Opensourcetech Blog

A blog by Opensourcetech about open-source technologies such as NGINX, Kubernetes, Zabbix, Neo4j and Linux.

CKAD practice: Q2 & A2


Q2
① Create the following Secret
 Name: secret1
 key/value pair: server/web
② Start a Pod that meets the following conditions
 Uses the Secret created above
 Environment variable that holds the Secret value: val1
 Image to use: nginx
 Pod name: secretpod


A2
Create the Secret with kubectl create secret

kubeuser@master01:~$ kubectl create secret generic secret1 --from-literal=server=web
secret/secret1 created

kubeuser@master01:~$ kubectl get secret
NAME      TYPE     DATA   AGE
secret1   Opaque   1      5s

kubeuser@master01:~$ kubectl describe secret secret1
Name:         secret1
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
server:  3 bytes

Generate the Pod manifest with kubectl run

kubeuser@master01:~$ kubectl run secretpod --image=nginx --dry-run=client -o yaml > q2_pod.yaml

kubeuser@master01:~$ cat q2_pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: secretpod
  name: secretpod
spec:
  containers:
  - image: nginx
    name: secretpod
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

kubeuser@master01:~$ vi q2_pod.yaml 

kubeuser@master01:~$ cat q2_pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: secretpod
  name: secretpod
spec:
  containers:
  - image: nginx
    name: secretpod
    env:
    - name: val1
      valueFrom:
        secretKeyRef:
          name: secret1
          key: server

kubeuser@master01:~$ kubectl apply -f q2_pod.yaml 
pod/secretpod created

kubeuser@master01:~$ kubectl get pods
NAME                             READY   STATUS                   RESTARTS       AGE
secretpod                        2/2     Running                  0              10m


kubeuser@master01:~$ kubectl get pods secretpod -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cni.projectcalico.org/containerID: 12986f25f0ba6c4065424751c5e0e17f091ed85eeaaf4d9467c9dfb31b252c55
    cni.projectcalico.org/podIP: 10.0.30.65/32
    cni.projectcalico.org/podIPs: 10.0.30.65/32,fd12:b5e0:383e:0:7bf:50a7:b256:1e59/128
    istio.io/rev: default
    kubectl.kubernetes.io/default-container: secretpod
    kubectl.kubernetes.io/default-logs-container: secretpod
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"run":"secretpod"},"name":"secretpod","namespace":"default"},"spec":{"containers":[{"env":[{"name":"val1","valueFrom":{"secretKeyRef":{"key":"server","name":"secret1"}}}],"image":"nginx","name":"secretpod"}]}}
    prometheus.io/path: /stats/prometheus
    prometheus.io/port: "15020"
    prometheus.io/scrape: "true"
    sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
  creationTimestamp: "2024-01-05T13:04:15Z"
  labels:
    run: secretpod
    security.istio.io/tlsMode: istio
    service.istio.io/canonical-name: secretpod
    service.istio.io/canonical-revision: latest
  name: secretpod
  namespace: default
  resourceVersion: "45268636"
  uid: 4875aee2-3ddb-4eef-a667-182f08d812c1
spec:
  containers:
  - env:
    - name: val1
      valueFrom:
        secretKeyRef:
          key: server
          name: secret1
    image: nginx
    imagePullPolicy: Always
    name: secretpod
.
.
.

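As an added example (not part of the original post), the same two objects that the kubectl commands above create, built programmatically in Python. kubectl apply -f accepts JSON as well as YAML, so the manifests printed here can be applied directly. The helper names (build_secret, build_pod_with_secret_env, secret_refs, missing_secret_refs) are my own; the only Kubernetes-specific facts used are that kubectl create secret generic base64-encodes each --from-literal value into .data, and that a Pod whose secretKeyRef points at a missing Secret or key fails to start with CreateContainerConfigError.

```python
import base64
import json

# Constructed example, not the blog's own code.


def build_secret(name, literals, namespace="default"):
    """Equivalent of `kubectl create secret generic NAME --from-literal=K=V ...`.

    kubectl stores each value base64-encoded under .data. Base64 is an
    encoding, not encryption: anyone with `get` on Secrets can decode it.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in literals.items()},
    }


def decode_secret_data(secret):
    """Reverse of build_secret: the plaintext a reader of the Secret sees."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


def build_pod_with_secret_env(pod_name, image, env_name, secret_name, secret_key):
    """The edited q2_pod.yaml from A2: one container, one env var from a secretKeyRef."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": pod_name, "labels": {"run": pod_name}},
        "spec": {
            "containers": [
                {
                    "name": pod_name,
                    "image": image,
                    "env": [
                        {
                            "name": env_name,
                            "valueFrom": {
                                "secretKeyRef": {"name": secret_name, "key": secret_key}
                            },
                        }
                    ],
                }
            ]
        },
    }


def secret_refs(pod):
    """(container, env var, secret name, key) for every secretKeyRef in the Pod."""
    refs = []
    for c in pod["spec"]["containers"]:
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                refs.append((c["name"], e["name"], ref["name"], ref["key"]))
    return refs


def missing_secret_refs(pod, secrets):
    """Refs whose Secret or key is absent from `secrets`.

    Checking this before `kubectl apply` avoids a Pod stuck in
    CreateContainerConfigError because the referenced key does not exist.
    """
    by_name = {s["metadata"]["name"]: s for s in secrets}
    return [
        r
        for r in secret_refs(pod)
        if r[2] not in by_name or r[3] not in by_name[r[2]].get("data", {})
    ]


if __name__ == "__main__":
    secret = build_secret("secret1", {"server": "web"})
    pod = build_pod_with_secret_env("secretpod", "nginx", "val1", "secret1", "server")
    print(json.dumps(secret, indent=2))
    print(json.dumps(pod, indent=2))
    print("secret refs:", secret_refs(pod))
    print("missing refs:", missing_secret_refs(pod, [secret]))
```

Piping the two JSON documents into kubectl apply -f - reproduces the state shown in the A2 listings; the missing_secret_refs check is the step worth keeping for the exam, since a typo in the key name only surfaces after the Pod is scheduled.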

Bonus: cleanup

kubeuser@master01:~$ kubectl delete pods secretpod --force
Warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "secretpod" force deleted

kubeuser@master01:~$ kubectl delete secrets secret1 
secret "secret1" deleted


References (official documentation)
Distribute Credentials Securely Using Secrets
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/
Secrets
https://kubernetes.io/docs/concepts/configuration/secret/

 

Opensourcetech by Takahiro Kujirai