Creating ssh secrets key file in kubernetes

星月不相逢 2021-02-04 14:44

If I create a secret from an id_rsa file using kubectl as:

kubectl create secret generic hcom-secret --from-file=ssh-privatekey=./.ssh/id_rsa

A

2 answers
  • 2021-02-04 15:08

    Since kubernetes-1.4 things got simpler. Here's my take on how to improve the official Kubernetes howto.

    To create the secret, use:

    kubectl create secret generic ssh-keys --from-file=id_rsa=/path/to/.ssh/id_rsa --from-file=id_rsa.pub=/path/to/.ssh/id_rsa.pub
    

    To mount the secret in your containers, use the following Pod config:

    apiVersion: v1
    kind: Pod
    metadata:
      name: secret-test-pod
      labels:
        name: secret-test
    spec:
      volumes:
      - name: ssh-keys-v
        secret:
          secretName: ssh-keys
          defaultMode: 0600 
      containers:
      - name: ssh-test-container
        image: mySshImage
        volumeMounts:
        - name: ssh-keys-v
          readOnly: true
          # container will see /root/.ssh/id_rsa as usual:
          mountPath: "/root/.ssh"
    

    Also nitpick: the id_rsa.pub is hardly ever used, I wouldn't bother to secretize it until required.

    0 Discussion (0)
  • 2021-02-04 15:15

    The official Kubernetes docs for secrets cover this exact use-case.

    To create the secret, use:

    $ kubectl create secret generic my-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub
    

    To mount the secret in your containers, use the following Pod config:

    {
      "kind": "Pod",
      "apiVersion": "v1",
      "metadata": {
        "name": "secret-test-pod",
        "labels": {
          "name": "secret-test"
        }
      },
      "spec": {
        "volumes": [
          {
            "name": "secret-volume",
            "secret": {
              "secretName": "my-secret"
            }
          }
        ],
        "containers": [
          {
            "name": "ssh-test-container",
            "image": "mySshImage",
            "volumeMounts": [
              {
                "name": "secret-volume",
                "readOnly": true,
                "mountPath": "/etc/secret-volume"
              }
            ]
          }
        ]
      }
    }
    

    Kubernetes doesn't actually have a way to control file permissions for a secret as of now, but a recent Pull Request did add support for changing the path of secrets. This support was added with 1.3 as per this comment.

    Here are the permissions-related GitHub issues:

    • https://github.com/kubernetes/kubernetes/issues/4789
    • https://github.com/kubernetes/kubernetes/issues/28317
    0 Discussion (0)
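
Added example (not part of either answer or of the Kubernetes docs): the first answer's `defaultMode: 0600` relies on YAML octal, whereas a JSON manifest like the second answer's has no octal notation, so the same mode must be written as decimal 384, and leaving it out gives the Kubernetes default of 0644. The helpers `classify`, `audit_secret_modes` and `sample_pod` are hypothetical names, and the sample manifests are constructed from the second answer's Pod.

```python
import json

K8S_DEFAULT_MODE = 0o644  # what Kubernetes applies when defaultMode is omitted
MAX_MODE = 0o777          # the API accepts 0..0777 only

def classify(mode):
    """Judge one file mode as it would be applied to a projected secret key."""
    if not 0 <= mode <= MAX_MODE:
        return "invalid"   # e.g. JSON "defaultMode": 600 is decimal 600 == 0o1130
    if mode & 0o077:
        return "too-open"  # group/other bits set
    return "ok"

def audit_secret_modes(manifest_json):
    """Return (volume, key, mode, verdict) for each secret volume in a Pod manifest."""
    pod = json.loads(manifest_json)
    findings = []
    for vol in pod.get("spec", {}).get("volumes", []):
        secret = vol.get("secret")
        if secret is None:
            continue
        default = secret.get("defaultMode", K8S_DEFAULT_MODE)
        items = secret.get("items")
        # With items[], only the listed keys are projected and each may override the mode.
        modes = [(i["key"], i.get("mode", default)) for i in items] if items else [("*", default)]
        findings += [(vol["name"], key, m, classify(m)) for key, m in modes]
    return findings

def sample_pod(secret_fields):
    """Constructed sample: the JSON Pod from the second answer, secret fields merged in."""
    secret = {"secretName": "my-secret", **secret_fields}
    return json.dumps({
        "kind": "Pod", "apiVersion": "v1",
        "metadata": {"name": "secret-test-pod"},
        "spec": {
            "volumes": [{"name": "secret-volume", "secret": secret}],
            "containers": [{"name": "ssh-test-container", "image": "mySshImage",
                            "volumeMounts": [{"name": "secret-volume", "readOnly": True,
                                              "mountPath": "/etc/secret-volume"}]}],
        },
    })

if __name__ == "__main__":
    for fields in ({}, {"defaultMode": 384}, {"defaultMode": 600}):
        for vol, key, mode, verdict in audit_secret_modes(sample_pod(fields)):
            print(f"{fields or 'no defaultMode'}: {vol}/{key} mode={oct(mode)} -> {verdict}")
```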