Kubernetes Secrets
- 2021 年 4 月 21 日
- 筆記
- Kubernetes, secrets, 对象
Secrets
背景信息
Kubernetes版本
[09:08:04 yhf@test ~]$ kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0", GitCommit:"c3dc785cf52536afd7b661728747292e848e74b7", GitTreeState:"clean", BuildDate:"2021-03-21T00:44:23Z", GoVersion:"go1.15.7", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0+f173eb4", GitCommit:"f173eb4a83e55734ee6808a1ed7674be9a4cd0bf", GitTreeState:"clean", BuildDate:"2021-02-11T22:10:37Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
定义
Secrets
是Kubernetes内置的资源对象,用于存储管理像密码、OAuth tokens、SSH Keys等敏感信息。Secrets
通过key-value对的形式将数据存储在data
或stringData
字段中。
注意:Secret中的数据是已base64编码格式存储的,对于具有访问API以及etcd权限的用户来说,其实相当于明文。用户可以对Secret启用REST加密以及配置RBAC访问策略进行限制。
概述
一个Pod可以通过以下3种方式使用Secret:
- Secret做为存储卷挂载到容器里面
- Secret中的数据可以做为容器的环境变量
- kubelet拉取镜像时使用Secret(针对Images Secret,拉取镜像时的认证信息)
Secret的name必须符合DNS Subdomain Names
RFC 1123的定义。
- 至多包含253字节
- 只能包含’小写字母或数字’,’-‘,’.’
- 以字母数字开头
- 以字母或数字结尾
Secret中的数据存放在data
或/和stringData
字段中,这两个字段是可选的,data
字段中的value需要使用base64编码,如果你不想使用base64编码,可以将你的内容存放到stringData
字段。data
和stringData
的key只能包含’字母或数字’,’-‘,’_’,’.’。stringData
中的内容在Kubernetes内部会merge到data
字段,如果有一个key同时出现在data
字段和stringData
字段,则优先使用stringData
字段的内容。
Secret的类型
创建Secret的时候,可以指定一个type
字段,该字段可以规范对Secret数据的处理。Kubernetes对一些场景提供了内置的类型。
Builtin Type | Usage |
---|---|
Opaque | arbitrary user-defined data(default) |
kubernetes.io/service-account-token | service account token |
kubernetes.io/dockercfg | serialized ~/.dockercfg file |
kubernetes.io/dockerconfigjson | serialized ~/.docker/config.json file |
kubernetes.io/basic-auth | credentials for basic authentication |
kubernetes.io/ssh-auth | credentials for SSH authentication |
kubernetes.io/tls | data for a TLS client or server |
bootstrap.kubernetes.io/token | bootstrap token data |
你也可以自己定义一个类型,填充到type
字段。
Opaque secrets
Opaque
是默认类型。
# Create a new secret named my-secret with keys for each file in folder bar
kubectl create secret generic my-secret --from-file=path/to/bar
# Create a new secret named my-secret with specified keys instead of names on disk
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa
--from-file=ssh-publickey=path/to/id_rsa.pub
# Create a new secret named my-secret with key1=supersecret and key2=topsecret
kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret
# Create a new secret named my-secret using a combination of a file and a literal
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret
# Create a new secret named my-secret from an env file
kubectl create secret generic my-secret --from-env-file=path/to/bar.env
kubectl create secret generic empty-secret
kubectl get secret empty-secret
Service account token Secrets
kubernetes.io/service-account-token
类型的secret用于保存ServiceAccount的token,想用这种类型的secret,需要添加kubernetes.io/service-account.name
注释。
apiVersion: v1
kind: Secret
metadata:
name: secret-sa-sample
annotations:
kubernetes.io/service-account.name: "sa-name"
type: kubernetes.io/service-account-token
data:
# You can include additional key value pairs as you do with Opaque Secrets
extra: YmFyCg==
当创建一个Pod的时候,Kubernetes自动为该Pod创建一个Service account token Secret,用于Pod内部访问Kubernetes API的认证权限。你可以查看Pod的automountServiceAccountToken
和serviceAccountName
字段查看相关Secret的名字。
Docker config Secrets
你可以使用以下2种中的任一种添加一个镜像仓库的认证信息
- kubernetes.io/dockercfg
- kubernetes.io/dockerconfigjson
使用kubernetes.io/dockercfg
类型的secret可以为老版本的docker命令行提供~/.dockercfg
文件,你必须在data
中将key设置为.dockercfg
。
使用kubernetes.io/dockerconfigjson
类型的secret可以提供~/.docker/config.json
文件,你必须在data
中将key设置为.dockerconfigjson
。
apiVersion: v1
kind: Secret
metadata:
name: secret-dockercfg
type: kubernetes.io/dockercfg
data:
.dockercfg: |
"<base64 encoded ~/.dockercfg file>"
如果你没有一个docker json格式的配置文件,或者用kubectl来创建这种secret,使用以下命令
kubectl create secret docker-registry secret-tiger-docker \
--docker-username=tiger \
--docker-password=pass113 \
[email protected]
该命令创建一个kubernetes.io/dockerconfigjson
类型的secret。
Basic authentication Secret
kubernetes.io/basic-auth
类型的secret提供基于用户密码的认证信息,data中需要包含username
和password
两个key。
apiVersion: v1
kind: Secret
metadata:
name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
username: admin
password: t0p-Secret
这种类型的secret也可以用Opaque
类型替代。
SSH authentication secrets
kubernetes.io/ssh-auth
类型的secret用于保存SSH认证秘钥对。
apiVersion: v1
kind: Secret
metadata:
name: secret-ssh-auth
type: kubernetes.io/ssh-auth
data:
# the data is abbreviated in this example
ssh-privatekey: |
MIIEpQIBAAKCAQEAulqb/Y ...
这种类型的secret也可以用Opaque
类型替代。使用这种类型的话,API Server会进行验证。
注意: 这样的SSH秘钥还需要像known_hosts文件才能访问。
TLS secrets
kubernetes.io/tls
类型的secret用于保存TLS证书,PEM格式。使用这种类型的secret,data中需要有tls.key
和tls.crt
两个key。
apiVersion: v1
kind: Secret
metadata:
name: secret-tls
type: kubernetes.io/tls
data:
# the data is abbreviated in this example
tls.crt: |
MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
tls.key: |
MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
这种类型的secret也可以用Opaque
类型替代。
使用kubectl命令创建tls类型的secret
kubectl create secret tls my-tls-secret \
--cert=path/to/cert/file \
--key=path/to/key/file
上面的两种方式中,数据中都不要包含PEM格式的首尾2行标识符(——–BEGIN CERTIFICATE—– and ——-END CERTIFICATE—-)。
Bootstrap token Secrets
bootstrap.kubernetes.io/token
类型的secret用于node bootstrap,它将token保存在固定格式的ConfigMap中。
这种类型的secret通常部署在kube-system
命名空间中,并且以bootstrap-token-<token-id>
格式命名,token-id
是6位字符串。
apiVersion: v1
kind: Secret
metadata:
name: bootstrap-token-5emitj
namespace: kube-system
type: bootstrap.kubernetes.io/token
data:
auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
expiration: MjAyMC0wOS0xM1QwNDozOToxMFo=
token-id: NWVtaXRq
token-secret: a3E0Z2lodnN6emduMXAwcg==
usage-bootstrap-authentication: dHJ1ZQ==
usage-bootstrap-signing: dHJ1ZQ==
- token-id: A random 6 character string as the token identifier. Required.
- token-secret: A random 16 character string as the actual token secret. Required.
- description: A human-readable string that describes what the token is used for. Optional.
- expiration: An absolute UTC time using RFC3339 specifying when the token should be expired. Optional.
- usage-bootstrap-
: A boolean flag indicating additional usage for the bootstrap token. - auth-extra-groups: A comma-separated list of group names that will be authenticated as in addition to the system:bootstrappers group.
apiVersion: v1
kind: Secret
metadata:
# Note how the Secret is named
name: bootstrap-token-5emitj
# A bootstrap token Secret usually resides in the kube-system namespace
namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
auth-extra-groups: "system:bootstrappers:kubeadm:default-node-token"
expiration: "2020-09-13T04:39:10Z"
# This token ID is used in the name
token-id: "5emitj"
token-secret: "kq4gihvszzgn1p0r"
# This token can be used for authentication
usage-bootstrap-authentication: "true"
# and it can be used for signing
usage-bootstrap-signing: "true"
创建Secret
kubectl命令创建
echo -n 'admin' > ./username.txt
echo -n '1f2d1e2e67df' > ./password.txt
注意:-n参数确保不会追加额外的换行符到文件中,否则base64编码的时候也会将换行符编译进去,可能会在使用的时候出现问题。
kubectl create secret generic db-user-pass \
--from-file=./username.txt \
--from-file=./password.txt
默认情况下key
即使文件名,你也可以指定key的名字,如下
kubectl create secret generic db-user-pass \
--from-file=username=./username.txt \
--from-file=password=./password.txt
--from-literal=<key>=<value>
可以直接指定key-value对。注意,像$
, \
, *
, =
, 以及!
等的特殊字符会被shell
给转义,因此需要将这些字符放到一个单引号中。如下
kubectl create secret generic dev-db-secret \
--from-literal=username=devuser \
--from-literal=password='S!B\*d$zDsb='
以下是验证secret的相关命令行
kubectl get secrets
kubectl describe secrets/db-user-pass
为了查看Secret中的数据,需要将data
中的内容解码。
kubectl get secret db-user-pass -o jsonpath='{.data}'
# base64解码
echo 'MWYyZDFlMmU2N2Rm' | base64 --decode
以下是在线修改Secret命令
kubectl edit secrets mysecret
删除Secret
kubectl delete secret db-user-pass
Config文件创建
首先创建一个YAML
或JSON
格式的Secret对象文件。data
字段中的value需要使用base64编码,stringData
字段的value则不需要。
base64编码如下
echo -n 'admin' | base64
echo -n '1f2d1e2e67df' | base64
注意:为了避免base64编码的时候出现不必要的换行符,base64命令在Darwin/macOS系统中不要带-b
参数,而在Linux环境中需要加上-w 0
,如果不支持-w参数,可以使用base64 | tr -d '\n'
去掉不必要的换行符。
然后可以创建一个Secret配置如下
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4=
password: MWYyZDFlMmU2N2Rm
在某些场景中,你可以不想或不能使用base64编码,而直接使用stringData
字段存储数据,但是在创建或更新Secret对象的时候,Kubernetes会自动将这些数据转换为base64格式。
这方面的一个实际示例可能是,您正在部署一个使用Secret存储配置文件的应用程序,并且希望在部署过程中填充该配置文件的部分内容。
比如,如果你的应该需要用到以下内容
apiUrl: "//my.api.com/api/v1"
username: "<user>"
password: "<password>"
你可以使用以下Secret配置
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
stringData:
config.yaml: |
apiUrl: "//my.api.com/api/v1"
username: <user>
password: <password>
前面也说了,如果一个key同时出现在data
和stringData
字段,则是以stringData
字段的数据为准。
创建了配置文件之后,就可以部署Secret对象了。
kubectl apply -f ./secret.yaml
Kustomize创建
首先创建Kustomization文件。你可以创建一个带secretGenerator
字段的kustomization.yaml
文件。
secretGenerator:
- name: db-user-pass
files:
- username.txt
- password.txt
其中username.txt
和password.txt
是关联的前期目录下的文件./username.txt
和./password.txt
。
你也可以在secretGenerator
直接定义Secret的key-value对。
secretGenerator:
- name: db-user-pass
literals:
- username=admin
- password=1f2d1e2e67df
文件创建好之后,就可以创建Secret对象了。
kubectl apply -k .
使用Secrets
Secrets可以当做数据卷或者环境变量挂载到Pod中的容器中使用,也可以当成其它系统的认证信息使用。比如,Secret可以当成外部系统存储认证信息的对象。
以文件形式挂载到Pod的容器中使用
- 创建一个Secret对象或使用已有的,多个Pod可以挂载同一个Secret。
- 在你的Pod申明
.spec.volumes[]
字段中添加一个Volume,name
是自定义的,但是.spec.volumes[].secret.secretName
必须是Secret对象的名字。 - 在Pod的容器申明中添加一个
.spec.containers[].volumeMounts[]
,指定.spec.containers[].volumeMounts[].readOnly = true
和一个未被使用的目录.spec.containers[].volumeMounts[].mountPath
。 - 更新部署Pod
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: foo
mountPath: "/etc/foo"
readOnly: true
volumes:
- name: foo
secret:
secretName: mysecret
将key映射到指定路径
以下配置表示mysecret
这个Secret对象中的keyusername
会被映射到容器的/etc/foo/my-group/my-username
文件。
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: foo
mountPath: "/etc/foo"
readOnly: true
volumes:
- name: foo
secret:
secretName: mysecret
items:
- key: username
path: my-group/my-username
Secret文件权限
你可以给挂载到容器里的Secret文件赋予相应的权限,默认是0644
。你也可以给整个Volume赋予一个权限,而不是给每个Secret文件赋权。
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: foo
mountPath: "/etc/foo"
volumes:
- name: foo
secret:
secretName: mysecret
defaultMode: 0400
注意:在json格式中不支持这种0400
八进制的数字,所以需要转换成十进制256
。如果是yaml格式可以支持八进制。
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: foo
mountPath: "/etc/foo"
volumes:
- name: foo
secret:
secretName: mysecret
items:
- key: username
path: my-group/my-username
mode: 0777
自动更新Secret Volume数据
当Secrets对象中的数据变化之后,挂载它的Pod的容器中的数据也会自动发生变化。Kubelet组件会定时去检测secret是否有更新。但是Kubelet会在本地保存一个secret数据的缓存,Kubelet检测的时候从缓存中比对数据是否有更新,所以检测的时候可能会因为缓存未更新而有延迟。Kubelet参数ConfigMapAndSecretChangeDetectionStrategy
配置检测的策略,可以配置策略有基于缓存的watch(默认)、基于TTL、直接从API server获取数据。因此,Secret更新周期是Kubelet的检测周期+缓存过期时间(等于watch延迟、TTL缓存时间、0)。
注意:如果Pod使用的subPath
,则自动更新策略失效。
以环境变量形式注入Pod的容器
- 创建一个Secret对象或使用已有的,多个Pod可以挂载同一个Secret。
- 新增Pod申明环境变量
env[].valueFrom.secretKeyRef
。 - 更新部署Pod
apiVersion: v1
kind: Pod
metadata:
name: secret-env-pod
spec:
containers:
- name: mycontainer
image: redis
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: mysecret
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password
restartPolicy: Never
注意:Secret数据更新时,注入到Pod容器中的环境变量不会因此更新。
不可变的Secrets
FEATURE STATE: Kubernetes v1.21 [stable]
Kubernetes的feature特性 Immutable Secrets and ConfigMaps
可以设置不可变的Secrets和ConfigMaps对象。可以ImmutableEphemeralVolumes
设置为true
打开该特性,从Kubernetes v1.19之后默认开启。
不可变的Secrets和ConfigMaps有以下好处:
- 防止数据意外修改。
- 关闭Kubelet对API server的watch,提升API性能。
apiVersion: v1
kind: Secret
metadata:
...
data:
...
immutable: true
Pod的imagePullSecrets
字段是kubelet用于拉取私有镜像的认证信息的Secret对象存储。
其它注意信息
- Secret对象需要在使用它的Pod之前创建,否则Pod无法启动。
- Pod不能夸namespace使用Secret。
- 单个Secret对象限制1MB大小,这是为了防止API server和Kubelet缓存占用内存太大。当然创建大量的小容量的Secret同样会消耗API server和Kubelet大量内存。
- Secret到容器后只可在该容器可见,该Pod所在的其它容器是不可见的。
使用示例
做为容器环境变量
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
USER_NAME: YWRtaW4=
PASSWORD: MWYyZDFlMmU2N2Rm
apiVersion: v1
kind: Pod
metadata:
name: secret-test-pod
spec:
containers:
- name: test-container
image: k8s.gcr.io/busybox
command: [ "/bin/sh", "-c", "env" ]
envFrom:
- secretRef:
name: mysecret
restartPolicy: Never
SSH keys
kubectl create secret generic ssh-key-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub
apiVersion: v1
kind: Pod
metadata:
name: secret-test-pod
labels:
name: secret-test
spec:
volumes:
- name: secret-volume
secret:
secretName: ssh-key-secret
containers:
- name: ssh-test-container
image: mySshImage
volumeMounts:
- name: secret-volume
readOnly: true
mountPath: "/etc/secret-volume"
最佳实践
- 你应该设置合理的RBAC以限制访问Secret。
- 不要
watch
或list
所有的Secrets,应该加上相应的标签或名称过滤。最好使用get
安全属性
- Secret做为挂载卷时会在主机上创建一个
tmpfs
文件系统的临时卷,主机的root
用户有权限查看。 - 使用Secret的Pod有权查看该Secret的数据。
- 你可以启用encryption at rest,这样Secrets数据存储在etcd中是加密的。
Encrypting Secret Data at Rest
条件
- etcd v3.0或以上版本
- FEATURE STATE: Kubernetes v1.13 [beta]
配置
首先配置kube-apiserver
进程参数--encryption-provider-config
。示例如下
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- identity: {}
- aesgcm:
keys:
- name: key1
secret: c2VjcmV0IGlzIHNlY3VyZQ==
- name: key2
secret: dGhpcyBpcyBwYXNzd29yZA==
- aescbc:
keys:
- name: key1
secret: c2VjcmV0IGlzIHNlY3VyZQ==
- name: key2
secret: dGhpcyBpcyBwYXNzd29yZA==
- secretbox:
keys:
- name: key1
secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
providers
是一个有序列表。加密的时候只有第一列有效,解密的时候会挨个尝试。
Name | Encryption | Strength | Speed | Key Length | Other Considerations |
---|---|---|---|---|---|
identity | None | N/A | N/A | N/A | Resources written as-is without encryption. When set as the first provider, the resource will be decrypted as new values are written. |
aescbc | AES-CBC with PKCS#7 padding | Strongest | Fast | 32-byte | The recommended choice for encryption at rest but may be slightly slower than secretbox. |
secretbox | XSalsa20 and Poly1305 | Strong | Faster | 32-byte | A newer standard and may not be considered acceptable in environments that require high levels of review. |
aesgcm | AES-GCM with random nonce | Must be rotated every 200k writes | Fastest | 16, 24, or 32-byte | Is not recommended for use except when an automated key rotation scheme is implemented. |
kms | Uses envelope encryption scheme: Data is encrypted by data encryption keys (DEKs) using AES-CBC with PKCS#7 padding, DEKs are encrypted by key encryption keys (KEKs) according to configuration in Key Management Service (KMS) | Strongest | Fast | 32-bytes | The recommended choice for using a third party tool for key management. Simplifies key rotation, with a new DEK generated for each encryption, and KEK rotation controlled by the user. Configure the KMS provider |
每一种provider支持多种keys。
示例
加密数据配置,第一个provider会被用来加密etcd数据。
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: <BASE 64 ENCODED SECRET>
- identity: {}
根据以下步骤创建一个新Secret:
head -c 32 /dev/urandom | base64
- 将第1步获得的key填充到上面的
secret
字段中。 --encryption-provider-config
指定为上面的EncryptionConfiguration。- 重启
kube-apiserver
。
验证
配置完成后,所有新创建或者更新的Secrets对象都会以加密方式存储。
kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
ETCDCTL_API=3 etcdctl get /registry/secrets/default/secret1 [...] | hexdump -C
# [...]是连接etcd的其它参数。
看到数据以k8s:enc:aescbc:v1:
开头的时候就是加密的了。
确保所有Secrets都是加密存储
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
参考文档
//kubernetes.io/docs/concepts/configuration/secret/
//kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/
//kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kustomize/
//kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-config-file/
//github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/secrets.md
//kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#secret-v1-core
//kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
//kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
//kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#secret-v1-core
附录
Secret命令帮助
[08:43:55 yhf@test ~]$ kubectl create secret generic --help
Create a secret based on a file, directory, or specified literal value.
A single secret may package one or more key/value pairs.
When creating a secret based on a file, the key will default to the basename of the file, and the value will default to
the file content. If the basename is an invalid key or you wish to chose your own, you may specify an alternate key.
When creating a secret based on a directory, each file whose basename is a valid key in the directory will be packaged
into the secret. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes,
etc).
Examples:
# Create a new secret named my-secret with keys for each file in folder bar
kubectl create secret generic my-secret --from-file=path/to/bar
# Create a new secret named my-secret with specified keys instead of names on disk
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa
--from-file=ssh-publickey=path/to/id_rsa.pub
# Create a new secret named my-secret with key1=supersecret and key2=topsecret
kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret
# Create a new secret named my-secret using a combination of a file and a literal
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret
# Create a new secret named my-secret from an env file
kubectl create secret generic my-secret --from-env-file=path/to/bar.env
Options:
--allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in
the template. Only applies to golang and jsonpath output formats.
--append-hash=false: Append a hash of the secret to its name.
--dry-run='none': Must be "none", "server", or "client". If client strategy, only print the object that would be
sent, without sending it. If server strategy, submit server-side request without persisting the resource.
--field-manager='kubectl-create': Name of the manager used to track field ownership.
--from-env-file='': Specify the path to a file to read lines of key=val pairs to create a secret (i.e. a Docker
.env file).
--from-file=[]: Key files can be specified using their file path, in which case a default name will be given to
them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will
iterate each named file in the directory that is a valid secret key.
--from-literal=[]: Specify a key and literal value to insert in secret (i.e. mykey=somevalue)
-o, --output='': Output format. One of:
json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.
--save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the
annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
--template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The
template format is golang templates [//golang.org/pkg/text/template/#pkg-overview].
--type='': The type of secret to create
--validate=true: If true, use a schema to validate the input before sending it
Usage:
kubectl create secret generic NAME [--type=string] [--from-file=[key=]source] [--from-literal=key1=value1]
[--dry-run=server|client|none] [options]
Use "kubectl options" for a list of global command-line options (applies to all commands).
[08:44:23 yhf@test ~]$ kubectl create secret tls --help
Create a TLS secret from the given public/private key pair.
The public/private key pair must exist before hand. The public key certificate must be .PEM encoded and match the given
private key.
Examples:
# Create a new TLS secret named tls-secret with the given key pair:
kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
Options:
--allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in
the template. Only applies to golang and jsonpath output formats.
--append-hash=false: Append a hash of the secret to its name.
--cert='': Path to PEM encoded public key certificate.
--dry-run='none': Must be "none", "server", or "client". If client strategy, only print the object that would be
sent, without sending it. If server strategy, submit server-side request without persisting the resource.
--field-manager='kubectl-create': Name of the manager used to track field ownership.
--key='': Path to private key associated with given certificate.
-o, --output='': Output format. One of:
json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.
--save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the
annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
--template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The
template format is golang templates [//golang.org/pkg/text/template/#pkg-overview].
--validate=true: If true, use a schema to validate the input before sending it
Usage:
kubectl create secret tls NAME --cert=path/to/cert/file --key=path/to/key/file [--dry-run=server|client|none]
[options]
Use "kubectl options" for a list of global command-line options (applies to all commands).
[08:45:04 yhf@test ~]$ kubectl create secret docker-registry --help
Create a new secret for use with Docker registries.
Dockercfg secrets are used to authenticate against Docker registries.
When using the Docker command line to push images, you can authenticate to a given registry by running:
'$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.
That produces a ~/.dockercfg file that is used by subsequent 'docker push' and 'docker pull' commands to authenticate
to the registry. The email address is optional.
When creating applications, you may have a Docker registry that requires authentication. In order for the
nodes to pull images on your behalf, they have to have the credentials. You can provide this information
by creating a dockercfg secret and attaching it to your service account.
Examples:
# If you don't already have a .dockercfg file, you can create a dockercfg secret directly by using:
kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER
--docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
Options:
--allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in
the template. Only applies to golang and jsonpath output formats.
--append-hash=false: Append a hash of the secret to its name.
--docker-email='': Email for Docker registry
--docker-password='': Password for Docker registry authentication
--docker-server='//index.docker.io/v1/': Server location for Docker registry
--docker-username='': Username for Docker registry authentication
--dry-run='none': Must be "none", "server", or "client". If client strategy, only print the object that would be
sent, without sending it. If server strategy, submit server-side request without persisting the resource.
--field-manager='kubectl-create': Name of the manager used to track field ownership.
--from-file=[]: Key files can be specified using their file path, in which case a default name will be given to
them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will
iterate each named file in the directory that is a valid secret key.
-o, --output='': Output format. One of:
json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.
--save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the
annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
--template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The
template format is golang templates [//golang.org/pkg/text/template/#pkg-overview].
--validate=true: If true, use a schema to validate the input before sending it
Usage:
kubectl create secret docker-registry NAME --docker-username=user --docker-password=password --docker-email=email
[--docker-server=string] [--from-literal=key1=value1] [--dry-run=server|client|none] [options]
Use "kubectl options" for a list of global command-line options (applies to all commands).