Mounting client.crt, client.key, ca.crt with a service-account or otherwise?


Question

Has anyone used service-accounts to mount SSL certificates to access the AWS cluster from within a running job before? How do we do this? I created the job, and this is from the output of the failing container, which is causing the Pod to be in an error state.

Error in configuration:
* unable to read client-cert /client.crt for test-user due to open /client.crt: no such file or directory
* unable to read client-key /client.key for test-user due to open /client.key: no such file or directory
* unable to read certificate-authority /ca.crt for test-cluster due to open /ca.crt: no such file or director

Recommended answer

The solution is to create a Secret containing the certs, and then get the job to reference it.

Step 1. Create the secret:

kubectl create secret generic job-certs --from-file=client.crt --from-file=client.key --from-file=ca.crt

Step 2. Reference secret in job's manifest. You have to insert the volumes and volumeMounts in the job.

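spec:                       # pod spec (spec.template.spec in a Job manifest)
  volumes:
  - name: ssl
    secret:
      secretName: job-certs
  containers:
  - name: job               # placeholder name; containers is a list, so volumeMounts sits under an entry
    volumeMounts:
    - mountPath: "/etc/ssl"
      name: "ssl"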
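
A complete Job manifest for the two steps above, as an added example that is not part of the original answer: it mounts the job-certs Secret read-only at a dedicated directory and passes the certificate paths to kubectl explicitly. The Job name, image, server URL and the /etc/job-certs mount path are assumptions.

```yaml
# Added example, not from the original answer. Only the Secret name job-certs
# and its keys client.crt, client.key, ca.crt come from the page; every other
# name, the image, the server URL and the mount path are assumptions.
apiVersion: batch/v1
kind: Job
metadata:
  name: cert-client-job                 # hypothetical
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false   # auth uses the client cert, so no SA token is needed
      volumes:
      - name: ssl
        secret:
          secretName: job-certs
          defaultMode: 0400             # owner read-only: client.key is a private key
      containers:
      - name: client                    # hypothetical
        image: registry.example.com/tools/kubectl:placeholder   # placeholder image
        command:
        - kubectl
        - --server=https://cluster.example.invalid:6443         # placeholder API endpoint
        - --certificate-authority=/etc/job-certs/ca.crt
        - --client-certificate=/etc/job-certs/client.crt
        - --client-key=/etc/job-certs/client.key
        - get
        - nodes
        volumeMounts:
        - name: ssl
          mountPath: /etc/job-certs     # dedicated directory; mounting over /etc/ssl hides the image's own files there
          readOnly: true
```

Whatever mount path is used, the paths in the client configuration must match it: the error in the question shows the configuration looking for the files at /client.crt, /client.key and /ca.crt.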
