forked from docs/doc-exports
Dong, Qiu Jian
6157284549
Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com> Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com> Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
104 lines
7.2 KiB
HTML
104 lines
7.2 KiB
HTML
<a name="cce_bestpractice_0320"></a><a name="cce_bestpractice_0320"></a>
|
|
|
|
<h1 class="topictitle1">Secret Security</h1>
|
|
<div id="body8662426"><p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p1417445419489">Currently, CCE has configured static encryption for secret resources. The secrets created by users will be encrypted and stored in etcd of the CCE cluster. Secrets can be used in two modes: environment variable and file mounting. No matter which mode is used, CCE still transfers the configured data to users. Therefore, it is recommended that:</p>
|
|
<ol id="cce_bestpractice_0320__en-us_topic_0000001226820653_ol1623210174919"><li id="cce_bestpractice_0320__en-us_topic_0000001226820653_li1723210024914">Do not record sensitive information in logs.</li><li id="cce_bestpractice_0320__en-us_topic_0000001226820653_li11631235175718">For the secret that uses the file mounting mode, the default file permission mapped in the container is 0644. Configure stricter permissions for the file. For example:<pre class="screen" id="cce_bestpractice_0320__en-us_topic_0000001226820653_screen5811165542417">apiversion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: mypod
|
|
spec:
|
|
containers:
|
|
- name: mypod
|
|
image: redis
|
|
volumeMounts:
|
|
- name: foo
|
|
mountPath: "/etc/foo"
|
|
volumes:
|
|
- name: foo
|
|
secret:
|
|
secretName: mysecret
|
|
defaultMode: 256</pre>
|
|
<p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p5704161113526">In <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b3442210171617">defaultMode: 256</strong>, <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b621011134166">256</strong> is a decimal number, which corresponds to the octal number <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b95878507176">0400</strong>.</p>
|
|
</li><li id="cce_bestpractice_0320__en-us_topic_0000001226820653_li7471855165910">When the file mounting mode is used, configure the secret file name to hide the file in the container.<pre class="screen" id="cce_bestpractice_0320__en-us_topic_0000001226820653_screen20995191015261">apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: dotfile-secret
|
|
data:
|
|
.secret-file: dmFsdWUtMg0KDQo=
|
|
---
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: secret-dotfiles-pod
|
|
spec:
|
|
volumes:
|
|
- name: secret-volume
|
|
secret:
|
|
secretName: dotfile-secret
|
|
containers:
|
|
- name: dotfile-test-container
|
|
image: k8s.gcr.io/busybox
|
|
command:
|
|
- ls
|
|
- "-1"
|
|
- "/etc/secret-volume"
|
|
volumeMounts:
|
|
- name: secret-volume
|
|
readOnly: true
|
|
mountPath: "/etc/secret-volume"</pre>
|
|
<p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p1714103816314">In this way, <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b127162049111618">.secret-file</strong> cannot be viewed by running the <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b9446555201616">ls -l</strong> command in the <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b1320795914167">/etc/secret-volume/</strong> directory, but can be viewed by running the <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b1172118121174">ls -al</strong> command.</p>
|
|
</li><li id="cce_bestpractice_0320__en-us_topic_0000001226820653_li97928435333">Encrypt sensitive information before creating a secret and decrypt the information when using it.</li></ol>
|
|
<div class="section" id="cce_bestpractice_0320__en-us_topic_0000001226820653_section6268104520397"><h4 class="sectiontitle">Using a Bound ServiceAccount Token to Access a Cluster</h4><p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p12148028135412">The secret-based ServiceAccount token does not support expiration time or auto update. In addition, after the mounting pod is deleted, the token is still stored in the secret. Token leakage may incur security risks. A bound ServiceAccount token is recommended for CCE clusters of version 1.23 or later. In this mode, the expiration time can be set and is the same as the pod lifecycle, reducing token leakage risks. Example:</p>
|
|
<pre class="screen" id="cce_bestpractice_0320__en-us_topic_0000001226820653_screen17607650143219">apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: security-token-example
|
|
namespace: security-example
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: security-token-example
|
|
label: security-token-example
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
seccomp.security.alpha.kubernetes.io/pod: runtime/default
|
|
labels:
|
|
app: security-token-example
|
|
label: security-token-example
|
|
spec:
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b1718111816218">serviceAccountName: test-sa</strong>
|
|
containers:
|
|
- image: ...
|
|
imagePullPolicy: Always
|
|
name: security-token-example
|
|
volumes:
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b99681052110">- name: test-projected</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b6123893115">projected:</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b17693131217116">defaultMode: 420</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b174941151418">sources:</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b71164196113">- serviceAccountToken:</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b25645221015">expirationSeconds: 1800</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b1033314277119">path: token</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b29893118119">- configMap:</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b52150341516">items:</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b194842381510">- key: ca.crt</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b122718541303">path: ca.crt</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b4171647207">name: kube-root-ca.crt</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b091414421010">- downwardAPI:</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b577510382012">items:</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b498812346012">- fieldRef:</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b1332012311018">apiVersion: v1</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b07851026407">fieldPath: metadata.namespace</strong>
|
|
<strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b12351221201">path: namespace</strong></pre>
|
|
<p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p1978522112718">For details, visit https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/.</p>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_bestpractice_0315.html">Security</a></div>
|
|
</div>
|
|
</div>
|
|
|