Creating a Pod that consumes a Secret through environment variables
Create a Secret whose username is bob
kubectl create secret generic super-secret --from-literal=username=bob
Create a Pod that references the Secret
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod-secrets-via-env
  name: pod-secrets-via-env
spec:
  volumes:
  - name: super-secret
    secret:
      secretName: super-secret
  containers:
  - image: redis
    name: pod-secrets-via-env
    resources: {}
    env:
    - name: CREDENTIALS
      valueFrom:
        secretKeyRef:
          name: super-secret
          key: username
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
Output
$ kubectl describe pod pod-secrets-via-env
Name:         pod-secrets-via-env
Namespace:    default
Priority:     0
Node:         minikube/172.17.0.10
Start Time:   Tue, 28 Apr 2020 08:53:31 +0000
Labels:       run=pod-secrets-via-env
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"creationTimestamp":null,"labels":{"run":"pod-secrets-via-env"},"name":"pod-s...
Status:       Running
IP:           172.18.0.4
IPs:
  IP:  172.18.0.4
Containers:
  pod-secrets-via-env:
    Container ID:   docker://6175f7ac701a68852609a1d4a023153033929b24d1fbbab45ca639ea36c054d6
    Image:          redis
    Image ID:       docker-pullable://redis@sha256:157a95b41b0dca8c308a33489dfdb28019e033110320414b4b16fad7d28c0f9f
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Tue, 28 Apr 2020 08:53:41 +0000
    Ready:          True
    Restart Count:  0
    Environment:
      CREDENTIALS:  <set to the key 'username' in secret 'super-secret'>  Optional: false
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-5qltp (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  super-secret:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  super-secret
    Optional:    false
  default-token-5qltp:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-5qltp
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  12m   default-scheduler  Successfully assigned default/pod-secrets-via-env to minikube
  Normal  Pulling    12m   kubelet, minikube  Pulling image "redis"
  Normal  Pulled     12m   kubelet, minikube  Successfully pulled image "redis"
  Normal  Created    12m   kubelet, minikube  Created container pod-secrets-via-env
  Normal  Started    12m   kubelet, minikube  Started container pod-secrets-via-env
Explanation of <set to the key '' in secret ''> Optional: false
To consume a Secret as an environment variable in a Pod, the Secret must exist before the Pod is created, unless the reference is marked optional.
Referencing a Secret that does not exist prevents the container from starting.
- name: ENV_NAME
  valueFrom:
    secretKeyRef:
      name: <secrets name>
      key: <secrets key>
      optional: true
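The following script is an added example, not part of the original post: it checks a Pod manifest against the Secrets that exist in the namespace and reports every non-optional Secret reference that the kubelet would be unable to satisfy, which is exactly the situation that keeps the container from starting. It goes slightly beyond the post by also checking Secret volumes (spec.volumes[].secret.optional), which the describe output above lists with the same Optional flag. The Pod is the one from this post embedded as a Python dict, and the namespace contents (CLUSTER_SECRETS) are a constructed stand-in for what you would read from kubectl get secret.

```python
import copy

# Constructed input: the Pod from this post, as a dict so no YAML library is needed.
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "pod-secrets-via-env"},
    "spec": {
        "volumes": [
            {"name": "super-secret", "secret": {"secretName": "super-secret"}},
        ],
        "containers": [{
            "image": "redis",
            "name": "pod-secrets-via-env",
            "env": [{
                "name": "CREDENTIALS",
                "valueFrom": {"secretKeyRef": {"name": "super-secret", "key": "username"}},
            }],
        }],
    },
}

# Constructed view of the namespace: secret name -> set of data keys it carries
# (in practice derived from `kubectl get secret -o json`; values are not needed).
CLUSTER_SECRETS = {"super-secret": {"username"}}


def _check(name, key, optional, existing, where):
    """Return a list with one problem string, or an empty list if the reference is satisfiable."""
    if optional:
        return []  # optional: true -> kubelet tolerates a missing Secret or key
    if name not in existing:
        return [f"{where}: secret '{name}' does not exist"]
    if key is not None and key not in existing[name]:
        return [f"{where}: key '{key}' missing from secret '{name}'"]
    return []


def find_blocking_refs(pod, existing_secrets):
    """List every required Secret reference in the Pod that cannot be resolved.

    Covers env[].valueFrom.secretKeyRef (the post's case) and volumes[].secret.
    """
    problems = []
    spec = pod.get("spec", {})
    for container in spec.get("containers", []):
        for env in container.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if not ref:
                continue
            where = f"container {container['name']} env {env['name']}"
            problems += _check(ref["name"], ref.get("key"), ref.get("optional", False),
                               existing_secrets, where)
    for vol in spec.get("volumes", []):
        sec = vol.get("secret")
        if not sec:
            continue
        where = f"volume {vol['name']}"
        problems += _check(sec["secretName"], None, sec.get("optional", False),
                           existing_secrets, where)
    return problems


def mark_optional(pod):
    """Return a copy of the Pod with every Secret reference set to optional: true."""
    pod = copy.deepcopy(pod)
    for container in pod["spec"].get("containers", []):
        for env in container.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                ref["optional"] = True
    for vol in pod["spec"].get("volumes", []):
        if vol.get("secret"):
            vol["secret"]["optional"] = True
    return pod


if __name__ == "__main__":
    for label, secrets, pod in [
        ("secret present", CLUSTER_SECRETS, POD),
        ("secret missing", {}, POD),
        ("secret missing but optional", {}, mark_optional(POD)),
    ]:
        print(f"{label}: {find_blocking_refs(pod, secrets) or 'ok'}")
```

Run it before applying a manifest to a namespace: an empty result means every required reference resolves, while each reported line names a reference that would block the container, so you can create the Secret first or deliberately mark the reference optional.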
Source code explanation
// SecretKeySelector selects a key of a Secret.
type SecretKeySelector struct {
	// The name of the secret in the pod's namespace to select from.
	LocalObjectReference
	// The key of the secret to select from. Must be a valid secret key.
	Key string
	// Specify whether the Secret or its key must be defined
	// +optional
	Optional *bool
}
How do you mark a Secret as optional or required in Kubernetes?
Set optional to true or false; the default is false.
Reference links: