CKA (Certified Kubernetes Administrator)/Kode Kloud

4. Application Lifecycle Management - Secrets

seulseul 2022. 1. 21. 11:20

Application Lifecycle Management

 
1) Rolling Updates and Rollbacks
2) Commands and Arguments
6) Init Containers

01. How many Secrets exist on the system?

In the current (default) namespace.

Answer: 1

controlplane ~ ➜  kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-f8d9m   kubernetes.io/service-account-token   3      14m

02. How many secrets are defined in the default-token secret?

Answer: 3

Run the command kubectl describe secrets default-token-<id> and look at the Data field.

There are three entries - ca.crt, namespace and token.


controlplane ~ ➜  kubectl describe secrets default-token-f8d9m
Name:         default-token-f8d9m
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: 9458c5cd-cb17-43fb-8979-842095ebf4e6

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     566 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IlNuOXMyV1VnNTkyRU8ycl9ZaE9qdEt5N2JPN1ZDVEtJc3dFQ3Itb1VmdXcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tZjhkOW0iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6Ijk0NThjNWNkLWNiMTctNDNmYi04OTc5LTg0MjA5NWViZjRlNiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.xyY2Fr1MBckquFrkrOgycvnyvglRpS7zjnWpUvcWeKGMQDI1zYfc2beb7OFDGhGxICKdgOntiJcZ6mYZbCEsTWbDpaKwSbWnXFyU1wuF9TN-09VmG5MvAsLr_ibhxwWMDMs7hgouzQpqSrLRVts5le0IX4glai4EOC0IbyyyQrpzVaCZ0TeIRcgWQL_lDo4aeY8s9gY2bkzlRxZVYaG1fhdG3KACP5UUFdRqVaYit19IsbNh3U1hbppjQ4_NnceaEAsDr0h67Rn10e_l7TO91m5NxYQq1oLk5OhThkVkU24JcLCu6acoZUXPUn3JqaSZqocgWAqerplz9ayXCn6TaA

03. What is the type of the default-token secret?

Answer: kubernetes.io/service-account-token

04. Which of the following is not a secret data key defined in the default-token secret?

Answer: type

 

05. We are going to deploy an application with the architecture below.

We have already deployed the required pods and services. Check out the pods and services created. Check out the web application using the Webapp MySQL link above your terminal, next to the Quiz Portal Link.

Ok

06. You may follow any one of the methods discussed in the lecture to create the secret.

  • Secret Name: db-secret
  • Secret 1: DB_Host=sql01
  • Secret 2: DB_User=root
  • Secret 3: DB_Password=password123

# Hint
Secrets can be easily created using imperative commands.

Use the kubectl create secret command with --from-literal to pass in the secret data as key-value pairs.

You may also create the secret using a YAML file.
Run the command:

kubectl create secret generic db-secret --from-literal=DB_Host=sql01 --from-literal=DB_User=root --from-literal=DB_Password=password123
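The hint mentions the YAML route but does not show it. As an added example (not the lab's or KodeKloud's code), this POSIX shell snippet generates the declarative equivalent of the imperative command above: every value has to go into the `data` map base64-encoded, which is exactly what `kubectl create secret generic` does for you behind the scenes. The secret name and key/value pairs are the lab's; the helper names `b64` and `secret_manifest` are mine.

```shell
#!/bin/sh
# Added example, not part of the lab: emit a Secret manifest whose `data`
# map carries the base64-encoded form of each literal value.

# Base64-encode one value. printf (not echo) so no trailing newline is
# encoded into the secret, a classic source of "wrong password" bugs.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# secret_manifest NAME KEY=VALUE [KEY=VALUE ...]
# Prints a type: Opaque Secret, the type `create secret generic` produces.
secret_manifest() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}   # text before the first '='
    val=${kv#*=}    # everything after it (values may themselves contain '=')
    printf '  %s: %s\n' "$key" "$(b64 "$val")"
  done
}

# Lab values; redirect to db-secret.yaml and `kubectl apply -f` it.
secret_manifest db-secret DB_Host=sql01 DB_User=root DB_Password=password123
```

If you would rather keep plaintext in the file, Kubernetes also accepts a `stringData` map, which the API server encodes for you on write; the stored object still ends up with the same base64 `data` either way, so the manifest deserves the same handling as the password it contains.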

 

07. Configure webapp-pod to load environment variables from the newly created secret.

Delete and recreate the pod if required.

  • Pod name: webapp-pod
  • Image name: kodekloud/simple-webapp-mysql
  • Env From: Secret=db-secret

 

# Hint

Expose the secret as environment variables to be used by the webapp-pod pod.

Refer to the documentation by clicking the tab called Use Secrets in a Pod.

 

---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: webapp-pod
  name: webapp-pod
  namespace: default
spec:
  containers:
  - image: kodekloud/simple-webapp-mysql
    imagePullPolicy: Always
    name: webapp
    envFrom:
    - secretRef:
        name: db-secret

 

08. View the web application to verify it can successfully connect to the database

 


Secret

What if you want to store a password and account details for a particular DB? The ConfigMaps covered above are not encrypted, so their contents can leak easily.
To guard against such leaks, Kubernetes also provides a type called Secret.

Even when you look inside the data (with the get command), it is encrypted, so it cannot be read easily.
The lecture says it is encrypted with base64, but it seems other encryption methods should be possible as well.
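A caveat worth making explicit, added here as an example that is not part of the original post or the lab: base64 is a reversible encoding, not encryption, so any principal allowed to `get` the Secret object reads every value in plaintext with a single decode. The `data:` block below is a constructed sample shaped like what `kubectl get secret db-secret -o yaml` returns for the lab's db-secret; the helper names are mine. For a defender the consequence is that the encoding protects nothing: grant `get`/`list` on Secrets narrowly through RBAC, and turn on encryption at rest so the etcd copy is not stored as this same base64.

```shell
#!/bin/sh
# Added example, not part of the lab: show that a Secret's `data` values
# are plain base64 by decoding them back to the literals used at creation.

# Constructed sample: the `data:` block as `kubectl get secret db-secret -o yaml`
# prints it for the lab's db-secret (keys sorted, values base64).
SAMPLE_DATA='DB_Host: c3FsMDE=
DB_Password: cGFzc3dvcmQxMjM=
DB_User: cm9vdA=='

# Decode one base64 value back to its plaintext.
decode_value() { printf '%s' "$1" | base64 -d; }

# Turn a "key: base64" block into key=plaintext lines, one per entry.
decode_secret_data() {
  printf '%s\n' "$1" | while IFS=': ' read -r key val; do
    [ -n "$key" ] || continue
    printf '%s=%s\n' "$key" "$(decode_value "$val")"
  done
}

# Plaintext of a single key, e.g. secret_value "$SAMPLE_DATA" DB_Password
secret_value() {
  decode_secret_data "$1" | sed -n "s/^$2=//p"
}

decode_secret_data "$SAMPLE_DATA"
```

Against a live cluster the single-key form is `kubectl get secret db-secret -o jsonpath='{.data.DB_Password}' | base64 -d`, which is also the quickest way to confirm a value was stored without a stray trailing newline.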

 
It also has the following characteristics:
- The data is sent to the corresponding Pod when that Pod requests it
- When the corresponding Pod is deleted, the Secret data is deleted along with it
- It is stored in tmpfs rather than on disk storage (tmpfs: volatile memory)


 


# Bookmark #

https://kubernetes.io/ko/docs/concepts/configuration/secret/

Secret

A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Without Secrets, such sensitive information could end up in a Pod specification or in a container image.

https://kubernetes.io/ko/docs/tasks/configmap-secret/_print/

Managing Secrets

Managing confidential configuration data using Secrets.