MCP HubMCP Hub
返回技能列表

manage-kubernetes-secrets

pjt222
更新于 2 days ago
15 次查看
17
2
17
在 GitHub 上查看
开发aiapi

关于

This skill implements secure secrets management for Kubernetes applications using SealedSecrets for GitOps workflows and External Secrets Operator for cloud integrations. It handles sensitive data like TLS certificates and API keys with encryption at rest, RBAC controls, and rotation strategies. Use it when version-controlling secrets in Git, integrating with AWS Secrets Manager/Azure Key Vault, or migrating from plaintext Kubernetes Secrets.

快速安装

Claude Code

推荐
主要方式
npx skills add pjt222/agent-almanac -a claude-code
插件命令备选方式
/plugin add https://github.com/pjt222/agent-almanac
Git 克隆备选方式
git clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/manage-kubernetes-secrets

在 Claude Code 中复制并粘贴此命令以安装该技能

技能文档

管 Kubernetes 密

以 SealedSecrets 於 GitOps、External Secrets Operator 於雲密管、並旋換之略施產線級 Kubernetes 密管,加密於靜、RBAC 之控。

用時

  • 為 Kubernetes 應存敏感配置(API 鍵、密碼、詞元)
  • 施 GitOps 工作流,密須入版本控制
  • 合 Kubernetes 於 AWS Secrets Manager、Azure Key Vault、GCP Secret Manager
  • 旋憑證與證書,應無停機
  • 施最小特權之密訪,跨名空間與團隊
  • 自明文 Secret 遷至加密或外管之解

  • 必要:具管訪之 Kubernetes 叢集
  • 必要:欲管之密(資料庫憑、API 鍵、TLS 證書)
  • 可選:雲密管(AWS Secrets Manager、Azure Key Vault、GCP Secret Manager)
  • 可選:為 TLS 證書生成之證書機構
  • 可選:SealedSecrets 用之 GitOps 倉
  • 可選:靜加密用之 key management service (KMS)

完整配置檔案與樣板,見 Extended Examples

第一步:啟 Kubernetes Secret 之靜加密

以 KMS 或本地加密為 Secret 設靜加密。

# For AWS EKS, enable secrets encryption with KMS
cat > encryption-config.yaml <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: $(head -c 32 /dev/urandom | base64)
      - identity: {}
EOF

# For self-hosted clusters, configure API server
# Add to kube-apiserver flags:
# --encryption-provider-config=/etc/kubernetes/encryption-config.yaml

# Verify encryption status
kubectl get secrets -A -o json | jq '.items[] | select(.metadata.name != "default-token") | .metadata.name'

# Encrypt existing secrets by reading and rewriting
kubectl get secrets --all-namespaces -o json | kubectl replace -f -

# Verify a secret is encrypted at rest
# Check etcd directly (requires etcd access)
ETCDCTL_API=3 etcdctl get /registry/secrets/default/my-secret --print-value-only | hexdump -C

雲管之 Kubernetes:

# AWS EKS - Create KMS key
aws kms create-key --description "EKS secrets encryption"
KMS_KEY_ARN=$(aws kms describe-key --key-id alias/eks-secrets --query 'KeyMetadata.Arn' --output text)

# Enable encryption on EKS cluster
aws eks associate-encryption-config \
  --cluster-name my-cluster \
  --encryption-config "resources=secrets,provider={keyArn=$KMS_KEY_ARN}"

# GKE - Enable application-layer secrets encryption
gcloud container clusters update my-cluster \
  --database-encryption-key projects/PROJECT_ID/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME

# AKS - Encryption enabled by default with platform-managed keys
# Optionally use customer-managed keys
az aks update \
  --name my-cluster \
  --resource-group my-rg \
  --enable-azure-keyvault-secrets-provider

**得:**Secret 於 etcd 靜加密。Hexdump 顯加密之資,非明文。雲管叢集之 KMS 合已設。既 Secret 之重加密無誤而成。

**敗則:**API 伺啟動敗,驗 encryption-config.yaml 之語法與鍵格(須 base64 編 32 位之鍵)。KMS 誤者,察 IAM 權限容 kms:Decrypt 與 kms:Encrypt。etcd 訪疑者,以備/復之規復加密誤配者。

第二步:裝並設 Sealed Secrets 以 GitOps

佈 Bitnami Sealed Secrets 控制器以加密密為 Git 存。

# Install Sealed Secrets controller
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml

# Verify controller is running
kubectl get pods -n kube-system -l name=sealed-secrets-controller

# Install kubeseal CLI
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/kubeseal-0.24.0-linux-amd64.tar.gz
tar xfz kubeseal-0.24.0-linux-amd64.tar.gz
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

# Fetch public key for offline sealing
kubeseal --fetch-cert \
  --controller-namespace=kube-system \
  --controller-name=sealed-secrets-controller \
  > pub-cert.pem

# Create a regular Secret (NOT applied to cluster yet)
kubectl create secret generic mysecret \
  --from-literal=username=admin \
  --from-literal=password='sup3rs3cr3t!' \
  --dry-run=client \
  -o yaml > mysecret.yaml

# Seal the secret
kubeseal --format=yaml --cert=pub-cert.pem < mysecret.yaml > mysealedsecret.yaml

# Inspect sealed secret (safe to commit to Git)
cat mysealedsecret.yaml

封之密似此:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: default
spec:
  encryptedData:
    username: AgA8V7f3q2... (encrypted data)
    password: AgBkXp9n1h... (encrypted data)
  template:
    metadata:
      name: mysecret
      namespace: default

施並驗:

# Apply sealed secret to cluster
kubectl apply -f mysealedsecret.yaml

# Verify regular Secret was created automatically
kubectl get secret mysecret -o yaml

# Decode secret to verify values
kubectl get secret mysecret -o jsonpath='{.data.username}' | base64 -d

# Commit sealed secret to Git (safe, encrypted)
git add mysealedsecret.yaml
git commit -m "Add database credentials as sealed secret"

**得:**Sealed Secrets 控制器運於 kube-system 名空間。公證已取。Kubeseal 以公鍵加密 Secret。Sealed Secret 施於叢集時自動建解密 Secret。唯控制器可解密(有私鍵)。

**敗則:**加密誤者,驗控制器運行而 pub-cert.pem 有效。解密敗者,以 kubectl logs -n kube-system -l name=sealed-secrets-controller 察控制器日誌。名空間不合誤者,封密預設為名空間作用域;跨名空間者用 --scope cluster-wide。私鍵失則封密不可解;以 kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-backup.yaml 備控制器鍵。

第三步:佈 External Secrets Operator 以雲密管

合 Kubernetes 於 AWS Secrets Manager、Azure Key Vault、或 GCP Secret Manager。

# Install External Secrets Operator via Helm
helm repo add external-secrets https://charts.external-secrets.io
helm repo update

helm install external-secrets \
  external-secrets/external-secrets \
  --namespace external-secrets-system \
  --create-namespace

# Verify operator is running
kubectl get pods -n external-secrets-system

# Create IAM role for AWS Secrets Manager (EKS with IRSA)
cat > trust-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/oidc.eks.REGION.amazonaws.com/id/OIDC_ID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.REGION.amazonaws.com/id/OIDC_ID:sub": "system:serviceaccount:default:external-secrets-sa"
        }
      }
    }
  ]
}
EOF

aws iam create-role \
  --role-name external-secrets-role \
  --assume-role-policy-document file://trust-policy.json

aws iam attach-role-policy \
  --role-name external-secrets-role \
  --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite

# Create SecretStore referencing AWS Secrets Manager
cat <<EOF | kubectl apply -f -
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secretsmanager
  namespace: default
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-sa
  namespace: default
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/external-secrets-role
EOF

# Create secret in AWS Secrets Manager
aws secretsmanager create-secret \
  --name myapp/database \
  --secret-string '{
    "username":"dbadmin",
    "password":"dbpass123",
    "endpoint":"db.example.com:5432",
    "database":"myapp"
  }'

# Create ExternalSecret to sync from AWS
cat <<EOF | kubectl apply -f -
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: myapp-database
  namespace: default
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secretsmanager
    kind: SecretStore
  target:
    name: myapp-db-secret
    creationPolicy: Owner
  data:
  - secretKey: username
    remoteRef:
      key: myapp/database
      property: username
  - secretKey: password
    remoteRef:
      key: myapp/database
      property: password
  - secretKey: endpoint
    remoteRef:
      key: myapp/database
      property: endpoint
EOF

# Verify ExternalSecret synced
kubectl get externalsecret myapp-database
kubectl get secret myapp-db-secret -o yaml

# Check synchronization status
kubectl describe externalsecret myapp-database

Azure Key Vault 者:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-keyvault
  namespace: default
spec:
  provider:
    azurekv:
      authType: ManagedIdentity
      vaultUrl: "https://my-keyvault.vault.azure.net"
      tenantId: "tenant-id"

**得:**External Secrets Operator 運。SecretStore 以雲供應商憑設。ExternalSecret 資源自雲密管拉而自動建 Kubernetes Secret。Secret 每時刷。雲密管之變播至叢集。

**敗則:**認證誤者,驗 IAM 角色/服務帳戶註與信任政策容 assume role。同步敗者,以 kubectl describe externalsecret 察 ExternalSecret 之態。雲中缺密者,驗密名與 JSON 屬性路徑合。以 aws secretsmanager get-secret-value --secret-id myapp/database 試 AWS 憑。

第四步:以 cert-manager 施證書管

以 cert-manager 自化 TLS 證書之配與續。

# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml

# Verify installation
kubectl get pods -n cert-manager

# ... (see EXAMPLES.md for complete configuration)

入口註式之證書發:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
# ... (see EXAMPLES.md for complete configuration)

**得:**cert-manager 自 Let's Encrypt 得證書。TLS 密建,具有效證書與私鍵。證書於過期前自續。入口用證書為 HTTPS 終止。

**敗則:**ACME 挑戰敗者,http01 驗 DNS 指入口 LoadBalancer IP,dns01 驗 Route53 IAM 權限。速限誤者,試用 letsencrypt-staging 發行者。續敗者,以 kubectl logs -n cert-manager deployment/cert-manager 察 cert-manager 日誌。以 curl -v https://myapp.example.com 試證書。

第五步:施密旋策

以版管與應重啟自化密旋。

# Enable automatic Pod restarts on Secret changes with Reloader
kubectl apply -f https://raw.githubusercontent.com/stakater/Reloader/master/deployments/kubernetes/reloader.yaml

# Annotate Deployment to watch Secrets
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
# ... (see EXAMPLES.md for complete configuration)

驗旋工作流:

# Manually trigger rotation
kubectl create job --from=cronjob/secret-rotation manual-rotation-$(date +%s)

# Watch for Secret update
kubectl get secret myapp-db-secret -w

# Verify Reloader triggered Pod restart
kubectl get events --sort-by='.lastTimestamp' | grep Reloader

# Check new Pods are using updated secret
kubectl get pods -l app=myapp
kubectl exec -it <pod-name> -- env | grep DB_PASSWORD

**得:**Reloader 察 Secret/ConfigMap 並於變時重啟 Pod。密旋更 AWS Secrets Manager,External Secrets Operator 同至 Kubernetes,Reloader 觸滾動重啟。應無手介而取新憑。

**敗則:**Reloader 未觸者,驗註之語與 Reloader 運以 kubectl get pods -n default -l app=reloader-reloader。External Secrets 同延者,減 refreshInterval 或以 kubectl annotate externalsecret myapp-database force-sync="$(date +%s)" --overwrite 手觸。旋中應連敗者,於應碼施優雅密重載或以連池附重試邏輯。

第六步:以 RBAC 施密訪控

以 Kubernetes RBAC 以最小特權之則限密訪。

# Create namespace for sensitive workloads
apiVersion: v1
kind: Namespace
metadata:
  name: production
---
# ... (see EXAMPLES.md for complete configuration)

試 RBAC:

# Apply RBAC resources
kubectl apply -f rbac.yaml

# Test as application service account
kubectl auth can-i get secret myapp-db-secret --as=system:serviceaccount:production:myapp -n production
# Should return "yes"
# ... (see EXAMPLES.md for complete configuration)

**得:**服務帳戶經 resourceNames 僅讀特定密。開發者不可察產線名空間之密。唯 secret-admins 群可建/更/刪密。RBAC 拒記於審計日誌。

**敗則:**訪拒誤者,驗 RoleBinding 之主體配 ServiceAccount 名與名空間。權限過廣者,除萬用動詞並加 resourceNames 限。審計日誌隙者,於 API 伺器層啟 Kubernetes 審計日誌。佈變前以 kubectl auth can-i 試。

  • Secret 於 etcd 靜加密(以 etcdctl 或 KMS 驗)
  • Sealed Secrets 控制器運而公證已取
  • External Secrets Operator 自雲密管同步
  • TLS 證書由 cert-manager 發且自續
  • 密旋經 Reloader 自動化,附應重啟
  • RBAC 政策施最小特權之密訪
  • 無明文密於 Git 倉或容器鏡像
  • sealed-secrets 私鍵之備/復規已試
  • 密同步敗與過期之監告已設

  • Git 史中之密:提交明文密後除之不清 Git 史。用 git-filter-repo 或 BFG 重寫史,旋洩露之密

  • RBAC 過廣:於名空間諸密准 get secrets。用 resourceNames 僅限特定密之訪

  • 無旋策:密永不旋,增洩之爆半徑。以 External Secrets Operator 或 CronJob 施自動旋

  • 缺靜加密:密以明文存於 etcd。存敏資前啟加密供應商或 KMS 合

  • 應快取密:應啟時讀密一次而永不重載。施信號處(SIGHUP)或檔察於密檔之變

  • External Secrets 刷過慢:預設 1 小時刷意密變傳播需時至一小時。為關鍵密降 refreshInterval,用 webhook 為即更

  • sealed-secrets 鍵無備:控制器私鍵失則諸封密不可復。以 kubectl get secret -n kube-system sealed-secrets-key -o yaml > backup.yaml 備並安存

  • 證書續敗:cert-manager 因 DNS/防火牆之變不能續。以 Prometheus 指標與告監證書過期

  • deploy-to-kubernetes — 於 Deployment 與 StatefulSet 中用密
  • enforce-policy-as-code — 密訪驗之 OPA 政策
  • security-audit-codebase — 察應碼中之硬碼密
  • configure-ingress-networking — 入口資源中 TLS 證書之用
  • implement-gitops-workflow — ArgoCD/Flux 管線中之 Sealed Secrets

GitHub 仓库

pjt222/agent-almanac
路径: i18n/wenyan/skills/manage-kubernetes-secrets
0
agentsagentskillsai-assisted-developmentclaude-codeskillsteams

相关推荐技能

qmd

开发

这是一个本地搜索和索引的CLI工具,支持BM25、向量搜索和重排序功能。开发者可以用它快速索引本地文件(如Markdown文档)并进行混合搜索,特别适合代码库或文档的本地检索。它还提供MCP模式,能轻松集成到Claude开发环境中使用。

查看技能

subagent-driven-development

开发

该Skill用于在当前会话中执行包含独立任务的实施计划,它会为每个任务分派一个全新的子代理并在任务间进行代码审查。这种"全新子代理+任务间审查"的模式既能保障代码质量,又能实现快速迭代。适合需要在当前会话中连续执行独立任务,并希望在每个任务后都有质量把关的开发场景。

查看技能

mcporter

开发

mcporter Skill 让开发者能在Claude中直接管理和调用MCP服务器。它支持列出可用服务器、调用工具、处理OAuth认证以及管理服务器守护进程。开发者可以通过命令行式交互快速执行`mcporter list`查看服务器,或使用`mcporter call`直接调用工具,简化了MCP工作流程。

查看技能

adk-deployment-specialist

开发

这是一个用于部署和编排Google Vertex AI ADK智能体的Claude Skill,专为构建生产级多智能体系统而设计。它支持通过A2A协议进行智能体通信,提供代码执行沙箱和记忆库功能,并能处理智能体发现与任务提交。当开发者需要部署ADK智能体或编排多智能体协作时,可使用此Skill来简化Vertex AI Agent Engine的部署流程。

查看技能