Kubernetes Secrets are, by default, stored as unencrypted base64-encoded
51
+
strings. By default they can be retrieved - as plain text - by anyone with API
52
+
access, or anyone with access to Kubernetes' underlying data store, etcd. In
53
+
order to safely use Secrets, we recommend you (at a minimum):
54
+
55
+
1. [Enable Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) for Secrets.
56
+
2. [Enable RBAC rules that restrict reading and writing the Secret](https://kubernetes.io/docs/reference/access-authn-authz/authorization/). Be aware that secrets can be obtained implicitly by anyone with the permission to create a Pod.
57
+
-->
58
+
Kubernetes Secret 默认情况下存储为 base64-编码的、非加密的字符串。
59
+
默认情况下,能够访问 API 的任何人,或者能够访问 Kubernetes 下层数据存储(etcd)
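Review bot: In the added Chinese sentence, `base64-编码的` keeps the hyphen from the English compound "base64-encoded", which reads oddly in Chinese; `base64 编码的` would be cleaner. The visible translation stops before item 2, so please also confirm that the translated list carries the caveat that Secrets can be obtained implicitly by anyone with permission to create a Pod, since that is the least obvious part of the warning.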
The `imagePullSecrets` field is a list of references to secrets in the same namespace.
1244
1264
You can use an `imagePullSecrets` to pass a secret that contains a Docker (or other) image registry
1245
1265
password to the kubelet. The kubelet uses this information to pull a private image on behalf of your Pod.
1246
-
See the [PodSpec API](/docs/reference/generated/kubernetes-api/{{< latest-version >}}/#podspec-v1-core) for more information about the `imagePullSecrets` field.
1266
+
See the [PodSpec API](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core) for more information about the `imagePullSecrets` field.
1247
1267
1248
1268
#### Manually specifying an imagePullSecret
1249
1269
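Review bot: Only the single PodSpec API link on the `-`/`+` pair is switched from `{{< latest-version >}}` to `{{< param "version" >}}`. If the translated paragraph for this section, or any other link in the same file, still uses `{{< latest-version >}}`, it should be changed in the same commit so that all API reference links on the page resolve against the same version.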
@@ -1254,7 +1274,8 @@ You can learn how to specify `ImagePullSecrets` from the [container images docum
@@ -486,7 +542,6 @@ but cannot be controlled from there.
486
542
487
543
<!--
488
544
* Learn about the [lifecycle of a Pod](/docs/concepts/workloads/pods/pod-lifecycle/).
489
-
* Learn about [PodPresets](/docs/concepts/workloads/pods/podpreset/).
490
545
* Learn about [RuntimeClass](/docs/concepts/containers/runtime-class/) and how you can use it to
491
546
configure different Pods with different container runtime configurations.
492
547
* Read about [Pod topology spread constraints](/docs/concepts/workloads/pods/pod-topology-spread-constraints/).
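Review bot: The removed bullet linking to `/docs/concepts/workloads/pods/podpreset/` is dropped without any visible explanation. Please state the reason in the commit message, and search the rest of the localized tree for remaining links to that path so that no references are left pointing at a page that is no longer listed.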
@@ -497,7 +552,6 @@ but cannot be controlled from there.
497
552
* [The Distributed System Toolkit: Patterns for Composite Containers](https://kubernetes.io/blog/2015/06/the-distributed-system-toolkit-patterns) explains common layouts for Pods with more than one container.
@@ -510,7 +564,7 @@ but cannot be controlled from there.
510
564
中解释了在同一 Pod 中包含多个容器时的几种常见布局。
511
565
512
566
<!--
513
-
To understand the context for why Kubernetes wraps a common Pod API in other resources (such as {{< glossary_tooltip text="StatefulSets" term_id="statefulset" >}} or {{< glossary_tooltip text="Deployments" term_id="deployment" >}}, you can read about the prior art, including:
567
+
To understand the context for why Kubernetes wraps a common Pod API in other resources (such as {{< glossary_tooltip text="StatefulSets" term_id="statefulset" >}} or {{< glossary_tooltip text="Deployments" term_id="deployment" >}}), you can read about the prior art, including:
## Is there a recommended set of admission controllers to use?
1352
1339
1353
-
Yes. For Kubernetes version 1.10 and later, the recommended admission controllers are enabled by default (shown [here](/docs/reference/command-line-tools-reference/kube-apiserver/#options)), so you do not need to explicitly specify them. You can enable additional admission controllers beyond the default set using the `--enable-admission-plugins` flag (**order doesn't matter**).
1340
+
Yes. The recommended admission controllers are enabled by default (shown [here](/docs/reference/command-line-tools-reference/kube-apiserver/#options)), so you do not need to explicitly specify them. You can enable additional admission controllers beyond the default set using the `--enable-admission-plugins` flag (**order doesn't matter**).
For Kubernetes 1.9 and earlier, we recommend running the following set of admission controllers using the `--admission-control` flag (**order matters**).
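Review bot: Removing "For Kubernetes version 1.10 and later," from the first sentence leaves it unconditional, yet the following paragraph ("For Kubernetes 1.9 and earlier, we recommend ... `--admission-control` flag") still appears after it. The answer now says the recommended set is always enabled by default and then gives version-specific instructions where order matters. Either drop the 1.9 paragraph in the same change or keep the version qualifier, so that an operator reading this does not mix `--enable-admission-plugins` and `--admission-control` guidance.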