# Kubernetes Secrets Management

## What Are Secrets

Kubernetes Secrets are used to store sensitive information such as passwords, tokens and certificates.
## Creating a Secret

### From the command line

```bash
# Create from literal values
kubectl create secret generic mysecret \
  --from-literal=username=admin \
  --from-literal=password=secret123

# Create from files
kubectl create secret generic mysecret \
  --from-file=./username.txt \
  --from-file=./password.txt

# TLS Secret
kubectl create secret tls my-tls-secret \
  --cert=./tls.crt \
  --key=./tls.key
```
### From YAML

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=        # base64-encoded
  password: c2VjcmV0MTIz
stringData:
  api-key: "my-api-key"     # base64-encoded automatically by the API server
```
## Decoding a Secret

```bash
kubectl get secret mysecret -o jsonpath='{.data.username}' | base64 -d
```
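The two manifests above show the same thing from both ends: `kubectl create secret` base64-encodes each value into `.data`, and `kubectl get ... | base64 -d` reverses it. The following added example (not part of the original page or of kubectl) builds a Secret manifest the way `--from-literal` does, then decodes one back, including the API server's merge rule that a key present in both `data` and `stringData` takes its value from `stringData`. The `PAGE_SECRET` dict is the page's own manifest transcribed into Python; the function names are this example's own.

```python
import base64


def build_secret_manifest(name, literals, namespace="default"):
    """Build the manifest `kubectl create secret generic --from-literal` produces:
    every value is base64-encoded into .data. (Helper of this example, not kubectl.)"""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in literals.items()}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": data,
    }


def decode_secret(manifest):
    """Return the plaintext key/value pairs of a Secret manifest.

    Mirrors how the API server merges the two fields: `data` holds base64,
    `stringData` holds plain text, and a key present in both is taken from
    `stringData`. base64 is an encoding, not encryption: anyone who can read
    the object can recover the values.
    """
    values = {}
    for key, encoded in (manifest.get("data") or {}).items():
        # validate=True rejects values that are not valid base64 instead of
        # silently dropping characters.
        values[key] = base64.b64decode(encoded, validate=True).decode()
    values.update(manifest.get("stringData") or {})
    return values


# The Secret manifest from the page, transcribed into a dict (constructed here).
PAGE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "mysecret"},
    "type": "Opaque",
    "data": {"username": "YWRtaW4=", "password": "c2VjcmV0MTIz"},
    "stringData": {"api-key": "my-api-key"},
}


if __name__ == "__main__":
    built = build_secret_manifest("mysecret", {"username": "admin", "password": "secret123"})
    print("encoded .data:", built["data"])
    print("decoded page Secret:", decode_secret(PAGE_SECRET))
```

The merge order in `decode_secret` matters when a manifest is edited by hand: adding a key to `stringData` silently overrides the same key in `data`, which is a common source of "the password I see in `kubectl get` is not the one I set" confusion.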
## Using a Secret

### Environment variables

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  selector:                   # selector and matching labels are required for a valid Deployment
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myapp:latest   # placeholder image
          env:
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: db-secret
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-secret
                  key: password
```
### Volume mount

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  selector:                   # selector and matching labels are required for a valid Deployment
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myapp:latest   # placeholder image
          volumeMounts:
            - name: secrets
              mountPath: /etc/secrets
              readOnly: true
      volumes:
        - name: secrets
          secret:
            secretName: mysecret
```
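With the volume mount above, each key of `mysecret` becomes a file under `/etc/secrets`, and the kubelet rewrites those files when the Secret changes; values injected as environment variables are fixed when the container starts. The following added example (this page's own code, not from Kubernetes or any project) shows the consumer side: a small reader that fetches a mounted key fresh on every call and strips the trailing newline that `--from-file` often captures. The rotation demo uses a temporary directory in place of `/etc/secrets`, so it is a constructed simulation, not a real pod.

```python
import tempfile
from pathlib import Path


class MountedSecrets:
    """Reads keys of a Secret mounted as files under mount_path (e.g. /etc/secrets).

    Each call re-reads the file, so a rotated Secret is picked up without a pod
    restart. Environment-variable injection, by contrast, is a snapshot taken
    at container start and needs a rollout to change.
    """

    def __init__(self, mount_path):
        self.mount_path = Path(mount_path)

    def has(self, key):
        return (self.mount_path / key).is_file()

    def get(self, key):
        path = self.mount_path / key
        if not path.is_file():
            raise KeyError(f"secret key {key!r} is not mounted at {path}")
        # Files created with --from-file frequently end in a newline left by
        # the editor; strip it so it does not become part of a password.
        return path.read_text().rstrip("\n")


def demo_rotation():
    """Simulate the kubelet rewriting a projected Secret file on rotation.

    Uses a temp dir instead of /etc/secrets (constructed sample, not a real pod).
    Returns the value read before and after the rotation.
    """
    with tempfile.TemporaryDirectory() as mount:
        secrets = MountedSecrets(mount)
        Path(mount, "password").write_text("secret123\n")
        before = secrets.get("password")
        # Rotation: the kubelet swaps in the updated file contents.
        Path(mount, "password").write_text("r0tated!\n")
        after = secrets.get("password")
        return before, after


if __name__ == "__main__":
    print("before/after rotation:", demo_rotation())
```

Two caveats worth knowing when relying on this behaviour: a file mounted with `subPath` is not updated on rotation, and the kubelet refresh is periodic, so a new value appears after a short delay rather than instantly.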
## External Secrets Management

### External Secrets Operator

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: db-secret
  data:
    - secretKey: username
      remoteRef:
        key: prod/database
        property: username
    - secretKey: password
      remoteRef:
        key: prod/database
        property: password
```
### HashiCorp Vault

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: db-secret
spec:
  vaultAuthRef: default
  mount: secret
  type: kv-v2           # KV engine version of the mount; required by the Vault Secrets Operator
  path: prod/database
  destination:
    name: db-secret
    create: true
```
### Sealed Secrets

```bash
# Install the Sealed Secrets controller
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.20.0/controller.yaml

# Install kubeseal
brew install kubeseal

# Create a Sealed Secret
kubectl create secret generic mysecret \
  --from-literal=password=secret123 \
  --dry-run=client -o yaml | kubeseal -o yaml > sealed-secret.yaml
```

```yaml
# sealed-secret.yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
spec:
  encryptedData:
    password: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq...
```
## In Practice: A Secret Management Strategy

```yaml
# 1. External secret store configuration
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-west-2
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: aws-credentials
            key: access-key
            namespace: external-secrets   # a ClusterSecretStore must name the Secret's namespace (value assumed)
          secretAccessKeySecretRef:
            name: aws-credentials
            key: secret-key
            namespace: external-secrets
---
# 2. Application Secret configuration
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: app-secrets
  data:
    - secretKey: db-password
      remoteRef:
        key: production/database
        property: password
    - secretKey: api-key
      remoteRef:
        key: production/api
        property: key
```
## Best Practices

- Do not store plaintext Secrets in Git
- Use an external secret manager
- Restrict who and what can access Secrets
- Rotate Secrets regularly
- Use RBAC to control access
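The first practice is the one most easily enforced mechanically: a plain `kind: Secret` with a `data` or `stringData` block should never reach a Git repository, whereas `SealedSecret`, `ExternalSecret` and `VaultStaticSecret` objects are safe to commit because they carry no plaintext. The following added pre-commit check (written for this page, not part of any project) scans multi-document manifest files for exactly that pattern. It is deliberately line-based and dependency-free rather than a YAML parser, which is enough for manifests formatted the way `kubectl` and the examples above write them; the sample repository content is constructed inline, with a placeholder ciphertext in the SealedSecret.

```python
import re
import sys

KIND_RE = re.compile(r"^kind:[ \t]*(\S+)[ \t]*$", re.MULTILINE)
NAME_RE = re.compile(r"^[ \t]+name:[ \t]*(\S+)[ \t]*$", re.MULTILINE)
# A top-level data: or stringData: block is what carries secret material.
PAYLOAD_RE = re.compile(r"^(data|stringData):[ \t]*$", re.MULTILINE)


def split_documents(text):
    """Split a multi-document YAML file on '---' separators."""
    return [doc for doc in re.split(r"^---[ \t]*$", text, flags=re.MULTILINE) if doc.strip()]


def find_committed_secrets(text, filename="manifest.yaml"):
    """Return (filename, secret name) for every plain Secret carrying data.

    SealedSecret, ExternalSecret, ClusterSecretStore and VaultStaticSecret
    documents pass because their kind is not 'Secret'; a Secret whose values
    come only from an operator at runtime has no data block and passes too.
    """
    findings = []
    for doc in split_documents(text):
        kind = KIND_RE.search(doc)
        if not kind or kind.group(1) != "Secret":
            continue
        if not PAYLOAD_RE.search(doc):
            continue
        name = NAME_RE.search(doc)  # first indented name: is metadata.name
        findings.append((filename, name.group(1) if name else "<unnamed>"))
    return findings


def main(paths):
    """Pre-commit entry point: non-zero exit if any plaintext Secret is staged."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8") as f:
            findings.extend(find_committed_secrets(f.read(), path))
    for filename, name in findings:
        print(f"{filename}: plaintext Secret {name!r} must not be committed; "
              f"use a SealedSecret or ExternalSecret instead")
    return 1 if findings else 0


# Constructed sample file: one plaintext Secret (should be flagged), one
# SealedSecret with a placeholder ciphertext and one ExternalSecret (both fine).
SAMPLE_REPO_FILE = """\
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: c2VjcmV0MTIz
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
spec:
  encryptedData:
    password: AgB-PLACEHOLDER-CIPHERTEXT
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  target:
    name: app-secrets
"""


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wire `main` into a pre-commit hook over the staged `*.yaml` files so the check runs before the commit exists; catching a Secret after it has been pushed means treating the value as compromised and rotating it, since rewriting history does not reliably purge every clone.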
## Summary

Secrets management is an important part of Kubernetes security. With tools such as the External Secrets Operator and Sealed Secrets, sensitive information can be managed safely.