I am reading Core Kubernetes by Vyas and Love. Section 8.3.1 has the following 2 yaml files. Let's call them secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  val1: YXNkZgo=
  val2: YXNkZjIK
stringData:
  val1: asdf

and secret-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: mysecretpod
spec:
  containers:
  - name: mypod
    image: nginx
    volumeMounts:
    - name: myval
      mountPath: /etc/myval
      readOnly: true
  volumes:
  - name: myval
    secret:
      secretName: val1

When I run kubectl apply -f secret-pod.yaml, it errors out. With describe, I can see:

Events:
  Type     Reason       Age              From               Message
  ----     ------       ----             ----               -------
  Normal   Scheduled    3s               default-scheduler  Successfully assigned default/mysecretpod to minikube
  Warning  FailedMount  0s (x4 over 3s)  kubelet            MountVolume.SetUp failed for volume "myval" : secret "val1" not found

That kind of makes sense. With kubectl get secrets, I can only see the following:

NAME                  TYPE                                  DATA   AGE
default-token-vhllg   kubernetes.io/service-account-token   3      5d3h
mysecret              Opaque                                2      19m

So I made the following change to secret-pod.yaml:

  volumes:
  - name: myval
    secret:
      secretName: mysecret

This makes kubectl happy, and it immediately creates mysecretpod without any problem. However, looking inside the pod with kubectl exec -it mysecretpod -- ls -l /etc/myval, I get:

total 0
lrwxrwxrwx 1 root root 11 Dec 12 08:08 val1 -> ..data/val1
lrwxrwxrwx 1 root root 11 Dec 12 08:08 val2 -> ..data/val2
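
So the contents of mysecret are loaded into that folder, with val1 and val2 as files. I think the author intended to mount val1 as the file /etc/myval in that pod. How should secret-pod.yaml be written to achieve that? I tried this, but it failed:

  volumes:
  - name: myval
    secret:
      secretName: mysecret/val1

Also, why do I see the extra -> ..data/val... on both val1 and val2? What are they?
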
So, to make it work, secret-pod.yaml must specify subPath as follows:

apiVersion: v1
kind: Pod
metadata:
  name: mysecretpod
spec:
  containers:
  - name: mypod
    image: nginx
    volumeMounts:
    - name: myval
      mountPath: /etc/myval
      subPath: myval
      readOnly: true
  volumes:
  - name: myval
    secret:
      secretName: mysecret
      items:
      - key: val1
        path: myval
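
A simplified model of how each `volumes[].secret` stanza tried above resolves against mysecret, added here as an illustration (not code from the book or from Kubernetes). The function names are made up for this example, and the manifests are re-typed as Python dicts.

```python
import base64

# Constructed from secret.yaml on this page, re-typed as a Python dict.
SECRETS = {
    "mysecret": {
        "data": {"val1": "YXNkZgo=", "val2": "YXNkZjIK"},
        "stringData": {"val1": "asdf"},
    }
}

def effective_data(secret):
    """Decode base64 `data`, then overlay `stringData`, which wins on key clashes."""
    merged = {k: base64.b64decode(v) for k, v in secret.get("data", {}).items()}
    merged.update({k: v.encode() for k, v in secret.get("stringData", {}).items()})
    return merged

def project(volume_secret, secrets=SECRETS):
    """Return {relative path: bytes} for a pod's `volumes[].secret` stanza."""
    name = volume_secret["secretName"]
    if name not in secrets:
        # secretName is the Secret object's name, never a key or a name/key path.
        raise LookupError(f'secret "{name}" not found')
    data = effective_data(secrets[name])
    items = volume_secret.get("items")
    if items is None:
        return dict(data)  # no items: every key becomes a file named after the key
    files = {}
    for item in items:
        if item["key"] not in data:
            raise KeyError(f'key "{item["key"]}" not in secret "{name}"')
        files[item["path"]] = data[item["key"]]  # only listed keys, at their path
    return files

def mounted_file(volume_secret, sub_path):
    """What a volumeMount with subPath sees: the one projected file at that path."""
    return project(volume_secret)[sub_path]

if __name__ == "__main__":
    attempts = ({"secretName": "val1"}, {"secretName": "mysecret"},
                {"secretName": "mysecret/val1"},
                {"secretName": "mysecret", "items": [{"key": "val1", "path": "myval"}]})
    for spec in attempts:
        try:
            print(spec, "->", project(spec))
        except LookupError as exc:
            print(spec, "->", exc)
```

The merged val1 is the stringData value without a trailing newline, whereas the base64 entry under data decodes to the same text followed by a newline.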