kubernetes - 将 secret 附加到正在运行的 pod

Question

如何给正在运行的 pod 添加 secret？

我有一个正在运行的 pod，我想附加一个 secret 。

我不想终止正在运行的 pod 实例。

我知道 pod 应该作为无状态运行。

Answer 1

根据documentation :

Secrets can be mounted as data volumes or be exposed as environment variables to be used by a container in a pod.

This is an example of a pod that mounts a secret in a volume:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

Mounted Secrets are updated automatically

When a secret being already consumed in a volume is updated, projected keys are eventually updated as well. Kubelet is checking whether the mounted secret is fresh on every periodic sync. However, it is using its local cache for getting the current value of the Secret. The type of the cache is configurable using the (ConfigMapAndSecretChangeDetectionStrategy field in KubeletConfiguration struct). It can be either propagated via watch (default), ttl-based, or simply redirecting all requests to directly kube-apiserver. As a result, the total delay from the moment when the Secret is updated to the moment when new keys are projected to the Pod can be as long as kubelet sync period + cache propagation delay, where cache propagation delay depends on the chosen cache type (it equals to watch propagation delay, ttl of cache, or zero corespondingly).

Note: A container using a Secret as a subPath volume mount will not receive Secret updates.

This is an example of a pod that uses secrets from environment variables:

apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
  restartPolicy: Never

对于这两种情况，您都需要更改 pod 规范。您可以通过使用 kubectl edit 编辑 Pod 或 Deployment 来完成此操作:

$ kubectl edit pod <pod_name> -n <namespace_name>
$ kubectl edit deployment <deployment_name> -n <namespace_name>

或者，您可以在 YAML 文件中进行更改并应用它:

$ vi MyPod.yaml
$ kubectl apply -f MyPod.yaml

您需要知道的最重要的事情是，如果您更改 Pod 规范，您的 Pod 将重新启动以应用更改。在部署滚动更新的情况下会发生。在大多数情况下是可以的。如果您需要保存应用程序的状态，最好的方法是使用卷存储有值(value)的信息。

如果你仍然想在 Pod 不重启的情况下添加 secrets，你可以使用像 NFS 这样的共享存储。当您更改已安装到 Pod 中的 NFS 卷的内容时，更改将立即在 Pod 中可见。在某些情况下，您可以在 pod 内执行 shell 并手动安装 NFS 卷。

或者，您可以使用 ksd 将 secret 内容导出到文件中程序
(或 base64 -d)解码 Secret 中的 base64 编码值:

kubectl get secret mysecret -o yaml | ksd > filename.yaml

和copy使用以下命令将其发送到 pod:

kubectl cp filename.yaml <some-namespace>/<some-pod>:/tmp/secret.yaml