溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
今天就跟大家聊聊有關如何使用Vault與Kubernetes為密碼提供強有力的保障,可能很多人都不太了解,為了讓大家更加了解,小編給大家總結了以下內容,希望大家根據這篇文章可以有所收獲。
Kubernetes 已經成為了容器編排方案的工業標準,而來自 HashiCorp 的 Vault 則是密碼管理的工業標準。那問題來了: 怎樣將這兩項技術結合使用從而可以讓你在 Kubernetes 的應用程序中使用來自于 Vault 中心實例的密碼呢?
一種解決方法是使用AppRole認證。Boostport為 AppRoles 在 Kubernetes 上的使用提供了完美的集成。另一個可行的方法是使用Kubernetes 認證。這種認證機制為 Vault 和 Kubernetes 集群創建一個可信的聯系因而你可以使用一個服務賬號到 Vault 進行認證。后期你可以使用Kubernetes 的 Vault 節點獲取和更新認證令牌。
這篇實踐的文章中,我會向你展示如何使用一些 Go 助手工具實現諸如認證更新令牌這些相同的工作,并且還會進一步實現-從 Vault 到 Kubernetes 同步預定義的密碼子集。
等級: 高級
簡單起見我有一些選項:
用多種不同的方法啟動一個 Kubernetes 集群。通常來說,minikube用來測試或者開發。我會使用kubeadm因為它非常簡單的就可以啟動一個真正的集群。
在 Kubernetes 中,會使用default命名空間。
Vault 會在開發模式下運行。_不要像在生產環境下那樣使用它!_確保在環境變量中設置了VAULT_ADDR。
代碼示例中會使用 Ubuntu。這些已經在 GCE 上配置為 2 vCPU 和 7.5 GB 的 Ubuntu 18.10 VM 上進行了測試。(可以看看 GCP 上 $300 的免費套餐,就是說說而已哈…)
除非另有說明,將會使用 Bash。
讓我們從一個簡單的測試集群開始。下面的代碼你會看到一個簡單節點的安裝步驟是什么樣的。
# 1) Install Kubernetes on a Ubuntu machine sudo -i curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - echo 'deb http://apt.kubernetes.io/ kubernetes-xenial main' >> /etc/apt/sources.list.d/kubernetes.list apt update && apt install -y docker.io kubelet kubeadm kubectl sudo systemctl enable docker.service kubeadm init --pod-network-cidr=10.244.0.0/16 # Flannel pod network, see below exit # 2) Prepare kubectl mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config echo "source <(kubectl completion bash); alias k=kubectl; complete -F __start_kubectl k" >> .bashrc && exec $SHELL # 3) Finalize K8s config kubectl cluster-info kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml kubectl taint nodes --all node-role.kubernetes.io/master- kubectl get nodes -o wide # For details, see: # - https://kubernetes.io/docs/setup/independent/install-kubeadm/ # - https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/
Vault 的安裝非常的直接: 下載解壓二進制包即可:
# Install Vault sudo apt install -y zip curl -OL https://releases.hashicorp.com/vault/1.1.1/vault_1.1.1_linux_amd64.zip unzip vault_1.1.1_linux_amd64.zip sudo mv vault /usr/local/bin/ vault -autocomplete-install && exec $SHELL
我們會以開發模式運行一個 Vault 服務器。同樣,這也非常的簡單。請記住,當啟動一個開發服務器的時候,一個 root 令牌會被寫入到$HOME/.vault-token中,對 root 用戶來說同樣如此。使用&符號會讓 Vault 進程在后臺運行因此我們可以繼續使用相同的 shell。
$ vault server -dev -dev-listen-address=0.0.0.0:8200 & ==> Vault server configuration: Api Address: http://0.0.0.0:8200 Cgo: disabled Cluster Address: https://0.0.0.0:8201 Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled") Log Level: info Mlock: supported: true, enabled: false Storage: inmem Version: Vault v1.1.1 Version Sha: a3dcd63451cf6da1d04928b601bbe9748d53842e
現在我們必須確保 Kubernetes 可以通過 Kubernetes 認證與 Vault 進行通信。這將會在 Kubernetes 和 Vault 之間建立一個信任的聯系。預命名的vault-demo-role將會映射策略以及定義一個 TTL。
因為我們使用kubeadm啟動的 Kubernetes 集群,它非常輕松的就可以找到kubernetes_ca_cert參數的證書頒發機構(CA)存儲的值。如果使用一個在云安裝的 Kubernetes 該過程會比較困難一些。
# NOTE: You may need to set these addresses differently.
export INTERNAL_IP=$(dig +short `hostname -f`)
export VAULT_ADDR=http://${INTERNAL_IP}:8200
# Enable and configure the Kubernetes auth method.
# For details, see:
# - https://www.vaultproject.io/docs/auth/kubernetes.html
# - https://www.vaultproject.io/api/auth/kubernetes/index.html
vault auth enable kubernetes
vault write auth/kubernetes/config \
kubernetes_host=https://${INTERNAL_IP}:6443 \
kubernetes_ca_cert=@/etc/kubernetes/pki/ca.crt
vault write auth/kubernetes/role/vault-demo-role \
bound_service_account_names=vault-serviceaccount \
bound_service_account_namespaces=default \
policies=vault-demo-policy \
ttl=1h
# Create a policy for demo purposes
cat <<EOF | vault policy write vault-demo-policy -
path "sys/mounts" { capabilities = ["read"] }
path "secret/data/demo/*" { capabilities = ["read"] }
path "secret/metadata/demo/*" { capabilities = ["list"] }
EOF
# Write some demo secret
vault kv put secret/demo/most-used-password password=123456
vault kv put secret/demo/first one=1234567890 two=2345678901
vault kv put secret/demo/second green=lantern poison=ivy
vault kv put secret/demo/greek/alpha philosopher=plato
vault kv put secret/demo/greek/beta god=zeus
vault kv put secret/demo/greek/gamma mountain=olympus在 Kubernetes 這邊,我們現在需要安裝設置相匹配的 RBAC。首先我們創建一個名稱為vault-serviceaccount的服務賬號。然后我們會添加一個叫做vault-closterrolebinding的集群角色綁定,因而我們新創建的服務賬號可以被允許使用默認的集群角色system:auth-delegator發送認證請求。角色vault-secrectadmin-role和角色綁定vault-secretadmin-rolebinding也綁定到了vault-serviceaccount上這樣我們就可以同步密碼了。
--- apiVersion: v1 kind: ServiceAccount metadata: name: vault-serviceaccount --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: vault-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount name: vault-serviceaccount namespace: default --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: vault-secretadmin-role rules: - apiGroups: [""] resources: ["secrets"] verbs: ["*"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: vault-secretadmin-rolebinding subjects: - kind: ServiceAccount name: vault-serviceaccount roleRef: kind: Role name: vault-secretadmin-role apiGroup: rbac.authorization.k8s.io
讓我們應用下面的配置:
$ k apply -f vault-rbac.yaml serviceaccount/vault-serviceaccount created clusterrolebinding.rbac.authorization.k8s.io/vault-clusterrolebinding created role.rbac.authorization.k8s.io/vault-secret-admin-role created rolebinding.rbac.authorization.k8s.io/vault-demo-secret-admin-rolebinding created
準備工作完成了。現在我們可以移步到我們的用例上了。
我們將會覆蓋下面的這三個用例:
第一個例子會演示怎樣認證到 Vault 然后使用一個初始化的容器獲取一個認證令牌。
第二個例子會演示怎樣使用 sidecar 容器更新這個令牌。
第三個例子將會演示怎樣從 Vault 到 Kubernetes 同步密碼。
所有這三個用例均由我在 PostFinance 的同事構建的三個 Docker 鏡像上運行的。特別感謝 Marc Sauter,他在Seth Vargo工作的啟發下編纂了最初的實現方案。創建的這三個鏡像-在Docker Hub上均可獲取到-包括了一點 Go 的助手工具,代碼均可以從GitHub上找到。
第一個例子會展示vault-kubernetes-authenticator(簡稱 *auther*)鏡像的用法。auther 在一個初始容器中運行,使用服務賬號vault-serviceaccount向 Vault 進行認證然后將 Vault 的認證令牌寫入到/home/vault/.vault-token中。
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vault-kubernetes-authenticator-demo
labels:
appl: vault-kubernetes-authenticator-demo
spec:
replicas: 1
selector:
matchLabels:
appl: vault-kubernetes-authenticator-demo
template:
metadata:
labels:
appl: vault-kubernetes-authenticator-demo
spec:
serviceAccountName: vault-serviceaccount
volumes:
- name: vault-token
emptyDir:
medium: Memory
initContainers:
- name: vault-kubernetes-authenticator
image: postfinance/vault-kubernetes-authenticator
imagePullPolicy: Always
volumeMounts:
- name: vault-token
mountPath: /home/vault
env:
- name: VAULT_ADDR
value: ${VAULT_ADDR}
- name: VAULT_ROLE
value: vault-demo-role
- name: VAULT_TOKEN_PATH
value: /home/vault/.vault-token
containers:
- name: kuard
image: gcr.io/kuar-demo/kuard-amd64:blue
volumeMounts:
- name: vault-token
mountPath: /home/vault我們應用這些配置然后執行一些測試來驗證所有配置都能成功運行。
$ envsubst < vault-kubernetes-authenticator-demo.yaml | k apply -f -
deployment.apps/vault-kubernetes-authenticator-demo created
$ k get all
NAME READY STATUS RESTARTS AGE
pod/vault-kubernetes-authenticator-demo-fc49b957c-b5bnx 1/1 Running 0 81s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 20h
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/vault-kubernetes-authenticator-demo 1/1 1 1 81s
NAME DESIRED CURRENT READY AGE
replicaset.apps/vault-kubernetes-authenticator-demo-fc49b957c 1 1 1 81s
$ k logs vault-kubernetes-authenticator-demo-fc49b957c-b5bnx -c vault-kubernetes-authenticator
2019/04/16 04:45:23 successfully authenticated to vault
2019/04/16 04:45:23 successfully stored vault token at /home/vault/.vault-token
$ k exec vault-kubernetes-authenticator-demo-fc49b957c-b5bnx -- sh -c "VAULT_ADDR=${VAULT_ADDR} sh"
~ $ cat /home/vault/.vault-token; echo
s.xrrJoCARIC0Z84vcvcwuH5XG
~ $ wget --header="X-Vault-Token: $(cat /home/vault/.vault-token)" -q -O - ${VAULT_ADDR}/v1/secret/data/demo/most-used-password
{"request_id":"12660a6b-7ad0-85bc-8841-d21c7cc8248a","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"password":"123456"},"metadata":{"created_time":"2019-04-16T05:11:44.651116748Z","deletion_time":"","destroyed":false,"version":1}},"wrap_info":null,"warnings":null,"auth":null}
~ $ wget --header="X-Vault-Token: $(cat /home/vault/.vault-token)" -q -O - ${VAULT_ADDR}/v1/secret/data/sensitive-password
wget: server returned error: HTTP/1.1 403 Forbidden第二個例子將向你展示vault-kubernetes-token-renewer(簡稱 *renewer*)鏡像的使用。renewer 運行在一個 sidecar 容器中,周期性地檢查 TTL 然后根據檢查的情況更新認證令牌。
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vault-kubernetes-token-renewer-demo
labels:
appl: vault-kubernetes-token-renewer-demo
spec:
replicas: 1
selector:
matchLabels:
appl: vault-kubernetes-token-renewer-demo
template:
metadata:
labels:
appl: vault-kubernetes-token-renewer-demo
spec:
shareProcessNamespace: true
serviceAccountName: vault-serviceaccount
volumes:
- name: vault-token
emptyDir:
medium: Memory
initContainers:
- name: vault-kubernetes-authenticator
image: postfinance/vault-kubernetes-authenticator
imagePullPolicy: Always
volumeMounts:
- name: vault-token
mountPath: /home/vault
env:
- name: VAULT_ADDR
value: ${VAULT_ADDR}
- name: VAULT_ROLE
value: vault-demo-role
- name: VAULT_TOKEN_PATH
value: /home/vault/.vault-token
containers:
- name: vault-kubernetes-token-renewer
image: postfinance/vault-kubernetes-token-renewer
imagePullPolicy: Always
volumeMounts:
- name: vault-token
mountPath: /home/vault
env:
- name: VAULT_ADDR
value: ${VAULT_ADDR}
- name: VAULT_ROLE
value: vault-demo-role
- name: VAULT_TOKEN_PATH
value: /home/vault/.vault-token
- name: kuard
image: gcr.io/kuar-demo/kuard-amd64:blue
volumeMounts:
- name: vault-token
mountPath: /home/vault我們也同樣應用一下這些配置然后做一些驗證。(我刪除了先前的 deployment。)
$ envsubst < vault-kubernetes-token-renewer-demo.yaml | k apply -f - deployment.apps/vault-kubernetes-token-renewer-demo created $ k get all NAME READY STATUS RESTARTS AGE pod/vault-kubernetes-token-renewer-demo-694cc7dbbd-rkbbs 2/2 Running 0 4s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31h NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/vault-kubernetes-token-renewer-demo 1/1 1 1 4s NAME DESIRED CURRENT READY AGE replicaset.apps/vault-kubernetes-token-renewer-demo-694cc7dbbd 1 1 1 4s $ k logs vault-kubernetes-token-renewer-demo-694cc7dbbd-rkbbs -c vault-kubernetes-authenticator 2019/04/16 15:40:55 successfully authenticated to vault 2019/04/16 15:40:55 successfully stored vault token at /home/vault/.vault-token $ k logs vault-kubernetes-token-renewer-demo-694cc7dbbd-rkbbs -c vault-kubernetes-token-renewer 2019/04/16 15:40:56 start renewer loop 2019/04/16 15:40:56 token renewed
第三個例子將向你展示vault-kubernetes-synchronizer(簡稱 *syncer*)的用法。syncer 可以用在多個方面。在這個 demo 里面,一個 Kubernetes 任務將被用來從預定義的路徑一次性同步 Vault 密碼。這些 Vault 密碼將會被寫入到相應的 Kubernetes 密碼中。
---
apiVersion: batch/v1
kind: Job
metadata:
name: vault-kubernetes-synchronizer-demo
spec:
backoffLimit: 0
template:
spec:
serviceAccountName: vault-serviceaccount
restartPolicy: Never
volumes:
- name: vault-token
emptyDir:
medium: Memory
initContainers:
- name: vault-kubernetes-authenticator
image: postfinance/vault-kubernetes-authenticator
imagePullPolicy: Always
volumeMounts:
- name: vault-token
mountPath: /home/vault
env:
- name: VAULT_ADDR
value: ${VAULT_ADDR}
- name: VAULT_ROLE
value: vault-demo-role
- name: VAULT_TOKEN_PATH
value: /home/vault/.vault-token
containers:
- name: vault-kubernetes-synchronizer
image: postfinance/vault-kubernetes-synchronizer
imagePullPolicy: Always
volumeMounts:
- name: vault-token
mountPath: /home/vault
env:
- name: VAULT_ADDR
value: ${VAULT_ADDR}
- name: VAULT_ROLE
value: vault-demo-role
- name: VAULT_TOKEN_PATH
value: /home/vault/.vault-token
- name: VAULT_SECRETS
value: secret/demo/first,secret/demo/second,secret/demo/first:third,secret/demo/greek/同樣,我們也應用一下這些配置然后看看所有的配置是否如預期一樣運行正常:
$ envsubst < vault-kubernetes-synchronizer-demo.yaml | k apply -f - job.batch/vault-kubernetes-synchronizer-demo created $ k get all NAME READY STATUS RESTARTS AGE pod/vault-kubernetes-synchronizer-demo-m2xnz 1/1 Running 0 4s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 3d5h NAME COMPLETIONS DURATION AGE job.batch/vault-kubernetes-synchronizer-demo 0/1 4s 4s $ k logs pod/vault-kubernetes-synchronizer-demo-m2xnz -c vault-kubernetes-authenticator 2019/04/18 14:29:42 successfully authenticated to vault 2019/04/18 14:29:42 successfully stored vault token at /home/vault/.vault-token $ k logs pod/vault-kubernetes-synchronizer-demo-m2xnz 2019/04/18 14:29:43 read secret/demo/first from vault 2019/04/18 14:29:43 update secret third from vault secret secret/demo/first 2019/04/18 14:29:43 read secret/demo/greek/alpha from vault 2019/04/18 14:29:43 update secret alpha from vault secret secret/demo/greek/alpha 2019/04/18 14:29:43 read secret/demo/greek/beta from vault 2019/04/18 14:29:43 update secret beta from vault secret secret/demo/greek/beta 2019/04/18 14:29:43 read secret/demo/greek/gamma from vault 2019/04/18 14:29:43 update secret gamma from vault secret secret/demo/greek/gamma 2019/04/18 14:29:43 read secret/demo/first from vault 2019/04/18 14:29:43 update secret first from vault secret secret/demo/first 2019/04/18 14:29:43 read secret/demo/second from vault 2019/04/18 14:29:43 update secret second from vault secret secret/demo/second 2019/04/18 14:29:44 secrets successfully synchronized $ k get secrets NAME TYPE DATA AGE alpha Opaque 1 2m43s beta Opaque 1 2m43s default-token-ssd7f kubernetes.io/service-account-token 3 3d5h first Opaque 2 2m43s gamma Opaque 1 2m43s second Opaque 2 2m43s third Opaque 2 2m43s vault-serviceaccount-token-f6tnw kubernetes.io/service-account-token 3 2d20h $ k describe secret first Name: first Namespace: default Labels: <none> Annotations: vault-secret: secret/demo/first Type: Opaque Data ==== one: 10 bytes two: 10 bytes $ k describe secret alpha Name: alpha Namespace: default Labels: <none> Annotations: vault-secret: secret/demo/greek/alpha Type: Opaque Data ==== philosopher: 5 bytes
syncer 同樣可以用在 Kubernetes 的 cron 任務中從 Vault 周期性同步密碼或者同步到另一個 Kubernetes deployment 的初始容器中,這樣密碼就會保持最新狀態。
需要注意的是 Kubernetes 密碼保護不是很好。Seth Vargo 在最近的 FOSDEM訪談中指出,默認情況下,它們僅做了 base64 編碼和存儲,就像在 etcd 中那樣。你應該允許數據的靜態加密。也請確保你只同步那些你的 Kubernetes 應用程序使用的那些密碼,這些密碼由相應的 Vault 策略以及命名角色保護。除此之外,該方法還允許你以云原生行為使用密碼。你的應用程序不能直接訪問 Vault 密碼可以被注入到環境變量中。
Kubernetes 和 Vault 這兩項技術在結合使用或者集成它們使用時均是很棒的組合。集成的方案看似不簡單但是依舊可行。
看完上述內容,你們對如何使用Vault與Kubernetes為密碼提供強有力的保障有進一步的了解嗎?如果還想了解更多知識或者相關內容,請關注億速云行業資訊頻道,感謝大家的支持。
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
