Clean up page distribute-credentials-secure

pull/39618/head
zhuzhenghao 2023-02-22 15:14:22 +08:00
parent 448e1fa0f6
commit a21e1f7aa9
1 changed files with 61 additions and 64 deletions


@ -6,13 +6,12 @@ min-kubernetes-server-version: v1.6
--- ---
<!-- overview --> <!-- overview -->
This page shows how to securely inject sensitive data, such as passwords and This page shows how to securely inject sensitive data, such as passwords and
encryption keys, into Pods. encryption keys, into Pods.
## {{% heading "prerequisites" %}} ## {{% heading "prerequisites" %}}
{{< include "task-tutorial-prereqs.md" >}} {{< include "task-tutorial-prereqs.md" >}}
### Convert your secret data to a base-64 representation ### Convert your secret data to a base-64 representation
@ -94,7 +93,6 @@ kubectl create secret generic test-secret --from-literal='username=my-app' --fro
This is more convenient. The detailed approach shown earlier runs This is more convenient. The detailed approach shown earlier runs
through each step explicitly to demonstrate what is happening. through each step explicitly to demonstrate what is happening.
## Create a Pod that has access to the secret data through a Volume ## Create a Pod that has access to the secret data through a Volume
Here is a configuration file you can use to create a Pod: Here is a configuration file you can use to create a Pod:
@ -125,7 +123,7 @@ Here is a configuration file you can use to create a Pod:
``` ```
1. The secret data is exposed to the Container through a Volume mounted under 1. The secret data is exposed to the Container through a Volume mounted under
`/etc/secret-volume`. `/etc/secret-volume`.
In your shell, list the files in the `/etc/secret-volume` directory: In your shell, list the files in the `/etc/secret-volume` directory:
```shell ```shell
@ -182,17 +180,17 @@ spec:
When you deploy this Pod, the following happens: When you deploy this Pod, the following happens:
* The `username` key from `mysecret` is available to the container at the path - The `username` key from `mysecret` is available to the container at the path
`/etc/foo/my-group/my-username` instead of at `/etc/foo/username`. `/etc/foo/my-group/my-username` instead of at `/etc/foo/username`.
* The `password` key from that Secret object is not projected. - The `password` key from that Secret object is not projected.
If you list keys explicitly using `.spec.volumes[].secret.items`, consider the If you list keys explicitly using `.spec.volumes[].secret.items`, consider the
following: following:
* Only keys specified in `items` are projected. - Only keys specified in `items` are projected.
* To consume all keys from the Secret, all of them must be listed in the - To consume all keys from the Secret, all of them must be listed in the
`items` field. `items` field.
* All listed keys must exist in the corresponding Secret. Otherwise, the volume - All listed keys must exist in the corresponding Secret. Otherwise, the volume
is not created. is not created.
### Set POSIX permissions for Secret keys ### Set POSIX permissions for Secret keys
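Review bot: switching the two bullet lists here from `*` to `-` renders identically, so it is worth doing only if `-` is the marker used by the rest of this page and the site style guide; otherwise it is pure churn that adds noise to blame. While touching the `.spec.volumes[].secret.items` list, the last bullet ("All listed keys must exist in the corresponding Secret. Otherwise, the volume is not created.") would be clearer if it said what the reader actually observes, namely that the Pod does not start, rather than only that the volume is not created.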
@ -246,23 +244,23 @@ secrets change.
### Define a container environment variable with data from a single Secret ### Define a container environment variable with data from a single Secret
* Define an environment variable as a key-value pair in a Secret: - Define an environment variable as a key-value pair in a Secret:
```shell ```shell
kubectl create secret generic backend-user --from-literal=backend-username='backend-admin' kubectl create secret generic backend-user --from-literal=backend-username='backend-admin'
``` ```
* Assign the `backend-username` value defined in the Secret to the `SECRET_USERNAME` environment variable in the Pod specification. - Assign the `backend-username` value defined in the Secret to the `SECRET_USERNAME` environment variable in the Pod specification.
{{< codenew file="pods/inject/pod-single-secret-env-variable.yaml" >}} {{< codenew file="pods/inject/pod-single-secret-env-variable.yaml" >}}
* Create the Pod: - Create the Pod:
```shell ```shell
kubectl create -f https://k8s.io/examples/pods/inject/pod-single-secret-env-variable.yaml kubectl create -f https://k8s.io/examples/pods/inject/pod-single-secret-env-variable.yaml
``` ```
* In your shell, display the content of `SECRET_USERNAME` container environment variable - In your shell, display the content of `SECRET_USERNAME` container environment variable
```shell ```shell
kubectl exec -i -t env-single-secret -- /bin/sh -c 'echo $SECRET_USERNAME' kubectl exec -i -t env-single-secret -- /bin/sh -c 'echo $SECRET_USERNAME'
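Review bot: these four items are sequential steps (create the Secret, reference it in the Pod spec, create the Pod, read the variable back), so a cleanup pass should turn them into a numbered list like the `1.` steps used earlier in this file (the `-125,7` hunk), not just swap `*` for `-`, which keeps them as an unordered list. Minor: "In your shell, display the content of `SECRET_USERNAME` container environment variable" is missing "the" before "`SECRET_USERNAME`" and its terminating period.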
@ -275,24 +273,24 @@ secrets change.
### Define container environment variables with data from multiple Secrets ### Define container environment variables with data from multiple Secrets
* As with the previous example, create the Secrets first. - As with the previous example, create the Secrets first.
```shell ```shell
kubectl create secret generic backend-user --from-literal=backend-username='backend-admin' kubectl create secret generic backend-user --from-literal=backend-username='backend-admin'
kubectl create secret generic db-user --from-literal=db-username='db-admin' kubectl create secret generic db-user --from-literal=db-username='db-admin'
``` ```
* Define the environment variables in the Pod specification. - Define the environment variables in the Pod specification.
{{< codenew file="pods/inject/pod-multiple-secret-env-variable.yaml" >}} {{< codenew file="pods/inject/pod-multiple-secret-env-variable.yaml" >}}
* Create the Pod: - Create the Pod:
```shell ```shell
kubectl create -f https://k8s.io/examples/pods/inject/pod-multiple-secret-env-variable.yaml kubectl create -f https://k8s.io/examples/pods/inject/pod-multiple-secret-env-variable.yaml
``` ```
* In your shell, display the container environment variables - In your shell, display the container environment variables
```shell ```shell
kubectl exec -i -t envvars-multiple-secrets -- /bin/sh -c 'env | grep _USERNAME' kubectl exec -i -t envvars-multiple-secrets -- /bin/sh -c 'env | grep _USERNAME'
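Review bot: the first step re-creates `backend-user`, which already exists if the reader followed the previous section, so `kubectl create secret generic backend-user ...` will fail with AlreadyExists; either say that the Secret from the previous section can be reused, or generate the manifest with `--dry-run=client -o yaml` and pipe it to `kubectl apply -f -` so the step is idempotent. Same point as the previous hunk on the list: these are ordered steps and should be numbered.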
@ -303,30 +301,29 @@ secrets change.
BACKEND_USERNAME=backend-admin BACKEND_USERNAME=backend-admin
``` ```
## Configure all key-value pairs in a Secret as container environment variables ## Configure all key-value pairs in a Secret as container environment variables
{{< note >}} {{< note >}}
This functionality is available in Kubernetes v1.6 and later. This functionality is available in Kubernetes v1.6 and later.
{{< /note >}} {{< /note >}}
* Create a Secret containing multiple key-value pairs - Create a Secret containing multiple key-value pairs
```shell ```shell
kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb' kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb'
``` ```
* Use envFrom to define all of the Secret's data as container environment variables. The key from the Secret becomes the environment variable name in the Pod. - Use envFrom to define all of the Secret's data as container environment variables. The key from the Secret becomes the environment variable name in the Pod.
{{< codenew file="pods/inject/pod-secret-envFrom.yaml" >}} {{< codenew file="pods/inject/pod-secret-envFrom.yaml" >}}
* Create the Pod: - Create the Pod:
```shell ```shell
kubectl create -f https://k8s.io/examples/pods/inject/pod-secret-envFrom.yaml kubectl create -f https://k8s.io/examples/pods/inject/pod-secret-envFrom.yaml
``` ```
* In your shell, display `username` and `password` container environment variables - In your shell, display `username` and `password` container environment variables
```shell ```shell
kubectl exec -i -t envfrom-secret -- /bin/sh -c 'echo "username: $username\npassword: $password\n"' kubectl exec -i -t envfrom-secret -- /bin/sh -c 'echo "username: $username\npassword: $password\n"'
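Review bot: the note "This functionality is available in Kubernetes v1.6 and later" is redundant now that the front matter declares `min-kubernetes-server-version: v1.6` (the first hunk), so a cleanup commit is the right place to drop it. In the final step, `echo "username: $username\npassword: $password\n"` only prints two lines if `/bin/sh`'s `echo` interprets backslash escapes, which is not portable across images; `printf 'username: %s\npassword: %s\n' "$username" "$password"` gives the same output everywhere.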
@ -340,11 +337,11 @@ This functionality is available in Kubernetes v1.6 and later.
### References ### References
* [Secret](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#secret-v1-core) - [Secret](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#secret-v1-core)
* [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core) - [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)
* [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core) - [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)
## {{% heading "whatsnext" %}} ## {{% heading "whatsnext" %}}
* Learn more about [Secrets](/docs/concepts/configuration/secret/). - Learn more about [Secrets](/docs/concepts/configuration/secret/).
* Learn about [Volumes](/docs/concepts/storage/volumes/). - Learn about [Volumes](/docs/concepts/storage/volumes/).