如何阅读牧场主的秘密?

时间:2020-08-12 08:34:18

标签: docker kubernetes rancher

我正在使用牧场主,并且使用牧场主的GUI设置了一个秘密。我试图使我的应用程序读取此机密。假设这个秘密叫做pass,我想读一下。被docker所知,我编写了以下代码:

    readDockerSecret: function(secretName) {
        return fs.readFileSync(`/run/secrets/${secretName}`, 'utf8');
    }
    // code

    // read secret
    try {
        var secretName = "pass";
        var pass = utils.readDockerSecret(pass);
    } catch (err) {
        if (err.code !== 'ENOENT') {
            logger.error(`An error occurred while trying to read the secret: ${secretName}. Err: ${err}`);
        } else {
            logger.debug(`Could not find the secret: ${secretName}. Err: ${err}`);
        }
    }

但是当我在牧场主中使用它时,它永远找不到秘密。在GUI的rancher shell中,我可以看到我有以下异端:

ls -la /run/secrets
total 0
drwxr-xr-x 1 root root 27 Aug 10 11:02 .
drwxr-xr-x 1 root root 21 Aug 10 10:53 ..
drwxr-xr-x 2 root root 40 Aug 10 11:02 credentials.d
drwxr-xr-x 3 root root 28 Aug 10 11:02 kubernetes.io

credentials.d为空。但是kubernetes.io包含:

/run/secrets/kubernetes.io
total 0
drwxr-xr-x 3 root root  28 Aug 10 11:02 .
drwxr-xr-x 1 root root  27 Aug 10 11:02 ..
drwxrwxrwt 3 root root 140 Aug 10 11:02 serviceaccount

 ls -la  /run/secrets/kubernetes.io/serviceaccount/
total 0
drwxrwxrwt 3 root root 140 Aug 10 11:02 .
drwxr-xr-x 3 root root  28 Aug 10 11:02 ..
drwxr-xr-x 2 root root 100 Aug 10 11:02 ..2020_08_10_11_02_18.157580662
lrwxrwxrwx 1 root root  31 Aug 10 11:02 ..data -> ..2020_08_10_11_02_18.157580662
lrwxrwxrwx 1 root root  13 Aug 10 11:02 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root  16 Aug 10 11:02 namespace -> ..data/namespace
lrwxrwxrwx 1 root root  12 Aug 10 11:02 token -> ..data/token

pass在任何地方都没有符号。也尝试过grep,但没有任何运气。我应该如何看待牧场主的秘密?

编辑:屏幕截图:

enter image description here

在Yaml中,我们有:

   spec:
      containers:
      - envFrom:
        - prefix: pass
          secretRef:
            name: pass
            optional: false
        image: <image-url>
        imagePullPolicy: Always
        name: <app-name>
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities: {}
          privileged: false
          readOnlyRootFilesystem: false
          runAsNonRoot: false
        stdin: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        tty: true
      dnsPolicy: ClusterFirst
      imagePullSecrets:
      - name: pass
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
status:

1 个答案:

答案 0 :(得分:1)

要能够从Pod内部使用机密,首先需要将该机密作为环境变量或文件“装载”到Pod中。 secrets docs详细描述了该操作。

相关问题
最新问题