Secrets_volumes
Secrets
Secrets provide a way in Kubernetes to distribute credentials, keys, passwords, or
other secret data to the pods.
Kubernetes itself uses Secrets as the mechanism to give every pod the credentials
(service account token and CA certificate) it needs to access the internal API.
You can use the same mechanism to provide secrets to your application.
Secrets are one way to provide secrets, native to Kubernetes.
- There are other ways your container can get its secrets if you don't want to
use Secrets (e.g. fetching them from an external vault service in your app).
Note: the values in a Secret are only base64-encoded, not encrypted. Anyone who can
read Secrets in the namespace (kubectl get secret -o yaml) or read etcd recovers them,
so restrict RBAC on Secrets and enable encryption at rest for etcd.
Secrets can be used as:
- environment variables
-- simple, but environment variables are inherited by every child process and tend to
end up in crash dumps and application logs
- a file in a pod
-- this setup uses a volume that is mounted in a container
-- in this volume you get one file per key of the Secret
-- can be used for instance for dotenv files, or your app can just read the file
- an image pulled from a private registry that already contains the secrets
-- not recommended: anyone who can pull the image can extract them from its layers
To generate a secret from files:
kubectl create secret generic <name> --from-file=name.txt
Each file becomes one key of the Secret; the key defaults to the file name, or use
key=path to set it explicitly.
SSH key or SSL certificate:
kubectl create secret generic ssl-certificate --from-file=ssh-privatekey=~/.ssh/id_rsa --from-file=ssl-cert=mysslcert.crt
Secrets using yaml definitions
1. Create the yaml file.
2. Use a base64 encoder to change the values to base64 (every value under data: must be
base64; alternatively put plain values under stringData: and the API server encodes them).
3. Then deploy using kubectl create -f secrets-db-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: helloworld-secrets
type: Opaque
data:
  username: aGVsbG93b3JsZA==
  password: cGFzc3dvcmQ=
  rootPassword: cm9vdHBhc3N3b3Jk
  database: aGVsbG93b3JsZA==
To create the base64 values (the -n matters: without it echo appends a newline, and the
newline becomes part of the secret):
echo -n "helloworld" | base64
>aGVsbG93b3JsZA==
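The script below is an added example, not part of these notes or of kubectl. It does in Python what the kubectl --from-file command and the three yaml steps above do by hand: it builds an Opaque Secret manifest from plain values or from files, decodes it again to show that base64 hides nothing, and audits the values for the two classic mistakes (a trailing newline from echo without -n, and invalid base64). kubectl create -f accepts JSON as well as YAML, so json.dumps() of the returned dict can be applied directly. The function names and sample values are assumptions made for the example.

```python
import base64
import json
from pathlib import Path
from typing import Dict, List

# Added example; function names and sample values are assumptions, not course material.


def b64(value: bytes) -> str:
    """Encode exactly the given bytes (no added newline) as standard base64."""
    return base64.b64encode(value).decode("ascii")


def secret_from_values(name: str, values: Dict[str, bytes], namespace: str = "default") -> dict:
    """Build an Opaque Secret manifest, the same shape `kubectl create secret generic` produces."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: b64(value) for key, value in values.items()},
    }


def secret_from_files(name: str, files: Dict[str, str]) -> dict:
    """Equivalent of --from-file=key=path: read raw bytes so keys and certificates survive untouched."""
    return secret_from_values(name, {key: Path(path).read_bytes() for key, path in files.items()})


def decode_secret(manifest: dict) -> Dict[str, bytes]:
    """base64 is an encoding, not encryption: anyone who can read the manifest,
    `kubectl get secret -o yaml`, or etcd gets the plaintext back with one call."""
    return {key: base64.b64decode(value) for key, value in manifest.get("data", {}).items()}


def audit_secret(manifest: dict) -> List[str]:
    """Flag hand-encoding mistakes before the Secret is applied."""
    findings: List[str] = []
    for key, encoded in manifest.get("data", {}).items():
        try:
            raw = base64.b64decode(encoded, validate=True)   # reject stray characters
        except ValueError:                                   # binascii.Error is a ValueError
            findings.append(f"{key}: value is not valid base64")
            continue
        if not raw:
            findings.append(f"{key}: empty value")
        if raw.endswith(b"\n"):
            findings.append(f"{key}: decoded value ends with a newline (encode with echo -n or printf)")
    return findings


if __name__ == "__main__":
    manifest = secret_from_values("db-secrets", {"username": b"root", "password": b"password"})
    print(json.dumps(manifest, indent=2))        # pipe into: kubectl create -f -
    print(decode_secret(manifest))               # plaintext is trivially recoverable
    print(audit_secret({"data": {"password": "cGFzc3dvcmQK"}}))  # encoded with plain echo
```

audit_secret() is the check worth running in CI on every Secret manifest in a repository; a trailing newline in a database password produces an "access denied" that is very hard to trace back to the echo that caused it.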
To use:
1. Create a pod that exposes the secrets as environment variables. The name under
secretKeyRef must match the Secret's metadata.name, and the key must exist in it.
apiVersion: v1
kind: Pod
metadata:
  name: nodehelloworld.example.com
  labels:
    app: helloworld
spec:
  containers:
  - name: k8s-demo
    image: wardviaene/k8s-demo
    ports:
    - name: nodejs-port
      containerPort: 3000
    # the env section below is what is added to the earlier pod definition
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: db-secrets
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-secrets
          key: password
2. Or you can put the secrets in a file. Each key of the Secret becomes one file under
mountPath; readOnly: true prevents the application from modifying or deleting them.
apiVersion: v1
kind: Pod
metadata:
  name: nodehelloworld.example.com
  labels:
    app: helloworld
spec:
  containers:
  - name: k8s-demo
    image: wardviaene/k8s-demo
    ports:
    - name: nodejs-port
      containerPort: 3000
    # the volumeMounts and volumes sections below are what is added
    volumeMounts:
    - name: credvolume
      mountPath: /etc/creds
      readOnly: true
  volumes:
  - name: credvolume
    secret:
      secretName: db-secrets
DEMO: Credentials using Volumes
cat deployment/helloworld-secrets.yml
apiVersion: v1
kind: Secret
metadata:
  name: db-secrets
type: Opaque
data:
  username: cm9vdA==
  password: cGFzc3dvcmQ=
kubectl create -f deployment/helloworld-secrets.yml
secret "db-secrets" created
cat deployment/helloworld-secrets-volumes.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
    spec:
      containers:
      - name: k8s-demo
        image: wardviaene/k8s-demo
        ports:
        - name: nodejs-port
          containerPort: 3000
        volumeMounts:
        - name: cred-volume
          mountPath: /etc/creds
          readOnly: true
      volumes:
      - name: cred-volume
        secret:
          secretName: db-secrets
(The original demo used apiVersion: extensions/v1beta1, which was removed in Kubernetes
1.16; apps/v1 additionally requires the selector shown above.)
kubectl create -f deployment/helloworld-secrets-volumes.yml
deployment "helloworld-deployment" created
kubectl get pods
NAME READY STATUS RESTARTS AGE
helloworld-deployment-d9ff6d944-9tmtp 1/1 Running 0 1m
helloworld-deployment-d9ff6d944-czvtt 1/1 Running 0 1m
helloworld-deployment-d9ff6d944-mq4dz 1/1 Running 0 1m
nodehelloworld.example.com 1/1 Running 0 4d
kubectl describe pod helloworld-deployment-d9ff6d944-9tmtp
Name: helloworld-deployment-d9ff6d944-9tmtp
Namespace: default
Node: minikube/192.168.99.100
Start Time: Wed, 27 Dec 2017 21:46:15 -0500
Labels: app=helloworld
pod-template-hash=859928500
Annotations: kubernetes.io/created-by={"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicaSet","namespace":"default","name":"helloworld-deployment-d9ff6d944","uid":"462821c3-eb79-11e7-9ced-...
Status: Running
IP: 172.17.0.4
Created By: ReplicaSet/helloworld-deployment-d9ff6d944
Controlled By: ReplicaSet/helloworld-deployment-d9ff6d944
Containers:
k8s-demo:
Container ID: docker://40c996ef2c6e31435409d4ee6c65e704feab76017bd882550c83b3e049183304
Image: wardviaene/k8s-demo
Image ID: docker-pullable://wardviaene/k8s-demo@sha256:2c050f462f5d0b3a6430e7869bcdfe6ac48a447a89da79a56d0ef61460c7ab9e
Port: 3000/TCP
State: Running
Started: Wed, 27 Dec 2017 21:46:22 -0500
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/etc/creds from cred-volume (ro)
/var/run/secrets/kubernetes.io/serviceaccount from default-token-n9twd (ro)
Conditions:
Type Status
Initialized True
Ready True
PodScheduled True
Volumes:
cred-volume:
Type: Secret (a volume populated by a Secret)
SecretName: db-secrets
Optional: false
default-token-n9twd:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-n9twd
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: <none>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 2m default-scheduler Successfully assigned helloworld-deployment-d9ff6d944-9tmtp to minikube
Normal SuccessfulMountVolume 2m kubelet, minikube MountVolume.SetUp succeeded for volume "cred-volume"
Normal SuccessfulMountVolume 2m kubelet, minikube MountVolume.SetUp succeeded for volume "default-token-n9twd"
Normal Pulling 2m kubelet, minikube pulling image "wardviaene/k8s-demo"
Normal Pulled 2m kubelet, minikube Successfully pulled image "wardviaene/k8s-demo"
Normal Created 2m kubelet, minikube Created container
Normal Started 2m kubelet, minikube Started container
The important part of the describe output is Mounts:
/etc/creds from cred-volume (ro)
/var/run/secrets/kubernetes.io/serviceaccount from default-token-n9twd (ro)
Open a shell in the pod and read the mounted file:
kubectl exec -it helloworld-deployment-d9ff6d944-9tmtp -- /bin/bash
root@helloworld-deployment-d9ff6d944-9tmtp:/app# cat /etc/creds/username
rootroot@helloworld-deployment-d9ff6d944-9tmtp:/app#
(The file contains exactly "root" with no trailing newline, because the value was encoded
with echo -n, so the prompt is printed right after it.)
mount
overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/PBMVQKVPK3MOSOMOJXIUR2MBJW:/var/lib/docker/overlay2/l/UHA6R6MYEFEBDVUTJDIMR2AR4D:/var/lib/docker/overlay2/l/AR2FCPYW4BRA5SXMWVIE3ZCHNM:/var/lib/docker/overlay2/l/FSZSP2T37NI27FU4KP56ZZ7ED2:/var/lib/docker/overlay2/l/GJHOSVMPSITALNPGUXOQMUBJC3:/var/lib/docker/overlay2/l/L5ZJHWLGCQXWW7SYISRNDBLDKP:/var/lib/docker/overlay2/l/DQIKHFTUQCYZI45TJVF4VB5ZJC:/var/lib/docker/overlay2/l/2VNUJV6DL6AFCYZGS7MIHRPIQZ:/var/lib/docker/overlay2/l/MKQYRWGKPB7S23AMOISNU4JZGQ:/var/lib/docker/overlay2/l/KYBIEJL2UEXZFNW6Z7H4CB7PJ5:/var/lib/docker/overlay2/l/I5CA4QJI56EX7VEKEUHCZ22MW4,upperdir=/var/lib/docker/overlay2/09d261ca06eaf666f3fffa44f4b939587efd400fd947af318c26c99176e0dc2f/diff,workdir=/var/lib/docker/overlay2/09d261ca06eaf666f3fffa44f4b939587efd400fd947af318c26c99176e0dc2f/work)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,relatime,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/blkio type cgroup (ro,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/memory type cgroup (ro,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/perf_event type cgroup (ro,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (ro,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/freezer type cgroup (ro,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls type cgroup (ro,nosuid,nodev,noexec,relatime,net_cls)
cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/pids type cgroup (ro,nosuid,nodev,noexec,relatime,pids)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
tmpfs on /etc/creds type tmpfs (ro,relatime)
/dev/sda1 on /dev/termination-log type ext4 (rw,relatime,data=ordered)
/dev/sda1 on /etc/resolv.conf type ext4 (rw,relatime,data=ordered)
/dev/sda1 on /etc/hostname type ext4 (rw,relatime,data=ordered)
/dev/sda1 on /etc/hosts type ext4 (rw,relatime,data=ordered)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
tmpfs on /run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime)
proc on /proc/asound type proc (ro,relatime)
proc on /proc/bus type proc (ro,relatime)
proc on /proc/fs type proc (ro,relatime)
proc on /proc/irq type proc (ro,relatime)
proc on /proc/sys type proc (ro,relatime)
proc on /proc/sysrq-trigger type proc (ro,relatime)
tmpfs on /proc/kcore type tmpfs (rw,nosuid,mode=755)
tmpfs on /proc/timer_list type tmpfs (rw,nosuid,mode=755)
tmpfs on /proc/timer_stats type tmpfs (rw,nosuid,mode=755)
tmpfs on /sys/firmware type tmpfs (ro,relatime)
The mount points that matter above are:
tmpfs on /etc/creds type tmpfs (ro,relatime)
tmpfs on /run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime)
Both are tmpfs: the kubelet keeps Secret volumes in memory on the node rather than on
disk, and they are mounted read-only.
The second one is the service account Secret that Kubernetes mounts into every pod by
default:
ls /run/secrets/kubernetes.io/serviceaccount
> ca.crt namespace token
The token authenticates the pod to the API server. Anyone who can run commands in the
pod can use it, so give the service account only the RBAC permissions the pod needs, or
set automountServiceAccountToken: false in the pod spec if the pod never talks to the API.
exit leaves the shell in the pod.
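Added example, not from the course: how an application should read a Secret volume such as /etc/creds. The kubelet writes the keys into a hidden timestamped directory, points a ..data symlink at it (swapped atomically when the Secret changes), and creates one top-level symlink per key; plain ls hides those '..' entries, which is why only ca.crt, namespace and token are listed above. The reader below skips the bookkeeping entries, reads each key as exact bytes, and refuses values with a stray trailing newline. make_fake_secret_mount() builds a constructed copy of that layout in a temporary directory so the code runs outside a cluster; the function names and sample values are assumptions.

```python
import tempfile
from pathlib import Path
from typing import Dict

# Added example; function names and sample values are assumptions, not course material.


def load_secret_dir(mount_path: str) -> Dict[str, bytes]:
    """Return {key: value} for every key of a Secret volume mounted at mount_path.

    Layout written by the kubelet (timestamp constructed for illustration):
        /etc/creds/..2017_12_28_02_46_15.123456789/username   real file
        /etc/creds/..data -> ..2017_12_28_02_46_15.123456789  symlink, replaced atomically on update
        /etc/creds/username -> ..data/username                symlink the application opens
    Skip the '..' bookkeeping entries and read the rest through their symlinks.
    Values are raw bytes: a key encoded with `echo -n` has no newline, one encoded
    with plain `echo` does, and a client must not silently guess either way.
    """
    secrets: Dict[str, bytes] = {}
    for entry in sorted(Path(mount_path).iterdir()):
        if entry.name.startswith(".."):
            continue              # ..data symlink and ..<timestamp> directory
        if not entry.is_file():
            continue              # is_file() follows the per-key symlink
        secrets[entry.name] = entry.read_bytes()
    return secrets


def require_keys(secrets: Dict[str, bytes], *keys: str) -> Dict[str, str]:
    """Fail fast at startup on a missing key or a trailing newline, instead of
    failing later with an unexplained 'access denied' from the database."""
    out: Dict[str, str] = {}
    for key in keys:
        if key not in secrets:
            raise KeyError(f"secret key {key!r} is not mounted")
        value = secrets[key]
        if value.endswith(b"\n"):
            raise ValueError(f"secret key {key!r} ends with a newline; re-create it with echo -n")
        out[key] = value.decode("utf-8")
    return out


def make_fake_secret_mount(values: Dict[str, bytes]) -> str:
    """Constructed stand-in for /etc/creds with the kubelet's symlink structure,
    so load_secret_dir() can be exercised without a cluster."""
    root = Path(tempfile.mkdtemp(prefix="creds-"))
    versioned = root / "..2017_12_28_02_46_15.123456789"
    versioned.mkdir()
    for key, value in values.items():
        (versioned / key).write_bytes(value)
    (root / "..data").symlink_to(versioned.name)
    for key in values:
        (root / key).symlink_to(Path("..data") / key)
    return str(root)


if __name__ == "__main__":
    mount = make_fake_secret_mount({"username": b"root", "password": b"password"})
    creds = require_keys(load_secret_dir(mount), "username", "password")
    print(creds["username"], "password length", len(creds["password"]))
```

Because the per-key paths are symlinks into ..data, an application that re-reads the file picks up a rotated Secret without a restart, whereas a value injected as an environment variable is fixed for the life of the process; that is the main operational argument for the volume approach over env.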