Q2
① Create the following secret
Name: secret1
Key/value pair: server/web
② Start a Pod that meets the following conditions
Uses the secret created above
Variable that holds the secret: val1
Image to use: nginx
Pod name: secretpod
A2
① Use kubectl create secret
kubeuser@master01:~$ kubectl create secret generic secret1 --from-literal=server=web
secret/secret1 created
kubeuser@master01:~$ kubectl get secret
NAME      TYPE     DATA   AGE
secret1   Opaque   1      5s
kubeuser@master01:~$ kubectl describe secret secret1
Name:         secret1
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
server:  3 bytes
② Run kubectl run
kubeuser@master01:~$ kubectl run secretpod --image=nginx --dry-run=client -o yaml > q2_pod.yaml
kubeuser@master01:~$ cat q2_pod.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: secretpod
  name: secretpod
spec:
  containers:
  - image: nginx
    name: secretpod
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
kubeuser@master01:~$ vi q2_pod.yaml
kubeuser@master01:~$ cat q2_pod.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: secretpod
  name: secretpod
spec:
  containers:
  - image: nginx
    name: secretpod
    env:
    - name: val1
      valueFrom:
        secretKeyRef:
          name: secret1
          key: server
kubeuser@master01:~$ kubectl apply -f q2_pod.yaml
pod/secretpod created
kubeuser@master01:~$ kubectl get pods
NAME        READY   STATUS    RESTARTS   AGE
secretpod   2/2     Running   0          10m
kubeuser@master01:~$ kubectl get pods secretpod -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cni.projectcalico.org/containerID: 12986f25f0ba6c4065424751c5e0e17f091ed85eeaaf4d9467c9dfb31b252c55
    cni.projectcalico.org/podIP: 10.0.30.65/32
    cni.projectcalico.org/podIPs: 10.0.30.65/32,fd12:b5e0:383e:0:7bf:50a7:b256:1e59/128
    istio.io/rev: default
    kubectl.kubernetes.io/default-container: secretpod
    kubectl.kubernetes.io/default-logs-container: secretpod
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"run":"secretpod"},"name":"secretpod","namespace":"default"},"spec":{"containers":[{"env":[{"name":"val1","valueFrom":{"secretKeyRef":{"key":"server","name":"secret1"}}}],"image":"nginx","name":"secretpod"}]}}
    prometheus.io/path: /stats/prometheus
    prometheus.io/port: "15020"
    prometheus.io/scrape: "true"
    sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
  creationTimestamp: "2024-01-05T13:04:15Z"
  labels:
    run: secretpod
    security.istio.io/tlsMode: istio
    service.istio.io/canonical-name: secretpod
    service.istio.io/canonical-revision: latest
  name: secretpod
  namespace: default
  resourceVersion: "45268636"
  uid: 4875aee2-3ddb-4eef-a667-182f08d812c1
spec:
  containers:
  - env:
    - name: val1
      valueFrom:
        secretKeyRef:
          key: server
          name: secret1
    image: nginx
    imagePullPolicy: Always
    name: secretpod
. . .
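Added example, not part of the original page: the declarative form of the secret from step ①, showing that the `3 bytes` reported by `kubectl describe` is the decoded length of a value that is only base64-encoded, not encrypted. The function names are hypothetical, and `verify_on_cluster` assumes `secret1` and `secretpod` from this exercise still exist.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Emit the declarative equivalent of:
#   kubectl create secret generic NAME --from-literal=KEY=VALUE
# Values under .data must be base64-encoded.
secret_manifest() {
  name=$1; key=$2; value=$3
  encoded=$(printf '%s' "$value" | base64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  $key: $encoded
EOF
}

# Read a Secret manifest on stdin, extract the encoded value for KEY, decode it.
decode_secret_value() {
  key=$1
  sed -n "s/^  $key: //p" | base64 --decode
}

# Byte count of the decoded value: the figure `kubectl describe secret` prints.
secret_value_bytes() {
  decode_secret_value "$1" | wc -c | tr -d ' '
}

# Checks against a live cluster (defined only, not called; needs kubectl access).
# -c secretpod selects the nginx container, since the pod on this page also
# runs an istio-proxy sidecar.
verify_on_cluster() {
  kubectl get secret secret1 -o jsonpath='{.data.server}' | base64 --decode; echo
  kubectl exec secretpod -c secretpod -- printenv val1
}

# Offline demo with the values from this exercise.
manifest=$(secret_manifest secret1 server web)
printf '%s\n' "$manifest"
printf 'decoded: %s (%s bytes)\n' \
  "$(printf '%s\n' "$manifest" | decode_secret_value server)" \
  "$(printf '%s\n' "$manifest" | secret_value_bytes server)"
```

Anyone allowed to `get` secrets in the namespace can recover the value this way, and the running container sees it in plain text as `val1`.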
Bonus: cleanup
kubeuser@master01:~$ kubectl delete pods secretpod --force
Warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "secretpod" force deleted
kubeuser@master01:~$ kubectl delete secrets secret1
secret "secret1" deleted
References (official site)
Distribute Credentials Securely Using Secrets
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/
Secrets
https://kubernetes.io/docs/concepts/configuration/secret/