Retrieving secrets via files

Let's see how to read secrets from files inside a pod first:

// example of how a Pod retrieves a secret
# cat 3-2-3_pod_vol_secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-access
spec:
  containers:
  - name: centos
    image: centos
    command: ["/bin/sh", "-c", "while : ;do cat /secret/password-example; sleep 10; done"]
    volumeMounts:
    - name: secret-vol
      mountPath: /secret
      readOnly: true
  volumes:
  - name: secret-vol
    secret:
      secretName: mypassword
      items:
      - key: mypassword
        path: password-example

// create the pod
# kubectl create -f 3-2-3_pod_vol_secret.yaml
pod "secret-access" created

When items is omitted, every key in the secret is projected as a file at /<mount_point>/<key>; when items lists key/path pairs, only the listed keys are projected, each at /<mount_point>/<path>. In this case, the file path is /secret/password-example. If we describe the pod, we find two mount points: the read-only volume that stores our secret and the one that stores the service account token the pod uses to authenticate to the API server, which is created and managed by Kubernetes. We'll learn more about this in Chapter 6, Kubernetes Network:

# kubectl describe pod secret-access
...
Mounts:
/secret from secret-vol (ro)
/var/run/secrets/kubernetes.io/serviceaccount from default-token-jd1dq (ro)
...

We can delete a secret using the kubectl delete secret <secret_name> command. If we do so while the pod still references it, the kubelet can no longer find the secret when it resyncs the volume (the files already mounted in the running container remain until the pod is recreated), and describing the pod shows a FailedMount event:

# kubectl describe pod secret-access
...
FailedMount MountVolume.SetUp failed for volume
"kubernetes.io/secret/28889b1d-5015-11e7-9c45-080027cafd37-secret-vol" (spec.Name: "secret-vol") pod "28889b1d-5015-11e7-9c45-080027cafd37" (UID: "28889b1d-5015-11e7-9c45-080027cafd37") with: secrets "mypassword" not found
...

Similarly, if the pod is created before the secret exists, the pod stays in the ContainerCreating state with the same FailedMount event; the kubelet keeps retrying and mounts the volume once the secret is created.

We'll now learn how to create a secret from a manifest file rather than the command line. Here is its spec format:

// secret example
# cat 3-2-3_secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mypassword
type: Opaque
data:
  mypassword: bXlwYXNzd29yZA==

Values under data must be base64-encoded, so we encode the password ourselves with the echo -n <password> | base64 command (the -n matters: without it the trailing newline becomes part of the secret and ends up in the mounted file). Note that the type here is Opaque, the generic type for arbitrary user-defined data; this secret is equivalent to the one we created via the command line. Keep in mind that base64 is an encoding, not encryption: anyone who can read the Secret object can decode the value. If you prefer not to encode by hand, the stringData field accepts plain strings and the API server base64-encodes them for you.
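The following is an added shell example, not code from the book: it builds an Opaque Secret manifest for a key/value pair the same way the command-line form does, shows the trailing-newline pitfall when the -n is forgotten, and demonstrates that the value is trivially recoverable from the manifest. The function names and the use of printf '%s' in place of echo -n are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the book): generate a Secret manifest and
# show why base64 is only an encoding, never a protection.

# Encode a value the way a Secret's data: field expects. printf '%s'
# (like the book's echo -n) avoids encoding a trailing newline; tr
# strips the line wrapping GNU base64 adds for long values.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# What you get when the -n is forgotten: the newline becomes part of
# the secret, so the mounted file and any comparison against it differ.
encode_secret_value_with_newline() {
    printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Emit an Opaque Secret manifest equivalent to
#   kubectl create secret generic <name> --from-literal=<key>=<value>
make_secret_manifest() {
    name=$1
    key=$2
    value=$3
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  $key: $(encode_secret_value "$value")
EOF
}

# Recover a key's plaintext from a manifest read on stdin, which is all
# anyone with "kubectl get secret <name> -o yaml" rights needs to do.
decode_secret_key() {
    key=$1
    sed -n "s/^  $key: //p" | base64 -d
}

# Usage: the manifest for the book's mypassword secret, then its decoded value.
make_secret_manifest mypassword mypassword mypassword
echo "decoded: $(make_secret_manifest mypassword mypassword mypassword | decode_secret_key mypassword)"
```

Because the value round-trips with nothing more than sed and base64 -d, access to Secret objects (RBAC get/list on secrets) should be treated as access to the plaintext, and encryption at rest on the API server is what actually protects the stored value, not the encoding.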
