@@ -181,45 +181,6 @@ If you want to access data from a Secret in a Pod, one way to do that is to
181181have Kubernetes make the value of that Secret be available as a file inside
182182the filesystem of one or more of the Pod's containers.
183183
184- To configure that, you:
185-
186- 1 . Create a secret or use an existing one. Multiple Pods can reference the same secret.
187- 1 . Modify your Pod definition to add a volume under ` .spec.volumes[] ` . Name the volume anything,
188- and have a ` .spec.volumes[].secret.secretName ` field equal to the name of the Secret object.
189- 1 . Add a ` .spec.containers[].volumeMounts[] ` to each container that needs the secret. Specify
190- ` .spec.containers[].volumeMounts[].readOnly = true ` and
191- ` .spec.containers[].volumeMounts[].mountPath ` to an unused directory name where you would like the
192- secrets to appear.
193- 1 . Modify your image or command line so that the program looks for files in that directory. Each
194- key in the secret ` data ` map becomes the filename under ` mountPath ` .
195-
196- This is an example of a Pod that mounts a Secret named ` mysecret ` in a volume:
197-
198- ``` yaml
199- apiVersion : v1
200- kind : Pod
201- metadata :
202- name : mypod
203- spec :
204- containers :
205- - name : mypod
206- image : redis
207- volumeMounts :
208- - name : foo
209- mountPath : " /etc/foo"
210- readOnly : true
211- volumes :
212- - name : foo
213- secret :
214- secretName : mysecret
215- optional : false # default setting; "mysecret" must exist
216- ` ` `
217-
218- Each Secret you want to use needs to be referred to in ` .spec.volumes`.
219-
220- If there are multiple containers in the Pod, then each container needs its
221- own `volumeMounts` block, but only one `.spec.volumes` is needed per Secret.
222-
223184{{< note >}}
224185Versions of Kubernetes before v1.22 automatically created credentials for accessing
225186the Kubernetes API. This older mechanism was based on creating token Secrets that
@@ -238,123 +199,6 @@ You can use the [`kubectl create token`](/docs/reference/generated/kubectl/kubec
238199command to obtain a token from the ` TokenRequest ` API.
239200{{< /note >}}
240201
241- # ### Projection of Secret keys to specific paths
242-
243- You can also control the paths within the volume where Secret keys are projected.
244- You can use the `.spec.volumes[].secret.items` field to change the target path of each key :
245-
246- ` ` ` yaml
247- apiVersion: v1
248- kind: Pod
249- metadata:
250- name: mypod
251- spec:
252- containers:
253- - name: mypod
254- image: redis
255- volumeMounts:
256- - name: foo
257- mountPath: "/etc/foo"
258- readOnly: true
259- volumes:
260- - name: foo
261- secret:
262- secretName: mysecret
263- items:
264- - key: username
265- path: my-group/my-username
266- ` ` `
267-
268- What will happen :
269-
270- * the `username` key from `mysecret` is available to the container at the path
271- ` /etc/foo/my-group/my-username` instead of at `/etc/foo/username`.
272- * the `password` key from that Secret object is not projected.
273-
274- If `.spec.volumes[].secret.items` is used, only keys specified in `items` are projected.
275- To consume all keys from the Secret, all of them must be listed in the `items` field.
276-
277- If you list keys explicitly, then all listed keys must exist in the corresponding Secret.
278- Otherwise, the volume is not created.
279-
280- # ### Secret files permissions
281-
282- You can set the POSIX file access permission bits for a single Secret key.
283- If you don't specify any permissions, `0644` is used by default.
284- You can also set a default mode for the entire Secret volume and override per key if needed.
285-
286- For example, you can specify a default mode like this :
287-
288- ` ` ` yaml
289- apiVersion: v1
290- kind: Pod
291- metadata:
292- name: mypod
293- spec:
294- containers:
295- - name: mypod
296- image: redis
297- volumeMounts:
298- - name: foo
299- mountPath: "/etc/foo"
300- volumes:
301- - name: foo
302- secret:
303- secretName: mysecret
304- defaultMode: 0400
305- ` ` `
306-
307- The secret is mounted on `/etc/foo`; all the files created by the
308- secret volume mount have permission `0400`.
309-
310- {{< note >}}
311- If you're defining a Pod or a Pod template using JSON, beware that the JSON
312- specification doesn't support octal notation. You can use the decimal value
313- for the `defaultMode` (for example, 0400 in octal is 256 in decimal) instead.
314- If you're writing YAML, you can write the `defaultMode` in octal.
315- {{< /note >}}
316-
317- # ### Consuming Secret values from volumes
318-
319- Inside the container that mounts a secret volume, the secret keys appear as
320- files. The secret values are base64 decoded and stored inside these files.
321-
322- This is the result of commands executed inside the container from the example above :
323-
324- ` ` ` shell
325- ls /etc/foo/
326- ` ` `
327-
328- The output is similar to :
329-
330- ` ` `
331- username
332- password
333- ` ` `
334-
335- ` ` ` shell
336- cat /etc/foo/username
337- ` ` `
338-
339- The output is similar to :
340-
341- ` ` `
342- admin
343- ` ` `
344-
345- ` ` ` shell
346- cat /etc/foo/password
347- ` ` `
348-
349- The output is similar to :
350-
351- ` ` `
352- 1f2d1e2e67df
353- ` ` `
354-
355- The program in a container is responsible for reading the secret data from these
356- files, as needed.
357-
358202#### Mounted Secrets are updated automatically
359203
360204When a volume contains data from a Secret, and that Secret is updated, Kubernetes tracks
0 commit comments