[TOC]

Previously, Secret data was stored in etcd without any encryption, which carries a certain amount of risk. Kubernetes provides a way to encrypt Secret data at rest.

> **Important**: If a resource cannot be read through the encryption configuration (because the key has changed), the only recourse is to delete that key directly from the underlying etcd. Any call that attempts to read the resource will fail until it is deleted or a valid decryption key is supplied.

## Encrypting data

1. Create a new encryption configuration file

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - secretbox:
          keys:
            - name: key1
              secret: <BASE 64 ENCODED SECRET>
      - identity: {}
```

> - `head -c 32 /dev/urandom | base64` generates a random 32-byte key and base64-encodes it; put that value into the `secret` field.
> - [Important] The `secret` field must not be changed, and this file must not be lost.

2. Edit the kube-apiserver configuration

Set the kube-apiserver `--experimental-encryption-provider-config` parameter so that it points to the location of the configuration file.

> Example: `--encryption-provider-config=/root/secret.yml`

3. Restart kube-apiserver

```shell
systemctl restart kube-apiserver.service
```

4. Verify

```shell
$ kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
secret/secret1 created

# The newly created secret is encrypted, so it is no longer in protobuf format and cannot be parsed
$ etcdhelper get /registry/secrets/default/secret1
WARN: unable to decode /registry/secrets/default/secret1: yaml: control characters are not allowed

# The newly created secret shows up as garbled bytes
etcdctl --cacert /data/etcd/certs/ca.pem --cert /data/etcd/certs/etcd.pem --key /data/etcd/certs/etcd-key.pem --endpoints=https://192.168.31.95:2379,https://192.168.31.78:2379,https://192.168.31.253:2379 get /registry/secrets/default/secret1
/registry/secrets/default/secret1
k8s:enc:secretbox:v1:key1:uKAE+G>\$e29&u/9oisX_]s#!9-=?D4?02

# A secret created before encryption was enabled can still be parsed normally
$ etcdhelper get /registry/secrets/default/app-v1-tls
/v1, Kind=Secret
{
  "kind": "Secret",
  "apiVersion": "v1",
  "metadata": {
    "name": "app-v1-tls",
    "namespace": "default",
    "uid": "55d3ce46-1f18-4b7a-9e6a-8dff6f49ea9b",
    "creationTimestamp": "2022-01-12T06:18:06Z",
    "managedFields": [
    ...
}
```

5. Make sure all Secrets are encrypted

```shell
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```

## Decrypting data

1. Edit the encryption configuration file

Make the identity provider the first entry in the configuration.

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - identity: {}  # move this entry to the first position in providers
      - secretbox:
          keys:
            - name: key1
              secret: uXl5US+HQCIGZL6IRvLXgq11O9dZbbqODJ8onZINhaA=
```

> Everything else stays unchanged

2. Restart kube-apiserver

```shell
systemctl restart kube-apiserver.service
```

3. Make sure all Secrets are decrypted

```shell
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```

4. Verify

```shell
$ etcdhelper get /registry/secrets/default/secret1
/v1, Kind=Secret
{
  "kind": "Secret",
  "apiVersion": "v1",
  "metadata": {
    "name": "secret1",
    "namespace": "default",
    "uid": "2171177e-4392-4ce3-9391-2aea38364a0e",
    "creationTimestamp": "2022-01-28T09:03:35Z",
    "managedFields": [
      {
        "manager": "kubectl",
        "operation": "Update",
        "apiVersion": "v1",
        "time": "2022-01-28T09:03:35Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {"f:data":{".":{},"f:mykey":{}},"f:type":{}}
      }
    ]
  },
  "data": {
    "mykey": "bXlkYXRh"
  },
  "type": "Opaque"
}

$ kubectl get secrets
NAME                   TYPE                                  DATA   AGE
app-v1-tls             kubernetes.io/tls                     2      16d
app-v2-tls-ca          Opaque                                1      11d
app-v2-tls-server      Opaque                                2      11d
default-token-zmhtw    kubernetes.io/service-account-token   3      144d
jiaxzeng-token-fwk7j   kubernetes.io/service-account-token   3      174m
secret1                Opaque                                1      19m
```

5. Edit the kube-apiserver configuration

Remove the kube-apiserver `--experimental-encryption-provider-config` parameter.

6. Restart kube-apiserver

```shell
systemctl restart kube-apiserver.service
```

## Reference

https://kubernetes.io/zh/docs/tasks/administer-cluster/encrypt-data/
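Added example (not code from the original post): a small Python audit that classifies raw etcd values by the `k8s:enc:<provider>:v1:<keyname>:` prefix seen in the etcdctl output above, so you can tell which Secrets are still plaintext (or still under an old key name) before and after the `kubectl replace` rewrite, and checks that a configured secretbox key really is 32 bytes. The sample etcd values are constructed; the `k8s\x00` protobuf magic for unencrypted objects is assumed from the Kubernetes storage format, and the `classify`, `audit` and `SAMPLE_VALUES` names are mine.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Prefix kube-apiserver writes in front of values encrypted at rest,
# e.g. "k8s:enc:secretbox:v1:key1:<ciphertext>" as in the etcdctl output above.
ENC_PREFIX = re.compile(rb"^k8s:enc:(?P<provider>[a-z0-9]+):v(?P<version>\d+):(?P<key>[^:]+):")

@dataclass
class StorageState:
    etcd_key: str
    encrypted: bool
    provider: Optional[str] = None
    key_name: Optional[str] = None

def classify(etcd_key: str, raw_value: bytes) -> StorageState:
    """Classify one raw etcd value as encrypted (with provider and key name) or plaintext."""
    m = ENC_PREFIX.match(raw_value)
    if m:
        return StorageState(etcd_key, True, m["provider"].decode(), m["key"].decode())
    return StorageState(etcd_key, False)

def audit(values: Dict[str, bytes], expected_key: str) -> Dict[str, List[str]]:
    """Group etcd keys by status: still plaintext, encrypted under another key name, or ok."""
    report: Dict[str, List[str]] = {"plaintext": [], "stale_key": [], "ok": []}
    for etcd_key, raw in values.items():
        state = classify(etcd_key, raw)
        if not state.encrypted:
            report["plaintext"].append(etcd_key)   # needs the kubectl replace rewrite
        elif state.key_name != expected_key:
            report["stale_key"].append(etcd_key)   # rewrite before dropping the old key
        else:
            report["ok"].append(etcd_key)
    return report

def valid_secretbox_key(b64: str) -> bool:
    """secretbox needs exactly 32 key bytes (head -c 32 /dev/urandom | base64 yields that)."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

# Constructed sample values mirroring the shapes shown above (not real cluster data).
SAMPLE_VALUES = {
    "/registry/secrets/default/secret1": b"k8s:enc:secretbox:v1:key1:" + b"\x9c\x02\xf1ciphertext",
    "/registry/secrets/default/app-v1-tls": b"k8s\x00" + b"\n\x0c\n\x02v1\x12\x06Secret",  # assumed plaintext protobuf magic
    "/registry/secrets/kube-system/legacy": b"k8s:enc:secretbox:v1:key0:" + b"\x11\x22old",
}
```

Running `audit(SAMPLE_VALUES, "key1")` groups the three sample keys into `ok`, `plaintext` and `stale_key`; feed it the real `etcdctl get --prefix /registry/secrets/` output to audit a cluster.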