如何安装kubernetes机密? [英] How are kubernetes secrets mounted?

问题描述

很明显，此行为是由ServiceAccount引起的: https://kubernetes .io/docs/reference/access-authn-authz/service-accounts-admin/#service-account-admission-controller

Apparenlty this behavior is caused by ServiceAccount: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#service-account-admission-controller

哪个使用称为AdmissionController的名称.我想我正在寻找的是以下之一:

Which uses something called an AdmissionController. I guess what I'm looking for is one of the following:

• 在AdmissionController中找到一个设置，该设置在我的情况下跳过给定容器(initContainer)的秘密装入

• Find a setting in AdmissionController which skips the secrets mount for a given container (initContainer) in my case

找到具有这种灵活性的AdmissionController的实现

Find an implementation of AdmissionController which has this flexibility

将秘密的位置从/var/run/secrets更改为其他地方

Change the location of secrets from /var/run/secrets to somewhere else

我有一个initContainer，它是pod的一部分，是statefulset的一部分.我正在安装一些直接的卷(以便我可以在我的应用程序容器启动之前创建路径/权限).但是，一旦我检查了文件系统，就会看到一个嵌套的路径，其中似乎是kubernetes的秘密.

I have an initContainer which is a part of a pod a part of statefulset. I am mounting some straight forward volumes (so I can create paths/permissions before my app container starts). However as soon as I check the file system, I see a nested path with what seems to be kubernetes secrets.

这是如何安装的?这是我们自己做的吗?为什么要走这条路?我可以阻止秘密泄露吗?我可以更改安装路径吗?

How did this get mounted? Is this our own doing? Why this path? Can I stop the secrets from being mounted? Can i change the mount path?

$ kubectl logs nmnode-0-0 -n test -c prep-hadoop-paths
drwxrwsrwt 4 root root 80 Aug 21 03:52 /run
/run:
total 0
drwxrwsr-x 2 1000 root 40 Aug 21 03:52 configmaps
drwxr-sr-x 3 root root 60 Aug 21 03:52 secrets

/run/configmaps:
total 0

/run/secrets:
total 0
drwxr-sr-x 3 root root 60 Aug 21 03:52 kubernetes.io

/run/secrets/kubernetes.io:
total 0
drwxrwsrwt 3 root root 140 Aug 21 03:51 serviceaccount

/run/secrets/kubernetes.io/serviceaccount:
total 0
lrwxrwxrwx 1 root root 13 Aug 21 03:51 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Aug 21 03:51 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Aug 21 03:51 token -> ..data/token

      initContainers:
      - command:
        - sh
        - -c
        - umask 002; ls -ld /run; ls -lR /run; mkdir -p /var/run/secrets/credentials
          ; mkdir -p /var/opt/hdfs ; mkdir -p /var/run/configmaps ; mkdir -p /var/run/secrets/certificates
          ; ls -lR /var;
        image: ubuntu:16.04
        imagePullPolicy: IfNotPresent
        name: prep-hadoop-paths
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/opt
          name: data
          subPath: hadoop/var/opt
        - mountPath: /var/log
          name: logs
          subPath: hadoop
        - mountPath: /var/run
          name: var-run
          subPath: hadoop

从initContainer规范中可以看到，没有地方可以指定或要求安装任何机密信息.但是无论如何它们都会出现

As you can see from the initContainer spec, there is nowhere that I specify or require any secrets to be mounted. However they show up regardless

以下是该容器的卷列表.

The following is the volumes listing for the pod.

      volumes:
      - name: mssql-master-pool-secret
        secret:
          defaultMode: 420
          secretName: mssql-master-pool-secret
      - name: controller-internal-secret
        secret:
          defaultMode: 420
          secretName: controller-internal-secret
      - emptyDir:
          medium: Memory
        name: var-run
      - configMap:
          defaultMode: 420
          name: mssql-hadoop-storage-0-configmap
        name: hadoop-config-volume
      - name: nmnode-0-agent-secret
        secret:
          defaultMode: 420
          secretName: nmnode-0-agent-secret
      - configMap:
          defaultMode: 420
          name: cluster-configmap
        name: cluster-config-volume

如果您需要更多的Yaml，请告诉我.

If you need more parts of the yaml please let me know.

推荐答案

您的做法正确，就像服务帐户还随Kubernetes集群中的某些准入功能一起传播，最初绑定到名为ServiceAccount的特定准入插件.

You are on a right way, as Admission controller is the main contributor for implementing various features via Kubernetes API. As you mentioned above Service Account is also propagated with some admission features in Kubernetes cluster, initially bounded to the particular admission plugin called ServiceAccount.

根据官方的Kubernetes 文档，在kube-apiserver

According to the official Kubernetes documentation, there are special flags--enable-admission-plugins and --disable-admission-plugins included in kube-apiserver configuration that can be used to enable or disable admission plugins respectively.

默认情况下，启用ServiceAccount准入控制器插件，如此处.除其他操作外，此插件还将带有令牌数据和CA证书的卷装入跨K8s集群的每个Pod中，用于

By default, ServiceAccount admission controller plugin is enabled like described here. Besides other actions, this plugin mounts volume with token data and CA certificate into the each Pod across K8s cluster for authentication to the apiserver purposes.

为了停用ServiceAccount准入插件，您可以将--disable-admission-plugins=ServiceAccount注入到kube-apiserver配置中.

In order to deactivate ServiceAccount admission plugin, you can inject --disable-admission-plugins=ServiceAccount into the kube-apiserver configuration.

否则，如果您想

将秘密的位置从/var/run/secrets更改为其他地方

Change the location of secrets from /var/run/secrets to somewhere else

这是您可以在其中将路径更改为所需的任意位置

This is where you can change the path to whatever you want

这篇关于如何安装kubernetes机密?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！