GKE-Kubernetes Secrets
1 min read · Apr 18, 2024
Secrets, Volumes, VolumeMounts
A Kubernetes Secret that stores a GCP service account key for a workload running on GKE. The value under data is base64 encoded, not encrypted: anyone who can read the Secret object (for example with kubectl get secret -o yaml, or by reading the backing etcd) can decode the key in one step. Restrict read access to the Secret with RBAC and enable encryption of Secrets at rest (on GKE, application-layer secrets encryption with Cloud KMS).
---secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: appname-name
  namespace: app-namespace
type: Opaque
data:
  serviceAccountGKECredentials: 'InNlcnZpewogICJ0eXBlIjogInNlcnZp'
serviceAccountGKECredentials: This line defines a key named serviceAccountGKECredentials and assigns it the base64 encoding of the key file's raw bytes (the value shown here is a truncated placeholder, not a complete key). For a real key file, let kubectl create secret generic with --from-file do the encoding, or put the plain JSON under stringData instead of data and the API server encodes it for you; hand-encoding with a line-wrapping base64 tool produces a value the API server rejects.
The Deployment creates the pods and defines their configuration: image, resources, environment variables and security contexts. It mounts the Secret as a volume, which places the GCP IAM service account key on the container's filesystem. On GKE this is the fallback approach; the recommended one is Workload Identity, which binds the Kubernetes ServiceAccount named in serviceAccountName to a GCP service account so that no long-lived key file exists to leak.
---deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: appname-name
  namespace: app-namespace
  labels:
    ...
spec:
  replicas: 1
  selector:
    matchLabels:
      app: appname-name
      release: ...
  template:
    metadata:
      annotations:
        ...
      labels:
        app: appname-name
        release: ...
    spec:
      imagePullSecrets:
        ...
      # ServiceAccount names must be lowercase DNS-subdomain names; "k8-serviceAccount" is rejected.
      serviceAccountName: k8-serviceaccount
      securityContext:
        ...
      terminationGracePeriodSeconds: 60
      containers:
        - name: appname-name
          securityContext:
            ...
          image: ...
          imagePullPolicy: ...
          ports:
            - name: appname-name
              containerPort: 5005
              protocol: TCP
          volumeMounts:
            - name: gcp-key
              mountPath: /var/secrets/obu
              readOnly: true
          env:
            - name: BATCH_SIZE
              valueFrom:
                configMapKeyRef:
                  name: appname-name
                  key: BATCH_SIZE
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secrets/obu/serviceAccountGKECredentials
          resources:
            ...
      volumes:
        - name: gcp-key
          secret:
            # Must match the Secret's metadata.name (appname-name in secret.yaml above),
            # otherwise the pod stays in CreateContainerConfigError.
            secretName: appname-name
volumes: Defines a pod volume named gcp-key backed by a Secret. The secretName must be the Secret's metadata.name; the Secret above is named appname-name, so that is the value to reference. Each key under the Secret's data becomes one file in the volume, and the kubelet writes the base64-decoded bytes, not the encoded string.
volumeMounts: Mounts the gcp-key volume into the container at /var/secrets/obu in read-only mode, so the key file appears at /var/secrets/obu/serviceAccountGKECredentials. Secret volumes are backed by tmpfs and never hit the node's disk.
GOOGLE_APPLICATION_CREDENTIALS: Points Google client libraries (Application Default Credentials) at the mounted key file. The libraries expect plain JSON at that path, which is what the decoded mount provides; if an application reads the base64 string out of the manifest instead, it must decode it itself.
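To make the two halves of the page concrete, the following added example (not code from the original post) builds the Secret manifest from a key file the way kubectl create secret --from-file does, then replays what the kubelet does for a secret volume and what a Google client library does with GOOGLE_APPLICATION_CREDENTIALS. The service account key, project ID and key material are constructed placeholders; the names appname-name, app-namespace, serviceAccountGKECredentials and /var/secrets/obu are taken from the manifests above.

```python
"""Build a Secret manifest and replay how it is consumed by a pod.

Added example; the key below is a constructed placeholder, not real material.
"""
import base64
import json
import os
import tempfile

# Constructed sample service-account key (fake project, fake key material).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
    "client_email": "app@example-project.iam.gserviceaccount.com",
}

SECRET_NAME = "appname-name"              # Secret metadata.name and secretName
NAMESPACE = "app-namespace"
KEY_NAME = "serviceAccountGKECredentials"  # key under data, becomes the file name
MOUNT_PATH = "/var/secrets/obu"            # mountPath from deployment.yaml


def build_secret_manifest(key_json: bytes, name=SECRET_NAME,
                          namespace=NAMESPACE, key=KEY_NAME) -> dict:
    """Equivalent of `kubectl create secret generic NAME --from-file=KEY=file`.

    `data` values are base64 of the raw bytes with no line wrapping. This is
    encoding, not encryption: decode_secret_value() reverses it without a key.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: base64.b64encode(key_json).decode("ascii")},
    }


def decode_secret_value(manifest: dict, key: str) -> bytes:
    """What anyone who can read the Secret object can do in one step."""
    return base64.b64decode(manifest["data"][key], validate=True)


def project_secret_volume(manifest: dict, mount_dir: str) -> dict:
    """Replay the kubelet's secret-volume projection: one file per data key,
    containing the DECODED bytes. Returns {key: path}.

    Real secret volumes use defaultMode (0644 unless set); 0400 is used here
    as the tighter setting a practitioner would choose.
    """
    paths = {}
    for key in manifest["data"]:
        path = os.path.join(mount_dir, key)
        with open(path, "wb") as f:
            f.write(decode_secret_value(manifest, key))
        os.chmod(path, 0o400)
        paths[key] = path
    return paths


def load_adc_credentials(env: dict) -> dict:
    """The consumer side: Application Default Credentials read the env var
    and expect plain JSON at that path (google-auth does the same)."""
    path = env["GOOGLE_APPLICATION_CREDENTIALS"]
    with open(path, "rb") as f:
        creds = json.load(f)
    if creds.get("type") != "service_account":
        raise ValueError(f"{path} is not a service account key file")
    return creds


def demo() -> tuple:
    """Run the full path: manifest -> mounted file -> credentials loaded."""
    key_bytes = json.dumps(SAMPLE_KEY).encode()
    manifest = build_secret_manifest(key_bytes)
    # The manifest alone gives the key back: base64 provides no confidentiality.
    assert decode_secret_value(manifest, KEY_NAME) == key_bytes
    with tempfile.TemporaryDirectory() as mount_dir:   # stands in for MOUNT_PATH
        paths = project_secret_volume(manifest, mount_dir)
        env = {"GOOGLE_APPLICATION_CREDENTIALS": paths[KEY_NAME]}
        creds = load_adc_credentials(env)
    return manifest, creds


if __name__ == "__main__":
    manifest, creds = demo()
    # YAML is a superset of JSON, so this output can be fed to `kubectl apply -f`.
    print(json.dumps(manifest, indent=2))
    print("loaded credentials for", creds["client_email"])
```

The printed manifest can be applied directly with kubectl apply -f (YAML accepts JSON), which is also why committing such a manifest to a repository is equivalent to committing the key file itself.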