
Secrets Management Best Practices

Security Issues with Secrets

By default a Kubernetes Secret is only Base64-encoded, not encrypted, so anyone who can read the object (or etcd) can recover the value. Additional measures are needed to protect it:

  1. etcd encryption at rest
  2. An external secrets manager (Vault, AWS Secrets Manager)
  3. RBAC to restrict who can read Secrets
  4. Audit logging

etcd Encryption at Rest

```yaml
# /etc/kubernetes/encryption-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  # The FIRST provider is used to encrypt new writes; the others only decrypt reads.
  # aescbc works, but upstream docs now prefer aesgcm, secretbox or kms.
  - aescbc:
      keys:
      - name: key1
        secret: <base64-encoded-32-byte-key>
  - identity: {}  # lets the API server still read existing plaintext Secrets during migration
```

```bash
# Enable encryption (kube-apiserver flag)
kube-apiserver --encryption-provider-config=/etc/kubernetes/encryption-config.yaml

# Rewrite every Secret so that it is stored encrypted
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```
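Two checks a cluster operator wants after the steps above: that the EncryptionConfiguration really encrypts new writes (provider order and key length), and that a Secret read straight out of etcd carries the `k8s:enc:<provider>:v1:<key>:` prefix instead of the plaintext protobuf envelope (`k8s\x00`). This is an added example, not code from the page; it assumes the YAML has already been loaded into a dict (for instance with PyYAML, not shown) and that the etcd value comes from `etcdctl get /registry/secrets/<ns>/<name>`.

```python
import base64
import re

# Prefix the kube-apiserver writes in front of each encrypted value in etcd
# (format documented upstream): k8s:enc:<provider>:v1:<key name>:<ciphertext>
ENC_PREFIX = re.compile(rb"^k8s:enc:(aescbc|aesgcm|secretbox|kms):v1:([^:]+):")

def classify_etcd_value(raw: bytes) -> dict:
    """Classify one value read from /registry/secrets/<ns>/<name> in etcd.
    Plaintext Secrets are stored as protobuf and begin with b'k8s\\x00';
    encrypted ones carry the provider prefix matched above."""
    m = ENC_PREFIX.match(raw)
    if m:
        return {"encrypted": True, "provider": m.group(1).decode(), "key": m.group(2).decode()}
    if raw.startswith(b"k8s\x00"):
        return {"encrypted": False, "provider": "identity", "key": None}
    return {"encrypted": False, "provider": "unknown", "key": None}

def audit_encryption_config(cfg: dict) -> list:
    """Return findings for an EncryptionConfiguration loaded into a dict.
    Only the FIRST provider encrypts new writes; the rest only decrypt reads."""
    findings = []
    for res in cfg.get("resources", []):
        label = ",".join(res.get("resources", []))
        providers = res.get("providers", [])
        if not providers:
            findings.append(f"{label}: no providers, writes stay plaintext")
            continue
        first = next(iter(providers[0]))
        if first == "identity":
            findings.append(f"{label}: identity is first, new writes are NOT encrypted")
        elif first == "aescbc":
            findings.append(f"{label}: aescbc works but upstream now prefers aesgcm/secretbox/kms")
        for prov in providers:
            for name, spec in prov.items():
                for key in (spec or {}).get("keys", []):
                    n = len(base64.b64decode(key["secret"]))  # must be 16/24/32 (AES) or 32 (secretbox)
                    ok = n in (16, 24, 32) if name in ("aescbc", "aesgcm") else n == 32
                    if name in ("aescbc", "aesgcm", "secretbox") and not ok:
                        findings.append(f"{label}: key {key['name']} decodes to {n} bytes")
    return findings

# Constructed sample mirroring the config above; the key is 32 zero bytes, not a real key
SAMPLE_CFG = {"resources": [{"resources": ["secrets"], "providers": [
    {"aescbc": {"keys": [{"name": "key1", "secret": base64.b64encode(b"\x00" * 32).decode()}]}},
    {"identity": {}},
]}]}
```

Run `audit_encryption_config` on the parsed config before restarting the API server, and `classify_etcd_value` on a Secret after the `kubectl replace` step: a value still reporting `identity` was not rewritten.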

HashiCorp Vault Integration

```bash
# Install Vault in HA mode
helm repo add hashicorp https://helm.releases.hashicorp.com
helm install vault hashicorp/vault \
  --namespace vault \
  --create-namespace \
  --set "server.ha.enabled=true" \
  --set "server.ha.replicas=3"

# The Vault Agent Injector ships with the chart (injector.enabled, on by default).
# It injects Secrets into Pods automatically based on the annotations below.
```

```yaml
# Pod annotations that trigger Vault injection; "my-app" must be a role in Vault's Kubernetes auth method
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "my-app"
        vault.hashicorp.com/agent-inject-secret-db-creds: "secret/data/my-app/db"
        # Rendered to /vault/secrets/db-creds inside the Pod; the app sources it
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "secret/data/my-app/db" -}}
          export DB_PASSWORD="{{ .Data.data.password }}"
          {{- end }}
```

External Secrets Operator

```bash
# Install the operator
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
  --namespace external-secrets \
  --create-namespace
```

```yaml
# Configure AWS Secrets Manager as a cluster-wide store
# (the ServiceAccount is expected to be bound to an IAM role via IRSA)
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secretsmanager
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
            namespace: external-secrets

---
# Sync a remote secret into a Kubernetes Secret, refreshed every hour
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secretsmanager
    kind: ClusterSecretStore
  target:
    name: db-credentials
    creationPolicy: Owner   # the operator owns and manages the resulting Secret
  data:
  - secretKey: password
    remoteRef:
      key: prod/myapp/database
      property: password
  - secretKey: username
    remoteRef:
      key: prod/myapp/database
      property: username
```

Sealed Secrets (GitOps-friendly)

```bash
# Install the Sealed Secrets controller
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm install sealed-secrets sealed-secrets/sealed-secrets \
  --namespace kube-system

# Install the kubeseal CLI
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.26.0/kubeseal-0.26.0-linux-amd64.tar.gz
tar -xzf kubeseal-0.26.0-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

# Encrypt a Secret with the controller's public key (safe to commit to Git).
# kubeseal looks for a controller named "sealed-secrets-controller" by default,
# so point it at the Helm release name used above.
kubectl create secret generic db-secret \
  --from-literal=password=mypassword \
  --dry-run=client -o yaml | \
  kubeseal --controller-name sealed-secrets \
           --controller-namespace kube-system \
           --format yaml > sealed-db-secret.yaml

# Commit sealed-db-secret.yaml to Git.
# The controller decrypts it in-cluster and creates the real Secret.
```

Content on this site is compiled and written by 褚成志, for learning and reference only.