[CKA] KodeKloud - Secrets

by 쯀리♥️ 2024. 7. 4.
Hello, this is 쯀리.

Today we will look at Secrets in k8s.
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/
Distribute Credentials Securely Using Secrets
What a Secret is

In Kubernetes, a "Secret" is an object used to store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys. A Secret object lets you store this sensitive data safely and deliver it safely to the Pods or containers that need it.


Quiz.

1. How many Secrets exist on the system?

controlplane ~ ➜  k get secret
NAME              TYPE                                  DATA   AGE
dashboard-token   kubernetes.io/service-account-token   3      18s

One.

2. How many secrets are defined in the dashboard-token secret?
It holds 3 data entries.

3. What is the type of the dashboard-token secret?
kubernetes.io/service-account-token

4. Which of the following is not a secret data defined in the dashboard-token secret?

controlplane ~ ➜  k describe secret dashboard-token
Name:         dashboard-token
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-sa
              kubernetes.io/service-account.uid: e699d6bd-fb89-4304-affb-d016f003e4a3

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     566 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImlyenNCWlNkVkE5MzlzZ
....

type is not defined as a data entry.

5. We are going to deploy an application with the below architecture
We have already deployed the required pods and services. Check out the pods and services created. Check out the web application using the Webapp MySQL link above your terminal, next to the Quiz Portal Link.

controlplane ~ ➜  k get pods
NAME         READY   STATUS    RESTARTS   AGE
webapp-pod   1/1     Running   0          73s
mysql        1/1     Running   0          73s

controlplane ~ ➜  k get svc
NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
kubernetes       ClusterIP   10.43.0.1       <none>        443/TCP          13m
webapp-service   NodePort    10.43.242.190   <none>        8080:30080/TCP   77s
sql01            ClusterIP   10.43.232.27    <none>        3306/TCP         77s

The problem is that the SQL connection is failing!

6. The reason the application is failed is because we have not created the secrets yet. Create a new secret named db-secret with the data given below.
You may follow any one of the methods discussed in lecture to create the secret.

Secret Name: db-secret
Secret 1: DB_Host=sql01
Secret 2: DB_User=root
Secret 3: DB_Password=password123

I chose to convert the values to base64 and create the secret from a manifest file.

controlplane ~ ➜  echo -n 'sql01' | base64
c3FsMDE=
controlplane ~ ➜  echo -n 'root' | base64
cm9vdA==
controlplane ~ ➜  echo -n 'password123' | base64
cGFzc3dvcmQxMjM=

controlplane ~ ➜  vi db-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
data:
  DB_Host: c3FsMDE=
  DB_User: cm9vdA==
  DB_Password: cGFzc3dvcmQxMjM=

Alternatively, you can create it with the following command:

kubectl create secret generic db-secret --from-literal=DB_Host=sql01 --from-literal=DB_User=root --from-literal=DB_Password=password123
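The two methods above produce the same object: a manifest whose data values are base64-encoded, which is what the imperative command does for you. The script below is an added example (not part of the original post or the KodeKloud lab) that builds that manifest from plain KEY=VALUE pairs, using only a POSIX shell and the base64 utility; the function names b64, b64_decode and make_secret_manifest are my own, and the constructed values are the ones from the quiz. It uses printf rather than echo -n, because a bare echo would encode the trailing newline and the application would then try to reach host "sql01\n" rather than "sql01".

```shell
#!/bin/sh
# Added example: build a Kubernetes Secret manifest from plain KEY=VALUE pairs.
# Assumes a POSIX shell and the base64 utility; kubectl is needed only to
# apply the generated file, not to generate it.

# Base64-encode one value with no trailing newline.
# printf '%s' is used instead of echo -n: echo -n is not portable across
# shells, and a bare echo would encode the newline into the Secret.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode one value the way you would inspect a live Secret, e.g.
#   kubectl get secret db-secret -o jsonpath='{.data.DB_Host}' | base64 -d
b64_decode() {
  printf '%s' "$1" | base64 -d
}

# Emit a Secret manifest on stdout.
# Usage: make_secret_manifest NAME KEY=VALUE [KEY=VALUE ...]
make_secret_manifest() {
  name="$1"
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for pair in "$@"; do
    key="${pair%%=*}"     # text before the first '='
    value="${pair#*=}"    # everything after the first '=' (may itself contain '=')
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# Constructed sample input: the three values from the quiz.
make_secret_manifest db-secret DB_Host=sql01 DB_User=root DB_Password=password123
# Apply on the cluster with:
#   make_secret_manifest db-secret DB_Host=sql01 DB_User=root DB_Password=password123 | kubectl apply -f -
```

Note what this does not do: base64 is an encoding, not encryption. Anyone who can `kubectl get` the Secret can run the values through `base64 -d`, so read access to Secrets should be restricted with RBAC, and the values should be protected at rest in etcd with encryption at rest rather than relying on the encoding.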
7. Configure webapp-pod to load environment variables from the newly created secret.
Delete and recreate the pod if required.

Pod name: webapp-pod
Image name: kodekloud/simple-webapp-mysql
Env From: Secret=db-secret
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: webapp-pod
  name: webapp-pod
  namespace: default
spec:
  containers:
  - image: kodekloud/simple-webapp-mysql
    imagePullPolicy: Always
    name: webapp
    envFrom:
    - secretRef:
        name: db-secret
Opening the web page again, it works!!


Today we looked at how to configure the secrets each pod uses.
Accessing credentials through a Secret rather than writing them directly into the code looks better for security.

Next time we will look at Multi Container PODs.
References

Udemy Labs - Certified Kubernetes Administrator with Practice Tests