2.7. Providing sensitive data to pods by using secrets
As an administrator, you can use Secret objects to provide sensitive information, such as passwords and user names, to applications without exposing that information in plain text that developers could see.
2.7.1. Understanding secrets 复制链接链接已复制到粘贴板!
You can mount secrets into containers by using a volume plugin or the system can use secrets to perform actions on behalf of a pod.
The Secret object type provides a mechanism to hold sensitive information such as passwords, OpenShift Container Platform client configuration files, private source repository credentials, and so on. Secrets decouple sensitive content from the pods.
Key properties include:
- Secret data can be referenced independently from its definition.
- Secret data volumes are backed by temporary file-storage facilities (tmpfs) and never come to rest on a node.
- Secret data can be shared within a namespace.
YAML Secret object definition
apiVersion: v1
kind: Secret
metadata:
name: test-secret
namespace: my-namespace
type: Opaque
data:
username: <username>
password: <password>
stringData:
hostname: myapp.mydomain.com
where:
type- Specifies the structure of the secret’s key names and values.
data-
Specifies the allowable format for the keys in the
datafield must meet the guidelines in the DNS_SUBDOMAIN value as described in "Identifiers and Names in Kubernetes" in the Kubernetes documentation. data.username-
Specifies the value associated with keys in the
datamap. This value must be base64 encoded. data.password-
Specifies the value associated with keys in the
datamap. This value must be base64 encoded. stringData.hostname-
Specifies the value associated with keys in the
datamap. The value associated with keys in thestringDatamap is made up of plain text strings. Entries in thestringDatamap are converted to base64 and the entry will then be moved to thedatamap automatically. This field is write-only; the value will only be returned via thedatafield.
You must create a secret before creating the pods that depend on that secret.
When creating secrets:
- Create a secret object with secret data.
- Update the pod’s service account to allow the reference to the secret.
-
Create a pod, which consumes the secret as an environment variable or as a file (using a
secretvolume).
2.7.1.1. Types of secrets 复制链接链接已复制到粘贴板!
The value in the type field indicates the structure of the secret’s key names and values. The type can be used to enforce the presence of user names and keys in the secret object. If you do not want validation, use the opaque type, which is the default.
Specify one of the following types to trigger minimal server-side validation to ensure the presence of specific key names in the secret data:
-
kubernetes.io/basic-auth: Use with Basic authentication -
kubernetes.io/dockercfg: Use as an image pull secret -
kubernetes.io/dockerconfigjson: Use as an image pull secret -
kubernetes.io/service-account-token: Use to obtain a legacy service account API token -
kubernetes.io/ssh-auth: Use with SSH key authentication -
kubernetes.io/tls: Use with TLS certificate authorities
Specify type: Opaque if you do not want validation, which means the secret does not claim to conform to any convention for key names or values. An opaque secret, allows for unstructured key:value pairs that can contain arbitrary values.
You can specify other arbitrary types, such as example.com/my-secret-type. These types are not enforced server-side, but indicate that the creator of the secret intended to conform to the key/value requirements of that type.
For examples of creating different types of secrets, see Understanding how to create secrets.
2.7.1.2. Secret data keys 复制链接链接已复制到粘贴板!
Secret keys must be in a DNS subdomain.
2.7.1.3. Automatically generated image pull secrets 复制链接链接已复制到粘贴板!
OpenShift Container Platform automatically creates image pull secrets for each service account to integrate the internal image registry with user authentication.
Prior to OpenShift Container Platform 4.16, a long-lived service account API token secret was also generated for each service account that was created. Starting with OpenShift Container Platform 4.16, this service account API token secret is no longer created.
After upgrading to 4.21, any existing long-lived service account API token secrets are not deleted and will continue to function. For information about detecting long-lived API tokens that are in use in your cluster or deleting them if they are not needed, see "Long-lived service account API tokens in OpenShift Container Platform (Red Hat Knowledgebase)".
This image pull secret is necessary to integrate the OpenShift image registry into the cluster’s user authentication and authorization system.
However, if you do not enable the ImageRegistry capability or if you disable the integrated OpenShift image registry in the Cluster Image Registry Operator’s configuration, an image pull secret is not generated for each service account.
When the integrated OpenShift image registry is disabled on a cluster that previously had it enabled, the previously generated image pull secrets are deleted automatically.