Secret
Used to store sensitive information; a Secret is scoped to a namespace.
How to create a Secret
Create a Secret named my-password that stores the key-value pair password=1q2w3e4r
vagrant@ubuntu:~$ kubectl create secret generic my-password --from-literal password=1q2w3e4r
secret/my-password created
vagrant@ubuntu:~$ kubectl get secrets
NAME TYPE DATA AGE
default-token-sh8hv kubernetes.io/service-account-token 3 3d22h ⇐ Secret created automatically for each namespace by the ServiceAccount
my-password Opaque 1 9s
Create a Secret from files
vagrant@ubuntu:~$ echo mypassword > pw1 && echo yourpassword > pw2
vagrant@ubuntu:~$ cat pw1
mypassword
vagrant@ubuntu:~$ cat pw2
yourpassword
vagrant@ubuntu:~$ kubectl create secret generic out-password --from-file pw1 --from-file pw2
secret/out-password created
vagrant@ubuntu:~$ kubectl get secrets
NAME TYPE DATA AGE
default-token-sh8hv kubernetes.io/service-account-token 3 3d22h
my-password Opaque 1 5m29s
out-password Opaque 2 51s
Inspect the contents of a Secret
vagrant@ubuntu:~$ kubectl describe secret my-password
Name: my-password
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password: 8 bytes ⇐ the value for the password key is not shown (only the size (length) of the value is printed)
vagrant@ubuntu:~$ kubectl get secret my-password -o yaml
apiVersion: v1
data:
  password: MXEydzNlNHI= ⇐ Base64-encoded (not encrypted)
kind: Secret
metadata:
  creationTimestamp: "2020-09-22T04:49:44Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:password: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2020-09-22T04:49:44Z"
  name: my-password
  namespace: default
  resourceVersion: "81153"
  selfLink: /api/v1/namespaces/default/secrets/my-password
  uid: e597d8d2-479e-464f-934d-5d2ae7f232c8
type: Opaque
vagrant@ubuntu:~$ echo MXEydzNlNHI= | base64 -d
1q2w3e4r
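An added example, not part of the original post, that runs offline without a cluster. It shows two things from the sections above: values under data: are only Base64-encoded, so anyone who can read the object recovers them, and --from-file stores the file's bytes verbatim, so pw1 written with echo keeps its trailing newline. The function names and the trimmed sample YAML are constructed for this example.

```bash
#!/bin/sh
# Added example; runs offline (no cluster, no kubectl).

# Constructed sample: trimmed `kubectl get secret my-password -o yaml` output.
SAMPLE_YAML='apiVersion: v1
data:
  password: MXEydzNlNHI=
kind: Secret
type: Opaque'

# Read Secret YAML on stdin; print "key<TAB>bytes<TAB>value" for each entry
# under the top-level data: map. Base64 is an encoding, so no key is needed.
decode_secret_data() {
  awk '
    /^data:/           { in_data = 1; next }
    /^[^ ]/            { in_data = 0 }   # next top-level key ends the map
    in_data && NF == 2 { sub(/:$/, "", $1); print $1, $2 }
  ' | while read -r key b64; do
    value=$(printf '%s' "$b64" | base64 -d)   # $(...) drops trailing newlines
    bytes=$(printf '%s' "$b64" | base64 -d | wc -c | tr -d ' ')
    printf '%s\t%s\t%s\n' "$key" "$bytes" "$value"
  done
}

# Base64 of a file's raw bytes: the value --from-file stores under data:.
from_file_b64() {
  base64 < "$1" | tr -d '\n'
}

demo() {
  tmp=$(mktemp -d)
  echo mypassword > "$tmp/pw1"                # as in the post: newline included
  printf '%s' mypassword > "$tmp/pw1-clean"   # no trailing newline
  printf '%s\n' "$SAMPLE_YAML" | decode_secret_data
  for f in pw1 pw1-clean; do
    printf 'data:\n  %s: %s\n' "$f" "$(from_file_b64 "$tmp/$f")" | decode_secret_data
  done
  rm -rf "$tmp"
}

demo
```

The byte column is the same count that kubectl describe secret prints, which is how a stray newline in a file-based Secret shows up before an application fails to authenticate with it.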
Bringing key-value pairs stored in a Secret into a Pod
Import all key-value pairs stored in a Secret as environment variables of the Pod
vagrant@ubuntu:~$ vi env-from-secret.yml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-example
spec:
  containers:
  - name: my-container
    image: busybox
    args: ["tail", "-f", "/dev/null"]
    # envFrom: every key in the my-password Secret becomes an environment variable
    envFrom:
    - secretRef:
        name: my-password
vagrant@ubuntu:~$ kubectl apply -f env-from-secret.yml
pod/secret-env-example created
vagrant@ubuntu:~$ kubectl exec secret-env-example -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=secret-env-example
password=1q2w3e4r
HOSTNAME_SVC_NODEPORT_SERVICE_PORT_WEB_PORT=8080
HOSTNAME_SVC_NODEPORT_PORT=tcp://10.111.29.91:8080
HOSTNAME_SVC_NODEPORT_PORT_8080_TCP_PORT=8080
KUBERNETES_SERVICE_PORT=443
HOSTNAME_SVC_NODEPORT_SERVICE_PORT=8080
KUBERNETES_PORT_443_TCP_PROTO=tcp
HOSTNAME_SVC_NODEPORT_PORT_8080_TCP_ADDR=10.111.29.91
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
HOSTNAME_SVC_NODEPORT_SERVICE_HOST=10.111.29.91
HOSTNAME_SVC_NODEPORT_PORT_8080_TCP=tcp://10.111.29.91:8080
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_SERVICE_HOST=10.96.0.1
HOSTNAME_SVC_NODEPORT_PORT_8080_TCP_PROTO=tcp
HOME=/root