Task weight: 7%
Use context: kubectl config use-context workload-prod
There is an existing Secret called database-access in Namespace team-green.
Read the complete Secret content directly from ETCD (using etcdctl) and store it into /opt/course/11/etcd-secret-content. Write the plain and decoded Secret's value of key "pass" into /opt/course/11/database-password.
Solution
Log in to the control plane node, then check whether etcdctl is installed:
ssh cluster1-controlplane1
etcdctl
Find the certificate and key files the API server uses to talk to etcd:
cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep etcd
Output:
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379 # optional since we're on same node
Use the values from the output above to query the Secret:
ETCDCTL_API=3 etcdctl \
--cert /etc/kubernetes/pki/apiserver-etcd-client.crt \
--key /etc/kubernetes/pki/apiserver-etcd-client.key \
--cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/secrets/team-green/database-access
The etcd key path has the form /registry/{type}/{namespace}/{name}
Write the result to the file:
# /opt/course/11/etcd-secret-content
/registry/secrets/team-green/database-access
k8s
v1Secret
database-access
team-green"*$3e0acd78-709d-4f07-bdac-d5193d0f2aa32bB
0kubectl.kubernetes.io/last-applied-configuration{"apiVersion":"v1","data":{"pass":"Y29uZmlkZW50aWFs"},"kind":"Secret","metadata":{"annotations":{},"name":"database-access","namespace":"team-green"}}
z
kubectl-client-side-applyUpdatevFieldsV1:
{"f:data":{".":{},"f:pass":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:type":{}}
pass
confidentialOpaque"
Decode the value of pass and write it to the file:
echo Y29uZmlkZW50aWFs | base64 -d > /opt/course/11/database-password
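The steps above combined into shell helpers, as an added example that is not part of the original solution. The function names are hypothetical, and the sample files are constructed from the output shown on this page so the demo runs without a cluster.

```shell
#!/bin/sh
# Added example; function names are hypothetical helpers, not part of any tool.

# Translate the kube-apiserver --etcd-* flags in a manifest into etcdctl TLS flags.
etcdctl_tls_flags() {  # $1 = kube-apiserver manifest
  sed -n \
    -e 's/^ *- --etcd-cafile=\([^ ]*\).*/--cacert \1/p' \
    -e 's/^ *- --etcd-certfile=\([^ ]*\).*/--cert \1/p' \
    -e 's/^ *- --etcd-keyfile=\([^ ]*\).*/--key \1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# etcd key of a namespaced object: /registry/{type}/{namespace}/{name}
etcd_key() { printf '/registry/%s/%s/%s\n' "$1" "$2" "$3"; }

# Read the raw object from etcd into a file only the current user can read.
dump_from_etcd() {  # $1 = type, $2 = namespace, $3 = name, $4 = output file
  # The command substitution is unquoted on purpose so the flags split into arguments.
  ( umask 077
    ETCDCTL_API=3 etcdctl $(etcdctl_tls_flags /etc/kubernetes/manifests/kube-apiserver.yaml) \
      get "$(etcd_key "$1" "$2" "$3")" > "$4" )
}

# Decode one data key from the last-applied-configuration JSON inside a dump.
# Works only when that annotation is present (object created with kubectl apply).
secret_value_from_dump() {  # $1 = dump file, $2 = data key
  b64=$(grep -a -o "\"$2\":\"[A-Za-z0-9+/=]*\"" "$1" | head -n 1 | cut -d'"' -f4)
  [ -n "$b64" ] || return 1
  printf '%s' "$b64" | base64 -d
}

# Offline demo on constructed sample files that mirror the output shown above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/kube-apiserver.yaml" <<'EOF'
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
EOF
printf '%s\n' '/registry/secrets/team-green/database-access' \
  '0kubectl.kubernetes.io/last-applied-configuration{"apiVersion":"v1","data":{"pass":"Y29uZmlkZW50aWFs"},"kind":"Secret"}' \
  > "$demo_dir/etcd-secret-content"
etcdctl_tls_flags "$demo_dir/kube-apiserver.yaml"; echo
secret_value_from_dump "$demo_dir/etcd-secret-content" pass; echo
```

On the control plane node, dump_from_etcd secrets team-green database-access /opt/course/11/etcd-secret-content performs the real read; the umask keeps the dump, which holds the Secret in readable form, from being world-readable.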