Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Creating ssh secrets key file in kubernetes

Tags:

ssh

kubernetes

If i create a secret from an id_rsa file using kubectl as:

kubectl create secret generic hcom-secret --from-file=ssh-privatekey=./.ssh/id_rsa

And then mount the secret into the container

"volumeMounts": [
        {"name": "cfg", "readOnly": false, "mountPath": "/home/hcom/.ssh"}
      ]

"volumes": [
      {"name": "cfg", "secret": { "secretName": "hcom-ssh" }}
    ],

The resultant file is not id_rsa but ssh-privatekey and the permits that are on it are not 600 which ssh expects

Is this a correct approach, or can anyone please detail how this should be done?

like image 446
Kevin Taylor Avatar asked Sep 19 '16 08:09

Kevin Taylor


2 Answers

Since kubernetes-1.4 things got simpler. Here's my take how to improve the official Kubernetes howto.

To create the secret, use:

kubectl create secret generic ssh-keys --from-file=id_rsa=/path/to/.ssh/id_rsa --from-file=id_rsa.pub=/path/to/.ssh/id_rsa.pub

To mount the secret in your containers, use the following Pod config:

apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
  labels:
    name: secret-test
spec:
  volumes:
  - name: ssh-keys-v
    secret:
      secretName: ssh-keys
      defaultMode: 0600 
  containers:
  - name: ssh-test-container
    image: mySshImage
    volumeMounts:
    - name: ssh-keys-v
      readOnly: true
      # container will see /root/.ssh/id_rsa as usual:
      mountPath: "/root/.ssh"

Also nitpick: the id_rsa.pub is hardly ever used, I wouldn't bother to secretize it until required.

like image 118
kubanczyk Avatar answered Nov 15 '22 12:11

kubanczyk


The official Kubernetes docs for secrets cover this exact use-case.

To create the secret, use:

$ kubectl create secret generic my-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub

To mount the secret in your containers, use the following Pod config:

{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "secret-test-pod",
    "labels": {
      "name": "secret-test"
    }
  },
  "spec": {
    "volumes": [
      {
        "name": "secret-volume",
        "secret": {
          "secretName": "my-secret"
        }
      }
    ],
    "containers": [
      {
        "name": "ssh-test-container",
        "image": "mySshImage",
        "volumeMounts": [
          {
            "name": "secret-volume",
            "readOnly": true,
            "mountPath": "/etc/secret-volume"
          }
        ]
      }
    ]
  }
}

Kubernetes doesn't actually have a way to control file permissions for a secret as of now, but a recent Pull Request did add support for changing the path of secrets. This support was added with 1.3 as per this comment

Here are the permissions related Github Issues:

  • https://github.com/kubernetes/kubernetes/issues/4789
  • https://github.com/kubernetes/kubernetes/issues/28317
like image 17
ffledgling Avatar answered Nov 15 '22 13:11

ffledgling