GKE-Kubernetes Secrets

Varunkumar Inbaraj
Apr 18, 2024


Secrets, Volumes, VolumeMounts

A Kubernetes Secret that stores the GKE service account credentials in base64-encoded form (base64 is an encoding, not encryption).

---secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: appname-name
  namespace: app-namespace
type: Opaque
data:
  serviceAccountGKECredentials: 'InNlcnZpewogICJ0eXBlIjogInNlcnZp'

serviceAccountGKECredentials: 'InNlcnZpewogICJ0eXBlIjogInNlcnZp': this line defines a key named serviceAccountGKECredentials and assigns it the base64-encoded credential as its value. When the Secret is mounted as a volume, each key becomes a file under the mount path and its decoded value becomes that file's contents.

The Deployment creates the pods and defines their configuration: image, resources, environment variables, and security contexts. It mounts a Secret volume that carries the GCP IAM service account credentials.

---deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: appname-name
  namespace: app-namespace
  labels:
    ...
spec:
  replicas: 1
  selector:
    matchLabels:
      app: appname-name
      release: ...
  template:
    metadata:
      annotations:
        ...
      labels:
        app: appname-name
        release: ...
    spec:
      imagePullSecrets:
        ...
      serviceAccountName: k8-serviceAccount
      securityContext:
        ...
      terminationGracePeriodSeconds: 60
      containers:
        - name: appname-name
          securityContext:
            ...
          image: ...
          imagePullPolicy: ...
          ports:
            - name: appname-name
              containerPort: 5005
              protocol: TCP
          volumeMounts:
            - name: gcp-key
              mountPath: /var/secrets/obu
              readOnly: true
          env:
            - name: BATCH_SIZE
              valueFrom:
                configMapKeyRef:
                  name: appname-name
                  key: BATCH_SIZE
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secrets/obu/serviceAccountGKECredentials
          resources:
            ...
      volumes:
        - name: gcp-key
          secret:
            secretName: appname
  • volumes: defines a volume named gcp-key backed by the Secret named appname.
  • volumeMounts: mounts the gcp-key volume at the /var/secrets/obu path in read-only mode, so the container cannot modify the credential file.
  • GOOGLE_APPLICATION_CREDENTIALS: points to the credential file inside the mount, /var/secrets/obu/serviceAccountGKECredentials, i.e. the mount path followed by the Secret key name; Google client libraries read the service account key from this path.
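As an added example that is not part of the original post, the following Python check validates that a Deployment's Secret volume, its read-only mount and GOOGLE_APPLICATION_CREDENTIALS all line up with the Secret manifest before anything is applied to the cluster. The manifests are embedded as dicts constructed from the post's YAML with a placeholder credential; run against them it reports that the volume references a Secret named appname while the Secret manifest is named appname-name.

```python
# Added example (not the post's code): cross-check a Deployment's Secret volumes,
# mounts and GOOGLE_APPLICATION_CREDENTIALS against the Secret manifest, as dicts.
import base64, binascii, posixpath

def check_secret_mounts(deployment, secrets):
    """Return a list of findings; an empty list means the manifests agree."""
    findings = []
    ns = deployment["metadata"]["namespace"]
    by_name = {s["metadata"]["name"]: s for s in secrets
               if s["metadata"].get("namespace") == ns}
    for s in by_name.values():  # every data value must be valid base64
        for key, val in s.get("data", {}).items():
            try:
                base64.b64decode(val, validate=True)
            except binascii.Error:
                findings.append(f"Secret {s['metadata']['name']}: key {key} is not base64")
    pod = deployment["spec"]["template"]["spec"]
    vol_secret = {v["name"]: v["secret"]["secretName"]
                  for v in pod.get("volumes", []) if "secret" in v}
    for vol, name in vol_secret.items():  # the referenced Secret must exist
        if name not in by_name:
            findings.append(f"volume {vol}: Secret {name!r} not found in {ns}")
    for c in pod.get("containers", []):
        mounts = {m["mountPath"]: m for m in c.get("volumeMounts", [])}
        for path, m in mounts.items():  # credential mounts must stay read-only
            if m["name"] in vol_secret and not m.get("readOnly", False):
                findings.append(f"container {c['name']}: mount {path} is writable")
        for e in c.get("env", []):  # the credentials path must resolve to a Secret key
            if e.get("name") != "GOOGLE_APPLICATION_CREDENTIALS" or "value" not in e:
                continue
            cred = e["value"]
            hit = next((m for p, m in mounts.items() if cred.startswith(p.rstrip("/") + "/")), None)
            if hit is None:
                findings.append(f"{cred} is not under any volumeMount")
                continue
            secret = by_name.get(vol_secret.get(hit["name"]))
            key = posixpath.relpath(cred, hit["mountPath"])
            if secret is not None and key not in secret.get("data", {}):
                findings.append(f"key {key!r} missing from Secret {vol_secret[hit['name']]}")
    return findings

# Constructed input mirroring the post's manifests (placeholder credential, not a real key).
SECRET = {"metadata": {"name": "appname-name", "namespace": "app-namespace"},
          "data": {"serviceAccountGKECredentials":
                   base64.b64encode(b'{"type": "service_account"}').decode()}}
DEPLOYMENT = {"metadata": {"name": "appname-name", "namespace": "app-namespace"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "gcp-key", "secret": {"secretName": "appname"}}],
        "containers": [{"name": "appname-name", "volumeMounts": [
            {"name": "gcp-key", "mountPath": "/var/secrets/obu", "readOnly": True}],
            "env": [{"name": "GOOGLE_APPLICATION_CREDENTIALS",
                     "value": "/var/secrets/obu/serviceAccountGKECredentials"}]}]}}}}
```

Calling check_secret_mounts(DEPLOYMENT, [SECRET]) returns the single finding for the mismatched Secret name; changing secretName to appname-name makes it return an empty list.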
