
Kubernetes: modify a secret using kubectl?

How can I modify the values in a Kubernetes secret using kubectl?

I created the secret with kubernetes create secret generic, but there does not seem to be a way to modify a secret. For example, to add a new secret-value to it, or to change a secret-value in it.

I assume I can go 'low-level', and write the yaml-file and do a kubectl edit but I hope there is a simpler way.

(I'm using kubernetes 1.2.x)

The most direct (and interactive) way should be to execute kubectl edit secret <my secret>. Run kubectl get secrets if you'd like to see the list of secrets managed by Kubernetes.

In case you prefer a non-interactive update, this is one way of doing it:

kubectl get secret mysecret -o json | jq '.data["foo"]="YmFy"' | kubectl apply -f -

Note that YmFy is a base64-encoded bar string. If you want to pass the value as an argument, jq allows you to do that:

kubectl get secret mysecret -o json | jq --arg foo "$(printf '%s' bar | base64)" '.data["foo"]=$foo' | kubectl apply -f -

I'm more comfortable using jq but yq should also do the job if you prefer yaml format.

As I found myself in the need of modifying a secret, I landed up here.

Here is the most convenient way I found for editing a (one-line) secret.

This elaborates on kubectl edit secret <my secret> of Timo Reimann above.

kubectl edit secret <my secret> will (in my case) invoke vi.

Now I move the cursor to the space after the colon of the secret I want to edit.

Then I press r and [enter] which will put the base64 encoded value onto a line of its own.

Now I enter :. ! base64 -D which will decode the current line.

After making my changes to the value, I enter :. ! base64 which will encode the changed value.

Pressing k [shift]J will rejoin the secret name and its new value.

:wq will write the new secret file and quit vi.

PS If the secret has a multi-line value, switch on line numbers ( :set nu ) and, after changing the decoded value, use A,B ! base64 where A and B are the line numbers of the first and last line of the value.

PPS I just learned the hard way that base64 will receive the text to encode with an appended newline :( If this is no issue for your values - fine. Otherwise my current solution is to filter this out with: .!perl -pe chomp | base64

Deriving from 'Skeeves' answer:

Base64 encode your value:
echo -n 'encode_My_Password' | base64
Open the secret in edit mode:
kubectl edit secret my-secret

The default editor will open; replace the value of an existing key or add a new line and a new key with the encoded value. Save and close the file. The updated value or new key-value pair has now been added to the secret.

The easiest way from the command line:

output=$(printf '%s' "This is my secret" | base64); kubectl patch secret my_secret_name -p="{\"data\":{\"secret_key\": \"$output\"}}" -v=1

It will encode the value This is my secret and update your my_secret_name secret by adding the secret_key key and the encoded value as the last key-value pair in that secret.

I implemented a kubectl plugin just for this.

To install using krew

kubectl krew update
kubectl krew install modify-secret

To run it

kubectl modify-secret xyz -n kube-system


The Easy Way : Delete and recreate the secret

After looking at all these answers, for my needs the best solution was to delete and recreate :

kubectl delete secret generic
kubectl create secret generic # or whatever .. 

If you want to do it the hard way :

Using edit to change a docker-registry secret

I came to this question looking to modify a "docker-registry" style secret.
Simply editing it using kubectl edit secret seemed fraught as I didn't know what the secret value looked like.

I had created it with a command like kubectl create secret docker-registry generic-registry-secret --docker-server=docker.server --docker-username='my-cloud-usernname' --docker-password='my-auth-token' --docker-email='my@email.com'

I could have edited it, I figured out after looking at the other various answers here how that could be done - I'm including my notes here in case they help others.

List secrets : kubectl get secrets
Details of specific secret : kubectl describe secrets/generic-registry-secret
Get value of secret : kubectl get secret generic-registry-secret -o jsonpath={.data}
Decode secret value : First get everything between "map[.dockerconfigjson:" and "]" and then do :
echo "x9ey_the_secret_encoded_value_here_X0b3=" | base64 --decode

I could then take from that the specific auth token value I was seeking, and replace it with a new one. And then run that new full entire string through a | base64 to get the base 64 encoding, and now I could finally, confidently, change the value by using kubectl edit secret generic-registry-secret and put in the new correct value.

But a delete and recreate is the simpler option.



The fastest way I found:

# You need a version of micro that includes this commit https://github.com/zyedidia/micro/commit/9e8d76f2fa91463be660737d1de3bff61258c90d
kubectl get secrets my-secret -o json | jq -r .data.config | base64 -d | micro | base64 -w 0 | xclip -selection clipboard && kubectl edit secrets my-secret

And using a bash function that you can put in your profile:

function ks-edit { kubectl -n "$1" get secrets "$2" -o json | jq -r --arg key "$3" '.data[$key]' | base64 -d | micro | base64 -w 0 | xclip -selection clipboard && kubectl -n "$1" edit secrets "$2"; }

You can call it like this:

ks-edit <namespace> <secret> <key>

Before editing secrets with kubectl...

I would highly recommend using k9s (not only for this purpose, but also as a lightweight k8s CLI management tool).

As you can see below (ignore all white rectangles), when your cluster's context is set on terminal you just type k9s and you will hit a nice terminal where you can inspect all cluster resources.

Just type ":" and enter the resource name (secrets in this case) which will appear in the middle of screen.

Then you can choose a secret with the up and down arrows and type e to edit it (green arrow):


Add a new key to an existing secret.

kubectl patch secret $SECRET_NAME --type=json \
  -p='[{
    "op" : "add" ,
    "path" : "/data/'$KEY'" ,
    "value" : "'$(printf %s "$VALUE" | base64)'"
  }]'

Update an existing key in a secret

kubectl patch secret $SECRET_NAME --type=json \
  -p='[{
    "op" : "replace" ,
    "path" : "/data/'$KEY'" ,
    "value" : "'$(printf %s "$VALUE" | base64)'"
  }]'

I was only able to find the replace operation in documentation, with no mention of the add operation. However, it looked like it was RFC 6902 compliant, so I tested with add and it works fine. I would expect other operations defined by RFC 6902 to work as well, though I haven't tested them.
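
The trailing-newline problem and the JSON patch form discussed in the answers above, combined in an added example that is not part of any original answer: a POSIX shell helper that builds the RFC 6902 patch with an exact base64 value. The function names b64_exact and secret_patch_json are hypothetical, and the kubectl call appears only as a comment.

```shell
# Added example (not from the original answers). Function names are hypothetical.

# Base64-encode stdin byte for byte. tr removes the line wraps that GNU
# base64 inserts every 76 characters, which would otherwise break the JSON.
b64_exact() {
  base64 | tr -d '\n'
}

# secret_patch_json OP KEY VALUE
# Prints a JSON Patch document for a single key under /data.
secret_patch_json() {
  op=$1 key=$2 value=$3
  case $op in
    add|replace) ;;
    *) echo "op must be add or replace" >&2; return 2 ;;
  esac
  # Secret keys may only contain alphanumerics, '-', '_' and '.', so a key
  # that passes this check needs no JSON or JSON Pointer escaping.
  case $key in
    ''|*[!A-Za-z0-9._-]*) echo "invalid key: $key" >&2; return 2 ;;
  esac
  # printf '%s' passes the value without the newline that echo or <<< appends.
  printf '[{"op":"%s","path":"/data/%s","value":"%s"}]\n' \
    "$op" "$key" "$(printf '%s' "$value" | b64_exact)"
}

# Constructed sample input: prints the patch for key foo with value bar.
secret_patch_json replace foo bar

# Against a cluster (needs kubectl, not executed here):
#   kubectl patch secret "$SECRET_NAME" --type=json \
#     -p="$(secret_patch_json replace "$KEY" "$VALUE")"
```

For comparison, echo bar | base64 yields YmFyCg== because the newline is encoded along with the value.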

By far the easiest way to do this is to maintain a local .env file for each of your secrets.

e.g.

MY_SECRET=something
PASSWORD=anotherthing

Just run

kubectl create secret generic <name> --from-env-file=.env

And when you need to change it - just delete it and run the above command again.

No messing with base64

Always get the copy of secrets before editing it - kubectl get secrets <your-secret-name> -n <namespace> -o yaml > mysecret.yaml

Now you can run the edit command to edit your secret - kubectl edit secrets <your-secret-name> -n <namespace>

or you can make a copy of your mysecret.yaml file & edit the secrets inside that & run -

kubectl apply -f mysecret.yaml

Make sure you are decoding & encoding with base64 for viewing & adding secrets respectively.

Here's my one liner:

$ kubectl get secrets/my-secret -o yaml | yq '.dataStrings = (.data | map_values(@base64d)) | del(.data)' | vipe | yq '.data = (.dataStrings | map_values(@base64)) | del(.dataStrings)' | kubectl apply -f -

In case you're wondering how to do this with k9s, I am adding here instructions on how to do this step by step:

  1. Install krew from here https://krew.sigs.k8s.io/docs/user-guide/setup/install/ (skip this step in case you already have it)

  2. Install modify-secret plugin:

    kubectl krew install modify-secret

  3. Run the following command or add it to ~/.zshrc or ~/.bashrc :

    export XDG_CONFIG_HOME=~/

  4. Add the following to ~/k9s/plugin.yml

plugin:
  edit-secret:
    shortCut: Ctrl-X
    confirm: false
    description: "Edit Decoded Secret"
    scopes:
      - secrets
    command: kubectl
    background: false
    args:
      - modify-secret
      - --namespace
      - $NAMESPACE
      - --context
      - $CONTEXT
      - $NAME
