How can I mount a single distinct Secret into each Pod managed by a StatefulSet?

Question

I have 3 different Kubernetes Secrets and I want to mount each one into its own Pod managed by a StatefulSet with 3 replicas.

Is it possible to configure the StatefulSet such that each Secret is mounted into its own Pod?

Recommended answer

Not really. A StatefulSet (and any workload controller for that matter) allows only a single pod definition template (it could have multiple containers). The issue with this is that a StatefulSet is designed to have N replicas so can you have an N number of secrets. It would have to be a SecretStatefulSet: a different controller.

Some solutions:

  • You could define a single Kubernetes secret that contains all your required secrets for all of your pods. The downside is that you will have to share the secret between the pods. For example:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  pod1: xxx
  pod2: xxx
  pod3: xxx
  ...
  podN: xxx

  • Use something like Hashicorp's Vault and store your secret remotely with keys such as pod1, pod2, pod3,...podN. You can also use an HSM. This seems to be the more solid solution IMO but it might take longer to implement.

    In all cases, you will have to make sure that the number of secrets matches your number of pods in your StatefulSet.
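As an added example (not part of the original answer): a container entrypoint helper for the single-shared-Secret option, which derives the pod's ordinal from its StatefulSet hostname and resolves the matching key file in the mounted Secret, failing when no key exists for that ordinal. The mount path /etc/shared-secret and the mapping of ordinal K to key pod(K+1) are assumptions made here to match the pod1..podN naming above.

```shell
#!/bin/sh
# Added example: pick this pod's entry from a Secret shared by all replicas.
# Assumptions (not from the original answer): the Secret "mysecret" is mounted
# as a volume at SECRET_DIR, and key pod<K+1> belongs to the pod with ordinal K.

SECRET_DIR="${SECRET_DIR:-/etc/shared-secret}"

# StatefulSet pods are named <statefulset-name>-<ordinal>.
# Print the ordinal, or fail if the name does not end in "-<number>".
pod_ordinal() {
    name="$1"
    case "$name" in
        *-*) ;;
        *) echo "pod name '$name' has no ordinal suffix" >&2; return 1 ;;
    esac
    ordinal="${name##*-}"
    case "$ordinal" in
        # Reject empty, non-numeric, and zero-padded suffixes.
        ''|*[!0-9]*|0?*)
            echo "cannot parse ordinal from '$name'" >&2; return 1 ;;
    esac
    echo "$ordinal"
}

# Print the path of the key file for the given pod name. Fails when the Secret
# has no key for this ordinal, i.e. the replica count outgrew the Secret.
secret_path_for_pod() {
    ordinal="$(pod_ordinal "$1")" || return 1
    key="pod$((ordinal + 1))"
    path="$SECRET_DIR/$key"
    if [ ! -r "$path" ]; then
        echo "no readable key '$key' in $SECRET_DIR for pod '$1'" >&2
        return 1
    fi
    echo "$path"
}

# Usage in the container entrypoint (hostname equals the pod name):
#   SECRET_FILE="$(secret_path_for_pod "$(hostname)")" || exit 1
#   exec my-app --credentials-file "$SECRET_FILE"   # my-app is a placeholder
```

Failing at startup when the key is missing surfaces a mismatch between the replica count and the number of keys. Every pod can still read all keys in the volume, which is the sharing downside noted in the answer.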