Clone a secure git repo in Kubernetes pod

Problem description

I've run into an interesting situation where I need to clone a private github repo into a docker container that I'm running in Kubernetes. Originally I tried using a gitRepo mount, however, having an OAuth key in my deployment manifest is unacceptable and I would like to use a repo deploy key rather than an OAuth key attached to my GitHub account.

Ideally I would use a gitRepo mount that auths using a secret, but this feature isn't available at the time of writing.

I need the following:

  • A repo inside the container that can be pulled intermittently while the container is running
  • The repo must be accessed using a GitHub deploy key
  • The key must stay secure (in a Kubernetes secret) and must not be stored in the Docker image
  • The repo must be shared between two containers in the same pod: one container writes to it while the other reads from it

I tried cloning the repo into an emptydir with a bash script running in a separate pod (this script has to run anyway, I'm using it for other things as well), however I then ran into the issue of getting ssh keys into the pod. This question is about this issue, however it doesn't seem to have a way to do it. I was able to get the keys in with a secret mount, but then the permissions are set to 777. To get around this, I mounted the keys into a /test/ directory and then tried to cp them into /root/.ssh/. This gave me these strange errors:

cp: '/test/id_rsa' and '/root/.ssh/id_rsa' are the same file
cp: '/test/id_rsa.pub' and '/root/.ssh/id_rsa.pub' are the same file

I also tried using cat and piping them to their files but that didn't work. At first it gave me these errors when I had the paths wrong:

cat: /keys/id_rsa: input file is output file
cat: /keys/id_rsa.pub: input file is output file

Once I fixed the paths, it did nothing and silently failed. kubectl execing into the container showed no files in /root/.ssh/.

I think I've pretty much reached the bottom of this path so I don't think it will be the solution.

If SSH has a way to ignore the permissions on keys—by default it enforces 644 or less I believe—then the above solution could be possible. I'm surprised I haven't found any ways to do this, but my google-fu always turned up results saying that you just have to set the permissions properly.

Ideally, I would like to have a key in the container for potential future expansions of this project using other repos. There could be some other way of doing this that I haven't thought of or tried.

I've thought about trying to use an OAuth key in an environment variable and then using that to clone the repo by HTTPS. This is less than ideal but if it works I'll take it. The only thing preventing me from doing this now is that I can't use a deploy key. If there is a way to use OAuth with a deploy key, I haven't found it yet but it could be the solution if someone knows more.

There isn't anything in the repo that I would be uncomfortable having in the docker image so I could go this route. The problem with this is that I need to be able to pull down updates to the repo. If I put it in the container, I won't be able to pull without my keys. There could be some workaround to this that I haven't tried.

I'm at the point where I feel like I have nothing left to try so any suggestions could be worth a shot.

This question is very similar to what I'm trying to do, however I feel that since they aren't using Kubernetes and I am, it's worth posting separately because of secrets and the different methods of mounting files.

This question talks about getting SSH keys into containers in Kubernetes, however I'm not dead-set on using git over SSH so I think this should be its own question.

Recommended answer

Try to mount your secret containing your deploy key like this:

volumeMounts:
  - mountPath: /root/.ssh
    name: ssh-key
volumes:
- name: ssh-key
  secret:
    secretName: ssh-key
    defaultMode: 256

Here is the full example of how I'm using it:

apiVersion: batch/v2alpha1
kind: ScheduledJob
metadata:
  name: transporter
spec:
  schedule: 0 5 * * *
  jobTemplate:
    spec:
      template:
        spec:
          nodeSelector:
            role: mysqldump
          containers:
          - name: transporter
            image: camil/mysqldump
            command: ["/bin/bash", "-c"]
            args:
              - ssh-keyscan -t rsa $TARGET_HOST > ~/.ssh/known_hosts && ssh -i /root/.ssh/private/id_rsa $LINUX_USER@$TARGET_HOST 'mkdir mysqldump || true' && scp -i /root/.ssh/private/id_rsa /mysqldump/* $LINUX_USER@$TARGET_HOST:/home/$LINUX_USER/mysqldump
            env:
              - name: TARGET_HOST
                valueFrom:
                  configMapKeyRef:
                    name: transporter
                    key: target.host
              - name: LINUX_USER
                valueFrom:
                  configMapKeyRef:
                    name: transporter
                    key: linux.user
            imagePullPolicy: Always
            volumeMounts:
              - mountPath: /mysqldump
                name: mysqldump
              - mountPath: /root/.ssh/private
                name: ssh-key
          volumes:
            - name: mysqldump
              hostPath:
                path: /home/core/mysqldump
            - name: ssh-key
              secret:
                secretName: ssh-key
                defaultMode: 256
          restartPolicy: OnFailure
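
The manifest above mounts the key with defaultMode: 256 (decimal for octal 0400) and fetches the host key with ssh-keyscan at run time. As an added example that is not from the question or the answer, the following script applies the same mount to the git-clone case the question asks about: it refuses to run unless the mounted key really has owner-only permissions, pins the server's host key from a mounted file (a hypothetical /etc/git-hostkeys/known_hosts, for instance from a ConfigMap) instead of trusting whatever answers ssh-keyscan, and clones on the first run or fast-forwards on later runs.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. Assumes the
# deploy key is mounted from a Secret at /root/.ssh/private/id_rsa with
# defaultMode: 256 (decimal 256 == octal 0400), as in the answer's manifest,
# and that the git server's host key is provided in a mounted file
# (hypothetical path /etc/git-hostkeys/known_hosts) rather than fetched with
# ssh-keyscan at run time.

KEY_FILE="${KEY_FILE:-/root/.ssh/private/id_rsa}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/git-hostkeys/known_hosts}"

# Print a file's permission bits in octal (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only when the key is readable by its owner alone (0400 or 0600),
# which is what ssh itself insists on before it will use a private key.
key_mode_ok() {
    case "$(file_mode "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Build the ssh command git should use: only the mounted key, a pinned
# known_hosts file and strict host-key checking, so a host whose key does
# not match the pinned one is rejected instead of silently accepted.
git_ssh_command() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes' "$1" "$2"
}

# Clone on the first run, then fetch and fast-forward on later runs, so the
# same script can be invoked periodically inside the container.
sync_repo() {
    repo_url="$1"
    dest="$2"
    key_mode_ok "$KEY_FILE" || {
        echo "refusing to use $KEY_FILE: mode is $(file_mode "$KEY_FILE"), expected 400 or 600" >&2
        return 1
    }
    GIT_SSH_COMMAND="$(git_ssh_command "$KEY_FILE" "$KNOWN_HOSTS")"
    export GIT_SSH_COMMAND
    if [ -d "$dest/.git" ]; then
        git -C "$dest" pull --ff-only
    else
        git clone "$repo_url" "$dest"
    fi
}
```

Because a Secret volume is read-only, the known_hosts file has to come from its own mount rather than be written under /root/.ssh at run time, which is also why the answer's manifest mounts the key in a subdirectory.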
