文章目录
- 参考地址
- 一、TASK
- 二、问题解决过程
- 1.问题一解题
- 2.问题二解题
参考地址
etcdctl secret https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/encrypt-data/
一、TASK
Solve this question on: ssh cks7262
There is an existing Secret called database-access in Namespace team-green.
Read the complete Secret content directly from ETCD (using etcdctl) and store it into /opt/course/11/etcd-secret-content on cks7262
Write the plain and decoded Secret’s value of key “pass” into /opt/course/11/database-password on cks7262
中译
在以下位置解决此问题:ssh cks7262
在 team-green Namespace 中有一个名为database-access Secret 的现有 Secret。
1、直接从cks7262节点中通过 ETCDCTL 读取完整的 Secret 内容(使用 )并将其存储到 /opt/course/11/etcd-secret-content
2、将 plain 和 decoded 的 Secret 的 key “pass” 值写入cks7262节点的 /opt/course/11/database-password文件中
二、问题解决过程
1.问题一解题
过程如下(示例):
#按要求连接对应的集群
candidate@terminal:~$ ssh cks7262#切换到root用户下,防止普通用户操作写入文件没权限
candidate@cks7262:~$ sudo -i#获取etcd证书位置
root@cks7262: ~# grep etcd /etc/kubernetes/manifests/kube-apiserver.yaml- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key- --etcd-servers=https://127.0.0.1:2379 # optional since we're on same node#使用etcdctl命令获取team-green命名空间下database-access的信息
root@cks7262: ~# ETCDCTL_API=3 etcdctl \
--cert /etc/kubernetes/pki/apiserver-etcd-client.crt \
--key /etc/kubernetes/pki/apiserver-etcd-client.key \
--cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/secrets/team-green/database-access/registry/secrets/team-green/database-access
k8sv1Secretdatabase-access
team-green"*$a01ef408-0a40-4fee-bd26-7adf346b3d222bB
0kubectl.kubernetes.io/last-applied-configuration{"apiVersion":"v1","data":{"pass":"Y29uZmlkZW50aWFs"},"kind":"Secret","metadata":{"annotations":{},"name":"database-access","namespace":"team-green"}}kubectl-client-side-applyUpdatevFieldsV1:
{"f:data":{".":{},"f:pass":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:type":{}}B
passconfidentialOpaque"#将上述返回的值复制粘贴到/opt/course/11/etcd-secret-content文件中
2.问题二解题
过程如下(示例):
#将键是pass的值进行解密并保存到对应的文件中
root@cks7262: ~# echo "Y29uZmlkZW50aWFs" |base64 -d >/opt/course/11/database-password