Creating ssh secrets key file in kubernetes


Problem description


If I create a secret from an id_rsa file using kubectl as:

kubectl create secret generic hcom-secret --from-file=ssh-privatekey=./.ssh/id_rsa

And then mount the secret into the container

"volumeMounts": [
    {"name": "cfg", "readOnly": false, "mountPath": "/home/hcom/.ssh"}
]

"volumes": [
    {"name": "cfg", "secret": { "secretName": "hcom-ssh" }}
],

The resultant file is not id_rsa but ssh-privatekey, and the permissions on it are not 600, which ssh expects.

Is this a correct approach, or can anyone please detail how this should be done?

Solution

The official Kubernetes docs for secrets cover this exact use-case.

To create the secret, use:

$ kubectl create secret generic my-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub

To mount the secret in your containers, use the following Pod config:

{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "secret-test-pod",
    "labels": {
      "name": "secret-test"
    }
  },
  "spec": {
    "volumes": [
      {
        "name": "secret-volume",
        "secret": {
          "secretName": "my-secret"
        }
      }
    ],
    "containers": [
      {
        "name": "ssh-test-container",
        "image": "mySshImage",
        "volumeMounts": [
          {
            "name": "secret-volume",
            "readOnly": true,
            "mountPath": "/etc/secret-volume"
          }
        ]
      }
    ]
  }
}

Kubernetes doesn't actually have a way to control file permissions for a secret as of now, but a recent Pull Request did add support for changing the path of secrets. This support was added with 1.3, as per this comment.

Here are the permissions-related GitHub issues:
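The answer's mount leaves the key in a file called ssh-privatekey with default permissions. The following added example (not code from the original answer or from Kubernetes) renders a Pod manifest that uses the items[].path support the answer mentions (1.3+) plus the defaultMode field (a later addition, 1.6+, not shown on this page) so the container sees id_rsa at mode 0600; the secret name, pod name, image and mount path are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original answer): render a Pod manifest that
# mounts the SSH secret so the container sees id_rsa with mode 0600 rather than
# a world-readable file named ssh-privatekey.
# Assumptions: the secret was created as in the answer with key ssh-privatekey;
# items[].path (Kubernetes 1.3+) and defaultMode (1.6+) are used, the latter of
# which the answer does not show; pod name, image and mount path are placeholders.

# JSON has no octal literals: 0600 in a YAML manifest must be written as 384 in
# JSON. Convert an octal mode such as 0600 or 600 to the decimal value JSON needs.
mode_to_decimal() {
    printf '%d\n' "$((0$1))"
}

# Emit the Pod JSON. $1 = secret name, $2 = mount path, $3 = octal file mode.
render_ssh_pod() {
    secret="$1"; mount="$2"; mode=$(mode_to_decimal "$3")
    cat <<EOF
{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {"name": "ssh-secret-pod"},
  "spec": {
    "volumes": [{
      "name": "ssh-key",
      "secret": {
        "secretName": "$secret",
        "defaultMode": $mode,
        "items": [{"key": "ssh-privatekey", "path": "id_rsa"}]
      }
    }],
    "containers": [{
      "name": "ssh-client",
      "image": "my-ssh-image",
      "volumeMounts": [{"name": "ssh-key", "readOnly": true, "mountPath": "$mount"}]
    }]
  }
}
EOF
}

# Mounting at ~/.ssh replaces the whole directory, so any known_hosts or config
# baked into the image disappears; mounting at a separate path and passing -i is
# safer. Secret files are owned by root, so a container running as a non-root
# user needs securityContext.fsGroup set before it can read a 0600 file.
# Usage: render_ssh_pod my-secret /home/hcom/.ssh 0600 | kubectl apply -f -
```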
