl get secret ... -o yaml` 권한이 있는 사람은 누구나 `base64 -d`로 원문을 복원할 수 있다. 실제 보호는 RBAC(secrets에 대한 get/list/watch 제한)과 etcd encryption at rest 설정으로 해야 한다.

1. 인증정보, 개인 비밀 key 등 보안상 중요한 데이터를 다루는 method
2. key/value 형태이며 value는 Base64로 encoding 된다 (암호화가 아니므로 조회 권한이 곧 열람 권한이다)
3. 개별 Secret은 최대 1MiB까지 제한
4. binaryData를 secret에 포함시킬 수 있다
5. memory(tmpfs) 기반으로 mount 하여 사용한다 — 노드 디스크에 평문이 기록되지 않는다
6. pod에서 secret value를 read 시 자동 decoding 된다 (볼륨 파일과 환경변수 모두 평문으로 전달되므로 컨테이너가 침해되면 그대로 유출된다)

7. TLS 인증서 저장, mysql 생성 시 보통 secret 사용

 

모든 namespace는 생성 시 default ServiceAccount의 token secret(`kubernetes.io/service-account-token` 타입)을 기본으로 소유한다. (아래 실습 클러스터 기준이며, 최신 Kubernetes 버전에서는 이 secret이 자동 생성되지 않고 단기 token이 pod에 직접 투영된다.)

token 부분은 `kubectl describe secret`에서 디코딩된 평문 JWT로 그대로 노출됨을 확인한다. 이 token은 해당 namespace의 default ServiceAccount로 API 서버에 인증할 수 있는 bearer 자격증명이므로, secrets에 대한 get 권한은 사실상 그 ServiceAccount 권한 탈취와 같다. 또한 아래 `describe po` 출력처럼 `/var/run/secrets/kubernetes.io/serviceaccount`에 모든 pod에 자동 mount 되므로, 필요 없는 워크로드에는 `automountServiceAccountToken: false`를 설정한다. 아래에 보이는 token 값은 실제 자격증명이므로 공개 문서나 로그에 남기지 말고 실습 후 폐기해야 한다.

root@ip-172-31-4-27:~/pv# kubectl create ns test-ns
namespace/test-ns created
root@ip-172-31-4-27:~/pv# kubectl get po -n test-ns
No resources found in test-ns namespace.
root@ip-172-31-4-27:~/pv# kubectl -n test-ns run test-pod --image nginx
pod/test-pod created
root@ip-172-31-4-27:~/pv# kubectl -n test-ns get po
NAME       READY   STATUS    RESTARTS   AGE
test-pod   1/1     Running   0          12s
root@ip-172-31-4-27:~/pv# kubectl -n test-ns get secrets 
NAME                  TYPE                                  DATA   AGE
default-token-k8s47   kubernetes.io/service-account-token   3      54s
root@ip-172-31-4-27:~/pv# kubectl -n test-ns describe po test-pod 
Name:         test-pod
Namespace:    test-ns
Priority:     0
Node:         ip-172-31-13-180/172.31.13.180
Start Time:   Wed, 02 Dec 2020 07:43:58 +0000
Labels:       run=test-pod
Annotations:  cni.projectcalico.org/podIP: 192.168.82.32/32
              cni.projectcalico.org/podIPs: 192.168.82.32/32
Status:       Running
IP:           192.168.82.32
IPs:
  IP:  192.168.82.32
Containers:
  test-pod:
    Container ID:   docker://686218b8475872970576022ba56cbfa0d50cd957d2ada837c3ce5315a5f5175d
    Image:          nginx
    Image ID:       docker-pullable://nginx@sha256:6b1daa9462046581ac15be20277a7c75476283f969cb3a61c8725ec38d3b01c3
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Wed, 02 Dec 2020 07:44:03 +0000
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-k8s47 (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  default-token-k8s47:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-k8s47
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age    From               Message
  ----    ------     ----   ----               -------
  Normal  Scheduled  2m18s  default-scheduler  Successfully assigned test-ns/test-pod to ip-172-31-13-180
  Normal  Pulling    2m17s  kubelet            Pulling image "nginx"
  Normal  Pulled     2m13s  kubelet            Successfully pulled image "nginx" in 3.440920104s
  Normal  Created    2m13s  kubelet            Created container test-pod
  Normal  Started    2m13s  kubelet            Started container test-pod
root@ip-172-31-4-27:~/pv# kubectl -n test-ns get secrets  
NAME                  TYPE                                  DATA   AGE
default-token-k8s47   kubernetes.io/service-account-token   3      5m19s
root@ip-172-31-4-27:~/pv# kubectl -n test-ns get secrets default-token-k8s47 
NAME                  TYPE                                  DATA   AGE
default-token-k8s47   kubernetes.io/service-account-token   3      5m42s
root@ip-172-31-4-27:~/pv# kubectl describe -n test-ns get secrets default-token-k8s47 
error: the server doesn't have a resource type "get"
root@ip-172-31-4-27:~/pv# kubectl describe -n test-ns secrets default-token-k8s47 
Name:         default-token-k8s47
Namespace:    test-ns
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: 79168c03-f9b2-4747-9f64-014de6d49d31

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1066 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImxoZEdBYnhGY2I2Y2k5N2RYcHBSOThYODNMb1E0ZkpORS1IU2h5Vy0xUU0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ0ZXN0LW5zIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tazhzNDciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6Ijc5MTY4YzAzLWY5YjItNDc0Ny05ZjY0LTAxNGRlNmQ0OWQzMSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDp0ZXN0LW5zOmRlZmF1bHQifQ.fbSTWDIFsO2PkfWEJv9B-vFsBNFjMJTwkO4JFOYhqek0vVoRtRzFrYEVarHxw2YE4iUbL4tecFM5AEiuD3HgZGBzr5H73ZgG3ExwPIlzsOnVEg49MAB0wp5oZuH0ANUJXhR1SYyymOdHRAPEqHGIXhM8-PKYJUrXBrVVVozhoRFykxVrROIxaRr6Acg7HeScSOVG7_PaP5xnrBcjwOA29Tvn-KdG6VV4FaAKAY170qlR74ebykGW0urd9III9z1BbQDobi6Y1oOEs4BCO65xz6t4k9tiTp9MLS7SkZ4Mva-O4rxbo56U2HEdvfkUB33OnLRW6hJ3RXWwSZJtts7uJQ

 
