If I create a secret from an id_rsa file using kubectl as:
kubectl create secret generic hcom-secret --from-file=ssh-privatekey=./.ssh/id_rsa
And then mount the secret into the container
"volumeMounts": [
  {"name": "cfg", "readOnly": false, "mountPath": "/home/hcom/.ssh"}
]
"volumes": [
  {"name": "cfg", "secret": { "secretName": "hcom-secret" }}
],
The resultant file is not id_rsa but ssh-privatekey, and the permissions on it are not 600, which ssh expects.
Is this a correct approach, or can anyone please detail how this should be done?
The official Kubernetes docs for secrets cover this exact use-case.
To create the secret, use:
$ kubectl create secret generic my-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub
To mount the secret in your containers, use the following Pod config:
{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "secret-test-pod",
    "labels": {
      "name": "secret-test"
    }
  },
  "spec": {
    "volumes": [
      {
        "name": "secret-volume",
        "secret": {
          "secretName": "my-secret"
        }
      }
    ],
    "containers": [
      {
        "name": "ssh-test-container",
        "image": "mySshImage",
        "volumeMounts": [
          {
            "name": "secret-volume",
            "readOnly": true,
            "mountPath": "/etc/secret-volume"
          }
        ]
      }
    ]
  }
}
Kubernetes doesn't actually have a way to control file permissions for a secret as of now, but a recent Pull Request did add support for changing the path of secrets. This support was added with 1.3, as per this comment.
Here are the permissions-related GitHub issues:
Since kubernetes-1.4 things got simpler. Here's my take on how to improve the official Kubernetes howto.
To create the secret, use:
kubectl create secret generic ssh-keys --from-file=id_rsa=/path/to/.ssh/id_rsa --from-file=id_rsa.pub=/path/to/.ssh/id_rsa.pub
To mount the secret in your containers, use the following Pod config:
apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
  labels:
    name: secret-test
spec:
  volumes:
  - name: ssh-keys-v
    secret:
      secretName: ssh-keys
      defaultMode: 0600
  containers:
  - name: ssh-test-container
    image: mySshImage
    volumeMounts:
    - name: ssh-keys-v
      readOnly: true
      # container will see /root/.ssh/id_rsa as usual:
      mountPath: "/root/.ssh"
Also, a nitpick: the id_rsa.pub is hardly ever used; I wouldn't bother to secretize it until required.
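An added example, not code from the question or from either answer, that ties the two answers together: it renders the Secret manifest the kubectl --from-file command would produce, renders a Pod spec that uses items[].path (the path-mapping feature the first answer refers to) to expose the ssh-privatekey key as id_rsa and defaultMode to set the mode, converts an octal mode to the decimal a JSON pod spec needs, and runs the same check ssh applies to a private key's permissions. The secret name hcom-secret, the mount path and the throwaway key file are constructed for the demo; it assumes GNU coreutils (base64, stat) and needs no cluster.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. Assumes GNU
# coreutils (base64, stat); nothing here talks to a cluster.
set -eu

# YAML reads 0600 as octal, but a JSON pod spec (like the first answer's) has
# no octal literals, so defaultMode must be written in decimal: 0600 -> 384.
mode_to_decimal() {
    echo $((0$1))
}

# Equivalent of `kubectl create secret generic <name> --from-file=ssh-privatekey=<file>`,
# rendered as a manifest so it can be reviewed; $1 = secret name, $2 = key file.
secret_manifest() {
    key_b64=$(base64 < "$2" | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  ssh-privatekey: $key_b64
EOF
}

# Pod spec that mounts the key under the name ssh expects: items[].path renames
# the ssh-privatekey key to id_rsa, defaultMode sets the file mode.
# $1 = secret name, $2 = mount path (the directory ssh will look in).
pod_manifest() {
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ssh-key-test
spec:
  containers:
  - name: ssh-test-container
    image: mySshImage
    volumeMounts:
    - name: ssh-key
      readOnly: true
      mountPath: $2
  volumes:
  - name: ssh-key
    secret:
      secretName: $1
      defaultMode: 0600
      items:
      - key: ssh-privatekey
        path: id_rsa
EOF
}

# ssh refuses a private key whose group or other bits are set (mode & 077 != 0).
# Returns 0 when the file would be accepted, 1 when ssh would reject it.
check_key_perms() {
    mode=$(stat -c '%a' "$1")
    if [ $((0$mode & 077)) -ne 0 ]; then
        echo "reject: $1 has mode $mode (group/other bits set)" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed throwaway file standing in for id_rsa (not a real key).
demo_dir=$(mktemp -d)
printf 'constructed-placeholder-not-a-real-key\n' > "$demo_dir/id_rsa"
chmod 600 "$demo_dir/id_rsa"
secret_manifest hcom-secret "$demo_dir/id_rsa"
pod_manifest hcom-secret /home/hcom/.ssh
check_key_perms "$demo_dir/id_rsa" && echo "mode ok: $demo_dir/id_rsa"
echo "defaultMode 0600 in a JSON spec: $(mode_to_decimal 0600)"
rm -rf "$demo_dir"
```

Two things defaultMode does not fix: in a JSON pod spec it has to be the decimal value (384 for 0600, 256 for 0400), and it sets the mode but not the owner. The files in a secret volume belong to root, so a container that runs as a non-root user such as hcom in the question still cannot read a 0600 key from that mount; the usual pattern there is an init container that copies the key into a writable emptyDir and chowns it to that user.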