我用以下命令创建秘密的redis-secret。
kubectl create secret generic redis-secret --from-literal=password=0123456
此后,我使用 redis 镜像创建了一个 secrets-via-file 荚,该镜像将秘密名称 redis-secret 安装在/ secrets
kubectl run secret-via-file --image=redis --dry-run=client -o yaml > pod.yaml
我编辑了创建的 pod.yaml 文件。
apiVersion: v1
kind: Pod
metadata:
labels:
run: secret-via-file
name: secret-via-file
spec:
containers:
- image: redis
name: secret-via-file
volumeMounts:
- name: redis-secret
mountPath: /secrets
volumes:
- name: redis-secret
secret:
secretName: redis-secret
我使用 redis 图片创建了第二个Pod名称 secret-via-env ,该图片将密码导出为 PASSWORD 。
kubectl run secret-via-env --image=redis --dry-run=client -o yaml > pod2.yaml
我编辑了 pod2.yaml 文件。
apiVersion: v1
kind: Pod
metadata:
labels:
run: secrets-via-env
name: secrets-via-env
spec:
containers:
- image: redis
name: secrets-via-env
env:
- name: PASSWORD
valueFrom:
secretKeyRef:
name: redis-secret
key: password
我使用以下命令连接到Pod secrets-via-env 。
kubectl exec -it secret-via-file -- redis-cli
我尝试验证机密是否已安装到吊舱。在第二个窗格中,我想使用变量PASSWORD检索分配的值(0123456)。我使用了下面的命令,但是它不起作用。
SECRET GET PASSWORD
答案 0 :(得分:2)
尝试如下。我看到PASSWORD机密在pod内被列为env
# create secret
kubectl create secret generic redis-secret --from-literal=password=0123456
# create pod
apiVersion: v1
kind: Pod
metadata:
labels:
run: secrets-via-env
name: secrets-via-env
spec:
containers:
- image: redis
name: secrets-via-env
env:
- name: PASSWORD
valueFrom:
secretKeyRef:
name: redis-secret
key: password
# check PASSWORD secret
master $ kubectl exec -it secrets-via-env sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
# echo $PASSWORD
0123456
# from first pod
---
apiVersion: v1
kind: Pod
metadata:
labels:
run: secret-via-file
name: secret-via-file
spec:
containers:
- image: redis
name: secret-via-file
volumeMounts:
- name: redis-secret
mountPath: /secrets
volumes:
- name: redis-secret
secret:
secretName: redis-secret
controlplane $ kubectl exec -it secret-via-file sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
# ls -l /secrets
total 0
lrwxrwxrwx 1 root root 15 Jul 22 09:45 password -> ..data/password
# cat /secrets/password
0123456#