2025. 1. 9. 10:30ㆍKubernetes/Kubernetes
The reason the application has failed is that we have not created the secrets yet. Create a new secret named db-secret with the data given below.
You may follow any one of the methods discussed in the lecture to create the secret.
- Secret Name: db-secret
- Secret 1: DB_Host=sql01
- Secret 2: DB_User=root
- Secret 3: DB_Password=password123
kubectl create secret generic --help
# Create a new secret named my-secret with key1=supersecret and key2=topsecret
kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret
k create secret generic db-secret --from-literal=DB_Host=sql01 --from-literal=DB_User=root --from-literal=DB_Password=password123
Configure webapp-pod to load environment variables from the newly created secret.
apiVersion: v1
kind: Pod
metadata:
  name: envfrom-secret
spec:
  containers:
    - name: envars-test-container
      image: nginx
      envFrom:
        - secretRef:
            name: test-secret
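The task above asks for a Secret whose keys must match the environment variable names the application expects. The following added example (not code from the blog post or from the lab) builds the db-secret and webapp-pod manifests as JSON (which kubectl accepts just like YAML) and checks, case-sensitively, that every required key is present; the container image `nginx` and the key set are assumptions taken from the lab text. It also shows that the `.data` values are only base64-encoded, not encrypted.

```python
import base64
import json

# Required env var names from the lab task on this page (constructed input).
REQUIRED_KEYS = ("DB_Host", "DB_User", "DB_Password")


def make_secret(name, literals, namespace="default"):
    """Build an Opaque Secret the way `kubectl create secret generic
    --from-literal` does: each value is base64-encoded into .data.
    base64 is reversible encoding, not encryption."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in literals.items()},
    }


def make_pod_with_envfrom(pod_name, image, secret_name):
    """Pod manifest that exposes every key of the Secret as an env var via envFrom."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": pod_name},
        "spec": {
            "containers": [
                {
                    "name": pod_name,
                    "image": image,  # assumption: the lab does not state the image
                    "envFrom": [{"secretRef": {"name": secret_name}}],
                }
            ]
        },
    }


def missing_env_keys(secret, required):
    """Env var names are case-sensitive: a key 'DB_host' does NOT satisfy
    'DB_Host'. Return the required names the Secret does not provide exactly."""
    present = set(secret["data"])
    return [k for k in required if k not in present]


def decode_secret(secret):
    """Recover the plaintext values, as `base64 --decode` on the page does."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


if __name__ == "__main__":
    typo = make_secret("db-secret", {"DB_host": "sql01", "DB_User": "root",
                                     "DB_Password": "password123"})
    print("missing keys with the lowercase typo:", missing_env_keys(typo, REQUIRED_KEYS))
    good = make_secret("db-secret", {"DB_Host": "sql01", "DB_User": "root",
                                     "DB_Password": "password123"})
    print("missing keys with correct casing:", missing_env_keys(good, REQUIRED_KEYS))
    print(json.dumps(good, indent=2))
    print(json.dumps(make_pod_with_envfrom("webapp-pod", "nginx", "db-secret"), indent=2))
    print("decoded:", decode_secret(good))
```

Piping the JSON output to `kubectl apply -f -` would create both objects; the check function is the part worth keeping, since a mis-cased key produces a pod that starts fine but reads an empty variable.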
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/
Distribute Credentials Securely Using Secrets
https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
Encrypting Confidential Data at Rest
Encrypting Confidential Data at Rest
$$$ kubectl create secret generic my-secret --from-literal=key1=supersecret
secret/my-secret created
$$$ kubectl get secret my-secret -o yaml
apiVersion: v1
data:
key1: c3VwZXJzZWNyZXQ=
kind: Secret
metadata:
creationTimestamp: "2025-01-09T00:13:34Z"
name: my-secret
namespace: default
resourceVersion: "618434"
uid: 00fe1b20-129d-4272-aa8c-7de9e48b7bfd
type: Opaque
$$$ kubectl get secret my-secret
NAME TYPE DATA AGE
my-secret Opaque 1 35s
kubectl describe secrets my-secret
Name: my-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
key1: 11 bytes
$$$ echo "c3VwZXJzZWNyZXQ=" | base64 --decode
supersecret
ETCDCTL_API=3 etcdctl \
--cacert=/etc/kubernetes/pki/ca.crt \
--cert=/etc/kubernetes/pki/server.crt \
--key=/etc/kubernetes/pki/server.key \
get /registry/secrets/default/my-secret | hexdump -C
Encrypt your data
When installed with kubespray, the paths differ.
etcd is also installed and run as a systemd service.
The role of each file in the /etc/ssl/etcd/ssl/ directory is as follows:
- ca.pem:
- The CA certificate used by the etcd cluster.
- Used with the --cacert option.
- ca-key.pem:
- The key file used to generate the CA certificate. Normally not needed for client commands.
- admin-master.pem:
- The client certificate for administering the etcd cluster.
- Used with the --cert option.
- admin-master-key.pem:
- The private key for admin-master.pem.
- Used with the --key option.
- member-master-key.pem, node-master-key.pem, etc.:
- Key files related to the etcd member nodes. Normally not needed for client commands.
ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/ssl/etcd/ssl/ca.pem --cert=/etc/ssl/etcd/ssl/admin-master.pem --key=/etc/ssl/etcd/ssl/admin-master-key.pem get / --prefix --keys-only | head
/registry/apiextensions.k8s.io/customresourcedefinitions/bgpconfigurations.crd.projectcalico.org
/registry/apiextensions.k8s.io/customresourcedefinitions/bgpfilters.crd.projectcalico.org
/registry/apiextensions.k8s.io/customresourcedefinitions/bgppeers.crd.projectcalico.org
/registry/apiextensions.k8s.io/customresourcedefinitions/blockaffinities.crd.projectcalico.org
/registry/apiextensions.k8s.io/customresourcedefinitions/caliconodestatuses.crd.projectcalico.org
...
ETCDCTL_API=3 etcdctl \
--endpoints=https://127.0.0.1:2379 \
--cacert=/etc/ssl/etcd/ssl/ca.pem \
--cert=/etc/ssl/etcd/ssl/admin-master.pem \
--key=/etc/ssl/etcd/ssl/admin-master-key.pem \
get /registry/secrets/default/my-secret | hexdump -C
00000000 2f 72 65 67 69 73 74 72 79 2f 73 65 63 72 65 74 |/registry/secret|
00000010 73 2f 64 65 66 61 75 6c 74 2f 6d 79 2d 73 65 63 |s/default/my-sec|
00000020 72 65 74 0a 6b 38 73 3a 65 6e 63 3a 61 65 73 63 |ret.k8s:enc:aesc|
00000030 62 63 3a 76 31 3a 6b 65 79 31 3a 58 70 28 1d e4 |bc:v1:key1:Xp(..|
00000040 b7 ff 4a 79 aa f5 fb 08 b6 c7 57 e5 dd 92 04 5e |..Jy......W....^|
00000050 a5 95 ef d7 46 96 55 c7 b9 e2 96 91 82 d4 3f 3c |....F.U.......?<|
00000060 fd cd 25 81 c0 ff 84 50 63 f5 99 d3 dc 7c 9e 9f |..%....Pc....|..|
00000070 a8 56 56 e9 62 d0 0c 3c 29 27 49 8b d9 b4 93 48 |.VV.b..<)'I....H|
00000080 8e c9 9a 03 02 32 d5 61 ff 6e f1 e6 a0 73 f0 af |.....2.a.n...s..|
00000090 d0 1e 6c d0 22 34 d3 46 0d 75 7e 2a 27 42 fd 9d |..l."4.F.u~*'B..|
000000a0 96 28 f2 c9 0d 77 ad fc 82 db 4e e4 8f c9 bf 11 |.(...w....N.....|
000000b0 0f 88 75 e9 bc 56 9e ef 1d 18 0c 18 49 cf a5 04 |..u..V......I...|
000000c0 7e 56 a0 e4 f5 51 fb 8d 44 f2 99 24 e0 bc e0 d6 |~V...Q..D..$....|
000000d0 6d 4a c7 1e 78 ec e1 bd 54 6f e9 7a 2c 5d 26 ef |mJ..x...To.z,]&.|
000000e0 2c c3 2b 56 b8 6a 69 1c 4a 62 f5 58 6b ef 12 92 |,.+V.ji.Jb.Xk...|
000000f0 47 08 fc 61 a1 01 00 8d 98 92 e0 72 52 75 73 a8 |G..a.......rRus.|
00000100 cd 8d df 22 0a db 24 4a e8 6c f1 33 0b 60 4b 94 |..."..$J.l.3.`K.|
00000110 4b e8 c2 3c 39 45 9e d2 48 39 ba dd 01 b6 6d 93 |K..<9E..H9....m.|
00000120 22 d4 04 fa 2f ba ac 84 ce f4 63 af 31 28 b5 f0 |".../.....c.1(..|
00000130 0c a1 ab 9f 86 6d dd 3c 1f 4a f8 0a |.....m.<.J..|
0000013c
[root@master ~]# ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/ssl/etcd/ssl/ca.pem --cert=/etc/ssl/etcd/ssl/admin-master.pem --key=/etc/ssl/etcd/ssl/admin-master-key.pem get /registry/secrets/default/my-secret4 | hexdump -C
00000000 2f 72 65 67 69 73 74 72 79 2f 73 65 63 72 65 74 |/registry/secret|
00000010 73 2f 64 65 66 61 75 6c 74 2f 6d 79 2d 73 65 63 |s/default/my-sec|
00000020 72 65 74 34 0a 6b 38 73 3a 65 6e 63 3a 61 65 73 |ret4.k8s:enc:aes|
00000030 63 62 63 3a 76 31 3a 6b 65 79 31 3a f4 d4 08 f8 |cbc:v1:key1:....|
00000040 76 dd e0 ce 4a c7 81 47 4e 21 44 7f 80 5b bc 6c |v...J..GN!D..[.l|
00000050 ec 1c a6 2a dc 05 e3 64 bb 8d dd c9 7c de ed 08 |...*...d....|...|
00000060 e7 88 9c 9d 28 c3 e8 1d b4 f4 bd 04 d8 b2 04 c0 |....(...........|
00000070 fd ac 7e 4b af d0 31 ef 7b 79 37 85 a9 15 99 68 |..~K..1.{y7....h|
00000080 30 d4 52 54 39 1d 93 94 b7 c5 ac 45 c9 ff 39 1b |0.RT9......E..9.|
00000090 c9 c6 dc 08 5c 67 42 eb 07 8b 8a 78 dd 5f 74 05 |....\gB....x._t.|
000000a0 2f 1f 05 35 cc d0 68 5f 4b 1a 82 2f a7 03 bd a3 |/..5..h_K../....|
000000b0 83 26 70 5b 21 25 55 5f 48 ad 17 c9 bb b2 25 cf |.&p[!%U_H.....%.|
000000c0 4b 76 3b 8e 01 5d 2f 21 c9 55 0b fd f7 49 3e 15 |Kv;..]/!.U...I>.|
000000d0 bb e2 02 78 4f 6b ea 3d e1 f6 46 a6 31 64 bf d9 |...xOk.=..F.1d..|
000000e0 95 6d b7 38 03 22 26 43 7b 0d ce 53 6b 3f a0 c7 |.m.8."&C{..Sk?..|
000000f0 b7 f8 04 e9 53 74 f9 88 cd 16 30 bd 7e ac 5a 8d |....St....0.~.Z.|
00000100 e9 a3 ef e9 f6 b3 43 01 66 d5 9c 28 4c d4 b8 93 |......C.f..(L...|
00000110 62 fd 7f 13 84 9e 07 68 84 fb ef c6 81 1e e4 a4 |b......h........|
00000120 64 5e da 07 13 72 6b 01 5c 4c 20 e5 36 51 5e 60 |d^...rk.\L .6Q^`|
00000130 9c 5c 52 9e fb b6 7c c4 12 81 d5 89 0a |.\R...|......|
0000013d
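The two hexdumps above show the value stored in etcd beginning with `k8s:enc:aescbc:v1:key1:`, which is how the API server marks an object written through an EncryptionConfiguration provider, whereas an unencrypted object begins with the protobuf magic `k8s\x00`. The following added example (not code from the blog post or from Kubernetes) parses `etcdctl get` output and classifies the stored value, so an auditor can confirm encryption at rest actually applies to a given key. The encrypted sample is constructed from the first bytes of the page's hexdump; the plaintext sample and the `kms`/`aesgcm`/`secretbox` provider names are assumptions based on the documented prefix format.

```python
import re

# Encrypted values are stored as  k8s:enc:<provider>:v<N>:<key name>:<ciphertext>
# (providers include aescbc, aesgcm, secretbox, kms). Plaintext protobuf objects
# start with the magic bytes "k8s\x00".
ENC_PREFIX = re.compile(rb"^k8s:enc:(?P<provider>[a-z0-9]+):v(?P<version>\d+):(?P<key>[^:]+):")
PLAIN_MAGIC = b"k8s\x00"

# Constructed samples. The encrypted one reuses the prefix and the first 16
# ciphertext bytes from this page's hexdump; the plaintext one is a made-up
# truncated protobuf header, only the magic matters here.
SAMPLE_ENCRYPTED = (b"k8s:enc:aescbc:v1:key1:"
                    + bytes.fromhex("5870281de4b7ff4a79aaf5fb08b6c757"))
SAMPLE_PLAINTEXT = PLAIN_MAGIC + b"\n\x0c\n\x02v1\x12\x06Secret"
# `etcdctl get <key>` prints the key, a newline, the value, and a trailing newline.
SAMPLE_ETCDCTL_OUTPUT = b"/registry/secrets/default/my-secret\n" + SAMPLE_ENCRYPTED + b"\n"


def split_etcdctl_get(output: bytes):
    """Split raw `etcdctl get` output into (key, value). Only the first newline
    separates key from value; ciphertext bytes may themselves contain 0x0a."""
    key, sep, rest = output.partition(b"\n")
    if not sep:
        raise ValueError("no key/value separator in etcdctl output")
    value = rest[:-1] if rest.endswith(b"\n") else rest  # drop the one trailing newline
    return key.decode(), value


def classify_etcd_value(raw: bytes) -> dict:
    """Report whether the stored object is encrypted and, if so, by which
    provider and key name (the key name is the one from EncryptionConfiguration)."""
    m = ENC_PREFIX.match(raw)
    if m:
        return {
            "encrypted": True,
            "provider": m["provider"].decode(),
            "key": m["key"].decode(),
            "ciphertext_len": len(raw) - m.end(),
        }
    if raw.startswith(PLAIN_MAGIC):
        return {"encrypted": False, "provider": None, "key": None, "ciphertext_len": 0}
    raise ValueError("unrecognised etcd value format")


def unencrypted_keys(entries):
    """Given (key, value) pairs, return the etcd keys still stored in plaintext.
    Useful after enabling encryption, since existing objects stay plaintext
    until they are rewritten."""
    return [k for k, v in entries if not classify_etcd_value(v)["encrypted"]]


if __name__ == "__main__":
    key, value = split_etcdctl_get(SAMPLE_ETCDCTL_OUTPUT)
    print(key, classify_etcd_value(value))
    print("still plaintext:", unencrypted_keys([
        (key, value),
        ("/registry/secrets/default/old-secret", SAMPLE_PLAINTEXT),
    ]))
```

Feeding it real data is a matter of running the page's `etcdctl get` command without `hexdump` and reading stdout as bytes; any key listed by `unencrypted_keys` was written before encryption was enabled and needs to be rewritten (the docs' `kubectl get secrets --all-namespaces -o json | kubectl replace -f -` step) before it is protected.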