我想知道 kubectl 是否提供了一种简单的方法来列出某个 pod/deployment/statefulset 正在使用的所有 secret ,或者是否有某种方法可以干净地检索此信息。当为 Pod 执行 kubectl 描述时,我发现我可以获得已安装卷的列表,其中包括来 self 可以使用 jq 等提取的 secret 的卷,但是这种方式感觉有点笨拙。我一直在寻找一点结果没有结果。你知道周围有没有类似的东西吗?也许直接使用 API?
最佳答案
致List all Secrets当前由 pod 使用:
kubectl get pods -o json | jq '.items[].spec.containers[].env[]?.valueFrom.secretKeyRef.name' | grep -v null | sort | uniq
另一方面,如果您想访问 API 中存储的 secret :
Kubernetes Secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd. Additionally, anyone who is authorized to create a Pod in a namespace can use that in order to safely use Secrets, take at least the following steps:
- Enable Encryption at Rest for Secrets.
- Enable or configure RBAC rules that restrict reading data in Secrets (including via indirect means).
- Where appropriate, also use mechanisms such as RBAC to limit which principals are allowed to create new Secrets or replace existing
ones.access to read any Secret in that namespace; this includes
indirect access such as the ability to create a Deployment.
如果您想了解有关 kubernetes 中 secret 的更多信息,follow this link.
关于kubernetes - 列出 K8s 中某些 pod 使用的 Secret,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/69978994/