kubernetes - Writing to a Secret file in a pod

Repost. Author: 行者123. Updated: 2023-12-02 11:37:06

I have defined a secret:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
stringData:
  config.yaml: |-
    apiUrl: "https://my.api.com/api/v1"
    username: Administrator
    password: NewPasswdTest11

and then created a volume mount in the Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8s-webapp-test
  labels:
    name: k8s-webapp-test
    version: 1.0.4
spec:
  replicas: 2
  selector:
    matchLabels:
      name: k8s-webapp-test
      version: 1.0.4
  template:
    metadata:
      labels:
        name: k8s-webapp-test
        version: 1.0.4
    spec:
      nodeSelector:
        kubernetes.io/os: windows
      volumes:
      - name: secret-volume
        secret:
          secretName: string-data-secret
      containers:
      - name: k8s-webapp-test
        image: dockerstore/k8s-webapp-test:1.0.4
        ports:
        - containerPort: 80
        volumeMounts:
        - name: secret-volume
          mountPath: "/secrets"
          readOnly: false

So after deployment I have 2 pods with the volume mount in C:\secrets (I do use Windows nodes). When I try to edit config.yaml located in the C:\secrets folder, I get the following error:

Access to the path 'c:\secrets\config.yaml' is denied.



Although I marked the file as readOnly false, I cannot write to it. How can I modify the file?

Best answer

As you can see here, this is not possible:

Secret, configMap, downwardAPI and projected volumes will be mounted as read-only volumes. Applications that attempt to write to these volumes will receive read-only filesystem errors. Previously, applications were allowed to make changes to these volumes, but those changes were reverted at an arbitrary interval by the system. Applications should be re-configured to write derived files to another location



You can look into using an init container, which maps the secret and then copies it to the desired location where you can modify it.

As an alternative to the init container, you can also use a container lifecycle hook, i.e. a PostStart hook, which is executed immediately after the container is created.

lifecycle:
  postStart:
    exec:
      command:
      - "/bin/sh"
      - "-c"
      - >
        cp -r /secrets ~/secrets;

Regarding kubernetes - Writing to a Secret file in a pod, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/56686376/
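
The init-container approach from the answer above, as an added example that is not part of the original post: the Secret stays mounted read-only and an init container copies config.yaml into an emptyDir that the application can write to. It assumes a Linux node; the pod name, both images, the UID/GID and the /work path are hypothetical, and on Windows nodes like the asker's the image and copy command would need Windows equivalents.

```yaml
# Added example; names, images, IDs and paths are assumptions for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: writable-config-demo            # hypothetical name
spec:
  securityContext:
    runAsUser: 1000                     # run both containers as non-root
    runAsGroup: 1000
    fsGroup: 1000                       # gives this group access to both volumes
  volumes:
  - name: secret-volume
    secret:
      secretName: mysecret              # the Secret defined in the question
      defaultMode: 0440                 # owner and group read, nobody else
  - name: config-work
    emptyDir:
      medium: Memory                    # tmpfs: the copy is not written to node disk
  initContainers:
  - name: copy-config
    image: busybox:1.36                 # assumed Linux utility image
    command:
    - sh
    - -c
    # Copy the read-only secret file into the writable volume, then
    # restrict the copy to its owner.
    - cp /secrets/config.yaml /work/config.yaml && chmod 600 /work/config.yaml
    volumeMounts:
    - name: secret-volume
      mountPath: /secrets
      readOnly: true                    # source is never written to
    - name: config-work
      mountPath: /work
  containers:
  - name: app
    image: registry.example.invalid/webapp:1.0   # placeholder application image
    volumeMounts:
    - name: config-work
      mountPath: /work                  # app reads and edits /work/config.yaml
```

The copy is a snapshot taken when the pod starts, so later updates to the Secret do not reach /work/config.yaml until the pod is recreated. A memory-backed emptyDir counts against the pod's memory usage.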
