

k8s management/handling of secrets inside container

I'm currently migrating my docker deployment to k8s manifests and I was wondering about the handling of secrets. Currently my docker container fetches /run/secrets/app_secret_key to get the sensitive information inside the container as env var. But does that have any benefit in comparison to k8s secrets handling, as on the other side I can also do something like this in my manifest.yaml:

env:
- name: MYSQL_PASSWORD
  valueFrom:
    secretKeyRef:
      name: mysql-password
      key: password

which then directly brings the secret as an env variable inside the container ... The only difference I was able to notice is that if I fetch /run/secrets/app_secret_key inside the container like so (docker-entrypoint.sh):

export APP_SECRET_KEY="$(cat /run/secrets/app_secret_key)"

the env var is not visible when I access the container after deployment; it seems that the env var is only available in the "session" where docker-entrypoint.sh gets initially triggered (at container/pod startup).

So my question now is what makes more sense here: simply go with the env: statement shown above or stay with manually fetching /run/secrets/app_secret_key inside the container ...

Thanks in advance

To be frank both are different implementations of the same thing; you can choose either one, but I will prefer the kubernetes approach of mounting the secret over the container reading it at run time, simply because of visibility.

Won't matter if you look at one container, but when we have 30-40+ microservices running across 4-5+ environments and have like 100 or even 200 secrets, in this case when one deployment goes wrong we can look at the deployment manifest and figure out the entire application. We don't have to search for the docker file to understand what is happening.

Exposing a secret as env var or file is just a flavor to use the secret the k8s way.

Some secrets like a password are just a one-line string, so it's convenient to use them as env vars. Other secrets like an ssh private key or TLS certificate can be multiple lines; that's why you can mount the secret as a volume instead.

Still, it's recommended to declare your secrets as k8s secret resources. That way you can fetch the value needed via kubectl without having to go inside the container. You can also make a template like a helm chart that generates the secret manifests at deployment. With RBAC, you can also control who can read the secret manifests.

As per your comments, yes any user that can go inside the container will have access to the resources available to the shell user.
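The two consumption flavors described in this answer side by side, as an added example that is not part of the original post: one Secret whose one-line password is injected via secretKeyRef and whose multi-line certificate is mounted as a read-only file, plus a Role that limits reading to that single Secret by name. All names, the image and the secret values are placeholders.

```yaml
# Added example, not from the original post; names and values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
stringData:
  password: "placeholder-password"   # one-line value: fine as an env var
  tls.crt: |                         # multi-line value: mount as a file instead
    -----BEGIN CERTIFICATE-----
    placeholder-not-a-real-cert
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
  - name: app
    image: registry.example/app:1.0  # placeholder image
    env:
    - name: MYSQL_PASSWORD           # visible to every process in the container
      valueFrom:
        secretKeyRef:
          name: app-secrets
          key: password
    volumeMounts:
    - name: tls
      mountPath: /run/secrets/tls    # file lands at /run/secrets/tls/tls.crt
      readOnly: true
  volumes:
  - name: tls
    secret:
      secretName: app-secrets
      items:
      - key: tls.crt                 # mount only this key, not the password
        path: tls.crt
      defaultMode: 0440              # pair with securityContext.fsGroup if non-root
---
# Grant "get" on this one Secret only; no list/watch, no wildcard on secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-app-secrets
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["app-secrets"]
  verbs: ["get"]
```

A RoleBinding still has to attach the Role to a user or service account; until then nobody gains read access from it. The kubectl lookup the answer mentions is `kubectl get secret app-secrets -o jsonpath='{.data.password}' | base64 -d`, which needs exactly the "get" verb granted above.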

