- secrets는 configmap과 동일하다.
- configmap의 특징: get을 하면 내용이 다 노출된다.
- 예를 들어 mysql pod를 생성하는 경우 사용자 아이디, 패스워드가 필요하다.
- 그것을 decoupling 메소드로 제공할 것인데 그대로 노출되면 안 되니 Base64 기반으로 encoding 한다. 다만 Base64는 암호화가 아니라 가역적인 encoding이므로, secret을 get 할 수 있는 권한이 있으면 값은 그대로 decoding되어 읽힌다.
1. 인증정보, 개인 비밀 key 등 보안상 중요한 데이터를 다루는 method
2. key/value 형태이며 value는 Base64로 encoding
3. 최대 1M까지 제한
4. binary data를 secret에 포함시킬 수 있다
5. memory 기반으로 mount하여 사용한다
6. 포드에서 secret value를 read 시 자동 decoding
</gml_replace>

<gr_replace lines="11-11" cat="clarify" orig="7.tls 인증서">
7. tls 인증서 저장, mysql 생성 시 보통 secret 사용
7.tls 인증서 저장, mysql 생성시 보통 secret 사용
모든 namespace마다 기본 secrets를 소유하고 있다
token 부분은 describe 출력에서 디코딩된 채로 보이므로, secret 관련 정보가 그대로 노출됨을 확인한다.
root@ip-172-31-4-27:~/pv# kubectl create ns test-ns
namespace/test-ns created
root@ip-172-31-4-27:~/pv# kubectl get po -n test-ns
No resources found in test-ns namespace.
root@ip-172-31-4-27:~/pv# kubectl -n test-ns run test-pod --image nginx
pod/test-pod created
root@ip-172-31-4-27:~/pv# kubectl -n test-ns get po
NAME READY STATUS RESTARTS AGE
test-pod 1/1 Running 0 12s
root@ip-172-31-4-27:~/pv# kubectl -n test-ns get secrets
NAME TYPE DATA AGE
default-token-k8s47 kubernetes.io/service-account-token 3 54s
root@ip-172-31-4-27:~/pv# kubectl -n test-ns describe po test-pod
Name: test-pod
Namespace: test-ns
Priority: 0
Node: ip-172-31-13-180/172.31.13.180
Start Time: Wed, 02 Dec 2020 07:43:58 +0000
Labels: run=test-pod
Annotations: cni.projectcalico.org/podIP: 192.168.82.32/32
cni.projectcalico.org/podIPs: 192.168.82.32/32
Status: Running
IP: 192.168.82.32
IPs:
IP: 192.168.82.32
Containers:
test-pod:
Container ID: docker://686218b8475872970576022ba56cbfa0d50cd957d2ada837c3ce5315a5f5175d
Image: nginx
Image ID: docker-pullable://nginx@sha256:6b1daa9462046581ac15be20277a7c75476283f969cb3a61c8725ec38d3b01c3
Port: <none>
Host Port: <none>
State: Running
Started: Wed, 02 Dec 2020 07:44:03 +0000
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-k8s47 (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
default-token-k8s47:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-k8s47
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 2m18s default-scheduler Successfully assigned test-ns/test-pod to ip-172-31-13-180
Normal Pulling 2m17s kubelet Pulling image "nginx"
Normal Pulled 2m13s kubelet Successfully pulled image "nginx" in 3.440920104s
Normal Created 2m13s kubelet Created container test-pod
Normal Started 2m13s kubelet Started container test-pod
root@ip-172-31-4-27:~/pv# kubectl -n test-ns get secrets
NAME TYPE DATA AGE
default-token-k8s47 kubernetes.io/service-account-token 3 5m19s
root@ip-172-31-4-27:~/pv# kubectl -n test-ns get secrets default-token-k8s47
NAME TYPE DATA AGE
default-token-k8s47 kubernetes.io/service-account-token 3 5m42s
root@ip-172-31-4-27:~/pv# kubectl describe -n test-ns get secrets default-token-k8s47
error: the server doesn't have a resource type "get"
root@ip-172-31-4-27:~/pv# kubectl describe -n test-ns secrets default-token-k8s47
Name: default-token-k8s47
Namespace: test-ns
Labels: <none>
Annotations: kubernetes.io/service-account.name: default
kubernetes.io/service-account.uid: 79168c03-f9b2-4747-9f64-014de6d49d31
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1066 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImxoZEdBYnhGY2I2Y2k5N2RYcHBSOThYODNMb1E0ZkpORS1IU2h5Vy0xUU0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ0ZXN0LW5zIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tazhzNDciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6Ijc5MTY4YzAzLWY5YjItNDc0Ny05ZjY0LTAxNGRlNmQ0OWQzMSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDp0ZXN0LW5zOmRlZmF1bHQifQ.fbSTWDIFsO2PkfWEJv9B-vFsBNFjMJTwkO4JFOYhqek0vVoRtRzFrYEVarHxw2YE4iUbL4tecFM5AEiuD3HgZGBzr5H73ZgG3ExwPIlzsOnVEg49MAB0wp5oZuH0ANUJXhR1SYyymOdHRAPEqHGIXhM8-PKYJUrXBrVVVozhoRFykxVrROIxaRr6Acg7HeScSOVG7_PaP5xnrBcjwOA29Tvn-KdG6VV4FaAKAY170qlR74ebykGW0urd9III9z1BbQDobi6Y1oOEs4BCO65xz6t4k9tiTp9MLS7SkZ4Mva-O4rxbo56U2HEdvfkUB33OnLRW6hJ3RXWwSZJtts7uJQ