当前位置: 代码迷 >> 综合 >> 最小化微服务漏洞 Secret存储敏感数据
  详细解决方案

最小化微服务漏洞 Secret存储敏感数据

热度:59   发布时间:2023-09-30 13:30:07.0
Secret是一个用于存储敏感数据的资源,所有的数据要经过base64编码,数据实际会存储在K8s中Etcd, 然后通过创建Pod时引用该数据。
应用场景:凭据
Pod使用configmap数据有两种方式:
? 变量注入
? 数据卷挂载
kubectl create secret 支持三种数据类型:
? docker-registry:存储镜像仓库认证信息
? generic:从文件、目录或者字符串创建,例如存储用户名密码
? tls:存储证书,例如HTTPS证书

示例:将Mysql用户密码保存到Secret中存储 (敏感的数据可以存储在secret当中)

下面就是123456经过base64位编码,-n是去掉换行符

[root@k8s-master ~]# echo -n 123456 | base64
MTIzNDU2

 通过这种方式在yaml文件里面来指定mysql的密码现然是不安全的,mysql可以读取注入的变量MYSQL_ROOT_PASSWORD值作为其密码,以为describe一下就能够看得到。

        env:- name: MYSQL_ROOT_PASSWORDvalue: 123456
[root@k8s-master ~]# cat mysql.yaml 
apiVersion: v1
kind: Secret
metadata:name: mysql
type: Opaque
data:mysql-root-password: "MTIzNDU2"
---
apiVersion: apps/v1
kind: Deployment
metadata:name: mysql
spec:selector:matchLabels:app: mysqltemplate:metadata:labels:app: mysqlspec:containers:- name: dbimage: mysql:5.7.30env:- name: MYSQL_ROOT_PASSWORDvalueFrom:secretKeyRef:name: mysqlkey: mysql-root-password[root@k8s-master ~]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-j9294   kubernetes.io/service-account-token   3      239d
mysql                 Opaque                                1      7m24s
[root@k8s-master ~]# kubectl describe secret mysql
Name:         mysql
Namespace:    default
Labels:       <none>
Annotations:  <none>Type:  OpaqueData
====
mysql-root-password:  6 bytes[root@k8s-master ~]# kubectl get pod
NAME                     READY   STATUS    RESTARTS   AGE
mysql-5467bf5d7d-g67dm   1/1     Running   0          6m27s
[root@k8s-master ~]# kubectl exec -it mysql-5467bf5d7d-g67dm bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@mysql-5467bf5d7d-g67dm:/# echo $MYSQL_ROOT_PASSWORD
123456root@mysql-5467bf5d7d-g67dm:/# mysql -rroot -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.30 MySQL Community Server (GPL)Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.mysql> 

要查看具体的值可以使用如下: 

[root@k8s-master ~]# kubectl get secret mysql -n default -o jsonpath={.data.mysql-root-password} | base64 -d
123456