This is the second post about Kubernetes secrets. In the previous one I listed the three ways to create secrets; we can create as many secrets as we want. In this post I will give three practical ways to use secrets in a k8s deployment.
Let's assume we have created a secret named my-secret as follows
apiVersion: v1
3 ways to use k8s secrets
- As environments
- As volume files
- As Kubelet auth credentials to pull image
1 Used as environment variables
A secret is a dictionary, so we can expose it to a container as environment variables in key-value form.
We can either inject the whole dictionary into the environment, or refer to one of the keys and use its value.
1.1 Use as the value of a user-defined env var
apiVersion: v1
The environment variable POSTGRES_USER shall have the value admin.
1.2 Use keys from the secret directly as env vars, keyword envFrom
apiVersion: v1
The environment variables username and password shall be available in the container.
2 Used as volume files
We can use the secret keys to generate files in a volume and mount it into a container. We have two keys in our secret, which means two files (/username and /password) will be created in the volume.
2.1 Mount all keys
There are two steps to mount a secret into a container.
2.1.1 Create a volume from a secret
volumes:
2.1.2 Mount the volume to a directory
volumeMounts:
Put them together in a pod yaml file
apiVersion: v1
Since we mount the secret volume (my name for a volume created from a secret) to /etc/foo, we can read the values from the files created from the secret keys.
$ cat /etc/foo/username
2.2 Mount a subset of the secret keys to a user-defined subfolder
To select a specific key instead of mounting all keys into the folder, we can add items when creating the secret volume
2.2.1 Create a volume from a secret
volumes:
2.2.2 Mount the volume to a directory (the same as above)
apiVersion: v1
Now you will find only username is projected.
$ cat /etc/foo/my-group/my-username
2.3 File mode
0644 is used by default, which can be changed as follows
volumes:
3 Kubelet auth to pull image
3.1 Use an image pull secret in the pod spec
When k8s is trying to pull an image from an image registry, it will check the list of docker-registry secrets in the same namespace given in the field imagePullSecrets of your pod yaml specification.
To create a secret for docker authentication
kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
Refer to the secret in the pod spec
apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
    - name: foo
      image: YOUR_PRIVATE_DOCKER_IMAGE
  imagePullSecrets:
    - name: myregistrykey
3.2 Use image pull secret in pod service account
Since each pod is associated with a service account, we can also add the imagePullSecrets to the service account.
Usually, if we don't specify a service account when defining a pod or deployment, the default service account is used.
3.2.1 Associate a secret to a service account
To add a secret to a service account, add a field 'imagePullSecrets' to the sa spec.
Patch an existing service account
We can patch the service account as follows
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}'
Create a new service account with imagePullSecrets
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-pod-used-service-account
  namespace: default
imagePullSecrets:
  - name: myregistrykey
3.2.2 Configure a pod to use the service account, field 'serviceAccountName' in Pod spec
apiVersion: v1
When the pod is created with service account my-pod-used-service-account, the imagePullSecrets will be added automatically to the spec; we can verify with
kubectl get pod THE_POD_NAME -o=jsonpath='{.spec.imagePullSecrets[0].name}{"\n"}'
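As an added example (not code from the post), a small Python audit over a Pod spec held as a dict, covering the three consumption paths above: secretKeyRef/envFrom exposure in the environment (section 1), secret volumes left at the default 0644 mode or projecting every key (section 2), and a missing imagePullSecrets list (section 3). Both pod dicts are constructed; the names follow the post's manifests, and a weak variant is shown beside a hardened one.

```python
# Constructed Pod spec (JSON form of a manifest like the post's); not from the post.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "foo"},
    "spec": {
        "containers": [{"name": "foo", "image": "YOUR_PRIVATE_DOCKER_IMAGE",
            "env": [{"name": "POSTGRES_USER", "valueFrom": {
                "secretKeyRef": {"name": "my-secret", "key": "username"}}}],
            "envFrom": [{"secretRef": {"name": "my-secret"}}],
            "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo"}]}],
        "volumes": [{"name": "foo", "secret": {"secretName": "my-secret"}}],
    },
}
# Hardened variant: files only, one key projected, owner-read-only, pull secret set.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "foo"},
    "spec": {
        "containers": [{"name": "foo", "image": "YOUR_PRIVATE_DOCKER_IMAGE",
            "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo"}]}],
        "volumes": [{"name": "foo", "secret": {
            "secretName": "my-secret", "defaultMode": 0o400,
            "items": [{"key": "username", "path": "my-group/my-username"}]}}],
        "imagePullSecrets": [{"name": "myregistrykey"}],
    },
}

def audit_pod(pod: dict) -> list:
    """Return one finding per risky way the pod consumes a Secret."""
    findings = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []):
        for e in c.get("env", []):  # secretKeyRef: the value lands in the env
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(f"env {e['name']} exposes {ref['name']}/{ref['key']}")
        for ef in c.get("envFrom", []):  # secretRef: every key lands in the env
            if "secretRef" in ef:
                findings.append(f"envFrom injects all keys of {ef['secretRef']['name']}")
    for v in [v for v in spec.get("volumes", []) if "secret" in v]:
        sec = v["secret"]
        mode = sec.get("defaultMode", 0o644)  # Kubernetes default when unset
        if mode & 0o077:
            findings.append(f"volume {v['name']}: mode {mode:04o} readable by group/other")
        if "items" not in sec:
            findings.append(f"volume {v['name']}: projects every key of {sec['secretName']}")
    if not spec.get("imagePullSecrets"):
        findings.append("no imagePullSecrets; pull relies on the service account's list")
    return findings
```

The same checks apply unchanged to a manifest loaded from JSON or YAML, since defaultMode arrives as the integer 256 for 0400 and 420 for 0644.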
Related:
https://kaichu.se/Kubernetes/2020/09/19/kubernetes-01-the-3-practical-ways-to-create-k8s-secret.html
References:
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/