
Encrypted Deployment on Kubernetes with Sealed Secrets

翁心思
2023-12-01

The purpose of "Sealed Secrets" (quoted in the original English)

Problem: “I can manage all my K8s config in git, except Secrets.”

Solution: Encrypt your Secret into a SealedSecret, which is safe to store - even inside a public repository. The SealedSecret can be decrypted only by the controller running in the target cluster and nobody else (not even the original author) is able to obtain the original Secret from the SealedSecret.

GitHub repository of "Sealed Secrets" for Kubernetes

https://github.com/bitnami-labs/sealed-secrets

Install the kubeseal command-line tool

cd /tmp
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.4/kubeseal-0.19.4-linux-amd64.tar.gz
tar zxvf kubeseal-0.19.4-linux-amd64.tar.gz
chmod +x kubeseal
sudo mv kubeseal /usr/local/bin
# sudo install -m 755 kubeseal /usr/local/bin/kubeseal

Install the Krew tool and the view-secret plugin

Krew is the package manager for kubectl plugins. Install Krew:

(
  set -x; cd "$(mktemp -d)" &&
  OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
  ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
  KREW="krew-${OS}_${ARCH}" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
  tar zxvf "${KREW}.tar.gz" &&
  ./"${KREW}" install krew
)

Set the PATH:

echo 'export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc

Install the view-secret plugin:

kubectl krew install view-secret

Install the sealed-secrets controller into the Kubernetes cluster

helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update
helm install sealed-secrets -n kube-system --set-string fullnameOverride=sealed-secrets-controller sealed-secrets/sealed-secrets

Output:

You should now be able to create sealed secrets.

1. Install the client-side tool (kubeseal) as explained in the docs below:

    https://github.com/bitnami-labs/sealed-secrets#installation-from-source

2. Create a sealed secret file running the command below:

    kubectl create secret generic secret-name --dry-run=client --from-literal=foo=bar -o [json|yaml] | \
    kubeseal \
      --controller-name=sealed-secrets-controller \
      --controller-namespace=kube-system \
      --format yaml > mysealedsecret.[json|yaml]

The file mysealedsecret.[json|yaml] is a commitable file.

If you would rather not need access to the cluster to generate the sealed secret you can run:

    kubeseal \
      --controller-name=sealed-secrets-controller \
      --controller-namespace=kube-system \
      --fetch-cert > mycert.pem

to retrieve the public cert used for encryption and store it locally. You can then run 'kubeseal --cert mycert.pem' instead to use the local cert e.g.

    kubectl create secret generic secret-name --dry-run=client --from-literal=foo=bar -o [json|yaml] | \
    kubeseal \
      --controller-name=sealed-secrets-controller \
      --controller-namespace=kube-system \
      --format [json|yaml] --cert mycert.pem > mysealedsecret.[json|yaml]

3. Apply the sealed secret

    kubectl create -f mysealedsecret.[json|yaml]

Running 'kubectl get secret secret-name -o [json|yaml]' will show the decrypted secret that was generated from the sealed secret.

Both the SealedSecret and generated Secret must have the same name and namespace.

Using "Sealed Secrets"

In this example, the contents of the file /home/oracle/.docker/config.json are encrypted:

kubectl create secret generic secret-name --dry-run=client --from-file=/home/oracle/.docker/config.json -o yaml | \
kubeseal \
  --controller-name=sealed-secrets-controller \
  --controller-namespace=kube-system \
  --format yaml > mysealedsecret.yaml

View mysealedsecret.yaml:

cat mysealedsecret.yaml

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: secret-name
  namespace: default
spec:
  encryptedData:
    config.json: <encrypted value omitted>
  template:
    metadata:
      creationTimestamp: null
      name: secret-name
      namespace: default

Publish mysealedsecret.yaml:

kubectl apply -f mysealedsecret.yaml

View the Secret:

kubectl view-secret secret-name

Choosing key: config.json
{
        "auths": {
                "https://index.docker.io/v1/": {
                        "auth": "<your_base64_string>"
                }
        }
}
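The SealedSecret shown above is the artifact that belongs in git; the plaintext Secret that the `kubectl create secret ... --dry-run=client` stage emits is not, and it is easy to redirect the wrong stage of the pipeline to a file. The following pre-commit guard is an added example written for this page, not code from the original post or from the sealed-secrets project. It assumes only POSIX sh and grep; the manifests it writes for its demo are constructed placeholders (the ciphertext is a dummy string, the data value is base64 of an empty `{"auths":{}}` document).

```shell
#!/usr/bin/env sh
# Added example; not part of the original post or of the sealed-secrets
# project. A git pre-commit guard for the workflow above: the SealedSecret
# that kubeseal emits may be committed, but the plaintext Secret produced by
# the "kubectl create secret ... --dry-run=client" stage must never reach the
# repository. The checks are line-based and need only POSIX sh and grep.

# Return 0 when FILE is a plaintext Secret, i.e. kind Secret (not
# SealedSecret) together with a data/stringData block; 1 otherwise.
is_plaintext_secret() {
  case "$1" in
    *.json)
      grep -Eq '"kind"[[:space:]]*:[[:space:]]*"Secret"' "$1" &&
      grep -Eq '"(data|stringData)"[[:space:]]*:' "$1" ;;
    *)
      grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$1" &&
      grep -Eq '^(data|stringData):' "$1" ;;
  esac
}

# Check each manifest given (yaml/yml/json; other files are ignored);
# report offenders on stderr and return 1 if any were found, which makes
# git abort the commit.
check_manifests() {
  rc=0
  for f in "$@"; do
    case "$f" in *.yaml|*.yml|*.json) ;; *) continue ;; esac
    if is_plaintext_secret "$f"; then
      echo "refusing to commit plaintext Secret: $f" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample manifests for the demo. The data value is base64 of an
# empty {"auths":{}} document, and the ciphertext is a placeholder string.
write_samples() {
  cat > "$1/plain-secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata: {name: secret-name, namespace: default}
type: Opaque
data:
  config.json: eyJhdXRocyI6e319
EOF
  printf '%s\n' '{"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "secret-name"},' \
    ' "data": {"config.json": "eyJhdXRocyI6e319"}}' > "$1/plain-secret.json"
  cat > "$1/sealed-secret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata: {name: secret-name, namespace: default}
spec:
  encryptedData:
    config.json: CONSTRUCTED-PLACEHOLDER-CIPHERTEXT
  template:
    metadata: {name: secret-name, namespace: default}
EOF
  cat > "$1/configmap.yaml" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata: {name: app-config}
data:
  LOG_LEVEL: info
EOF
}

# Entry point: check the files given on the command line, or run the
# demo with --demo (exits 1 because the two plaintext samples are rejected).
case "${1:-}" in
  --demo) d="$(mktemp -d)"; write_samples "$d"; check_manifests "$d"/* ;;
  "") ;;
  *) check_manifests "$@" ;;
esac
```

Save it as, for example, .githooks/secret-guard.sh and call it from .git/hooks/pre-commit with the staged paths: `sh .githooks/secret-guard.sh $(git diff --cached --name-only --diff-filter=ACM)`. Because the check is per line, a multi-document file that mixes a SealedSecret with a plaintext Secret is still rejected, while a ConfigMap (which also has a data: block) passes. It is a backstop only; the primary control is to keep the first stage of the pipeline in memory, as the page's command does.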

Other security measures

Once the Secret has been restored into a Secret resource, it can be inspected with kubectl describe, so the following measures can be combined with Sealed Secrets to further improve security:

  • Set up RBAC: create a Role that does not grant access to Secrets, and prefer working as users that are not permitted to get Secrets.
  • When consuming a Secret, prefer to use it through volumeMounts.
  • In container images that use the Secret, disable commands such as cat, sh and vim.
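The first two measures can be checked mechanically before a manifest is applied. The script below is an added example written for this page, not code from the original post or the sealed-secrets project. It assumes POSIX sh, awk and grep; the sample manifests it writes are constructed (names, namespace and image are placeholders). The checks go slightly beyond the bullets: the RBAC check also flags wildcard resources or verbs, and the environment check flags envFrom secretRef as well as secretKeyRef.

```shell
#!/usr/bin/env sh
# Added example; not part of the original post or of the sealed-secrets
# project. Two offline checks for the first two measures above, to run over
# manifests before they are committed or applied. Each returns 0 when the
# risky pattern is present and 1 when it is absent; parsing is line-based
# (awk/grep) and handles flow-style ["a", "b"] and block-style "- a" lists.

# Does a Role/ClusterRole grant a read verb (get/list/watch/*) on secrets
# (or on the "*" resource) in any single rule?
role_exposes_secrets() {
  awk '
    # Evaluate the rule collected so far, then reset the buffers.
    function flush() {
      if (res ~ /(^|[^A-Za-z])(secrets|\*)([^A-Za-z]|$)/ &&
          verbs ~ /(^|[^A-Za-z])(get|list|watch|\*)([^A-Za-z]|$)/) found = 1
      res = ""; verbs = ""; key = ""
    }
    # A list item that begins with a rule key starts a new rule.
    /^[ \t]*-[ \t]*(apiGroups|resources|verbs|resourceNames)[ \t]*:/ { flush() }
    # A rule key; text after the colon is a flow-style list (possibly empty).
    /^[ \t]*-?[ \t]*(apiGroups|resources|verbs|resourceNames)[ \t]*:/ {
      key = $0; sub(/^[ \t]*-?[ \t]*/, "", key); sub(/[ \t]*:.*/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      if (key == "resources") res = res " " val
      else if (key == "verbs") verbs = verbs " " val
      next
    }
    # "- item" lines belong to the most recent key (block-style lists).
    /^[ \t]*-[ \t]*[^:]*$/ {
      val = $0; sub(/^[ \t]*-[ \t]*/, "", val)
      if (key == "resources") res = res " " val
      else if (key == "verbs") verbs = verbs " " val
    }
    END { flush(); exit (found ? 0 : 1) }
  ' "$1"
}

# Does a workload inject a Secret via env vars (secretKeyRef, or envFrom
# secretRef) instead of a volumeMount?
pod_uses_secret_env() {
  grep -Eq '^[[:space:]]*-?[[:space:]]*(secretKeyRef|secretRef)[[:space:]]*:' "$1"
}

# Audit every *.yaml in DIR; report findings on stderr, return 1 if any.
audit_dir() {
  rc=0
  for f in "$1"/*.yaml; do
    role_exposes_secrets "$f" && { echo "$f: Role reads secrets" >&2; rc=1; }
    pod_uses_secret_env "$f" && { echo "$f: Secret via env; prefer volumeMount" >&2; rc=1; }
  done
  return "$rc"
}

# Constructed sample manifests (names, namespace and image are placeholders).
write_samples() {
  cat > "$1/reader-role.yaml" <<'EOF'
kind: Role
rules:
- apiGroups: [""]
  resources: ["pods", "configmaps"]
  verbs: ["get", "list", "watch"]
EOF
  cat > "$1/broad-role.yaml" <<'EOF'
kind: Role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
- apiGroups: [""]
  resources:
  - secrets
  verbs:
  - get
  - list
EOF
  cat > "$1/env-pod.yaml" <<'EOF'
kind: Pod
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0
    env:
    - name: DOCKER_CONFIG_JSON
      valueFrom:
        secretKeyRef: {name: secret-name, key: config.json}
EOF
  cat > "$1/volume-pod.yaml" <<'EOF'
kind: Pod
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0
    volumeMounts:
    - {name: docker-config, mountPath: /etc/docker, readOnly: true}
  volumes:
  - name: docker-config
    secret: {secretName: secret-name, defaultMode: 0400}
EOF
}

case "${1:-}" in
  --demo) d="$(mktemp -d)"; write_samples "$d"; audit_dir "$d" ;;
  "") ;;
  *) audit_dir "$1" ;;
esac
```

Run it with --demo to see the two findings (broad-role.yaml and env-pod.yaml), or point audit_dir at a directory of manifests in CI. volume-pod.yaml shows the form the second bullet prefers: the Secret arrives as a read-only file with restrictive mode rather than in the process environment. A Role that passes the first check still has to be bound to the right subjects; `kubectl auth can-i get secrets --as=<subject> -n <namespace>` confirms the effective permission against the live cluster.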

Done!
