如何将用户凭据传递到Kubernetes Pod内部的(用户限制的)已安装卷? [英] How to pass user credentials to (user-restricted) mounted volume inside Kubernetes Pod?
问题描述
我正在尝试通过Kubernetes机密将用户凭据传递到Kubernetes Pod中已安装的受密码保护的目录.NFS文件夹/mount/protected
具有用户访问限制,即,仅某些用户可以访问此文件夹.
I am trying to pass user credentials via Kubernetes secret to a mounted, password protected directory inside a Kubernetes Pod.
The NFS folder /mount/protected
has user access restrictions, i.e. only certain users can access this folder.
这是我的Pod配置:
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
volumes:
- name: my-volume
hostPath:
path: /mount/protected
type: Directory
secret:
secretName: my-secret
containers:
- name: my-container
image: <...>
command: ["/bin/sh"]
args: ["-c", "python /my-volume/test.py"]
volumeMounts:
- name: my-volume
mountPath: /my-volume
应用它时,出现以下错误:
When applying it, I get the following error:
The Pod "my-pod" is invalid:
* spec.volumes[0].secret: Forbidden: may not specify more than 1 volume type
* spec.containers[0].volumeMounts[0].name: Not found: "my-volume"
我根据以下指南创建了我的秘密:
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret
所以基本上:
I created my-secret according to the following guide:
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret
So basically:
apiVersion: v1
kind: Secret
metadata:
name: my-secret
data:
username: bXktYXBw
password: PHJlZGFjdGVkPg==
但是当我使用以下方式装载文件夹/mount/protected
时:
But when I mount the folder /mount/protected
with:
spec:
volumes:
- name: my-volume
hostPath:
path: /mount/protected
type: Directory
我得到一个权限被拒绝的错误 python:无法打开文件'/my-volume/test.py':[Errno 13]权限被拒绝
,当该Pod安装了该卷路径时.
I get a permission denied error python: can't open file '/my-volume/test.py': [Errno 13] Permission denied
when running a Pod that mounts this volume path.
我的问题是如何告诉我的Pod,该Pod应该使用特定的用户凭据来访问此已装载的文件夹?
My question is how can I tell my Pod that it should use specific user credentials to gain access to this mounted folder?
推荐答案
我最终想出了如何通过使用Kubernetes的CIFS Flexvolume插件(
I eventually figured out how to pass user credentials to a mounted directory within a Pod by using CIFS Flexvolume Plugin for Kubernetes (https://github.com/fstab/cifs).
With this Plugin, every user can pass her/his credentials to the Pod.
The user only needs to create a Kubernetes secret (cifs-secret
), storing the username/password and use this secret for the mount within the Pod.
The volume is then mounted as follows:
(...)
volumes:
- name: test
flexVolume:
driver: "fstab/cifs"
fsType: "cifs"
secretRef:
name: "cifs-secret"
options:
networkPath: "//server/share"
mountOptions: "dir_mode=0755,file_mode=0644,noperm"
这篇关于如何将用户凭据传递到Kubernetes Pod内部的(用户限制的)已安装卷?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!