如何将用户凭据传递到Kubernetes Pod内部的(用户限制的)已安装卷? [英] How to pass user credentials to (user-restricted) mounted volume inside Kubernetes Pod?

问题描述

我正在尝试通过Kubernetes机密将用户凭据传递到Kubernetes Pod中已安装的受密码保护的目录.NFS文件夹/mount/protected 具有用户访问限制，即，仅某些用户可以访问此文件夹.

I am trying to pass user credentials via Kubernetes secret to a mounted, password protected directory inside a Kubernetes Pod. The NFS folder /mount/protected has user access restrictions, i.e. only certain users can access this folder.

这是我的Pod配置:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  volumes:
  - name: my-volume
    hostPath:
      path: /mount/protected
      type: Directory
    secret:
      secretName: my-secret
  containers:
  - name: my-container
    image: <...>
    command: ["/bin/sh"]
    args: ["-c", "python /my-volume/test.py"]
    volumeMounts:
    - name: my-volume
      mountPath: /my-volume

应用它时，出现以下错误:

When applying it, I get the following error:

The Pod "my-pod" is invalid:
* spec.volumes[0].secret: Forbidden: may not specify more than 1 volume type
* spec.containers[0].volumeMounts[0].name: Not found: "my-volume"

我根据以下指南创建了我的秘密:
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret
所以基本上:

I created my-secret according to the following guide:
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret
So basically:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  username: bXktYXBw
  password: PHJlZGFjdGVkPg==

但是当我使用以下方式装载文件夹/mount/protected 时:

But when I mount the folder /mount/protected with:

spec:
  volumes:
  - name: my-volume
    hostPath:
      path: /mount/protected
      type: Directory

我得到一个权限被拒绝的错误 python:无法打开文件'/my-volume/test.py':[Errno 13]权限被拒绝，当该Pod安装了该卷路径时.

I get a permission denied error python: can't open file '/my-volume/test.py': [Errno 13] Permission denied when running a Pod that mounts this volume path.

我的问题是如何告诉我的Pod，该Pod应该使用特定的用户凭据来访问此已装载的文件夹?

My question is how can I tell my Pod that it should use specific user credentials to gain access to this mounted folder?

推荐答案

我最终想出了如何通过使用Kubernetes的CIFS Flexvolume插件(

I eventually figured out how to pass user credentials to a mounted directory within a Pod by using CIFS Flexvolume Plugin for Kubernetes (https://github.com/fstab/cifs). With this Plugin, every user can pass her/his credentials to the Pod. The user only needs to create a Kubernetes secret (cifs-secret), storing the username/password and use this secret for the mount within the Pod. The volume is then mounted as follows:

  (...)
  volumes:
  - name: test
    flexVolume:
      driver: "fstab/cifs"
      fsType: "cifs"
      secretRef:
        name: "cifs-secret"
      options:
        networkPath: "//server/share"
        mountOptions: "dir_mode=0755,file_mode=0644,noperm"

这篇关于如何将用户凭据传递到Kubernetes Pod内部的(用户限制的)已安装卷?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！