[CKA] 30. Configure Secrets

Date: 2025/01/01
Category: Devops
Tags: Kubernetes, CKA, Management

Secrets

A ConfigMap stores configuration data in plain text. So when handling sensitive configuration such as database settings, putting the hostname and username in a ConfigMap is fine, but it is not suitable for storing the password. A Secret is used to store sensitive information such as passwords or keys, and it stores the data in an encoded format. It works like a ConfigMap, in two steps: 'Create Secret' and 'Inject into Pod'.

Create Secrets

Imperative

kubectl create secret generic <secret-name> --from-literal=<key>=<value>

# kubectl create secret generic \
#   app-secret --from-literal=DB_Host=mysql \
#   --from-literal=DB_User=root \
#   --from-literal=DB_Password=passwrd
Bash
• --from-literal: option used to specify key-value pairs directly in the command itself
kubectl create secret generic <secret-name> --from-file=<path-to-file>
Bash

Declarative

A Secret stores sensitive data in an encoded format. Because writing the data in plain text would not be safe, the values in a Secret definition file must be specified in encoded form.
On Linux, running echo -n on the text you want to convert and piping it to base64 prints the encoded value.
$ echo -n 'mysql' | base64
bXlzcWw=
$ echo -n 'root' | base64
cm9vdA==
$ echo -n 'passwrd' | base64
cGFzc3dyZA==
Bash
# secret-data.yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  DB_Host: bXlzcWw=
  DB_User: cm9vdA==
  DB_Password: cGFzc3dyZA==
YAML

View Secrets

์ƒ์„ฑ๋œ secrets๋ฅผ ํ™•์ธํ•˜๊ธฐ ์œ„ํ•ด kubectl get secrets ๋ช…๋ น์„ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋‹ค. kubectl describe secrets ๋ช…๋ น์„ ์‚ฌ์šฉํ•˜๋ฉด ์†์„ฑ๊ฐ’์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์ง€๋งŒ, key์— ๋Œ€์‘๋˜๋Š” value๋“ค์„ ํ™•์ธ ํ•  ์ˆ˜๋Š” ์—†๋‹ค.
๋”ฐ๋ผ์„œ ๊ฐ’์„ ํ™•์ธํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” yaml ํฌ๋งท์œผ๋กœ secret์„ ํ™•๋ณดํ•ด์•ผ ํ•œ๋‹ค.
kubectl get secret app-secret -o yaml

Decode Secrets

๊ฐ’์„ ๋””์ฝ”๋”ฉํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” ์ธ์ฝ”๋”ฉ์— ์‚ฌ์šฉํ–ˆ๋˜ base64 ์ปค๋งจ๋“œ๋ฅผ ์‚ฌ์šฉํ•˜๋ฉด ๋œ๋‹ค
$ echo -n 'bXlzcWw=' | base64 --decode mysql
Bash
๋ณต์‚ฌ

Inject into Pod

To inject environment variables into a Pod, add the envFrom property to the container. envFrom is a list, so as many environment variables as needed can be set. Put the name of the created Secret in envFrom.secretRef.name.
# pod-definition.yaml
apiVersion: v1
kind: Pod
metadata:
  name: simple-webapp-color
spec:
  containers:
    - name: simple-webapp-color
      image: simple-webapp-color
      ports:
        - containerPort: 8080
      envFrom:
        - secretRef:
            name: app-secret
YAML

Secrets in Pods

A Secret can be injected into a Pod as environment variables, as a single environment variable, or mounted as a volume so that the whole Secret is exposed as files.
ENV
envFrom:
  - secretRef:
      name: app-secret
YAML
SINGLE ENV
env:
  - name: DB_Password
    valueFrom:
      secretKeyRef:
        name: app-secret
        key: DB_Password
YAML
VOLUME
volumes:
  - name: app-secret-volume
    secret:
      secretName: app-secret
YAML
• When a Secret is injected into a Pod as a volume, each attribute of the Secret becomes a file whose content is the value.
$ ls /opt/app-secrets-volumes
DB_Host  DB_Password  DB_User
$ cat /opt/app-secrets-volumes/DB_Password
passwrd
Bash

How to handle

• A Secret is sent to a node only when a Pod on that node needs it.
• Kubelet stores the Secret in tmpfs so that it is not written to disk storage.
• When the Pod that depended on the Secret is deleted, kubelet deletes its local copy of the secret data.

Note on Secrets

Secrets are not Encrypted. Only encoded.

Since a Secret is only encoded, not encrypted, anyone who can read the file can decode it and see the data.
Therefore, do not push Secret files along with your code to an SCM such as GitHub.

Secrets are not encrypted in ETCD

Secrets are stored in ETCD, and by default ETCD does not encrypt its data. For security, consider enabling encryption at rest for the stored data.

Anyone able to create pods/deployments in the same namespace can access the secrets

Anyone who can create Pods in the same namespace can access its Secrets, so configure RBAC (Role-Based Access Control) to restrict that access.

Consider third-party secrets store providers

Using a provider such as AWS, Azure, GCP or Vault keeps Secrets outside ETCD and handles them securely, so it is worth considering one of them.
Secret Store CSI Driver Tutorial | Kubernetes Secrets | AWS Secrets Manager | KodeKloud