kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Tidy 'Distribute Credentials Securely Using Secrets' 

- Separate out short arguments to kubectl exec

  Make it explicit that "-i" and "-t" are separate arguments to
  "kubectl exec".

  Readers who know about aggregating short arguments can figure the
  aggregation out for themselves.

- Fix /tidy Markdown
pull/21167/head
Tim Bannister 2020-05-25 00:16:36 +01:00
parent b635757bc0
commit e6537e4043
1 changed files with 61 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
content/en/docs/tasks/inject-data-application/distribute-credentials-secure.md
View File

@ -15,11 +15,7 @@ encryption keys, into Pods.
{{< include "task-tutorial-prereqs.md" >}} {{< include "task-tutorial-prereqs.md" >}}
### Convert your secret data to a base-64 representation
<!-- steps -->
## Convert your secret data to a base-64 representation
Suppose you want to have two pieces of secret data: a username `my-app` and a password Suppose you want to have two pieces of secret data: a username `my-app` and a password
`39528$vdg7Jb`. First, use a base64 encoding tool to convert your username and password to a base64 representation. Here's an example using the commonly available base64 program: `39528$vdg7Jb`. First, use a base64 encoding tool to convert your username and password to a base64 representation. Here's an example using the commonly available base64 program:
@ -36,6 +32,8 @@ and the base-64 representation of your password is `Mzk1MjgkdmRnN0pi`.
Use a local tool trusted by your OS to decrease the security risks of external tools. Use a local tool trusted by your OS to decrease the security risks of external tools.
{{< /caution >}} {{< /caution >}}
<!-- steps -->
## Create a Secret ## Create a Secret
Here is a configuration file you can use to create a Secret that holds your Here is a configuration file you can use to create a Secret that holds your
@ -84,15 +82,19 @@ username and password:
username: 7 bytes username: 7 bytes
``` ```
{{< note >}} ### Create a Secret directly with kubectl
If you want to skip the Base64 encoding step, you can create a Secret
by using the `kubectl create secret` command: If you want to skip the Base64 encoding step, you can create the
{{< /note >}} same Secret using the `kubectl create secret` command. For example:
```shell ```shell
kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb' kubectl create secret generic test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'
``` ```
This is more convenient. The detailed approach shown earlier runs
through each step explicitly to demonstrate what is happening.
## Create a Pod that has access to the secret data through a Volume ## Create a Pod that has access to the secret data through a Volume
Here is a configuration file you can use to create a Pod: Here is a configuration file you can use to create a Pod:
@ -101,52 +103,51 @@ Here is a configuration file you can use to create a Pod:
1. Create the Pod: 1. Create the Pod:
```shell ```shell
kubectl apply -f https://k8s.io/examples/pods/inject/secret-pod.yaml kubectl apply -f https://k8s.io/examples/pods/inject/secret-pod.yaml
``` ```
1. Verify that your Pod is running: 1. Verify that your Pod is running:
```shell ```shell
kubectl get pod secret-test-pod kubectl get pod secret-test-pod
``` ```
Output: Output:
```shell ```
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
secret-test-pod 1/1 Running 0 42m secret-test-pod 1/1 Running 0 42m
``` ```
1. Get a shell into the Container that is running in your Pod: 1. Get a shell into the Container that is running in your Pod:
```shell ```shell
kubectl exec -it secret-test-pod -- /bin/bash kubectl exec -i -t secret-test-pod -- /bin/bash
``` ```
1. The secret data is exposed to the Container through a Volume mounted under 1. The secret data is exposed to the Container through a Volume mounted under
`/etc/secret-volume`. In your shell, go to the directory where the secret data `/etc/secret-volume`.
is exposed:
```shell
root@secret-test-pod:/# cd /etc/secret-volume
```
1. In your shell, list the files in the `/etc/secret-volume` directory: In your shell, list the files in the `/etc/secret-volume` directory:
```shell ```shell
root@secret-test-pod:/etc/secret-volume# ls # Run this in the shell inside the container
``` ls /etc/secret-volume
The output shows two files, one for each piece of secret data: ```
```shell The output shows two files, one for each piece of secret data:
password username ```
``` password username
```
1. In your shell, display the contents of the `username` and `password` files: 1. In your shell, display the contents of the `username` and `password` files:
```shell ```shell
root@secret-test-pod:/etc/secret-volume# cat username; echo; cat password; echo # Run this in the shell inside the container
``` echo "$( cat /etc/secret-volume/username )"
The output is your username and password: echo "$( cat /etc/secret-volume/password )"
```shell ```
my-app The output is your username and password:
39528$vdg7Jb ```
``` my-app
39528$vdg7Jb
```
## Define container environment variables using Secret data ## Define container environment variables using Secret data
@ -171,13 +172,13 @@ is exposed:
* In your shell, display the content of `SECRET_USERNAME` container environment variable * In your shell, display the content of `SECRET_USERNAME` container environment variable
```shell ```shell
kubectl exec -it env-single-secret -- /bin/sh -c 'echo $SECRET_USERNAME' kubectl exec -i -t env-single-secret -- /bin/sh -c 'echo $SECRET_USERNAME'
``` ```
The output is The output is
```shell ```
backend-admin backend-admin
``` ```
### Define container environment variables with data from multiple Secrets ### Define container environment variables with data from multiple Secrets
@ -201,10 +202,10 @@ is exposed:
* In your shell, display the container environment variables * In your shell, display the container environment variables
```shell ```shell
kubectl exec -it envvars-multiple-secrets -- /bin/sh -c 'env | grep _USERNAME' kubectl exec -i -t envvars-multiple-secrets -- /bin/sh -c 'env | grep _USERNAME'
``` ```
The output is The output is
```shell ```
DB_USERNAME=db-admin DB_USERNAME=db-admin
BACKEND_USERNAME=backend-admin BACKEND_USERNAME=backend-admin
``` ```
@ -234,29 +235,23 @@ This functionality is available in Kubernetes v1.6 and later.
* In your shell, display `username` and `password` container environment variables * In your shell, display `username` and `password` container environment variables
````shell ```shell
kubectl exec -it envfrom-secret -- /bin/sh -c 'echo "username: $username\npassword: $password"' kubectl exec -i -t envfrom-secret -- /bin/sh -c 'echo "username: $username\npassword: $password\n"'
```` ```
The output is The output is
````shell ```
username: my-app username: my-app
password: 39528$vdg7Jb password: 39528$vdg7Jb
```` ```
### References
## {{% heading "whatsnext" %}}
* Learn more about [Secrets](/docs/concepts/configuration/secret/).
* Learn about [Volumes](/docs/concepts/storage/volumes/).
### Reference
* [Secret](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#secret-v1-core) * [Secret](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#secret-v1-core)
* [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core) * [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)
* [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core) * [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)
## {{% heading "whatsnext" %}}
* Learn more about [Secrets](/docs/concepts/configuration/secret/).
* Learn about [Volumes](/docs/concepts/storage/volumes/).