Creating ssh secrets key file in kubernetes
The official Kubernetes docs for secrets cover this exact use-case.
To create the secret, use:
$ kubectl create secret generic my-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub
To mount the secret in your containers, use the following Pod config:
{
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "secret-test-pod",
"labels": {
"name": "secret-test"
}
},
"spec": {
"volumes": [
{
"name": "secret-volume",
"secret": {
"secretName": "my-secret"
}
}
],
"containers": [
{
"name": "ssh-test-container",
"image": "mySshImage",
"volumeMounts": [
{
"name": "secret-volume",
"readOnly": true,
"mountPath": "/etc/secret-volume"
}
]
}
]
}
}
Kubernetes doesn't actually have a way to control file permissions for a secret as of now, but a recent Pull Request did add support for changing the path of secrets. This support was added with 1.3 as per this comment
Here are the permissions related Github Issues:
- https://github.com/kubernetes/kubernetes/issues/4789
- https://github.com/kubernetes/kubernetes/issues/28317
Since kubernetes-1.4 things got simpler. Here's my take how to improve the official Kubernetes howto.
To create the secret, use:
kubectl create secret generic ssh-keys --from-file=id_rsa=/path/to/.ssh/id_rsa --from-file=id_rsa.pub=/path/to/.ssh/id_rsa.pub
To mount the secret in your containers, use the following Pod config:
apiVersion: v1
kind: Pod
metadata:
name: secret-test-pod
labels:
name: secret-test
spec:
volumes:
- name: ssh-keys-v
secret:
secretName: ssh-keys
defaultMode: 0600
containers:
- name: ssh-test-container
image: mySshImage
volumeMounts:
- name: ssh-keys-v
readOnly: true
# container will see /root/.ssh/id_rsa as usual:
mountPath: "/root/.ssh"
Also nitpick: the id_rsa.pub is hardly ever used, I wouldn't bother to secretize it until required.