Q2
① Create the following Secret
Name: secret1
key/value pair: server/web
② Start a Pod that meets the following conditions
Uses the Secret created above
Variable that holds the Secret value: val1
Image to use: nginx
Pod name: secretpod
A2
① Use kubectl create secret
kubeuser@master01:~$ kubectl create secret generic secret1 --from-literal=server=web
secret/secret1 created
kubeuser@master01:~$ kubectl get secret
NAME      TYPE     DATA   AGE
secret1   Opaque   1      5s
kubeuser@master01:~$ kubectl describe secret secret1
Name:         secret1
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
server:  3 bytes
② Run kubectl run
kubeuser@master01:~$ kubectl run secretpod --image=nginx --dry-run=client -o yaml > q2_pod.yaml
kubeuser@master01:~$ cat q2_pod.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: secretpod
  name: secretpod
spec:
  containers:
  - image: nginx
    name: secretpod
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
kubeuser@master01:~$ vi q2_pod.yaml
kubeuser@master01:~$ cat q2_pod.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: secretpod
  name: secretpod
spec:
  containers:
  - image: nginx
    name: secretpod
    env:
    - name: val1
      valueFrom:
        secretKeyRef:
          name: secret1
          key: server
kubeuser@master01:~$ kubectl apply -f q2_pod.yaml
pod/secretpod created
kubeuser@master01:~$ kubectl get pods
NAME        READY   STATUS    RESTARTS   AGE
secretpod   2/2     Running   0          10m
kubeuser@master01:~$ kubectl get pods secretpod -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cni.projectcalico.org/containerID: 12986f25f0ba6c4065424751c5e0e17f091ed85eeaaf4d9467c9dfb31b252c55
    cni.projectcalico.org/podIP: 10.0.30.65/32
    cni.projectcalico.org/podIPs: 10.0.30.65/32,fd12:b5e0:383e:0:7bf:50a7:b256:1e59/128
    istio.io/rev: default
    kubectl.kubernetes.io/default-container: secretpod
    kubectl.kubernetes.io/default-logs-container: secretpod
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"run":"secretpod"},"name":"secretpod","namespace":"default"},"spec":{"containers":[{"env":[{"name":"val1","valueFrom":{"secretKeyRef":{"key":"server","name":"secret1"}}}],"image":"nginx","name":"secretpod"}]}}
    prometheus.io/path: /stats/prometheus
    prometheus.io/port: "15020"
    prometheus.io/scrape: "true"
    sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
  creationTimestamp: "2024-01-05T13:04:15Z"
  labels:
    run: secretpod
    security.istio.io/tlsMode: istio
    service.istio.io/canonical-name: secretpod
    service.istio.io/canonical-revision: latest
  name: secretpod
  namespace: default
  resourceVersion: "45268636"
  uid: 4875aee2-3ddb-4eef-a667-182f08d812c1
spec:
  containers:
  - env:
    - name: val1
      valueFrom:
        secretKeyRef:
          key: server
          name: secret1
    image: nginx
    imagePullPolicy: Always
    name: secretpod
.
.
.
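As an added example (not part of the original notes), the Python below builds the same two objects the answer creates by hand: the Opaque Secret that `kubectl create secret generic secret1 --from-literal=server=web` produces, and the Pod whose `val1` environment variable is filled from `secretKeyRef`. It also adds a check that every `secretKeyRef` in a Pod manifest points at a Secret and key that actually exist, since a typo in the key name only surfaces later as a container that never starts. Two things to take from it: the Secret's `.data` is plain base64 (an encoding, not encryption, so anyone allowed to `get` the Secret can recover "web"), and the manifests are emitted as JSON, which `kubectl apply -f` accepts as well as YAML. The names secret1, server, web, val1, secretpod and nginx come from the exercise; the helper function names are my own.

```python
"""Added example: build and cross-check the Secret and Pod from Q2.

Not code from the original notes. Object names come from the exercise;
helper names (build_secret, build_pod, check_secret_refs, decode_secret)
are assumptions of this example.
"""
import base64
import json


def build_secret(name, literals):
    """Equivalent of `kubectl create secret generic NAME --from-literal=K=V`.

    kubectl stores each value base64-encoded under .data. base64 is not
    encryption: RBAC on the Secret object is the only thing protecting it.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in literals.items()},
    }


def decode_secret(secret):
    """Recover the plaintext values, as `kubectl get secret -o json` + base64 -d would."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


def build_pod(name, image, env_from_secret):
    """Pod with env vars sourced from Secrets.

    env_from_secret maps ENV_VAR -> (secret_name, key), which becomes the
    `valueFrom.secretKeyRef` block used in the answer's q2_pod.yaml.
    """
    env = [
        {"name": var, "valueFrom": {"secretKeyRef": {"name": sname, "key": key}}}
        for var, (sname, key) in env_from_secret.items()
    ]
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "labels": {"run": name}},
        "spec": {"containers": [{"name": name, "image": image, "env": env}]},
    }


def check_secret_refs(pod, secrets):
    """Return a list of dangling secretKeyRef problems (empty list means OK).

    A reference to a missing Secret or key is accepted by the API server but
    the kubelet then reports CreateContainerConfigError, so catching it
    before `kubectl apply` saves a debugging round trip.
    """
    by_name = {s["metadata"]["name"]: s for s in secrets}
    problems = []
    for c in pod["spec"]["containers"]:
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if not ref:
                continue
            sec = by_name.get(ref["name"])
            if sec is None:
                problems.append(f"{c['name']}/{e['name']}: Secret {ref['name']} not found")
                continue
            keys = set(sec.get("data", {})) | set(sec.get("stringData", {}))
            if ref["key"] not in keys:
                problems.append(
                    f"{c['name']}/{e['name']}: key {ref['key']} not in Secret {ref['name']}"
                )
    return problems


if __name__ == "__main__":
    secret = build_secret("secret1", {"server": "web"})
    pod = build_pod("secretpod", "nginx", {"val1": ("secret1", "server")})
    print(json.dumps(secret, indent=2))
    print(json.dumps(pod, indent=2))
    print("decoded:", decode_secret(secret))
    print("valid pod:", check_secret_refs(pod, [secret]))
    # Constructed typo ("sever" instead of "server") to show the check firing.
    typo_pod = build_pod("secretpod", "nginx", {"val1": ("secret1", "sever")})
    print("typo pod:", check_secret_refs(typo_pod, [secret]))
```

Running the script prints both manifests, the decoded value `{'server': 'web'}`, an empty problem list for the correct Pod, and one problem for the constructed typo. Writing the JSON to files and applying them with `kubectl apply -f` gives the same Secret (DATA 1, `server: 3 bytes`) and Pod as the answer above.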
Bonus: cleanup
kubeuser@master01:~$ kubectl delete pods secretpod --force
Warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "secretpod" force deleted
kubeuser@master01:~$ kubectl delete secrets secret1
secret "secret1" deleted
References (official documentation)
Distribute Credentials Securely Using Secrets
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/
Secrets
https://kubernetes.io/docs/concepts/configuration/secret/