CaTx

Reputation: 1481

How to specify yaml file to use secret as intended?

I am reading Core Kubernetes by Vyas and Love. Section 8.3.1 has the following two YAML files. Let's call them secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  val1: YXNkZgo=
  val2: YXNkZjIK
stringData:
  val1: asdf

and secret-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: mysecretpod
spec:
  containers:
  - name: mypod
    image: nginx
    volumeMounts:
    - name: myval
      mountPath: /etc/myval
      readOnly: true
  volumes:
  - name: myval
    secret:
      secretName: val1

When I run kubectl apply -f secret-pod.yaml, it errors out. Using describe, I can see this:

Events:
  Type     Reason       Age              From               Message
  ----     ------       ----             ----               -------
  Normal   Scheduled    3s               default-scheduler  Successfully assigned default/mysecretpod to minikube
  Warning  FailedMount  0s (x4 over 3s)  kubelet            MountVolume.SetUp failed for volume "myval" : secret "val1" not found

This kinda makes sense. Using kubectl get secrets, I can only see the following:

NAME                  TYPE                                  DATA   AGE
default-token-vhllg   kubernetes.io/service-account-token   3      5d3h
mysecret              Opaque                                2      19m

So I make the following change to secret-pod.yaml:

  volumes:
  - name: myval
    secret:
      secretName: mysecret

That makes kubectl happy and it promptly creates mysecretpod without any issue. However, looking into that pod using kubectl exec -it mysecretpod -- ls -l /etc/myval, I get:

total 0
lrwxrwxrwx 1 root root 11 Dec 12 08:08 val1 -> ..data/val1
lrwxrwxrwx 1 root root 11 Dec 12 08:08 val2 -> ..data/val2

So the content of mysecret is loaded into that folder with val1 and val2 being files. I think the authors intend to mount val1 to be the /etc/myval file in that pod. How should secret-pod.yaml be written to achieve that? I have tried this but it fails:

  volumes:
  - name: myval
    secret:
      secretName: mysecret/val1

Also, why am I seeing the extraneous -> ..data/val... for both val1 and val2? What are they?

Upvotes: 0

Views: 1294

Answers (1)

CaTx

Reputation: 1481

So for it to work as intended, secret-pod.yaml must specify subPath as follows:

apiVersion: v1
kind: Pod
metadata:
  name: mysecretpod
spec:
  containers:
  - name: mypod
    image: nginx
    volumeMounts:
    - name: myval
      mountPath: /etc/myval   # /etc/myval becomes a single file, not a directory
      subPath: myval          # picks the projected file named below
      readOnly: true
  volumes:
  - name: myval
    secret:
      secretName: mysecret
      items:                  # project only key val1, under the file name "myval"
      - key: val1
        path: myval

Upvotes: 1
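The `val1 -> ..data/val1` entries in the question are the kubelet's atomic-update layout for Secret and ConfigMap volumes: the real files sit in a timestamped directory, `..data` is a symlink to that directory, and every key is a symlink to `..data/<key>`; `ls -l` without `-a` hides the two dot-prefixed entries. A rotation writes a fresh timestamped directory and repoints `..data` with a single rename, so a reader never sees half-updated files. The answer's `subPath` mount has a caveat worth knowing when the Secret holds credentials you rotate: the kubelet bind-mounts the resolved file once at pod start, so a container using a Secret as a `subPath` mount does not receive Secret updates. The Python below, an added simulation and not code from the post or from Kubernetes, rebuilds that layout in a temporary directory and shows the two mount styles diverging after a rotation; its function and class names, the counter used as the fraction in the timestamped name, and the sample values are this example's own.

```python
"""Simulate the kubelet's Secret volume layout (added example, not Kubernetes
code). Reproduces the timestamped directory, the `..data` symlink and the
per-key symlinks, then shows why a subPath mount misses a rotation."""
import os
import shutil
import tempfile
import time


def write_secret_volume(mount_dir, payload):
    """Write payload (key -> bytes) the atomic-writer way and return the
    timestamped directory name. Readers see the old or the new file set,
    never a mix, because the switch is one rename of the `..data` symlink."""
    os.makedirs(mount_dir, exist_ok=True)
    data_link = os.path.join(mount_dir, "..data")
    old_dir = os.readlink(data_link) if os.path.lexists(data_link) else None
    # kubelet uses ..YYYY_MM_DD_HH_MM_SS.nanoseconds; a counter stands in for
    # the nanoseconds here so back-to-back writes stay distinct (assumption).
    stamp = time.strftime("..%Y_%m_%d_%H_%M_%S")
    n = 0
    while os.path.lexists(os.path.join(mount_dir, f"{stamp}.{n:09d}")):
        n += 1
    ts_dir = f"{stamp}.{n:09d}"
    os.mkdir(os.path.join(mount_dir, ts_dir))
    for key, value in payload.items():
        path = os.path.join(mount_dir, ts_dir, key)
        with open(path, "wb") as fh:
            fh.write(value)
        os.chmod(path, 0o644)  # Secret volumes default to mode 0644
    # Build the new ..data as a temporary link, then rename it over the old
    # one; rename(2) replaces a symlink atomically.
    tmp_link = os.path.join(mount_dir, "..data_tmp")
    os.symlink(ts_dir, tmp_link)
    os.rename(tmp_link, data_link)
    for key in payload:
        link = os.path.join(mount_dir, key)
        if not os.path.lexists(link):
            os.symlink(os.path.join("..data", key), link)
    # Remove symlinks for keys that disappeared and the previous directory.
    for name in os.listdir(mount_dir):
        if not name.startswith("..") and name not in payload:
            os.remove(os.path.join(mount_dir, name))
    if old_dir and old_dir != ts_dir:
        shutil.rmtree(os.path.join(mount_dir, old_dir))
    return ts_dir


def list_layout(mount_dir):
    """Return {entry: symlink target or None}, i.e. what `ls -la` shows.
    Plain `ls -l` skips the dot-prefixed `..data` and timestamped entries."""
    layout = {}
    for name in sorted(os.listdir(mount_dir)):
        path = os.path.join(mount_dir, name)
        layout[name] = os.readlink(path) if os.path.islink(path) else None
    return layout


def read_key(mount_dir, key):
    """Read a key through the symlink chain, as a process does when the whole
    Secret is mounted as a directory; this always follows the current data."""
    with open(os.path.join(mount_dir, key), "rb") as fh:
        return fh.read()


class SubPathMount:
    """Model of `subPath:`: the kubelet resolves the path once at pod start
    and bind-mounts that file, so the container keeps the timestamped file
    and never follows the repointed `..data` symlink."""

    def __init__(self, mount_dir, key):
        real = os.path.realpath(os.path.join(mount_dir, key))
        self.fd = os.open(real, os.O_RDONLY)  # pins the inode, like a bind mount

    def read(self):
        return os.pread(self.fd, 1 << 20, 0)  # Secrets are capped at 1 MiB

    def close(self):
        os.close(self.fd)


def demo():
    """Mount mysecret, rotate val1, and compare both mount styles. Returns
    (initial layout, val1 via directory mount, val1 via subPath mount)."""
    root = tempfile.mkdtemp()
    vol = os.path.join(root, "etc", "myval")
    # Constructed values matching the question's secret.yaml: stringData
    # takes precedence over data, so val1 is "asdf" with no trailing newline.
    write_secret_volume(vol, {"val1": b"asdf", "val2": b"asdf2\n"})
    layout = list_layout(vol)
    sub = SubPathMount(vol, "val1")  # pod starts with its subPath mount
    write_secret_volume(vol, {"val1": b"rotated", "val2": b"asdf2\n"})  # rotation
    result = (layout, read_key(vol, "val1"), sub.read())
    sub.close()
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    layout, via_dir, via_subpath = demo()
    for name, target in layout.items():
        print(f"{name} -> {target}" if target else name)
    print("directory mount after rotation:", via_dir)
    print("subPath mount after rotation:  ", via_subpath)
```

Running it prints the same `val1 -> ..data/val1` shape the question saw plus the hidden `..data` entry, then `b'rotated'` for the directory mount and the stale `b'asdf'` for the subPath mount. If you want a single projected file and still pick up rotations, keep the answer's `items:` / `path: myval` projection but drop `subPath`, mount the volume as a directory, and read `/etc/myval/myval` through the symlink.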
