更新kubernetes机密不会更新正在运行的容器环境变量 [英] Update kubernetes secrets doesn't update running container env vars
问题描述
目前,在更新kubernetes机密文件时,为了应用更改,我需要运行kubectl apply -f my-secrets.yaml.如果有一个正在运行的容器,它仍将使用旧的秘密.为了将新的机密应用到正在运行的容器中,我目前运行命令kubectl replace -f my-pod.yaml.
我想知道这是否是更新正在运行的容器机密的最佳方法,还是我遗漏了某些东西.
Currenly when updating a kubernetes secrets file, in order to apply the changes, I need to run kubectl apply -f my-secrets.yaml. If there was a running container, it would still be using the old secrets. In order to apply the new secrets on the running container, I currently run the command kubectl replace -f my-pod.yaml .
I was wondering if this is the best way to update a running container secret, or am I missing something.
谢谢.
推荐答案
安装的机密会自动更新
当卷中已经消耗的机密被更新时,投影的密钥最终也会被更新.更新时间取决于kubelet同步时间.
Mounted Secrets are updated automatically
When a secret being already consumed in a volume is updated, projected keys are eventually updated as well. The update time depends on the kubelet syncing period. 已安装的机密已更新.问题是何时.万一机密内容被更新并不意味着您的应用程序会自动使用它.在这种情况下,监视文件更改以采取相应的措施是您应用程序的工作.考虑到这一点,您当前需要做更多的工作.我现在想到的一种方法是在Kubernetes中运行预定作业与Kubernetes API对话,以启动您的部署.这样,您理论上就可以实现想要更新秘密的目标.这有点不优雅,但这是我目前唯一想到的方法.我仍然需要亲自检查有关Kubernetes概念的更多信息.所以,请忍受我. Mounted secrets are updated. The question is when. In case a the content of a secret is updated does not mean that your application automatically consumes it. It is the job of your application to watch file changes in this scenario to act accordingly. Having this in mind you currently need to do a little bit more work. One way I have in mind right now would be to run a scheduled job in Kubernetes which talks to the Kubernetes API to initiate a new rollout of your deployment. That way you could theoretically achieve what you want to renew your secrets. It is somehow not elegant, but this is the only way I have in mind at the moment. I still need to check more on the Kubernetes concepts myself. So please bear with me. 这篇关于更新kubernetes机密不会更新正在运行的容器环境变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
