如何解决如何阅读牧场主的秘密?
我正在使用牧场主,并且使用牧场主的GUI设置了一个秘密。我试图使我的应用程序读取此机密。假设这个秘密叫做pass,我想读一下。被docker所知,我编写了以下代码:
readDockerSecret: function(secretName) {
return fs.readFileSync(`/run/secrets/${secretName}`,'utf8');
}
// code
// read secret
try {
var secretName = "pass";
var pass = utils.readDockerSecret(pass);
} catch (err) {
if (err.code !== 'ENOENT') {
logger.error(`An error occurred while trying to read the secret: ${secretName}. Err: ${err}`);
} else {
logger.debug(`Could not find the secret: ${secretName}. Err: ${err}`);
}
}
但是当我在牧场主中使用它时,它永远找不到秘密。在GUI的rancher shell中,我可以看到我有以下异端:
ls -la /run/secrets
total 0
drwxr-xr-x 1 root root 27 Aug 10 11:02 .
drwxr-xr-x 1 root root 21 Aug 10 10:53 ..
drwxr-xr-x 2 root root 40 Aug 10 11:02 credentials.d
drwxr-xr-x 3 root root 28 Aug 10 11:02 kubernetes.io
credentials.d为空。但是kubernetes.io包含:
/run/secrets/kubernetes.io
total 0
drwxr-xr-x 3 root root 28 Aug 10 11:02 .
drwxr-xr-x 1 root root 27 Aug 10 11:02 ..
drwxrwxrwt 3 root root 140 Aug 10 11:02 serviceaccount
ls -la /run/secrets/kubernetes.io/serviceaccount/
total 0
drwxrwxrwt 3 root root 140 Aug 10 11:02 .
drwxr-xr-x 3 root root 28 Aug 10 11:02 ..
drwxr-xr-x 2 root root 100 Aug 10 11:02 ..2020_08_10_11_02_18.157580662
lrwxrwxrwx 1 root root 31 Aug 10 11:02 ..data -> ..2020_08_10_11_02_18.157580662
lrwxrwxrwx 1 root root 13 Aug 10 11:02 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Aug 10 11:02 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Aug 10 11:02 token -> ..data/token
pass在任何地方都没有符号。也尝试过grep,但没有任何运气。我应该如何看待牧场主的秘密?
编辑:屏幕截图:
在Yaml中,我们有:
spec:
containers:
- envFrom:
- prefix: pass
secretRef:
name: pass
optional: false
image: <image-url>
imagePullPolicy: Always
name: <app-name>
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: false
stdin: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
tty: true
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: pass
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
status:
解决方法
要能够从Pod内部使用机密,首先需要将该机密作为环境变量或文件“装载”到Pod中。 secrets docs详细描述了该操作。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。