Kubernetes CKS 2021【12】---Microservice 漏洞-Manage secrets

网友投稿 232 2022-09-10

Kubernetes CKS 2021【12】---Microservice 漏洞-Manage secrets

文章目录

​​1. 介绍​​​​2. Create Simple Secret Scenario​​​​3. Hack Secrets in Docker​​​​4. Hack Secrets in ETCD​​​​5. ETCD Encryption​​​​6. Practice - Encrypt ETCD​​

1. 介绍

2. Create Simple Secret Scenario

root@master:~# k create secret generic secret1 --from-literal user=adminsecret/secret1 createdroot@master:~# k create secret generic secret2 --from-literal pass=12345678secret/secret2 createdroot@master:~# k run pod --image=nginx -oyaml --dry-run=clientapiVersion: v1kind: Podmetadata: creationTimestamp: null labels: run: pod name: podspec: containers: - image: nginx name: pod resources: {} dnsPolicy: ClusterFirst restartPolicy: Alwaysstatus: {}root@master:~# k run pod --image=nginx -oyaml --dry-run=client > pod.yamlroot@master:~# vim pod.yaml apiVersion: v1kind: Podmetadata: creationTimestamp: null labels: run: pod name: podspec: containers: - image: nginx name: pod resources: {} env: - name: PASSWORD valueFrom: secretKeyRef: name: secret2 key: pass volumeMounts: - name: secret1 mountPath: "/etc/secret1" readOnly: true volumes: - name: secret1 secret: secretName: secret1 dnsPolicy: ClusterFirst restartPolicy: Alwaysstatus: {}root@master:~# k -f pod.yaml createpod/pod createdroot@master:~# k get podsNAME READY STATUS RESTARTS AGEpod 1/1 Running 0 52sroot@master:~# k exec pod -- env |grep PASSPASSWORD=12345678root@master:~# k exec pod -- mount |grep secret1tmpfs on /etc/secret1 type tmpfs (ro,relatime)root@master:~# k exec pod -- ls /etc/secret1userroot@master:~# k exec pod -- cat /etc/secret1/useradmin

3. Hack Secrets in Docker

root@master:~# k get pod -owideNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATESpod 1/1 Running 0 5m28s 10.244.166.137 node1 root@node1:~# docker ps |grep nginxa3c39ce6e40e nginx "/docker-entrypoint.…" 5 minutes ago Up 5 minutes k8s_pod_pod_default_31010eac-76fe-463d-a20a-c18aec88c174_0root@node1:~# docker inspect a3.... "Env": [ "PASSWORD=12345678", "KUBERNETES_PORT_443_TCP_PORT=443", "KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1", "KUBERNETES_SERVICE_HOST=10.96.0.1", "KUBERNETES_SERVICE_PORT=443", "KUBERNETES_SERVICE_PORT_HTTPS=443", "KUBERNETES_PORT=tcp://10.96.0.1:443", "KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443", "KUBERNETES_PORT_443_TCP_PROTO=tcp", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "NGINX_VERSION=1.19.10", "NJS_VERSION=0.5.3", "PKG_RELEASE=1~buster" ],....root@node1:~# docker cp a3:/etc/secret1 secret1root@node1:~# cat secret1/user admin

4. Hack Secrets in ETCD

root@master:~# ETCDCTL_API=3 etcdctl --endpoints --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key --cacert /etc/kubernetes/pki/etcd/ca.crt endpoint healthis healthy: successfully committed proposal: took = 19.341929msroot@master:~# ETCDCTL_API=3 etcdctl --endpoints --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key --cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/secrets/default/secret1/registry/secrets/default/secret1k8sv1SecretƁ® secret1default"*$82fd120e-dccd-4ac5-99c9-d2e5ff2915a12̣z_kubectl-createUpdateṿFieldsV1:-+{"f:data":{".":{},"f:user":{}},"f:type":{}} useradminOpaque"Xshellroot@master:~# ETCDCTL_API=3 etcdctl --endpoints --cert /etc/kubernetes/pki/etcd/server.crt --key ubernetes/pki/etcd/server.key --cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/secrets/default/secret2/registry/secrets/default/secret2k8sv1SecretɁ® secret2default"*$4cf99bbb-3980-40bc-9138-8b23f2a7e2132⣞z_kubectl-createUpdatev⣞FieldsV1:-+{"f:data":{".":{},"f:pass":{}},"f:type":{}} pas12345678Opaque"

5. ETCD Encryption

6. Practice - Encrypt ETCD

root@master:~# cd /etc/kubernetes/root@master:/etc/kubernetes# lsadmin.conf controller-manager.conf kubelet.conf manifests pki scheduler.confroot@master:/etc/kubernetes# mkdir etcdroot@master:/etc/kubernetes# cd etcd/root@master:/etc/kubernetes/etcd# lsroot@master:/etc/kubernetes/etcd# echo password | base64cGFzc3dvcmQKroot@master:/etc/kubernetes/etcd# echo passwordpasswordroot@master:/etc/kubernetes/etcd# echo -n passwordpasswordroot@master:/etc/kubernetes/etcd# echo -n password | base64cGFzc3dvcmQ=root@master:/etc/kubernetes/etcd# vim ec.yamlapiVersion: apiserver.config.k8s.io/v1kind: EncryptionConfigurationresources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: cGFzc3dvcmQ= - identity: {}root@master:/etc/kubernetes/etcd# cd ../manifests/root@master:/etc/kubernetes/manifests# lsetcd.yaml kube-apiserver.yaml kube-controller-manager.yaml kube-scheduler.yamlroot@master:/etc/kubernetes/manifests# vim kube-apiserver.yaml apiVersion: v1kind: Podmetadata: annotations: kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.211.40:6443 creationTimestamp: null labels: component: kube-apiserver tier: control-plane name: kube-apiserver namespace: kube-systemspec: containers: - command: - kube-apiserver - --encryption-provider-config=/etc/kubernetes/etcd/ec.yaml #添加 - --advertise-address=192.168.211.40 - --allow-privileged=true - --authorization-mode=Node,RBAC - --client-ca-file=/etc/kubernetes/pki/ca.crt - --enable-admission-plugins=NodeRestriction - --enable-bootstrap-token-auth=true - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key - --etcd-servers= - --insecure-port=0 - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key - --requestheader-allowed-names=front-proxy-client - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt - --requestheader-extra-headers-prefix=X-Remote-Extra- - --requestheader-group-headers=X-Remote-Group - --requestheader-username-headers=X-Remote-User - --secure-port=6443 - --service-account-issuer= - --service-account-key-file=/etc/kubernetes/pki/sa.pub - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key - --service-cluster-ip-range=10.96.0.0/12 - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key image: k8s.gcr.io/kube-apiserver:v1.20.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 8 host: 192.168.211.40 path: /livez port: 6443 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 15 name: kube-apiserver readinessProbe: failureThreshold: 3 host: 192.168.211.40 path: /readyz port: 6443 scheme: HTTPS periodSeconds: 1 timeoutSeconds: 15 resources: requests: cpu: 250m startupProbe: failureThreshold: 24 host: 192.168.211.40 path: /livez port: 6443 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 15 volumeMounts: - mountPath: /etc/ssl/certs name: ca-certs readOnly: true - mountPath: /etc/ca-certificates name: etc-ca-certificates readOnly: true - mountPath: /etc/kubernetes/pki name: k8s-certs readOnly: true - mountPath: /etc/kubernetes/etcd #添加 name: etcd #添加 readOnly: true #添加 - mountPath: /usr/local/share/ca-certificates name: usr-local-share-ca-certificates readOnly: true - mountPath: /usr/share/ca-certificates name: usr-share-ca-certificates readOnly: true hostNetwork: true priorityClassName: system-node-critical volumes: - hostPath: path: /etc/ssl/certs type: DirectoryOrCreate name: ca-certs - hostPath: path: /etc/ca-certificates type: DirectoryOrCreate name: etc-ca-certificates - hostPath: path: /etc/kubernetes/pki type: DirectoryOrCreate name: k8s-certs - hostPath: #添加 path: /etc/kubernetes/etcd #添加 type: DirectoryOrCreate #添加 name: etcd #添加 - hostPath: path: /usr/local/share/ca-certificates type: DirectoryOrCreate name: usr-local-share-ca-certificates - hostPath: path: /usr/share/ca-certificates type: DirectoryOrCreate name: usr-share-ca-certificatesstatus: {}root@master:/etc/kubernetes/manifests# ps aux |grep apiserverroot 63152 0.0 0.0 14424 1092 pts/1 S+ 02:07 0:00 grep --color=auto apiserverroot@master:/etc/kubernetes/manifests# cd /var/log/pods/root@master:/var/log/pods# lskube-system_calico-node-ngbm8_837fbf7e-0060-4f5c-bd62-fdecf5f7e334kube-system_etcd-master_77699ae6105937dbb48c0a720843ce8ekube-system_kube-apiserver-master_ae8926e93b50c0469bb29e747b4c459fkube-system_kube-controller-manager-master_360cd07520ba8dce55b5d403c66acf83kube-system_kube-proxy-lfkn9_08f4f57e-d10b-4efe-99d7-33509c6492b0kube-system_kube-scheduler-master_81d2d21449d64d5e6d5e9069a7ca99edroot@master:/var/log/pods# tail -f kube-system_kube-apiserver-master_ae8926e93b50c0469bb29e747b4c459f/kube-apiserver/4.log {"log":"Flag --insecure-port has been deprecated, This flag has no effect now and will be removed in v1.24.\n","stream":"stderr","time":"2021-04-27T09:07:15.165954784Z"}{"log":"I0427 09:07:15.166039 1 server.go:632] external host was not specified, using 192.168.211.40\n","stream":"stderr","time":"2021-04-27T09:07:15.166135424Z"}{"log":"I0427 09:07:15.166569 1 server.go:182] Version: v1.20.0\n","stream":"stderr","time":"2021-04-27T09:07:15.166680164Z"}{"log":"Error: error while parsing encryption provider configuration file \"/etc/kubernetes/etcd/ec.yaml\": error while parsing file: resources[0].providers[0].aescbc.keys[0].secret: Invalid value: \"REDACTED\": secret is not of the expected length, got 8, expected one of [16 24 32]\n","stream":"stderr","time":"2021-04-27T09:07:15.713401195Z"} #密文长度不合规范root@master:/var/log/pods# cd /etc/kubernetes/etcd/root@master:/etc/kubernetes/etcd# lsec.yamlroot@master:/etc/kubernetes/etcd# echo -n passwordpassword | base64cGFzc3dvcmRwYXNzd29yZA==root@master:/etc/kubernetes/etcd# vim ec.yaml root@master:/etc/kubernetes/etcd# cat ec.yamlapiVersion: apiserver.config.k8s.io/v1kind: EncryptionConfigurationresources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: cGFzc3dvcmRwYXNzd29yZA== #修改此行 - identity: {}root@master:/etc/kubernetes/etcd# cd ../manifests/root@master:/etc/kubernetes/manifests# mv kube-apiserver.yaml ..root@master:/etc/kubernetes/manifests# ps aux |grep apiserverroot 68173 0.0 0.0 14424 1040 pts/1 S+ 02:10 0:00 grep --color=auto apiserverroot@master:/etc/kubernetes/manifests# mv ../kube-apiserver.yaml .root@master:/etc/kubernetes/manifests# ps aux |grep apiserverroot 69304 0.0 0.0 14424 1108 pts/1 S+ 02:11 0:00 grep --color=auto apiserverroot@master:~# k get secret NAME TYPE DATA AGEdefault-token-2xr8c kubernetes.io/service-account-token 3 2d15hroot@master:~# k get secret default-token-2xr8c -o yamlroot@master:~# ETCDCTL_API=3 etcdctl --endpoints --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key --cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/secrets/default/default-token-2xr8c/registry/secrets/default/default-token-2xr8ck8sv1Secret كdefault-token-2xr8cdefault"*$530bbfe5-0397-4526-8b97-995654fb0c792µ¦b-"kubernetes.io/service-account.namedefaultbI!kubernetes.io/service-account.uid$8b32bf2f-09c3-4066-bf32-981a3da16aeez kube-controller-managerUpdatevµ¦FieldsV1:ǁā{"f:data":{".":{},"f:ca.crt":{},"f:namespace":{},"f:token":{}},"f:metadata":{"f:annotations":{".":{},"f:kubernetes.io/service-account.name":{},"f:kubernetes.io/service-account.uid":{}}},"f:type":{}}µca.crt-----BEGIN CERTIFICATE-----MIIC5zCCAc+gAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJlcm5ldGVzMB4XDTIxMDQyNTExMzEzN1oXDTMxMDQyMzExMzEzN1owFTETMBEGA1UEAxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANP+TEuItY/ZoGFW5WNzPIMLxYwUR/TlNN5M8A2+p8tigekLtzHuioVt5sL/1yEZvjYreE63SBv1/KLIbnav12GeAkhRKo7DRu16Z0JglQgncZGXciAL9/sQ08UaNZeRpGak9b42YET1eU4rNn2K+uRq1k71rOpAj+2SRnhi0P6knMfo51pAtlbg4IlKLCv5WHBkzEKtufWaxjANwy74EtR6fxzRCRwVJlbxlKKX/zOyStruTPFKuMn1T7pvf1BpyVop0Y+R4Uq72z3EFfJ+nX2DrOBKdnyccQ1VPCSMSP42jIe2IljMfnbXxhYjCfW4yOBBn2jDaADDbEENk5vqXeMCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPNvWidCN48MhgVQ3tLD/RrO5pI9MA0GCSqGSIb3DQEBCwUAA4IBAQDN6JnxMaV9qgn4e4XK8pxaIXSy8CJrYW6sQ0EK1BHeaAHLuTm0l0O8XP+xELeV1hPrwPG24tfiSnWj71Rjma/cXSHTRpSvtROo2rGkpEUMufnPqo9+kKORg1k6ajTpJPxsakIBzUXLu6ei7t/jzp6pTIXS1Q/dIEgU0ovKTQ1KgWe3pomHfJAUfbmkOiO7IwluTlDpckx53FGfFB4f5Goi0qb+u6EitXCim98ikzZaHPAqkDc+ZXdn+9x474sljnUsoZJZICwyraOCiWdOCuB5R7taHirTi3R2vsj1lkRavC5ydZd22lSe8x57cpdghjXKMXgK04VD73zG9UXzzA74-----END CERTIFICATE----- namespacedefault tokeneyJhbGciOiJSUzI1NiIsImtpZCI6IktRNXFhRW5OLW5tdjhVX3Y2SnhuYXNocVF6WXF0ZFdTX0hIdWQwVkphYjgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tMnhyOGMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjhiMzJiZjJmLTA5YzMtNDA2Ni1iZjMyLTk4MWEzZGExNmFlZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.lzHD6W-xBuiqf9CHPB4LIbpRdoJmMv7wSGt0fnp7p-slYEtSpk4ax2kQNQ8j-eEFFWahZpzZhHlanIBsG5LTNcqZP_N9hxK5YgxIz4kJ-nbDvqeqBICM8SVL3C3kID1wb32I0zpXr3BDq33NbKh1e0-19T5zsKFWsnahfhd2HHuV4bnr7zEZYtjIv5Taeyu28F79929a80bQykG5v1Si5xibPP-xPpwXizbdGS-nwbqre4lSgjyFjoNZrjYEUVkYTsfxBmWmdqiCv1EvgFftTQ2RMVSk0e-qpbWowg-uGcYHLmyzx_R4QM0wPnDIwkxtxZIZdV7cVQv11Fw9kQVzeQ#kubernetes.io/service-account-token"root@master:~# k create secret generic very-secure --from-literal cc=1234secret/very-secure createdroot@master:~# ETCDCTL_API=3 etcdctl --endpoints --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key --cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/secrets/default/very-secure

root@master:~# k get secret very-secure -oyamlapiVersion: v1data: cc: MTIzNA==kind: Secretmetadata: creationTimestamp: "2021-04-28T02:55:39Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:cc: {} f:type: {} manager: kubectl-create operation: Update time: "2021-04-28T02:55:39Z" name: very-secure namespace: default resourceVersion: "14227" uid: f175c1d7-83f7-4cd7-8601-64bd814feeabtype: Opaqueroot@master:~# echo MTIzNA== | base64 -d1234root@master:~# k get secretNAME TYPE DATA AGEdefault-token-2xr8c kubernetes.io/service-account-token 3 2d15hvery-secure Opaque 1 4m28sroot@master:~# k delete secret default-token-2xr8csecret "default-token-2xr8c" deletedroot@master:~# k get secretNAME TYPE DATA AGEdefault-token-s446z kubernetes.io/service-account-token 3 1svery-secure Opaque 1 4m43s

root@master:/etc/kubernetes/etcd# cat ec.yamlapiVersion: apiserver.config.k8s.io/v1kind: EncryptionConfigurationresources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: cGFzc3dvcmRwYXNzd29yZA== #修改此行# - identity: {} #注释掉root@master:/etc/kubernetes/etcd# cd ../manifests/root@master:/etc/kubernetes/manifests# mv kube-apiserver.yaml ..root@master:/etc/kubernetes/manifests# ps aux |grep apiserverroot 68173 0.0 0.0 14424 1040 pts/1 S+ 02:10 0:00 grep --color=auto apiserverroot@master:/etc/kubernetes/manifests# mv ../kube-apiserver.yaml .

root@master:/etc/kubernetes/etcd# cat ec.yamlapiVersion: apiserver.config.k8s.io/v1kind: EncryptionConfigurationresources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: cGFzc3dvcmRwYXNzd29yZA== #修改此行 - identity: {} #取消注释root@master:/etc/kubernetes/etcd# cd ../manifests/root@master:/etc/kubernetes/manifests# mv kube-apiserver.yaml ..root@master:/etc/kubernetes/manifests# ps aux |grep apiserverroot 68173 0.0 0.0 14424 1040 pts/1 S+ 02:10 0:00 grep --color=auto apiserverroot@master:/etc/kubernetes/manifests# mv ../kube-apiserver.yaml .root@master:~# k -n kube-system get secretNAME TYPE DATA AGEattachdetach-controller-token-lgjcx kubernetes.io/service-account-token 3 2d15hbootstrap-signer-token-fm96m kubernetes.io/service-account-token 3 2d15hbootstrap-token-twmwqd bootstrap.kubernetes.io/token 7 2d15hcalico-kube-controllers-token-km9zk kubernetes.io/service-account-token 3 2d15hcalico-node-token-zjqnp kubernetes.io/service-account-token 3 2d15hcertificate-controller-token-2n29x kubernetes.io/service-account-token 3 2d15hclusterrole-aggregation-controller-token-ws62f kubernetes.io/service-account-token 3 2d15hcoredns-token-r4r2k kubernetes.io/service-account-token 3 2d15hcronjob-controller-token-djsb6 kubernetes.io/service-account-token 3 2d15hdaemon-set-controller-token-q4zwx kubernetes.io/service-account-token 3 2d15hdefault-token-8lqmr kubernetes.io/service-account-token 3 2d15hdeployment-controller-token-5ll65 kubernetes.io/service-account-token 3 2d15hdisruption-controller-token-mptgf kubernetes.io/service-account-token 3 2d15hendpoint-controller-token-5x9bl kubernetes.io/service-account-token 3 2d15hendpointslice-controller-token-gcjz8 kubernetes.io/service-account-token 3 2d15hendpointslicemirroring-controller-token-pbrwx kubernetes.io/service-account-token 3 2d15hexpand-controller-token-hv5lv kubernetes.io/service-account-token 3 2d15hgeneric-garbage-collector-token-kvdq6 kubernetes.io/service-account-token 3 2d15hhorizontal-pod-autoscaler-token-z2kw4 kubernetes.io/service-account-token 3 2d15hjob-controller-token-rzd44 kubernetes.io/service-account-token 3 2d15hkube-proxy-token-tfljg kubernetes.io/service-account-token 3 2d15hnamespace-controller-token-cqf85 kubernetes.io/service-account-token 3 2d15hnode-controller-token-hlfq7 kubernetes.io/service-account-token 3 2d15hpersistent-volume-binder-token-s5l7q kubernetes.io/service-account-token 3 2d15hpod-garbage-collector-token-2bxvk kubernetes.io/service-account-token 3 2d15hpv-protection-controller-token-knqrm kubernetes.io/service-account-token 3 2d15hpvc-protection-controller-token-h25mp kubernetes.io/service-account-token 3 2d15hreplicaset-controller-token-vd8x7 kubernetes.io/service-account-token 3 2d15hreplication-controller-token-2zq5m kubernetes.io/service-account-token 3 2d15hresourcequota-controller-token-cxsdh kubernetes.io/service-account-token 3 2d15hroot-ca-cert-publisher-token-65d6b kubernetes.io/service-account-token 3 2d15hservice-account-controller-token-ktjjn kubernetes.io/service-account-token 3 2d15hservice-controller-token-ljjb8 kubernetes.io/service-account-token 3 2d15hstatefulset-controller-token-9c25f kubernetes.io/service-account-token 3 2d15htoken-cleaner-token-lspdd kubernetes.io/service-account-token 3 2d15httl-controller-token-6vv9d kubernetes.io/service-account-token 3 2d15hroot@master:~# k get secret -A -oyaml | kubectl replace -f -secret/default-token-s446z replacedsecret/very-secure replacedsecret/default-token-wt6q2 replacedsecret/default-token-nh879 replacedsecret/attachdetach-controller-token-lgjcx replacedsecret/bootstrap-signer-token-fm96m replacedsecret/bootstrap-token-twmwqd replacedsecret/calico-kube-controllers-token-km9zk replacedsecret/calico-node-token-zjqnp replacedsecret/certificate-controller-token-2n29x replacedsecret/clusterrole-aggregation-controller-token-ws62f replacedsecret/coredns-token-r4r2k replacedsecret/cronjob-controller-token-djsb6 replacedsecret/daemon-set-controller-token-q4zwx replacedsecret/default-token-8lqmr replacedsecret/deployment-controller-token-5ll65 replacedsecret/disruption-controller-token-mptgf replacedsecret/endpoint-controller-token-5x9bl replacedsecret/endpointslice-controller-token-gcjz8 replacedsecret/endpointslicemirroring-controller-token-pbrwx replacedsecret/expand-controller-token-hv5lv replacedsecret/generic-garbage-collector-token-kvdq6 replacedsecret/horizontal-pod-autoscaler-token-z2kw4 replacedsecret/job-controller-token-rzd44 replacedsecret/kube-proxy-token-tfljg replacedsecret/namespace-controller-token-cqf85 replacedsecret/node-controller-token-hlfq7 replacedsecret/persistent-volume-binder-token-s5l7q replacedsecret/pod-garbage-collector-token-2bxvk replacedsecret/pv-protection-controller-token-knqrm replacedsecret/pvc-protection-controller-token-h25mp replacedsecret/replicaset-controller-token-vd8x7 replacedsecret/replication-controller-token-2zq5m replacedsecret/resourcequota-controller-token-cxsdh replacedsecret/root-ca-cert-publisher-token-65d6b replacedsecret/service-account-controller-token-ktjjn replacedsecret/service-controller-token-ljjb8 replacedsecret/statefulset-controller-token-9c25f replacedsecret/token-cleaner-token-lspdd replacedsecret/ttl-controller-token-6vv9d replaced

版权声明:本文内容由网络用户投稿,版权归原作者所有,本站不拥有其著作权,亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容,请联系我们jiasou666@gmail.com 处理,核实后本网站将在24小时内删除侵权内容。

标签:API
上一篇:Kubernetes CKS 2021【4】---Cluster Setup - Secure Ingress
下一篇:Kubernetes CKS 2021【6】---Cluster Setup - CIS Benchmarks
相关文章

 发表评论

暂时没有评论,来抢沙发吧~