Creating a pod that consumes a secret through an environment variable
Create a secret whose username is bob
```
kubectl create secret generic super-secret --from-literal=username=bob
```
Create the pod that uses the secret
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod-secrets-via-env
  name: pod-secrets-via-env
spec:
  volumes:
  - name: super-secret
    secret:
      secretName: super-secret
  containers:
  - image: redis
    name: pod-secrets-via-env
    resources: {}
    env:
    - name: CREDENTIALS
      valueFrom:
        secretKeyRef:
          name: super-secret
          key: username
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
```
Output
```
$ kubectl describe pod pod-secrets-via-env
Name:         pod-secrets-via-env
Namespace:    default
Priority:     0
Node:         minikube/172.17.0.10
Start Time:   Tue, 28 Apr 2020 08:53:31 +0000
Labels:       run=pod-secrets-via-env
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"creationTimestamp":null,"labels":{"run":"pod-secrets-via-env"},"name":"pod-s...
Status:       Running
IP:           172.18.0.4
IPs:
  IP:  172.18.0.4
Containers:
  pod-secrets-via-env:
    Container ID:   docker://6175f7ac701a68852609a1d4a023153033929b24d1fbbab45ca639ea36c054d6
    Image:          redis
    Image ID:       docker-pullable://redis@sha256:157a95b41b0dca8c308a33489dfdb28019e033110320414b4b16fad7d28c0f9f
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Tue, 28 Apr 2020 08:53:41 +0000
    Ready:          True
    Restart Count:  0
    Environment:
      CREDENTIALS:  <set to the key 'username' in secret 'super-secret'>  Optional: false
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-5qltp (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  super-secret:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  super-secret
    Optional:    false
  default-token-5qltp:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-5qltp
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  12m   default-scheduler  Successfully assigned default/pod-secrets-via-env to minikube
  Normal  Pulling    12m   kubelet, minikube  Pulling image "redis"
  Normal  Pulled     12m   kubelet, minikube  Successfully pulled image "redis"
  Normal  Created    12m   kubelet, minikube  Created container pod-secrets-via-env
  Normal  Started    12m   kubelet, minikube  Started container pod-secrets-via-env
```
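Explanation of <set to the key '' in secret ''> Optional: false
To use a secret as an environment variable in a pod, the secret must be created first, unless the secret is marked as optional.
Referencing a secret that does not exist prevents the container from starting.
```yaml
- name: ENV_NAME
  valueFrom:
    secretKeyRef:
      name: <secrets name>
      key: <secrets key>
      optional: true
```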
Source code notes
```go
// SecretKeySelector selects a key of a Secret.
type SecretKeySelector struct {
	// The name of the secret in the pod's namespace to select from.
	LocalObjectReference
	// The key of the secret to select from.  Must be a valid secret key.
	Key string
	// Specify whether the Secret or it's key must be defined
	// +optional
	Optional *bool
}
```
How do you mark a secret as optional or required in Kubernetes?
Set optional to false or true; the default is false.
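The following Go sketch is an added example, not Kubernetes source code and not code from the original page: it models how the Optional pointer from the struct above decides whether a missing secret or key blocks container start. The EnvVar type, the ResolveEnv function and the sample secret map are assumptions made for illustration.

```go
package main

import "fmt"

// SecretKeySelector mirrors the fields of the struct quoted above;
// LocalObjectReference is flattened into Name for this example.
type SecretKeySelector struct {
	Name     string
	Key      string
	Optional *bool
}

// EnvVar is a hypothetical, reduced form of a container env entry.
type EnvVar struct {
	Name string
	Ref  SecretKeySelector
}

// ResolveEnv models the rule described above: a missing secret or key is
// fatal unless Optional points to true; a nil Optional behaves as false.
// secrets is constructed sample data: secret name -> key -> value.
func ResolveEnv(vars []EnvVar, secrets map[string]map[string]string) (map[string]string, error) {
	env := map[string]string{}
	for _, v := range vars {
		optional := v.Ref.Optional != nil && *v.Ref.Optional
		data, found := secrets[v.Ref.Name]
		val, ok := data[v.Ref.Key] // reading from a nil map is safe in Go
		switch {
		case found && ok:
			env[v.Name] = val
		case optional:
			continue // variable stays unset; the container still starts
		case !found:
			return nil, fmt.Errorf("secret %q not found", v.Ref.Name)
		default:
			return nil, fmt.Errorf("key %q not found in secret %q", v.Ref.Key, v.Ref.Name)
		}
	}
	return env, nil
}

func main() {
	yes := true
	secrets := map[string]map[string]string{"super-secret": {"username": "bob"}} // constructed
	fmt.Println(ResolveEnv([]EnvVar{
		{Name: "CREDENTIALS", Ref: SecretKeySelector{Name: "super-secret", Key: "username"}},
		{Name: "MAYBE", Ref: SecretKeySelector{Name: "absent", Key: "k", Optional: &yes}},
	}, secrets))
}
```

An explicit `optional: false` and an omitted `optional` field take the same path here, which matches the stated default of false.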