List secrets used by certain pod in K8s
I would like to know whether kubectl offers a simple way to list all the secrets that a given pod/deployment/statefulset is using, or whether there is some way to retrieve this information cleanly. When running kubectl describe on a pod, I see that I can get the list of mounted volumes, including volumes that come from secrets, which I could extract with jq or similar, but that approach feels somewhat clumsy. I have searched without success. Do you know whether anything like this exists? Maybe by using the API directly?
To list all Secrets currently being used by pods:
kubectl get pods -o json | jq '.items[].spec.containers[].env[]?.valueFrom.secretKeyRef.name' | grep -v null | sort | uniq
On the other hand, if you want to access the secrets stored in the API:
Kubernetes Secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd. Additionally, anyone who is authorized to create a Pod in a namespace can use that access to read any Secret in that namespace; this includes indirect access such as the ability to create a Deployment.
In order to safely use Secrets, take at least the following steps:
- Enable Encryption at Rest for Secrets.
- Enable or configure RBAC rules that restrict reading data in Secrets (including via indirect means).
- Where appropriate, also use mechanisms such as RBAC to limit which principals are allowed to create new Secrets or replace existing ones.
If you want to learn more about Kubernetes secrets, follow this link.
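The jq one-liner in the answer above only looks at env secretKeyRef entries; a pod can also pull Secrets in through envFrom, secret volumes, projected volume sources and imagePullSecrets. The following is an added example (not code from the original question or answer) that walks the same `kubectl get pods -o json` structure and collects every Secret name a pod references; the PodList document embedded here is constructed sample data, not output from a real cluster.

```python
import json

# Constructed sample of `kubectl get pods -o json` output (not real cluster data);
# it exercises every place a pod spec can name a Secret.
SAMPLE_PODS_JSON = json.dumps({"items": [{
    "metadata": {"name": "web-0", "namespace": "shop"},
    "spec": {
        "imagePullSecrets": [{"name": "registry-creds"}],
        "initContainers": [{"name": "init", "env": [
            {"name": "TOKEN", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "token"}}}]}],
        "containers": [{"name": "web",
            "env": [{"name": "LOG_LEVEL", "value": "info"},
                    {"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
            "envFrom": [{"secretRef": {"name": "app-env"}}, {"configMapRef": {"name": "app-cm"}}]}],
        "volumes": [
            {"name": "tls", "secret": {"secretName": "web-tls"}},
            {"name": "bundle", "projected": {"sources": [{"secret": {"name": "ca-bundle"}},
                                                          {"configMap": {"name": "app-cm"}}]}},
            {"name": "scratch", "emptyDir": {}}]}}]})


def secrets_for_pod(pod):
    """Return the sorted, de-duplicated Secret names a single pod references."""
    spec = pod.get("spec", {})
    found = set()
    for ref in spec.get("imagePullSecrets") or []:           # spec.imagePullSecrets
        found.add(ref["name"])
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers + (spec.get("ephemeralContainers") or []):
        for env in c.get("env") or []:                       # env[].valueFrom.secretKeyRef
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                found.add(ref["name"])
        for src in c.get("envFrom") or []:                   # envFrom[].secretRef
            if "secretRef" in src:
                found.add(src["secretRef"]["name"])
    for vol in spec.get("volumes") or []:
        if "secret" in vol:                                  # secret volume
            found.add(vol["secret"]["secretName"])
        for src in (vol.get("projected") or {}).get("sources") or []:
            if "secret" in src:                              # projected volume source
                found.add(src["secret"]["name"])
    return sorted(found)


def secrets_by_pod(pod_list_json):
    """Map 'namespace/pod' -> referenced Secret names for a whole PodList JSON document."""
    return {f"{p['metadata']['namespace']}/{p['metadata']['name']}": secrets_for_pod(p)
            for p in json.loads(pod_list_json)["items"]}
```

Feed it real output with `secrets_by_pod(open("pods.json").read())` after `kubectl get pods -A -o json > pods.json`; the per-pod result is what an RBAC review needs to see which workloads can read which Secrets.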