I want to access multiple remote registries to pull images. In the k8s docs they say:

(If you need access to multiple registries, you can create one secret for each registry. Kubelet will merge any imagePullSecrets into a single virtual .docker/config.json)

So the Pod definition should look like this:

    apiVersion: v1
    kind: Pod
    spec:
      containers:
      - name: ...
      imagePullSecrets:
      - name: secret1
      - name: secret2
      - ....
      - name: secretN

Now I'm not sure how K8S picks the right secret for each image. Are all secrets validated one by one every time? How does K8S handle failed retries? Could a certain number of unauthorized retries cause some kind of lockout state in k8s or the docker registry?

Thanks
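An added example, not part of the question and not code from the Kubernetes project: a small model of what the kubelet does with several imagePullSecrets. It merges every secret's `auths` map into one keyring, looks an image up by registry host (and optional repository path prefix, longest match first, scheme ignored), and then tries only the matching credentials, in that order, until a pull succeeds. The secret names, registries and credentials below are constructed for the example.

```python
"""Added example, not from the question or the Kubernetes code base: a model of
what the kubelet does with several imagePullSecrets. It merges every secret's
`auths` map into one keyring, looks up an image by registry host (and optional
repository path prefix, longest match first, scheme ignored), and then tries
only the matching credentials, in that order, until a pull succeeds. Secret
names and registries below are constructed for the example."""
import base64
import json
from typing import Callable, Dict, List, Tuple


def _dockerconfig(auths: Dict[str, Tuple[str, str]]) -> str:
    """Build the base64 `.dockerconfigjson` value of a
    kubernetes.io/dockerconfigjson Secret from {registry: (user, password)}."""
    cfg = {"auths": {}}
    for registry, (user, password) in auths.items():
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        cfg["auths"][registry] = {"username": user, "password": password, "auth": token}
    return base64.b64encode(json.dumps(cfg).encode()).decode()


# Constructed stand-ins for secret1..secretN from the question.
SAMPLE_SECRETS = {
    "secret1": _dockerconfig({"https://registry.example.com": ("alice", "pw1")}),
    "secret2": _dockerconfig({"registry.example.com/team-b": ("bob", "pw2")}),
    "secret3": _dockerconfig({"ghcr.io": ("carol", "pw3")}),
}


def merge_keyring(secrets: Dict[str, str]) -> Dict[str, dict]:
    """Merge the `auths` of several dockerconfigjson secrets into one keyring
    keyed by registry URL minus scheme. A later secret repeating a key wins."""
    keyring: Dict[str, dict] = {}
    for name, encoded in secrets.items():
        cfg = json.loads(base64.b64decode(encoded))
        for url, auth in cfg.get("auths", {}).items():
            key = url.split("://", 1)[-1].rstrip("/")
            keyring[key] = {"source": name, **auth}
    return keyring


def _key_matches(key: str, repo: str) -> bool:
    """A key matches when its host equals the image host and its path (if any)
    is a prefix of the image path on a path-segment boundary."""
    key_host, _, key_path = key.partition("/")
    repo_host, _, repo_path = repo.partition("/")
    if key_host != repo_host:
        return False
    return not key_path or repo_path == key_path or repo_path.startswith(key_path + "/")


def lookup(keyring: Dict[str, dict], image: str) -> List[dict]:
    """Credentials the kubelet would try for `image`, most specific key first.
    An empty list means the pull is attempted anonymously. Images must carry
    their registry host (the kubelet itself expands bare Docker Hub names)."""
    repo = image.split("://", 1)[-1].split("@", 1)[0]   # drop scheme and digest
    head, sep, last = repo.rpartition("/")
    if sep:
        repo = head + "/" + last.split(":", 1)[0]        # drop the tag
    matches = sorted((k for k in keyring if _key_matches(k, repo)), key=len, reverse=True)
    return [keyring[k] for k in matches]


def pull_with(creds: List[dict], registry_accepts: Callable[[str, str], bool]) -> Tuple[bool, int]:
    """Mimic the kubelet's pull loop: try each matching credential in order and
    stop at the first success. Returns (succeeded, attempts made), i.e. how many
    authentication attempts the registry actually saw for this pull."""
    for attempts, cred in enumerate(creds, start=1):
        if registry_accepts(cred["username"], cred["password"]):
            return True, attempts
    return False, len(creds)


if __name__ == "__main__":
    keyring = merge_keyring(SAMPLE_SECRETS)
    for image in ("registry.example.com/team-b/api:1.0", "quay.io/org/tool:2"):
        print(image, "->", [c["source"] for c in lookup(keyring, image)])
```

In this model a credential is only ever presented to the registry whose host it was stored for, so a secret for `registry.example.com` is never tried against `ghcr.io`. Several secrets for the same registry do mean several attempts against that registry for one pull, one per matching entry, which is the case to keep in mind if a registry rate-limits failed logins.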
I'm looking for a possible way to reference the secrets in my deployment.yaml (1 liner).
Currently I'm using the following:

    containers:
    - name: {{ template "myapp.name" . }}
      image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
      imagePullPolicy: Always
      env:
      - name: COUCHDB_USER
        valueFrom:
          secretKeyRef:
            name: {{ .Release.Name }}-secrets
            key: COUCHDB_USER
      - name: COUCHDB_PASSWORD
        valueFrom:
          secretKeyRef:
            name: {{ .Release.Name }}-secrets
            key: COUCHDB_PASSWORD

With the minimal modification possible, I want to achieve something like this:

    containers:
    - name: {{ template "myapp.name" . }}
      image: "{{ …

Imagine a secret like this:
    apiVersion: v1
    kind: Secret
    metadata:
      name: {{ include "test-cicd.fullname" . }}
      labels:
        app.kubernetes.io/name: {{ include "test-cicd.name" . }}
        helm.sh/chart: {{ include "test-cicd.chart" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
        app.kubernetes.io/managed-by: {{ .Release.Service }}
    type: Opaque
    # plain-text values belong under stringData; data must be base64
    stringData:
      secret.yaml: |
        {{ if eq .Values.env "prod" }}
        foo: bar-prod
        foo2: bar2_prod
        {{ else if eq .Values.env "dev" }}
        foo: bar-dev
        {{ end }}

Is it possible to seal this with Kubeseal? Doing so now, I get `invalid map key: map[interface {}]interface {}{"include \"test-cicd.fullname\" .":interface {}(nil)}`, which is probably because it isn't a "valid" yaml file.
One thing I tried was: 1. remove the helm template lines 2. …
I'm working with kubernetes and its resources (for example secrets). During deployment, a secret (say test-secret) has been created with some values. Now I need to rename this secret (to dev-secret) within the same namespace. How do I rename the secret, or how do I copy the test-secret values to dev-secret?
Please let me know the correct approach.
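An added example, not part of the question and not a Kubernetes feature: the API has no rename for a Secret, so the usual route is to export the existing object, strip the fields the API server populated, change the name, apply the copy, verify it, and only then delete the original. `SAMPLE_SECRET` below is a constructed object shaped like `kubectl get secret test-secret -o json` output; the script name `copy_secret.py` in the usage comment is assumed.

```python
"""Added example, not from the question: Kubernetes has no rename operation
for a Secret, so the usual route is to export the existing object, strip the
fields the API server populated, change the name, apply the copy, verify it,
and only then delete the original. `SAMPLE_SECRET` is a constructed object
shaped like `kubectl get secret test-secret -o json` output."""
import copy
import json
import sys
from typing import Optional

# Fields the server fills in on creation; re-submitting them with a new name
# either conflicts or is rejected.
SERVER_MANAGED = ("uid", "resourceVersion", "creationTimestamp", "selfLink",
                  "managedFields", "generation")

SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "test-secret",
        "namespace": "dev",
        "uid": "c0ffee00-0000-4000-8000-000000000000",
        "resourceVersion": "12345",
        "creationTimestamp": "2023-01-01T00:00:00Z",
        "managedFields": [{"manager": "kubectl", "operation": "Update"}],
        "ownerReferences": [{"kind": "Deployment", "name": "demo",
                             "uid": "deadbeef-0000-4000-8000-000000000000"}],
        "labels": {"app": "demo"},
    },
    "type": "Opaque",
    "data": {"username": "dGVzdA==", "password": "cGFzcw=="},
}


def copy_secret(secret: dict, new_name: str, new_namespace: Optional[str] = None) -> dict:
    """Return a fresh manifest carrying the same type and data under a new
    name (and optionally namespace). The input is not modified."""
    out = copy.deepcopy(secret)
    meta = out["metadata"]
    for field_name in SERVER_MANAGED:
        meta.pop(field_name, None)
    # The copy is a new object: it must not be garbage-collected along with
    # the original's owner, so ownerReferences are dropped as well.
    meta.pop("ownerReferences", None)
    meta["name"] = new_name
    if new_namespace:
        meta["namespace"] = new_namespace
    # `type` is immutable once created, so it is carried over unchanged;
    # a Secret of a different type has to be a new object anyway.
    return out


def same_payload(a: dict, b: dict) -> bool:
    """Check to run before deleting the original: type and data identical."""
    return a.get("type") == b.get("type") and a.get("data") == b.get("data")


if __name__ == "__main__":
    # kubectl -n dev get secret test-secret -o json \
    #   | python3 copy_secret.py dev-secret | kubectl apply -f -
    new_name = sys.argv[1] if len(sys.argv) > 1 else "dev-secret"
    json.dump(copy_secret(json.load(sys.stdin), new_name), sys.stdout, indent=2)
```

After applying, compare `kubectl get secret dev-secret -o jsonpath='{.data}'` with the original before deleting test-secret, and update every `secretKeyRef`, `envFrom` and volume that still names test-secret; pods keep running on the old values until they are restarted.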
In Azure Kubernetes, I want to have a pod with jenkins in the default namespace, and it needs to read secrets from my application's namespace.
When I try, I get the following error:

    Error from server (Forbidden): secrets "myapp-mongodb" is forbidden: User "system:serviceaccount:default:jenkinspod" cannot get resource "secrets" in API group "" in the namespace "myapp"

How can I give this jenkins pod access to read the secrets in the "myapp" namespace?
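An added example, not part of the question: a small model of the RBAC decision behind that error message, showing what has to exist for a ServiceAccount in one namespace to read a Secret in another. The rules modelled are the real ones: a Role and a RoleBinding are namespaced, a RoleBinding grants its Role's rules only in the binding's own namespace, and the subject may be a ServiceAccount from any namespace. ClusterRoles and ClusterRoleBindings are left out. The names default/jenkinspod, myapp and myapp-mongodb come from the question; the Role name `secret-reader` and its contents are assumed.

```python
"""Added example, not from the question: a small model of the RBAC decision
behind the error message, showing what must exist for a ServiceAccount in one
namespace to read a Secret in another. Modelled rules: Role and RoleBinding
are namespaced; a RoleBinding grants its Role's rules only in the binding's
own namespace; the subject may be a ServiceAccount from any namespace.
ClusterRoles/ClusterRoleBindings are not modelled. The names
default/jenkinspod, myapp and myapp-mongodb come from the question; the Role
contents are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)  # empty = any name


@dataclass
class Role:
    namespace: str
    name: str
    rules: List[Rule]


@dataclass
class RoleBinding:
    namespace: str
    role_name: str       # a Role in the binding's own namespace
    subjects: List[str]  # user names such as system:serviceaccount:<ns>:<sa>


@dataclass
class Request:
    user: str
    verb: str
    api_group: str
    resource: str
    namespace: str
    name: Optional[str] = None


def rule_allows(rule: Rule, req: Request) -> bool:
    """Every field must match; "*" is a wildcard; a non-empty resourceNames
    list restricts the rule to those object names."""
    return (
        (req.api_group in rule.api_groups or "*" in rule.api_groups)
        and (req.resource in rule.resources or "*" in rule.resources)
        and (req.verb in rule.verbs or "*" in rule.verbs)
        and (not rule.resource_names or req.name in rule.resource_names)
    )


def authorize(req: Request, roles: List[Role], bindings: List[RoleBinding]) -> str:
    """Return "allowed", or the Forbidden message the API server prints."""
    roles_by_key = {(r.namespace, r.name): r for r in roles}
    for binding in bindings:
        # A RoleBinding only applies to requests in its own namespace, and
        # only to the subjects it lists.
        if binding.namespace != req.namespace or req.user not in binding.subjects:
            continue
        role = roles_by_key.get((binding.namespace, binding.role_name))
        if role and any(rule_allows(rule, req) for rule in role.rules):
            return "allowed"
    return (
        f'{req.resource} "{req.name}" is forbidden: User "{req.user}" cannot '
        f'{req.verb} resource "{req.resource}" in API group "{req.api_group}" '
        f'in the namespace "{req.namespace}"'
    )


# Constructed scenario from the question: the Jenkins pod's ServiceAccount.
JENKINS = "system:serviceaccount:default:jenkinspod"
READ_MONGO_SECRET = Role("myapp", "secret-reader",
                         [Rule([""], ["secrets"], ["get"], ["myapp-mongodb"])])
BINDING_IN_MYAPP = RoleBinding("myapp", "secret-reader", [JENKINS])      # correct
BINDING_IN_DEFAULT = RoleBinding("default", "secret-reader", [JENKINS])  # common mistake
REQUEST = Request(JENKINS, "get", "", "secrets", "myapp", "myapp-mongodb")

if __name__ == "__main__":
    print(authorize(REQUEST, [], []))
    print(authorize(REQUEST, [READ_MONGO_SECRET], [BINDING_IN_MYAPP]))
```

The two objects the model says are needed, with the assumed names, correspond to `kubectl -n myapp create role secret-reader --verb=get --resource=secrets --resource-name=myapp-mongodb` and `kubectl -n myapp create rolebinding jenkins-secret-reader --role=secret-reader --serviceaccount=default:jenkinspod`; both live in myapp, not in default, and the `--resource-name` keeps the grant to the one Secret Jenkins actually needs.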
I created a service that runs perfectly in kubernetes.
Then I moved the connection string into a kubernetes secret; here is my yaml config:

    env:
    - name: AZURE_CONNECTION
      valueFrom:
        secretKeyRef:
          name: azure
          key: connection-string

But since then, scheduling of the Pod fails:

    Error: failed to start container "myservice-api-host": Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:295: setting oom score for ready process caused \"write /proc/22658/oom_score_adj: invalid argument\""
I'm trying to generate a Kubernetes secret from a Kubernetes Job. The secret is a TLS certificate for elasticsearch transport. I tried this Job:

    apiVersion: batch/v1
    kind: Job
    metadata:
      name: conso-security-tls-gen-certs
    spec:
      template:
        spec:
          containers:
          - name: generator
            volumeMounts:
            - name: certs
              mountPath: "/certs"
            image: "docker.elastic.co/elasticsearch/elasticsearch:7.4.2"
            command: ["/bin/sh", "-c"]
            args:
            - "bin/elasticsearch-certutil ca (...) --silent -out /certs/bundle.p12"
          restartPolicy: Never
          volumes:
          - name: certs
            secret:
              secretName: conso-security-tls-certs
      backoffLimit: 4

But as https://github.com/kubernetes/kubernetes/issues/62099 says, the /certs volume is read-only. Is there a way to create/edit the secret like this?
I'm not sure whether I'm interpreting the container's output correctly, but I see the following output from sequelize in the logs:

    Nates-MacBook-Pro:k8s natereed$ docker logs 1a3e6141d050
    ...
    (node:36) UnhandledPromiseRejectionWarning: SequelizeConnectionError: password authentication failed for user "postgres
    "

It seems to have an extra newline in the username, which should be "postgres". The database is configured with the environment variable $POSTGRESS_USERNAME (yes, I know it's misspelled; it comes from another author).

    src/config/config.ts: "username": process.env.POSTGRESS_USERNAME

I went into the running container and checked that the environment variables are set correctly:

    root@backend-feed-75c4f97d6-9tp2f:/usr/src/app# echo $POSTGRESS_USERNAME
    postgres
    root@backend-feed-75c4f97d6-9tp2f:/usr/src/app# echo $POSTGRESS_PASSWORD
    ...
    root@backend-feed-75c4f97d6-9tp2f:/usr/src/app# echo $POSTGRESS_DB
    mydb
    ...

To create the secret and then apply it, I ran:

    echo "postgres" | openssl base64
    (edit env-secret.yaml)
    kubectl apply -f env-secret.yaml

Secret contents:

    apiVersion: v1
    kind: Secret
    metadata:
      name: env-secret
    type: Opaque
    data:
      POSTGRESS_USERNAME: cG9zdGdyZXMK
      POSTGRESS_PASSWORD: ...

Is this not the correct way to create a k8s secret?
Below is my application definition using the azure csi store provider. Unfortunately, this definition throws `Error: secret 'my-kv-secrets' not found`. Why?

    apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
    kind: SecretProviderClass
    metadata:
      name: my-app-dev-spc
    spec:
      provider: azure
      secretObjects:
      - secretName: my-kv-secrets
        type: Opaque
        data:
        - objectName: DB-HOST
          key: DB-HOST
      parameters:
        keyvaultName: my-kv-name
        objects: |
          array:
            - |
              objectName: DB-HOST
              objectType: secret
        tenantId: "xxxxx-yyyy-zzzz-rrrr-vvvvvvvv"

    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        run: debug
      name: debug
    spec:
      containers:
      - args:
        - sleep
        - 1d
        name: debug
        image: alpine
        env:
        - name: DB_HOST
          valueFrom:
            secretKeyRef:
              name: …

I have a ClusterIssuer that is waiting for a secretName; I can see in the ClusterIssuer spec that I can specify secretName:
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: postgres-operator-ca-certificate-cluster-issuer
    spec:
      ca:
        secretName: postgres-operator-ca-certificate # <---- Here

But how do I provide a reference to the secret's namespace? This secret is created with the following Certificate:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: postgres-operator-self-signed-ca-certificate
      namespace: postgres # <---- This namespace can not be changed to cert-manager
    spec:
      isCA: true
      commonName: postgres-operator-ca-certificate
      secretName: postgres-operator-ca-certificate
      issuerRef:
        name: postgres-operator-selfsigned-clusterissuer
        kind: ClusterIssuer

Since this is namespaced, is it recommended to use an Issuer instead of a ClusterIssuer? Does a ClusterIssuer look in the cert-manager namespace by default?
I'm having trouble injecting a Kubernetes Secret's value into a Pod env. I have the following pg-secrets.yml:

    apiVersion: v1
    kind: Secret
    metadata:
      name: pg-secrets
    type: Opaque
    data:
      POSTGRES_USER: cG9zdGdyZXMK
      POSTGRES_PASSWORD: cGFzc3dvcmQK
      # postgres & password

Then I inject POSTGRES_PASSWORD from it into the application-deployment.yml ENV:

    apiVersion: apps/v1
    kind: Deployment
    ...
    spec:
      containers:
      - name: realo
        image: abialiauski/realo
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
        env:
        - name: PG_USERNAME
          valueFrom:
            configMapKeyRef:
              name: realo-configmap
              key: PG_USERNAME
        - name: PG_PASSWORD
          valueFrom:
            secretKeyRef:
              name: pg-secrets
              key: POSTGRES_PASSWORD
        - name: PG_HOST
          value: postgres

and have this application.yml:

    spring:
      application:
        name: …
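An added example, not part of either the sequelize question above or this one: why `echo "postgres" | base64` yields a value that decodes to "postgres" followed by a newline (`echo` appends one, and base64 encodes every byte it is given), plus a check that catches such values in a Secret manifest before `kubectl apply`. The manifest and data map below are constructed; the value cG9zdGdyZXMK is the one both questions use, and the dependency-free `data:` parser is an assumption that only handles a flat single-document Secret.

```python
"""Added example, not from either question: `echo "postgres" | base64` encodes
"postgres\n" because echo appends a newline and base64 encodes every byte it
gets. Below: the correct encoding, a check that flags decoded values ending in
whitespace, and a fix. The manifest is constructed; cG9zdGdyZXMK is the value
from the questions. The manifest parser is deliberately dependency-free and
only handles a flat `data:` map in a single-document Secret."""
import base64
import re
from typing import Dict, List

WHITESPACE = b" \t\r\n"


def encode_secret_value(value: str) -> str:
    """Encode exactly the bytes given, with no trailing newline. Shell
    equivalent: printf '%s' "$value" | base64 -w0"""
    return base64.b64encode(value.encode()).decode()


def decode_secret_value(encoded: str) -> bytes:
    return base64.b64decode(encoded)


def find_trailing_whitespace(data: Dict[str, str]) -> List[str]:
    """Keys of a Secret's `data` map whose decoded value ends in whitespace
    (newline, CR, space or tab); these are the values that break logins."""
    return [key for key, encoded in data.items()
            if decode_secret_value(encoded).rstrip(WHITESPACE) != decode_secret_value(encoded)]


def fix_trailing_whitespace(data: Dict[str, str]) -> Dict[str, str]:
    """Re-encode every value with trailing whitespace removed."""
    return {key: base64.b64encode(decode_secret_value(encoded).rstrip(WHITESPACE)).decode()
            for key, encoded in data.items()}


def data_from_manifest(text: str) -> Dict[str, str]:
    """Pull the flat `data:` map out of a single-document Secret manifest
    (assumed shape; a real tool would use a YAML library)."""
    data: Dict[str, str] = {}
    in_data = False
    for line in text.splitlines():
        if not in_data:
            in_data = line.rstrip() == "data:"
            continue
        match = re.match(r"^\s+([^\s:#]+):\s*([A-Za-z0-9+/=]+)\s*$", line)
        if not match:
            break  # dedent or a non key/value line ends the block
        data[match.group(1)] = match.group(2)
    return data


# Constructed manifest in the shape of pg-secrets.yml from the question.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Secret
metadata:
  name: pg-secrets
type: Opaque
data:
  POSTGRES_USER: cG9zdGdyZXMK
  POSTGRES_PASSWORD: cGFzc3dvcmQK
  POSTGRES_DB: bXlkYg==
"""

SAMPLE_DATA = {
    "POSTGRES_USER": "cG9zdGdyZXMK",             # from the questions: "postgres\n"
    "POSTGRES_PASSWORD": "cGFzc3dvcmQK",         # "password\n"
    "POSTGRES_DB": encode_secret_value("mydb"),  # clean: "bXlkYg=="
}

if __name__ == "__main__":
    data = data_from_manifest(SAMPLE_MANIFEST)
    for key in find_trailing_whitespace(data):
        print(f"{key}: decodes to {decode_secret_value(data[key])!r}")
    print("fixed:", fix_trailing_whitespace(data))
```

The same check from the shell is `kubectl get secret pg-secrets -o jsonpath='{.data.POSTGRES_USER}' | base64 -d | od -c`, where a trailing `\n` in the dump is the symptom. `kubectl create secret generic pg-secrets --from-literal=POSTGRES_USER=postgres` or a `stringData:` block avoids hand-encoding entirely.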