kubernetes secrets

using k8s secrets

SEAN K.H. LIAO

using secrets

environment

mount every key-value of the secret as an env var (the key becomes the variable name; keys that aren't valid env names are skipped and reported as an event on the pod). env values are read once at container start: they are not refreshed when the secret changes, and every child process inherits them

# podspec
spec:
  containers:
    - ...
      envFrom:
        - secretRef:
            name: name-of-secret

mount as env, per key-value

# podspec
spec:
  containers:
    - ...
      env:
        - name: NAME_OF_ENV
          valueFrom:
            secretKeyRef:
              name: name-of-secret
              key: key-in-secret

files

mount every key as a file under mountPath, one file per key (0644 by default; set defaultMode on the volume to tighten, and mount readOnly). the kubelet updates the files when the secret changes, except for subPath mounts, which are never refreshed

# podspec
spec:
  containers:
    - ...
      volumeMounts:
        - name: name-of-volume
          mountPath: /etc/foo
  volumes:
    - name: name-of-volume
      secret:
        secretName: name-of-secret

mount as files, per key-value: items picks which keys to mount and the relative path each one gets under mountPath; keys not listed are not mounted

# podspec
spec:
  containers:
    - ...
      volumeMounts:
        - name: name-of-volume
          mountPath: /etc/foo
  volumes:
    - name: name-of-volume
      secret:
        secretName: name-of-secret
        items:
          - key: key-in-secret
            path: path-to-mount-as

serviceaccounts

imagePullSecrets: dockerconfigjson / dockercfg secrets that get added to every pod running as this ServiceAccount; useful for pulling private images without touching each podspec

secrets: mostly useless. it lists the kubernetes.io/service-account-token secrets owned by the account, which only the legacy token controller cares about (pods get projected tokens by default since 1.24). its other use is with the kubernetes.io/enforce-mountable-secrets: "true" annotation, which restricts pods of this account to mounting only the secrets listed here

apiVersion: v1
kind: ServiceAccount
metadata:
  name: service-account-name
secrets:
  - name: name-of-secret
imagePullSecrets:
  - name: name-of-secret

pod presets

apply the same env / envFrom / volumeMounts / volumes to all pods matching the selector, injected at admission time

only ever alpha: needs the settings.k8s.io/v1alpha1 api and the PodPreset admission plugin enabled, and it was removed in kubernetes 1.20. a mutating admission webhook is the replacement

see above for env / volume format

apiVersion: settings.k8s.io/v1alpha1
kind: PodPreset
metadata:
  name: allow-database
spec:
  selector:
    matchLabels:
      label-key: label-value
  env: ...
  volumeMounts: ...
  volumes: ...

secret types

what types can we use: the built-in ones below. most exist because some part of kubernetes consumes them (the kubelet for image pulls, the token controller for service-account tokens, ingress controllers for tls); for the rest the only effect of the type is that the api server checks the required keys are present. for your own data use Opaque, or any custom type string you like

data holds base64 encoded values. that is encoding, not encryption: anyone who can read the Secret object can decode it, and it sits in etcd in plaintext unless encryption at rest is configured. stringData takes plaintext for convenience; the api server merges it into data on write, never returns it on read, and if both set the same key stringData wins

start with the source code: the type constants and their required keys live in pkg/apis/core/types.go, the checks in pkg/apis/core/validation

Opaque

default type when type is omitted; any user-defined keys, no validation

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
type: Opaque
data:
  user-defined-key: data
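
rendering and inspecting an Opaque secret by hand, as an added example (not from the original post; kubectl would normally do the encoding for you). db-creds, app and hunter2 are made-up names and values; the point is the encoding round trip and the classic trailing-newline mistake:

```shell
#!/bin/sh
# Added example, not part of the original post: build an Opaque Secret
# manifest without kubectl and read a key back out of it.
# Names and values below are made up.
set -eu

# base64 without the trailing newline that `echo` would add, and without
# the 76-column line wrapping GNU base64 applies to longer input.
b64_literal() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

b64_decode() {
  printf '%s' "$1" | base64 -d
}

# The mistake: `echo value | base64` encodes "value\n", so the app gets a
# password with a newline on the end and rejects it.
b64_echo_pitfall() {
  echo "$1" | base64 | tr -d '\n'
}

# One key under `data` (must be base64) and one under `stringData`
# (plaintext; the api server merges it into data and never returns it).
render_opaque_secret() {
  name=$1 user=$2 pass=$3
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  password: $(b64_literal "$pass")
stringData:
  username: $user
EOF
}

# Pull the raw value of one key out of a manifest's data / stringData.
secret_key() {
  manifest=$1 key=$2
  printf '%s\n' "$manifest" | awk -v k="$key:" '$1 == k { print $2 }'
}

# Stand-alone run: render the manifest, then prove the value decodes.
main() {
  m=$(render_opaque_secret db-creds app hunter2)
  printf '%s\n' "$m"
  printf 'decoded password: %s\n' "$(b64_decode "$(secret_key "$m" password)")"
}

case "${0##*/}" in
  sh|bash|dash) ;;      # sourced by a test harness: define functions only
  *) main ;;
esac
```

with kubectl the same thing is `kubectl create secret generic db-creds --from-literal=password=hunter2 --dry-run=client -o yaml`, and reading it back is `kubectl get secret db-creds -o jsonpath='{.data.password}' | base64 -d`; anyone with get on secrets in the namespace can do that second step, which is why rbac on secrets matters more than the encoding.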

kubernetes.io/service-account-token

create it with only the kubernetes.io/service-account.name annotation set; the token controller fills in token, ca.crt, namespace and the uid annotation. since 1.24 these are no longer auto-created for every ServiceAccount (pods get short-lived projected tokens instead), so this is only for when you explicitly want a long-lived token, which is a long-lived credential to guard

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
  annotations:
    kubernetes.io/service-account.name: name of ServiceAccount
    kubernetes.io/service-account.uid: uid of ServiceAccount
type: kubernetes.io/service-account-token
data:
  token: token
  kubernetes.kubeconfig: kubeconfig (optional)
  ca.crt: root certificate (optional)
  namespace: default namespace (optional)

kubernetes.io/dockercfg

legacy ~/.dockercfg format; the required key is .dockercfg. prefer dockerconfigjson

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
type: kubernetes.io/dockercfg
data:
  .dockercfg: contents of ~/.dockercfg, base64 encoded

kubernetes.io/dockerconfigjson

the whole ~/.docker/config.json, base64 encoded, under the required key .dockerconfigjson; this is what `kubectl create secret docker-registry` produces, and it's consumed via imagePullSecrets on the pod or ServiceAccount

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: contents of ~/.docker/config.json, base64 encoded
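
hand-building a pull secret and reading one back, as an added example (not from the original post). registry.example.com, robot and hunter2 are made up; it shows the two layers of base64 involved (the auth field inside the json, then the whole json inside the Secret):

```shell
#!/bin/sh
# Added example, not part of the original post: build a
# kubernetes.io/dockerconfigjson pull secret and recover the credential.
# Registry, user and password are made up.
set -eu

b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# The `auth` field of a docker config is base64("user:password").
docker_auth() {
  b64 "$1:$2"
}

# Minimal config.json: one registry, credential in `auth` only. The kubelet
# accepts either `auth` or separate username/password fields; `kubectl create
# secret docker-registry` writes both. Assumes the registry host needs no
# json escaping.
render_dockerconfigjson() {
  registry=$1 user=$2 pass=$3
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$registry" "$(docker_auth "$user" "$pass")"
}

# The Secret wraps the whole json, base64 encoded, under `.dockerconfigjson`.
render_pull_secret() {
  name=$1; shift
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(render_dockerconfigjson "$@")")
EOF
}

# Recover "user:password" from a manifest: decode the outer base64, pull
# `auth` out of the json, decode that too. Nothing here is secret from
# anyone who can read the object.
pull_secret_credential() {
  printf '%s\n' "$1" \
    | awk '$1 == ".dockerconfigjson:" { print $2 }' \
    | base64 -d \
    | sed 's/.*"auth":"\([^"]*\)".*/\1/' \
    | base64 -d
}

main() {
  m=$(render_pull_secret regcred registry.example.com robot hunter2)
  printf '%s\n' "$m"
  printf 'credential inside: %s\n' "$(pull_secret_credential "$m")"
}

case "${0##*/}" in
  sh|bash|dash) ;;      # sourced by a test harness: define functions only
  *) main ;;
esac
```

against a real cluster the equivalents are `kubectl create secret docker-registry regcred --docker-server=registry.example.com --docker-username=robot --docker-password=hunter2 --dry-run=client -o yaml` to produce it, and `kubectl get secret regcred -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d` to inspect one; use a registry account scoped to pull only, since it ends up readable by everything that can read secrets in the namespace.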

kubernetes.io/basic-auth

the api server requires both username and password keys to exist (they may be empty). nothing in kubernetes consumes it; it's a convention for your own workloads

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
type: kubernetes.io/basic-auth
data:
  username: username
  password: password

kubernetes.io/ssh-auth

required key ssh-privatekey. a private key alone says nothing about who the server is, so add a known_hosts entry by some other means or you've built in a mitm

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: private key

kubernetes.io/tls

required keys tls.crt and tls.key, pem encoded; what ingress controllers and the like look for. `kubectl create secret tls name --cert=tls.crt --key=tls.key` builds it from files

apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
type: kubernetes.io/tls
data:
  tls.crt: certificate (public)
  tls.key: key (private)