github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-06 18:54:06 +00:00
Code Issues Projects Releases Wiki Activity

Add docs about dotfiles in secret volumes

Browse Source
This commit is contained in:
Paul Morie 2016-01-30 09:51:25 -05:00
parent 34f4a03f62
commit c2063833f2
1 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
docs/user-guide/secrets.md
View File

@ -57,6 +57,7 @@ a docker image. See [Secrets design document](../design/secrets.md) for more inf
- [Use cases](#use-cases) - [Use cases](#use-cases)
- [Use-Case: Pod with ssh keys](#use-case-pod-with-ssh-keys) - [Use-Case: Pod with ssh keys](#use-case-pod-with-ssh-keys)
- [Use-Case: Pods with prod / test credentials](#use-case-pods-with-prod--test-credentials) - [Use-Case: Pods with prod / test credentials](#use-case-pods-with-prod--test-credentials)
- [Use-case: Dotfiles in secret volume](#use-case-dotfiles-in-secret-volume)
- [Use-case: Secret visible to one container in a pod](#use-case-secret-visible-to-one-container-in-a-pod) - [Use-case: Secret visible to one container in a pod](#use-case-secret-visible-to-one-container-in-a-pod)
- [Security Properties](#security-properties) - [Security Properties](#security-properties)
- [Protections](#protections) - [Protections](#protections)
@ -473,6 +474,67 @@ one called, say, `prod-user` with the `prod-db-secret`, and one called, say,
} }
``` ```
### Use-case: Dotfiles in secret volume
In order to make piece of data 'hidden' (ie, in a file whose name begins with a dot character), simply
make that key begin with a dot. For example, when the following secret secret is mounted into a volume:
```json
{
"kind": "Secret",
"apiVersion": "v1",
"metadata": {
"name": "dotfile-secret"
},
"data": {
".secret-file": "dmFsdWUtMg0KDQo=",
}
}
{
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "secret-dotfiles-pod",
},
"spec": {
"volumes": [
{
"name": "secret-volume",
"secret": {
"secretName": "dotfile-secret"
}
}
],
"containers": [
{
"name": "dotfile-test-container",
"image": "gcr.io/google_containers/busybox",
"command": "ls -l /etc/secret-volume"
"volumeMounts": [
{
"name": "secret-volume",
"readOnly": true,
"mountPath": "/etc/secret-volume"
}
]
}
]
}
}
```
The `secret-volume` will contain a single file, called `.secret-file`, and
the `dotfile-test-container` will have this file present at the path
`/etc/secret-volume/.secret-file`.
**NOTE**
Files beginning with dot characters are hidden from the output of `ls -l`;
you must use `ls -la` to see them when listing directory contents.
### Use-case: Secret visible to one container in a pod ### Use-case: Secret visible to one container in a pod
<a name="use-case-two-containers"></a> <a name="use-case-two-containers"></a>