Problem description
Apparently this behavior is caused by ServiceAccount: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#service-account-admission-controller
Which uses something called an AdmissionController. I guess what I'm looking for is one of the following:
- Find a setting in AdmissionController which skips the secrets mount for a given container (an initContainer in my case)
- Find an implementation of AdmissionController which has this flexibility
- Change the location of secrets from /var/run/secrets to somewhere else
I have an initContainer which is part of a pod that is part of a StatefulSet. I am mounting some straightforward volumes (so I can create paths/permissions before my app container starts). However, as soon as I check the file system, I see a nested path with what seems to be Kubernetes secrets.
How did this get mounted? Is this our own doing? Why this path? Can I stop the secrets from being mounted? Can I change the mount path?
$ kubectl logs nmnode-0-0 -n test -c prep-hadoop-paths
drwxrwsrwt 4 root root 80 Aug 21 03:52 /run
/run:
total 0
drwxrwsr-x 2 1000 root 40 Aug 21 03:52 configmaps
drwxr-sr-x 3 root root 60 Aug 21 03:52 secrets
/run/configmaps:
total 0
/run/secrets:
total 0
drwxr-sr-x 3 root root 60 Aug 21 03:52 kubernetes.io
/run/secrets/kubernetes.io:
total 0
drwxrwsrwt 3 root root 140 Aug 21 03:51 serviceaccount
/run/secrets/kubernetes.io/serviceaccount:
total 0
lrwxrwxrwx 1 root root 13 Aug 21 03:51 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Aug 21 03:51 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Aug 21 03:51 token -> ..data/token
initContainers:
- command:
  - sh
  - -c
  - umask 002; ls -ld /run; ls -lR /run; mkdir -p /var/run/secrets/credentials
    ; mkdir -p /var/opt/hdfs ; mkdir -p /var/run/configmaps ; mkdir -p /var/run/secrets/certificates
    ; ls -lR /var;
  image: ubuntu:16.04
  imagePullPolicy: IfNotPresent
  name: prep-hadoop-paths
  resources: {}
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  volumeMounts:
  - mountPath: /var/opt
    name: data
    subPath: hadoop/var/opt
  - mountPath: /var/log
    name: logs
    subPath: hadoop
  - mountPath: /var/run
    name: var-run
    subPath: hadoop
As you can see from the initContainer spec, there is nowhere that I specify or require any secrets to be mounted. However, they show up regardless.
The following is the volumes listing for the pod.
volumes:
- name: mssql-master-pool-secret
  secret:
    defaultMode: 420
    secretName: mssql-master-pool-secret
- name: controller-internal-secret
  secret:
    defaultMode: 420
    secretName: controller-internal-secret
- emptyDir:
    medium: Memory
  name: var-run
- configMap:
    defaultMode: 420
    name: mssql-hadoop-storage-0-configmap
  name: hadoop-config-volume
- name: nmnode-0-agent-secret
  secret:
    defaultMode: 420
    secretName: nmnode-0-agent-secret
- configMap:
    defaultMode: 420
    name: cluster-configmap
  name: cluster-config-volume
If you need more parts of the YAML, please let me know.
Recommended answer
You are on the right way, as the Admission controller is the main contributor for implementing various features via the Kubernetes API. As you mentioned above, Service Account is also propagated with some admission features in the Kubernetes cluster, initially bound to the particular admission plugin called ServiceAccount.
According to the official Kubernetes documentation, there are special flags --enable-admission-plugins and --disable-admission-plugins included in the kube-apiserver configuration that can be used to enable or disable admission plugins respectively.
By default, the ServiceAccount admission controller plugin is enabled, as described here. Besides other actions, this plugin mounts a volume with token data and a CA certificate into each Pod across the K8s cluster for authentication to the apiserver.
In order to deactivate the ServiceAccount admission plugin, you can inject --disable-admission-plugins=ServiceAccount into the kube-apiserver configuration.
Otherwise, if you want
This is where you can change the path to whatever you want
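As an added example (editor's code, not part of the original answer and not Kubernetes project code), the script below encodes the documented automountServiceAccountToken rules so you can predict, from a `kubectl get pod -o json` document, which containers will receive the token mount, and it emits the narrower per-workload opt-out instead of the cluster-wide --disable-admission-plugins=ServiceAccount. The plugin mounts the token at a fixed path (there is no apiserver flag to relocate it, which answers the asker's third option), and it also fills in the default ServiceAccount, rejects Pods that reference a missing one, and applies the ServiceAccount's imagePullSecrets; disabling it loses all of that, whereas `automountServiceAccountToken: false` on the Pod spec (or on the ServiceAccount) stops only the token mount. The Pod and ServiceAccount documents are constructed to resemble the question's nmnode-0-0 pod and are not taken from the page; the function names are the example's own.

```python
import json
from typing import Dict, List, Tuple

# Fixed path at which the ServiceAccount admission plugin mounts the token
# volume (assumption of this example: no flag relocates it).
SA_TOKEN_MOUNT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"


def automount_enabled(pod: dict, service_accounts: Dict[str, dict]) -> bool:
    """Will the admission plugin add the token volume to this Pod?

    Documented precedence: pod.spec.automountServiceAccountToken wins if set,
    else the referenced ServiceAccount's field, else True. An unset
    serviceAccountName means the "default" ServiceAccount.
    """
    spec = pod.get("spec", {})
    if spec.get("automountServiceAccountToken") is not None:
        return bool(spec["automountServiceAccountToken"])
    sa = service_accounts.get(spec.get("serviceAccountName") or "default", {})
    if sa.get("automountServiceAccountToken") is not None:
        return bool(sa["automountServiceAccountToken"])
    return True


def containers_receiving_token(pod: dict, service_accounts: Dict[str, dict]) -> List[str]:
    """Names of init and app containers that will see the token mount.

    initContainers are treated like containers (hence prep-hadoop-paths sees
    the secret). A container is skipped only if it declares its own volumeMount
    at exactly SA_TOKEN_MOUNT_PATH; a parent mount such as /var/run does not.
    """
    if not automount_enabled(pod, service_accounts):
        return []
    spec = pod.get("spec", {})
    affected = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        own_mount = any(m.get("mountPath") == SA_TOKEN_MOUNT_PATH
                        for m in c.get("volumeMounts", []))
        if not own_mount:
            affected.append(c["name"])
    return affected


def opt_out_patch(workload_kind: str) -> str:
    """Strategic-merge patch (JSON) disabling automount for new Pods.

    The field is immutable on a running Pod, so for the question's StatefulSet
    it goes into spec.template.spec; only a bare Pod is patched at spec.
    """
    inner = {"automountServiceAccountToken": False}
    body = {"spec": inner} if workload_kind == "Pod" else {"spec": {"template": {"spec": inner}}}
    return json.dumps(body, separators=(",", ":"))


# Constructed sample input, trimmed from the question's Pod, in the shape
# `kubectl get pod nmnode-0-0 -n test -o json` would return.
POD_JSON = """
{"kind": "Pod", "metadata": {"name": "nmnode-0-0", "namespace": "test"},
 "spec": {
   "initContainers": [{"name": "prep-hadoop-paths", "image": "ubuntu:16.04",
     "volumeMounts": [{"name": "var-run", "mountPath": "/var/run", "subPath": "hadoop"}]}],
   "containers": [{"name": "hadoop", "image": "ubuntu:16.04"}],
   "volumes": [{"name": "var-run", "emptyDir": {"medium": "Memory"}}]}}
"""

# Constructed ServiceAccounts in the namespace, keyed by name.
SERVICE_ACCOUNTS: Dict[str, dict] = {
    "default": {},
    "no-token": {"automountServiceAccountToken": False},
}


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Same Pod four ways: as posted, Pod-level opt-out, ServiceAccount-level
    opt-out, and a Pod override that re-enables the mount despite the SA."""
    as_posted = json.loads(POD_JSON)
    pod_opt_out = json.loads(POD_JSON)
    pod_opt_out["spec"]["automountServiceAccountToken"] = False
    sa_opt_out = json.loads(POD_JSON)
    sa_opt_out["spec"]["serviceAccountName"] = "no-token"
    pod_override = json.loads(POD_JSON)
    pod_override["spec"]["serviceAccountName"] = "no-token"
    pod_override["spec"]["automountServiceAccountToken"] = True  # Pod field wins
    return tuple(containers_receiving_token(p, SERVICE_ACCOUNTS)
                 for p in (as_posted, pod_opt_out, sa_opt_out, pod_override))


if __name__ == "__main__":
    for label, names in zip(("as posted", "pod opt-out", "sa opt-out", "pod override"), demo()):
        print(f"{label:13s} -> {names or 'no token mount'}")
    print("StatefulSet patch:", opt_out_patch("StatefulSet"))
```

Run as-is it reports that both prep-hadoop-paths and the app container get the mount in the posted spec, that either opt-out removes it, and that an explicit Pod-level `true` overrides a ServiceAccount-level `false`. The emitted patch is what you would pass to `kubectl patch statefulset <name> --type merge -p '...'` (the Pods are re-created by the StatefulSet controller, since the field cannot change on a live Pod); if the workload genuinely needs the API, keep automount on and instead scope the ServiceAccount's RBAC rather than disabling the admission plugin.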
This concludes the article on "How are Kubernetes secrets mounted?"; we hope the recommended answer helps.