Task weight: 7%

Use context: kubectl config use-context workload-prod

There is an existing Secret called database-access in Namespace team-green .

Read the complete Secret content directly from ETCD (using etcdctl ) and store it into /opt/course/11/etcd-secret-content . Write the plain and decoded Secret’s value of key “pass” into /opt/course/11/database-password .

译文

任务权重:7%。

使用环境:kubectl config use-context workload-prod

在命名空间 team-green 中有一个名为 data-access 的现有 Secret。

直接从 ETCD 读取完整的 Secret 内容(使用 etcdctl ),并将其存储到 /opt/course/11/etcd-secret-content 。在/opt/course/11/database-password 中写入纯文本和解码的Secret的密钥 “pass “的值。

解答

进入控制节点,然后检查是否安装了etcdctl

ssh cluster1-controlplane1

etcdctl

查询证书密钥相关的文件

cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep etcd
输出结果
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379 # optional since we're on same node

通过上面的结果进行secret的查询

ETCDCTL_API=3 etcdctl \
--cert /etc/kubernetes/pki/apiserver-etcd-client.crt \
--key /etc/kubernetes/pki/apiserver-etcd-client.key \
--cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/secrets/team-green/database-access

查询路径 /registry/{type}/{namespace}/{name}

把结果写入文件

# /opt/course/11/etcd-secret-content
/registry/secrets/team-green/database-access
k8s

v1Secret

database-access
team-green"*$3e0acd78-709d-4f07-bdac-d5193d0f2aa32bB
0kubectl.kubernetes.io/last-applied-configuration{"apiVersion":"v1","data":{"pass":"Y29uZmlkZW50aWFs"},"kind":"Secret","metadata":{"annotations":{},"name":"database-access","namespace":"team-green"}}
z
kubectl-client-side-applyUpdatevFieldsV1:
{"f:data":{".":{},"f:pass":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:type":{}}
pass
    confidentialOpaque"

解码pass的值并写入文件

echo Y29uZmlkZW50aWFs | base64 -d > /opt/course/11/database-password