
kubernetes secret items not mounted as file path

I have the following yaml:

        volumeMounts:
        - name: app-secret
          mountPath: /app
          readOnly: true
      volumes:
      - name: app-secret
        secret:
          secretName: app-secret
          items:
          - key: app-secret.json
            path: appsettings.secret.json

I expect the secret is mounted on /app/appsettings.secret.json but it isn't. I don't know where it is mounted and the container crashes and I don't have a chance to kubectl exec into the container to inspect where the secret is mounted. My guess is that it wipes out the content of /app. Any advice and insight is appreciated.

asked Jul 19 '19 02:07

Kok How Teh




1 Answer

This works:

        volumeMounts:
        - name: app-secret
          mountPath: /app/appsettings.secret.json
          subPath: appsettings.secret.json
          readOnly: true
      volumes:
      - name: app-secret
        secret:
          secretName: app-secret
          items:
          - key: app-secret.json
            path: appsettings.secret.json

answered Oct 19 '22 21:10

Kok How Teh
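
An added example (not part of the original question or answer): a small Python check run over the two pod specs above. It relies on two Kubernetes behaviours: a volume mounted on a directory hides whatever the image had at that path, and a Secret mounted through `subPath` does not receive updates when the Secret changes. The container name `app`, the function names and the finding labels are assumptions made for illustration.

```python
import posixpath

def audit_secret_mounts(pod_spec):
    """Return (container, path, finding) for every Secret-backed volumeMount."""
    secrets = {v["name"]: v["secret"]
               for v in pod_spec.get("volumes", []) if "secret" in v}
    findings = []
    for c in pod_spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            src = secrets.get(m["name"])
            if src is None:
                continue  # not a Secret volume
            # With `items`, only the listed keys are projected, each at its `path`.
            paths = [i["path"] for i in src.get("items", [])]
            sub = m.get("subPath")
            if sub is None:
                # Whole volume covers mountPath: image files there become invisible.
                for p in paths or ["*"]:
                    findings.append((c["name"], posixpath.join(m["mountPath"], p),
                                     "shadows-directory"))
            elif paths and sub not in paths:
                # subPath names something that `items` does not project.
                findings.append((c["name"], m["mountPath"], "subpath-not-projected"))
            else:
                # Single-file mount: it does not receive later Secret updates.
                findings.append((c["name"], m["mountPath"], "subpath-no-refresh"))
    return findings

def pod(mount):
    # Constructed wrapper: container name "app" is an assumption; the volume
    # definition is the one shown in both manifests on this page.
    return {"containers": [{"name": "app", "volumeMounts": [mount]}],
            "volumes": [{"name": "app-secret", "secret": {
                "secretName": "app-secret",
                "items": [{"key": "app-secret.json",
                           "path": "appsettings.secret.json"}]}}]}

QUESTION = pod({"name": "app-secret", "mountPath": "/app", "readOnly": True})
ANSWER = pod({"name": "app-secret", "mountPath": "/app/appsettings.secret.json",
              "subPath": "appsettings.secret.json", "readOnly": True})

if __name__ == "__main__":
    for label, spec in (("question", QUESTION), ("answer", ANSWER)):
        print(label, audit_secret_mounts(spec))
```

Both specs place the file at `/app/appsettings.secret.json`; the difference is that the first covers all of `/app`, while the second leaves the rest of `/app` intact but needs a pod restart to pick up a rotated Secret.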