堆栈内存溢出
  简体   繁体   English

Openshift / kubernetes:将serviceaccount机密映射到环境变量

[英]Openshift/kubernetes: map serviceaccount secret to an environment variable

 原文  2018-07-16 15:22:08       kubernetes/ openshift

问题描述

Is there a way to populate the serviceaccount secrets content to an environment variable? 有没有一种方法可以将serviceaccount机密内容填充到环境变量中?

Example: when a pod is started, it contains a /var/run/secrets/kubernetes.io/secrets/serviceaccount/ folder that contains token , ca.crt ... and other that is the result to map the serviceaccount sercret to a folder. 示例:启动Pod时,它包含一个/var/run/secrets/kubernetes.io/secrets/serviceaccount/文件夹,其中包含tokenca.crt ...以及其他将serviceaccount sercret映射到a的结果夹。

Is there anyway to map serviceaccountsecret.token to an environment variable? 无论如何,将serviceaccountsecret.token映射到环境变量?

EDIT 编辑

I'm deploying kubernetes/openshift objects using fabric8 maven plugin. 我正在使用fabric8 maven插件部署kubernetes / openshift对象。 Nevertheless, I was looking for a way of setting this information up on PodSpec. 不过,我一直在寻找一种在PodSpec上设置此信息的方法。

So, currently openshift/kubernetes is mapping service account information located into secrets and then it's automatically mapped to filesystem (`/var/run...). 因此,当前openshift / kubernetes会将服务帐户信息映射到机密信息中,然后将其自动映射到文件系统(`/ var / run ...)。

I'm looking for a way to map this "unknown" service account secret to environment variable (I mean, I don't know which is the name of this secret, when I'm creating PodSpec). 我正在寻找一种方法来将此“未知”服务帐户密码映射到环境变量(我的意思是,我在创建PodSpec时不知道此密码的名称)。 

$ oc get secrets
NAME                       TYPE                                  DATA      AGE
builder-dockercfg-hplx4    kubernetes.io/dockercfg               1         43m
builder-token-bkd8h        kubernetes.io/service-account-token   4         43m
builder-token-gpckp        kubernetes.io/service-account-token   4         43m
default-dockercfg-q2vpx    kubernetes.io/dockercfg               1         43m
default-token-hpr7l        kubernetes.io/service-account-token   4         43m
default-token-r5225        kubernetes.io/service-account-token   4         43m
deployer-dockercfg-6h7nw   kubernetes.io/dockercfg               1         43m
deployer-token-svmvf       kubernetes.io/service-account-token   4         43m
deployer-token-tmg9x       kubernetes.io/service-account-token   4         43m
vault-cert                 kubernetes.io/tls                     2         42m

As you can see, openshiftshift/kubernetes creates secrets regarding with each service account: 如您所见,openshiftshift / kubernetes创建与每个服务帐户有关的秘密: 

$ oc get sa
NAME       SECRETS   AGE
builder    2         44m
default    2         44m
deployer   2         44m

Each secret has a form like: 每个秘密的格式如下: 

$ oc describe secret default-token-hpr7l
Name:         default-token-hpr7l
Namespace:    ra-sec
Labels:       <none>
Annotations:  kubernetes.io/created-by=openshift.io/create-dockercfg-secrets
              kubernetes.io/service-account.name=default
              kubernetes.io/service-account.uid=82ae89d7-898a-11e8-8d35-f28ae3e0478e

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:          1070 bytes
namespace:       6 bytes
service-ca.crt:  2186 bytes
token:           eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJyYS1zZWMiLCJrdWJlcm5ldGVzLmlvL3Nl...

Each secret is mapped to filesystem automatically. 每个机密会自动映射到文件系统。 Nevertheless, I'd like to write into PodSpec: 不过,我想写PodSpec: 

env:
- name: KUBERNETES_TOKEN
  valueFrom:
    secretKeyRef:
      name: <unknown service account secret name>
      key: token

I hope I've explianed a bit better. 我希望我能好一点。

2 个解决方案

解决方案1
 2 已采纳  2018-07-17 11:54:40

You can create a secret annotated with kubernetes.io/service-account.name annotation. 您可以创建一个带有kubernetes.io/service-account.name批注的机密。

This annotation provides related service account information to current secret. 此批注提供当前机密的相关服务帐户信息。 

apiVersion: v1
kind: Secret
metadata:
  name: vault-auth-secret
  annotations:
    kubernetes.io/service-account.name: vault-auth
type: kubernetes.io/service-account-token

By this way, you are able to create a named secret with desired data. 这样,您便可以使用所需数据创建命名机密。 

- name: KUBERNETES_TOKEN
  valueFrom:
    secretKeyRef:
      name: vault-auth-secret
      key: token

解决方案2
 0  2018-07-16 21:07:13

How are you deploying your application, S2I? 您如何部署应用程序S2I?

If yes, you can use a custom .s2i/bin/run script to set it yourself from the contents of the file and then run the original S2I run script. 如果是,则可以使用自定义.s2i/bin/run脚本从文件内容中.s2i/bin/run设置它,然后运行原始的S2I run脚本。

See the chapter 'Customizing Source-to-Image Builds' in the free eBook: 请参阅免费电子书中的“自定义源到图像构建”一章:

for more details. 更多细节。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Kube.netes 秘密环境变量 - 2+ 部署不相等 - Kubernetes Secret Environment Variable - 2+ deployments not equal 环境变量中 Kube.netes secret 的值似乎不正确 - Value of Kubernetes secret in environment variable seems incorrect 从文件创建秘密时使用 Kube.netes 秘密作为环境变量 - Use Kubernetes Secret as Environment Variable when secret is create from a file 如何设置 Kubernetes 配置 map 和 mongodb 环境变量的秘密 - How to set Kubernetes config map and secret to mongodb environment variables 用于在 openshift/kubernetes 中打印当前命名空间的简单命令或环境变量 - Simple command or environment variable to print the current namespace in openshift/kubernetes Kubernetes 从秘密映射时未更新 pod 环境变量 - Kubernetes pod environment variable not updated when mapped from secret 如何使用 Spring Boot 将来自 Google Secret Manager 的秘密作为环境变量注入 Kubernetes Pod? - How to inject secret from Google Secret Manager into Kubernetes Pod as environment variable with Spring Boot? 在 Openshift 中,我如何使用 CLI 创建具有值为机密的环境变量的新构建? - In Openshift, how can I create a new build with an environment variable that's value is a secret using the CLI? 如何将来自 Google Secret Manager 的秘密作为环境变量注入 Kubernetes Pod? - How to inject secrets from Google Secret Manager into Kubernetes Pod as environment variable? 使用环境变量时Kubernetes不能作为Secret非法base64数据处理 - Kubernetes cannot be handled as a Secret illegal base64 data when using environment variable
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM