Volumes
In Kubernetes, volume management matters because a pod may be scheduled onto any node, and the containers in one pod frequently need to share the same files; without a volume abstraction both are hard to guarantee.
Secrets
A Secret, as its name suggests, is an object that stores sensitive key-value data (a password, an access key, a token) for consumption by pods. On a worker node the data never lands on disk: the kubelet mounts it from a per-node tmpfs filesystem, and only nodes that run a pod referencing the Secret receive a copy. The object itself, however, is persisted in etcd on the control plane, base64-encoded rather than encrypted, unless encryption at rest is configured for the API server. Secrets are not designed to hold large amounts of data; the current size limit for one Secret is 1MB.
We can create a Secret from a file, a directory, or literal values with the kubectl create secret command, or from a spec. kubectl offers three subcommands matching the common Secret types: generic (type Opaque), docker-registry (type kubernetes.io/dockerconfigjson), and tls (type kubernetes.io/tls).
We'll start with a generic-type example to show how it works:
cat << EOF > mypassword.txt
passwordispassword
EOF
kubectl create secret generic mypassword --from-file=./mypassword.txt
secret "mypassword" created
Get the detailed info of the secret:
kubectl get secret mypassword -o yaml
apiVersion: v1
data:
  mypassword.txt: cGFzc3dvcmRpc3Bhc3N3b3JkCg==
kind: Secret
metadata:
  creationTimestamp: 2018-06-14T06:50:11Z
  name: mypassword
  namespace: default
  resourceVersion: "17233"
  selfLink: /api/v1/namespaces/default/secrets/mypassword
  uid: 2ef8df68-6f9f-11e8-b209-baddb597dfcc
type: Opaque
The type is Opaque because that is the default type for a generic Secret. Note that the value has not been encrypted: kubectl shows the stored data base64-encoded, and anyone with permission to read the Secret can reverse that with a one-liner:
echo "cGFzc3dvcmRpc3Bhc3N3b3JkCg==" | base64 --decode
passwordispassword
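As an added example (not code from the original page), here is a small shell helper that decodes every entry under `data:` in a Secret manifest, the shape `kubectl get secret ... -o yaml` prints. The manifest is constructed inline; the second key, `api-token`, is an assumption added for the demo and not part of the page. The helper assumes a Linux `base64` that accepts `-d`.

```shell
#!/bin/sh
# Added example, not from the original page: show that the base64 in a Secret's
# `data:` section is reversible by decoding every key of a manifest.
# Assumes a Linux `base64` that accepts -d (on macOS use -D).

# Constructed sample, in the shape printed by `kubectl get secret -o yaml`.
# The api-token key is an assumption added for the demo; the first key and
# value are the ones from the page.
SAMPLE_SECRET='apiVersion: v1
kind: Secret
metadata:
  name: mypassword
  namespace: default
type: Opaque
data:
  mypassword.txt: cGFzc3dvcmRpc3Bhc3N3b3JkCg==
  api-token: dG9rZW4tMTIz'

# decode_secret_data: read a Secret manifest on stdin and print key=plaintext
# for each entry under `data:`. Only the flat "  key: value" form kubectl
# emits is handled; this is not a general YAML parser.
decode_secret_data() {
  awk '
    /^data:/   { in_data = 1; next }   # start of the data mapping
    /^[^ ]/    { in_data = 0 }         # any other top-level key ends it
    in_data && /^  [^ ]+: / {
      key = $1; sub(/:$/, "", key)
      print key "\t" $2
    }' | while IFS="$(printf '\t')" read -r key value; do
      printf '%s=%s\n' "$key" "$(printf '%s' "$value" | base64 -d)"
    done
}

# Demo run: prints the plaintext of both keys.
printf '%s\n' "$SAMPLE_SECRET" | decode_secret_data
```

Against a live cluster you would pipe `kubectl get secret mypassword -o yaml | decode_secret_data`. The point is that base64 protects nothing: anyone granted `get` on Secrets in the namespace, and anyone who can read etcd, sees the plaintext, so RBAC on Secrets and encryption at rest are the controls, not the encoding.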
Retrieving secret via files
A Secret must exist before the pods that reference it are created. Otherwise the pod is scheduled but its containers cannot start: a secret volume fails to mount, and a container that references the Secret through an environment variable reports CreateContainerConfigError.
cat << EOF > 3-2-3_pod_vol_secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-access
spec:
  containers:
  - name: centos
    image: centos
    command: ["/bin/sh", "-c", "while : ;do cat /secret/password-example; sleep 10; done"]
    volumeMounts:
    - name: secret-vol
      mountPath: /secret
      readOnly: true
  volumes:
  - name: secret-vol
    secret:
      secretName: mypassword
      items:
      - key: mypassword.txt    # --from-file named the key after the file
        path: password-example
EOF
kubectl create -f 3-2-3_pod_vol_secret.yaml
pod "secret-access" created
kubectl describe pod secret-access
...
Mounts:
/secret from secret-vol (ro)
/var/run/secrets/kubernetes.io/serviceaccount from default-token-5crjd (ro)
...
Two mount points appear in this pod. The first is the read-only volume holding our Secret. The second, /var/run/secrets/kubernetes.io/serviceaccount, holds the credentials for talking to the API server; Kubernetes creates and manages it and mounts it into every pod by default. That token is itself a secret: if the workload does not need API access, set automountServiceAccountToken: false on the pod (or the service account) so it is not injected.
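As an added example (not code from the original page), here is the secret-volume pod above rewritten with the settings a reviewer would ask for, plus a small shell check that can run before `kubectl create`. It keeps the page's Secret name `mypassword`, key `mypassword.txt` and mount path `/secret`; the pod name `secret-access-hardened`, the output file name and the `check_pod_hardening` helper are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: write a hardened version of the
# secret-volume pod and grep it for the three settings that matter before
# applying it. Pod name, file name and the check helper are assumptions.

# write_hardened_pod: write the manifest to the path given as $1.
write_hardened_pod() {
  cat > "$1" << 'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: secret-access-hardened
spec:
  # The pod only reads a file; it has no reason to talk to the API server,
  # so the default service-account token is not mounted at all.
  automountServiceAccountToken: false
  containers:
  - name: centos
    image: centos
    command: ["/bin/sh", "-c", "while : ; do cat /secret/password-example; sleep 10; done"]
    volumeMounts:
    - name: secret-vol
      mountPath: /secret
      readOnly: true
  volumes:
  - name: secret-vol
    secret:
      secretName: mypassword
      # Files are created 0400 (owner read only) instead of the default 0644.
      defaultMode: 0400
      items:
      - key: mypassword.txt        # must match the key in the Secret exactly
        path: password-example
EOF
}

# check_pod_hardening: return 0 when all three settings are present in the
# manifest at $1, otherwise report each missing one on stderr and return 1.
check_pod_hardening() {
  rc=0
  for want in 'automountServiceAccountToken: false' 'readOnly: true' 'defaultMode: 0400'; do
    grep -q "^ *$want\$" "$1" || { echo "missing: $want" >&2; rc=1; }
  done
  return $rc
}

# Demo run: write the file, check it, then it is ready for
#   kubectl create -f 3-2-3_pod_vol_secret_hardened.yaml
write_hardened_pod 3-2-3_pod_vol_secret_hardened.yaml
check_pod_hardening 3-2-3_pod_vol_secret_hardened.yaml && echo "hardening checks passed"
```

With defaultMode 0400 the file is readable only by its owner, root, which is fine for the centos image running as root; if the container runs as a non-root user, set securityContext.fsGroup and a group-readable mode such as 0440 instead. The grep checks are deliberately simple: they catch a dropped setting, not every way a manifest can be wrong.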
Retrieving secret via environment variables
cat << 'EOF' > 3-2-3_pod_ev_secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-access-ev
spec:
  containers:
  - name: centos
    image: centos
    # the quoted 'EOF' above keeps the local shell from expanding $MY_PASSWORD
    command: ["/bin/sh", "-c", "while : ;do echo $MY_PASSWORD; sleep 10; done"]
    env:
    - name: MY_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mypassword
          key: mypassword    # the Secret's key is actually mypassword.txt; see the events below
EOF
kubectl create -f 3-2-3_pod_ev_secret.yaml
pod "secret-access-ev" created
kubectl describe pod secret-access-ev
...
State: Waiting
Reason: CreateContainerConfigError
...
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 57s default-scheduler Successfully assigned secret-access-ev to do5
Normal SuccessfulMountVolume 56s kubelet, do5 MountVolume.SetUp succeeded for volume "default-token-5crjd"
Normal Pulled 14s (x4 over 52s) kubelet, do5 Successfully pulled image "centos"
Warning Failed 14s (x4 over 52s) kubelet, do5 Error: Couldn't find key mypassword in Secret default/mypassword
Normal Pulling 2s (x5 over 56s) kubelet, do5 pulling image "centos"
The container never starts. The Secret was created with --from-file=./mypassword.txt, so its single key is named mypassword.txt after the file, while the pod asks for a key named mypassword; the kubelet retries, fails the same way each time, and leaves the container in CreateContainerConfigError. Correct the key field to mypassword.txt and the container comes up. Keep in mind that a value injected this way is visible to every process in the container through its environment (and /proc/<pid>/environ) and is inherited by child processes, which is why mounting Secrets as files is generally preferred over environment variables.