Creating ssh secrets key file in kubernetes

The official Kubernetes docs for secrets cover this exact use-case.

To create the secret, use:

$ kubectl create secret generic my-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub

To mount the secret in your containers, use the following Pod config:

{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "secret-test-pod",
    "labels": {
      "name": "secret-test"
    }
  },
  "spec": {
    "volumes": [
      {
        "name": "secret-volume",
        "secret": {
          "secretName": "my-secret"
        }
      }
    ],
    "containers": [
      {
        "name": "ssh-test-container",
        "image": "mySshImage",
        "volumeMounts": [
          {
            "name": "secret-volume",
            "readOnly": true,
            "mountPath": "/etc/secret-volume"
          }
        ]
      }
    ]
  }
}

Kubernetes doesn't actually have a way to control file permissions for a secret as of now, but a recent Pull Request did add support for changing the path of secrets. This support was added with 1.3 as per this comment.

Here are the permissions-related GitHub issues:

  • https://github.com/kubernetes/kubernetes/issues/4789
  • https://github.com/kubernetes/kubernetes/issues/28317

Since kubernetes-1.4 things got simpler. Here's my take on how to improve the official Kubernetes howto.

To create the secret, use:

kubectl create secret generic ssh-keys --from-file=id_rsa=/path/to/.ssh/id_rsa --from-file=id_rsa.pub=/path/to/.ssh/id_rsa.pub

To mount the secret in your containers, use the following Pod config:

apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
  labels:
    name: secret-test
spec:
  volumes:
  - name: ssh-keys-v
    secret:
      secretName: ssh-keys
      # octal in YAML; a JSON manifest has no octal literals and needs the decimal 384
      defaultMode: 0600
  containers:
  - name: ssh-test-container
    image: mySshImage
    volumeMounts:
    - name: ssh-keys-v
      readOnly: true
      # container will see /root/.ssh/id_rsa as usual:
      mountPath: "/root/.ssh"

Also nitpick: the id_rsa.pub is hardly ever used, I wouldn't bother to secretize it until required.
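Two small helpers that go with the answers above (added example, not part of either answer): one renders the same Secret that `kubectl create secret generic` would, so the manifest can be inspected before it is applied, and one converts the octal `defaultMode` used in the YAML Pod spec into the decimal value a JSON Pod spec like the first answer's requires. The secret and key names are caller-supplied; the key file content in the test is constructed and is not a real key.

```shell
#!/bin/sh
# Added example: build a Secret manifest for an SSH key file without kubectl,
# decode it back for verification, and convert octal file modes to decimal.
set -eu

# Render a v1 Secret holding one file under the given data key.
# Arguments: secret name, data key (e.g. id_rsa), path to the key file.
make_ssh_secret_manifest() {
  name=$1; key=$2; file=$3
  # Secret .data values are base64; strip the wrapping newlines base64 emits.
  b64=$(base64 < "$file" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$name" "$key" "$b64"
}

# Read a manifest on stdin and print the decoded value of one data key,
# which is exactly what the container will see in the mounted file.
decode_secret_key() {
  key=$1
  grep "^  $key: " | sed "s/^  $key: //" | base64 -d
}

# YAML accepts 0600 as octal; JSON manifests need the decimal form (0600 -> 384).
# Shell arithmetic treats a leading 0 as octal, so $(( )) does the conversion.
octal_to_decimal() {
  echo "$(( $1 ))"
}

# Usage (writes the manifest to stdout; apply it with kubectl when ready):
#   make_ssh_secret_manifest ssh-keys id_rsa "$HOME/.ssh/id_rsa"
#   octal_to_decimal 0600   # prints 384
```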

Tags: ssh, kubernetes