kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Move YAML snippets to examples directory and include with code shortcode

This commit is contained in:
Shannon Kularathna 2023-08-15 20:11:43 +00:00
parent f2cfc91486
commit cc62cbfda3
10 changed files with 148 additions and 143 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

154
content/en/docs/concepts/configuration/secret.md
View File

@ -24,7 +24,7 @@ Because Secrets can be created independently of the Pods that use them, there
is less risk of the Secret (and its data) being exposed during the workflow of is less risk of the Secret (and its data) being exposed during the workflow of
creating, viewing, and editing Pods. Kubernetes, and applications that run in creating, viewing, and editing Pods. Kubernetes, and applications that run in
your cluster, can also take additional precautions with Secrets, such as avoiding your cluster, can also take additional precautions with Secrets, such as avoiding
writing secret data to nonvolatile storage. writing sensitive data to nonvolatile storage.
Secrets are similar to {{< glossary_tooltip text="ConfigMaps" term_id="configmap" >}} Secrets are similar to {{< glossary_tooltip text="ConfigMaps" term_id="configmap" >}}
but are specifically intended to hold confidential data. but are specifically intended to hold confidential data.
@ -78,35 +78,7 @@ Files beginning with dot characters are hidden from the output of `ls -l`;
you must use `ls -la` to see them when listing directory contents. you must use `ls -la` to see them when listing directory contents.
{{< /note >}} {{< /note >}}
```yaml {{% code language="yaml" file="secret/dotfile-secret.yaml" %}}
apiVersion: v1
kind: Secret
metadata:
name: dotfile-secret
data:
.secret-file: dmFsdWUtMg0KDQo=
---
apiVersion: v1
kind: Pod
metadata:
name: secret-dotfiles-pod
spec:
volumes:
- name: secret-volume
secret:
secretName: dotfile-secret
containers:
- name: dotfile-test-container
image: registry.k8s.io/busybox
command:
- ls
- "-l"
- "/etc/secret-volume"
volumeMounts:
- name: secret-volume
readOnly: true
mountPath: "/etc/secret-volume"
```
### Use case: Secret visible to one container in a Pod ### Use case: Secret visible to one container in a Pod
@ -135,7 +107,7 @@ Here are some of your options:
[ServiceAccount](/docs/reference/access-authn-authz/authentication/#service-account-tokens) [ServiceAccount](/docs/reference/access-authn-authz/authentication/#service-account-tokens)
and its tokens to identify your client. and its tokens to identify your client.
- There are third-party tools that you can run, either within or outside your cluster, - There are third-party tools that you can run, either within or outside your cluster,
that provide Secrets management. For example, a service that Pods access over HTTPS, that manage sensitive data. For example, a service that Pods access over HTTPS,
that reveals a Secret if the client correctly authenticates (for example, with a ServiceAccount that reveals a Secret if the client correctly authenticates (for example, with a ServiceAccount
token). token).
- For authentication, you can implement a custom signer for X.509 certificates, and use - For authentication, you can implement a custom signer for X.509 certificates, and use
@ -251,18 +223,7 @@ fills in some other fields such as the `kubernetes.io/service-account.uid` annot
The following example configuration declares a ServiceAccount token Secret: The following example configuration declares a ServiceAccount token Secret:
```yaml {{% code language="yaml" file="secret/serviceaccount-token-secret.yaml" %}}
apiVersion: v1
kind: Secret
metadata:
name: secret-sa-sample
annotations:
kubernetes.io/service-account.name: "sa-name"
type: kubernetes.io/service-account-token
data:
# You can include additional key value pairs as you do with Opaque Secrets
extra: YmFyCg==
```
After creating the Secret, wait for Kubernetes to populate the `token` key in the `data` field. After creating the Secret, wait for Kubernetes to populate the `token` key in the `data` field.
@ -290,16 +251,7 @@ you must use one of the following `type` values for that Secret:
Below is an example for a `kubernetes.io/dockercfg` type of Secret: Below is an example for a `kubernetes.io/dockercfg` type of Secret:
```yaml {{% code language="yaml" file="secret/dockercfg-secret.yaml" %}}
apiVersion: v1
kind: Secret
metadata:
name: secret-dockercfg
type: kubernetes.io/dockercfg
data:
.dockercfg: |
"<base64 encoded ~/.dockercfg file>"
```
{{< note >}} {{< note >}}
If you do not want to perform the base64 encoding, you can choose to use the If you do not want to perform the base64 encoding, you can choose to use the
@ -369,16 +321,7 @@ Secret manifest.
The following manifest is an example of a basic authentication Secret: The following manifest is an example of a basic authentication Secret:
```yaml {{% code language="yaml" file="secret/basicauth-secret.yaml" %}}
apiVersion: v1
kind: Secret
metadata:
name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
username: admin # required field for kubernetes.io/basic-auth
password: t0p-Secret # required field for kubernetes.io/basic-auth
```
The basic authentication Secret type is provided only for convenience. The basic authentication Secret type is provided only for convenience.
You can create an `Opaque` type for credentials used for basic authentication. You can create an `Opaque` type for credentials used for basic authentication.
@ -397,17 +340,7 @@ as the SSH credential to use.
The following manifest is an example of a Secret used for SSH public/private The following manifest is an example of a Secret used for SSH public/private
key authentication: key authentication:
```yaml {{% code language="yaml" file="secret/ssh-auth-secret.yaml" %}}
apiVersion: v1
kind: Secret
metadata:
name: secret-ssh-auth
type: kubernetes.io/ssh-auth
data:
# the data is abbreviated in this example
ssh-privatekey: |
MIIEpQIBAAKCAQEAulqb/Y ...
```
The SSH authentication Secret type is provided only for convenience. The SSH authentication Secret type is provided only for convenience.
You can create an `Opaque` type for credentials used for SSH authentication. You can create an `Opaque` type for credentials used for SSH authentication.
@ -440,21 +373,7 @@ the base64 encoded certificate and private key. For details, see
The following YAML contains an example config for a TLS Secret: The following YAML contains an example config for a TLS Secret:
```yaml {{% code language="yaml" file="secret/tls-auth-secret.yaml" %}}
apiVersion: v1
kind: Secret
metadata:
name: secret-tls
type: kubernetes.io/tls
stringData:
# the data is abbreviated in this example
tls.crt: |
--------BEGIN CERTIFICATE-----
MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
tls.key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
```
The TLS Secret type is provided only for convenience. The TLS Secret type is provided only for convenience.
You can create an `Opaque` type for credentials used for TLS authentication. You can create an `Opaque` type for credentials used for TLS authentication.
@ -486,21 +405,7 @@ string of the token ID.
As a Kubernetes manifest, a bootstrap token Secret might look like the As a Kubernetes manifest, a bootstrap token Secret might look like the
following: following:
```yaml {{% code language="yaml" file="secret/bootstrap-token-secret-base64.yaml" %}}
apiVersion: v1
kind: Secret
metadata:
name: bootstrap-token-5emitj
namespace: kube-system
type: bootstrap.kubernetes.io/token
data:
auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
expiration: MjAyMC0wOS0xM1QwNDozOToxMFo=
token-id: NWVtaXRq
token-secret: a3E0Z2lodnN6emduMXAwcg==
usage-bootstrap-authentication: dHJ1ZQ==
usage-bootstrap-signing: dHJ1ZQ==
```
A bootstrap token Secret has the following keys specified under `data`: A bootstrap token Secret has the following keys specified under `data`:
@ -518,26 +423,7 @@ A bootstrap token Secret has the following keys specified under `data`:
You can alternatively provide the values in the `stringData` field of the Secret You can alternatively provide the values in the `stringData` field of the Secret
without base64 encoding them: without base64 encoding them:
```yaml {{% code language="yaml" file="secret/bootstrap-token-secret-literal.yaml" %}}
apiVersion: v1
kind: Secret
metadata:
# Note how the Secret is named
name: bootstrap-token-5emitj
# A bootstrap token Secret usually resides in the kube-system namespace
namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
auth-extra-groups: "system:bootstrappers:kubeadm:default-node-token"
expiration: "2020-09-13T04:39:10Z"
# This token ID is used in the name
token-id: "5emitj"
token-secret: "kq4gihvszzgn1p0r"
# This token can be used for authentication
usage-bootstrap-authentication: "true"
# and it can be used for signing
usage-bootstrap-signing: "true"
```
## Working with Secrets ## Working with Secrets
@ -613,25 +499,7 @@ When you reference a Secret in a Pod, you can mark the Secret as _optional_,
such as in the following example. If an optional Secret doesn't exist, such as in the following example. If an optional Secret doesn't exist,
Kubernetes ignores it. Kubernetes ignores it.
```yaml {{% code language="yaml" file="secret/optional-secret.yaml" %}}
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: foo
mountPath: "/etc/foo"
readOnly: true
volumes:
- name: foo
secret:
secretName: mysecret
optional: true
```
By default, Secrets are required. None of a Pod's containers will start until By default, Secrets are required. None of a Pod's containers will start until
all non-optional Secrets are available. all non-optional Secrets are available.

8
content/en/examples/secret/basicauth-secret.yaml Normal file
View File

@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
username: admin # required field for kubernetes.io/basic-auth
password: t0p-Secret # required field for kubernetes.io/basic-auth

13
content/en/examples/secret/bootstrap-token-secret-base64.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Secret
metadata:
name: bootstrap-token-5emitj
namespace: kube-system
type: bootstrap.kubernetes.io/token
data:
auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
expiration: MjAyMC0wOS0xM1QwNDozOToxMFo=
token-id: NWVtaXRq
token-secret: a3E0Z2lodnN6emduMXAwcg==
usage-bootstrap-authentication: dHJ1ZQ==
usage-bootstrap-signing: dHJ1ZQ==

18
content/en/examples/secret/bootstrap-token-secret-literal.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Secret
metadata:
# Note how the Secret is named
name: bootstrap-token-5emitj
# A bootstrap token Secret usually resides in the kube-system namespace
namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
auth-extra-groups: "system:bootstrappers:kubeadm:default-node-token"
expiration: "2020-09-13T04:39:10Z"
# This token ID is used in the name
token-id: "5emitj"
token-secret: "kq4gihvszzgn1p0r"
# This token can be used for authentication
usage-bootstrap-authentication: "true"
# and it can be used for signing
usage-bootstrap-signing: "true"

8
content/en/examples/secret/dockercfg-secret.yaml Normal file
View File

@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: secret-dockercfg
type: kubernetes.io/dockercfg
data:
.dockercfg: |
eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUvdjEvIjp7ImF1dGgiOiJvcGVuc2VzYW1lIn19fQo=

27
content/en/examples/secret/dotfile-secret.yaml Normal file
View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Secret
metadata:
name: dotfile-secret
data:
.secret-file: dmFsdWUtMg0KDQo=
---
apiVersion: v1
kind: Pod
metadata:
name: secret-dotfiles-pod
spec:
volumes:
- name: secret-volume
secret:
secretName: dotfile-secret
containers:
- name: dotfile-test-container
image: registry.k8s.io/busybox
command:
- ls
- "-l"
- "/etc/secret-volume"
volumeMounts:
- name: secret-volume
readOnly: true
mountPath: "/etc/secret-volume"

17
content/en/examples/secret/optional-secret.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: foo
mountPath: "/etc/foo"
readOnly: true
volumes:
- name: foo
secret:
secretName: mysecret
optional: true

9
content/en/examples/secret/serviceaccount-token-secret.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: secret-sa-sample
annotations:
kubernetes.io/service-account.name: "sa-name"
type: kubernetes.io/service-account-token
data:
extra: YmFyCg==

9
content/en/examples/secret/ssh-auth-secret.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: secret-ssh-auth
type: kubernetes.io/ssh-auth
data:
# the data is abbreviated in this example
ssh-privatekey: |
UG91cmluZzYlRW1vdGljb24lU2N1YmE=

28
content/en/examples/secret/tls-auth-secret.yaml Normal file
View File

@ -0,0 +1,28 @@
apiVersion: v1
kind: Secret
metadata:
name: secret-tls
type: kubernetes.io/tls
data:
# values are base64 encoded, which obscures them but does NOT provide
# any useful level of confidentiality
tls.crt: |
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNVakNDQWJzQ0FnMytNQTBHQ1NxR1NJYjNE
UUVCQlFVQU1JR2JNUXN3Q1FZRFZRUUdFd0pLVURFT01Bd0cKQTFVRUNCTUZWRzlyZVc4eEVEQU9C
Z05WQkFjVEIwTm9kVzh0YTNVeEVUQVBCZ05WQkFvVENFWnlZVzVyTkVSRQpNUmd3RmdZRFZRUUxF
dzlYWldKRFpYSjBJRk4xY0hCdmNuUXhHREFXQmdOVkJBTVREMFp5WVc1ck5FUkVJRmRsCllpQkRR
VEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVjM1Z3Y0c5eWRFQm1jbUZ1YXpSa1pDNWpiMjB3SGhjTk1U
TXcKTVRFeE1EUTFNVE01V2hjTk1UZ3dNVEV3TURRMU1UTTVXakJMTVFzd0NRWURWUVFHREFKS1VE
RVBNQTBHQTFVRQpDQXdHWEZSdmEzbHZNUkV3RHdZRFZRUUtEQWhHY21GdWF6UkVSREVZTUJZR0Ex
VUVBd3dQZDNkM0xtVjRZVzF3CmJHVXVZMjl0TUlHYU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHSUFE
Q0JoQUo5WThFaUhmeHhNL25PbjJTbkkxWHgKRHdPdEJEVDFKRjBReTliMVlKanV2YjdjaTEwZjVN
Vm1UQllqMUZTVWZNOU1vejJDVVFZdW4yRFljV29IcFA4ZQpqSG1BUFVrNVd5cDJRN1ArMjh1bklI
QkphVGZlQ09PekZSUFY2MEdTWWUzNmFScG04L3dVVm16eGFLOGtCOWVaCmhPN3F1TjdtSWQxL2pW
cTNKODhDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQU1meTQzeE15OHh3QTUKVjF2T2NS
OEtyNWNaSXdtbFhCUU8xeFEzazlxSGtyNFlUY1JxTVQ5WjVKTm1rWHYxK2VSaGcwTi9WMW5NUTRZ
RgpnWXcxbnlESnBnOTduZUV4VzQyeXVlMFlHSDYyV1hYUUhyOVNVREgrRlowVnQvRGZsdklVTWRj
UUFEZjM4aU9zCjlQbG1kb3YrcE0vNCs5a1h5aDhSUEkzZXZ6OS9NQT09Ci0tLS0tRU5EIENFUlRJ
RklDQVRFLS0tLS0K
# In this example, the key data is not a real PEM-encoded private key
tls.key: |
RXhhbXBsZSBkYXRhIGZvciB0aGUgVExTIGNydCBmaWVsZA==