kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix the case of Secrets wherever it refers to the Kubernetes object

pull/42550/head
Shannon Kularathna 2023-08-15 19:54:37 +00:00
parent 317df88b0d
commit f2cfc91486
1 changed files with 14 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
content/en/docs/concepts/configuration/secret.md
View File

@ -6,8 +6,8 @@ content_type: concept
feature: feature:
title: Secret and configuration management title: Secret and configuration management
description: > description: >
Deploy and update secrets and application configuration without rebuilding your image Deploy and update Secrets and application configuration without rebuilding your image
and without exposing secrets in your stack configuration. and without exposing Secrets in your stack configuration.
weight: 30 weight: 30
--- ---
@ -68,7 +68,7 @@ help automate node registration.
### Use case: dotfiles in a secret volume ### Use case: dotfiles in a secret volume
You can make your data "hidden" by defining a key that begins with a dot. You can make your data "hidden" by defining a key that begins with a dot.
This key represents a dotfile or "hidden" file. For example, when the following secret This key represents a dotfile or "hidden" file. For example, when the following Secret
is mounted into a volume, `secret-volume`, the volume will contain a single file, is mounted into a volume, `secret-volume`, the volume will contain a single file,
called `.secret-file`, and the `dotfile-test-container` will have this file called `.secret-file`, and the `dotfile-test-container` will have this file
present at the path `/etc/secret-volume/.secret-file`. present at the path `/etc/secret-volume/.secret-file`.
@ -135,8 +135,8 @@ Here are some of your options:
[ServiceAccount](/docs/reference/access-authn-authz/authentication/#service-account-tokens) [ServiceAccount](/docs/reference/access-authn-authz/authentication/#service-account-tokens)
and its tokens to identify your client. and its tokens to identify your client.
- There are third-party tools that you can run, either within or outside your cluster, - There are third-party tools that you can run, either within or outside your cluster,
that provide secrets management. For example, a service that Pods access over HTTPS, that provide Secrets management. For example, a service that Pods access over HTTPS,
that reveals a secret if the client correctly authenticates (for example, with a ServiceAccount that reveals a Secret if the client correctly authenticates (for example, with a ServiceAccount
token). token).
- For authentication, you can implement a custom signer for X.509 certificates, and use - For authentication, you can implement a custom signer for X.509 certificates, and use
[CertificateSigningRequests](/docs/reference/access-authn-authz/certificate-signing-requests/) [CertificateSigningRequests](/docs/reference/access-authn-authz/certificate-signing-requests/)
@ -505,7 +505,7 @@ data:
A bootstrap token Secret has the following keys specified under `data`: A bootstrap token Secret has the following keys specified under `data`:
- `token-id`: A random 6 character string as the token identifier. Required. - `token-id`: A random 6 character string as the token identifier. Required.
- `token-secret`: A random 16 character string as the actual token secret. Required. - `token-secret`: A random 16 character string as the actual token Secret. Required.
- `description`: A human-readable string that describes what the token is - `description`: A human-readable string that describes what the token is
used for. Optional. used for. Optional.
- `expiration`: An absolute UTC time using [RFC3339](https://datatracker.ietf.org/doc/html/rfc3339) specifying when the token - `expiration`: An absolute UTC time using [RFC3339](https://datatracker.ietf.org/doc/html/rfc3339) specifying when the token
@ -568,9 +568,9 @@ precedence.
#### Size limit {#restriction-data-size} #### Size limit {#restriction-data-size}
Individual secrets are limited to 1MiB in size. This is to discourage creation Individual Secrets are limited to 1MiB in size. This is to discourage creation
of very large secrets that could exhaust the API server and kubelet memory. of very large Secrets that could exhaust the API server and kubelet memory.
However, creation of many smaller secrets could also exhaust memory. You can However, creation of many smaller Secrets could also exhaust memory. You can
use a [resource quota](/docs/concepts/policy/resource-quotas/) to limit the use a [resource quota](/docs/concepts/policy/resource-quotas/) to limit the
number of Secrets (or other resources) in a namespace. number of Secrets (or other resources) in a namespace.
@ -708,17 +708,17 @@ LASTSEEN FIRSTSEEN COUNT NAME KIND SUBOBJECT
0s 0s 1 dapi-test-pod Pod Warning InvalidEnvironmentVariableNames kubelet, 127.0.0.1 Keys [1badkey, 2alsobad] from the EnvFrom secret default/mysecret were skipped since they are considered invalid environment variable names. 0s 0s 1 dapi-test-pod Pod Warning InvalidEnvironmentVariableNames kubelet, 127.0.0.1 Keys [1badkey, 2alsobad] from the EnvFrom secret default/mysecret were skipped since they are considered invalid environment variable names.
``` ```
### Container image pull secrets {#using-imagepullsecrets} ### Container image pull Secrets {#using-imagepullsecrets}
If you want to fetch container images from a private repository, you need a way for If you want to fetch container images from a private repository, you need a way for
the kubelet on each node to authenticate to that repository. You can configure the kubelet on each node to authenticate to that repository. You can configure
_image pull secrets_ to make this possible. These secrets are configured at the Pod _image pull Secrets_ to make this possible. These Secrets are configured at the Pod
level. level.
#### Using imagePullSecrets #### Using imagePullSecrets
The `imagePullSecrets` field is a list of references to secrets in the same namespace. The `imagePullSecrets` field is a list of references to Secrets in the same namespace.
You can use an `imagePullSecrets` to pass a secret that contains a Docker (or other) image registry You can use an `imagePullSecrets` to pass a Secret that contains a Docker (or other) image registry
password to the kubelet. The kubelet uses this information to pull a private image on behalf of your Pod. password to the kubelet. The kubelet uses this information to pull a private image on behalf of your Pod.
See the [PodSpec API](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core) See the [PodSpec API](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core)
for more information about the `imagePullSecrets` field. for more information about the `imagePullSecrets` field.
@ -787,7 +787,7 @@ Secrets it expects to interact with, other apps within the same namespace can
render those assumptions invalid. render those assumptions invalid.
A Secret is only sent to a node if a Pod on that node requires it. A Secret is only sent to a node if a Pod on that node requires it.
For mounting secrets into Pods, the kubelet stores a copy of the data into a `tmpfs` For mounting Secrets into Pods, the kubelet stores a copy of the data into a `tmpfs`
so that the confidential data is not written to durable storage. so that the confidential data is not written to durable storage.
Once the Pod that depends on the Secret is deleted, the kubelet deletes its local copy Once the Pod that depends on the Secret is deleted, the kubelet deletes its local copy
of the confidential data from the Secret. of the confidential data from the Secret.