How to project Kubernetes secret at the /etc/ level?


I am following the Kubernetes documentation on Secrets. I have this secret.yaml file:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  val1: YXNkZgo=   # base64 of "asdf\n"; ignored because stringData below sets the same key
stringData:
  val1: asdf       # plain text; the API server base64-encodes it and it takes precedence over data

and secret-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: mysecretpod
spec:
  containers:
  - name: mypod
    image: nginx
    volumeMounts:
    - name: myval
      mountPath: /etc/secret   # the volume replaces this directory; each item becomes a file under it
      readOnly: true
  volumes:
  - name: myval
    secret:
      secretName: mysecret     # must match the Secret's metadata.name
      items:
      - key: val1
        path: myval            # file name inside the mount, i.e. /etc/secret/myval

I use kubectl apply -f on both of these files. Then using kubectl exec -it mysecretpod -- cat /etc/secret/myval, I can see the value asdf in the file /etc/secret/myval of mysecretpod.

However I want the mounted path to be /etc/myval. Thus I make the following change in secret-pod.yaml:

    volumeMounts:
    - name: myval
      mountPath: /etc
      readOnly: true

After using kubectl apply -f on that file again, I check pod creation with kubectl get pods --all-namespaces. This is what I see:

NAMESPACE     NAME                               READY   STATUS             RESTARTS      AGE
default       mysecretpod                        0/1     CrashLoopBackOff   2 (34s ago)   62s

Looking into that pod using kubectl describe pods mysecretpod, this is what I see:

Events:
  Type     Reason     Age               From               Message
  ----     ------     ----              ----               -------
  Normal   Scheduled  35s               default-scheduler  Successfully assigned default/mysecretpod to minikube
  Normal   Pulled     32s               kubelet            Successfully pulled image "nginx" in 2.635766453s
  Warning  Failed     31s               kubelet            Error: failed to start container "mypod": Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/var/lib/docker/containers/c84a8d278dc2f131daf9f322d26ff8c54d68cea8cd9c0ce209f68d7a9b677b3c/resolv.conf" to rootfs at "/etc/resolv.conf" caused: open /var/lib/docker/overlay2/4aaf54c61f7c80937a8edc094b27d6590538632e0209165e0b8c96e9e779a4b6/merged/etc/resolv.conf: read-only file system: unknown
  Normal   Pulled     28s               kubelet            Successfully pulled image "nginx" in 3.313846185s
  Warning  Failed     28s               kubelet            Error: failed to start container "mypod": Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/var/lib/docker/containers/c84a8d278dc2f131daf9f322d26ff8c54d68cea8cd9c0ce209f68d7a9b677b3c/resolv.conf" to rootfs at "/etc/resolv.conf" caused: open /var/lib/docker/overlay2/34af5138f14d192ade7e53211476943ea82cd2c8186d69ca79a3adf2abbc0978/merged/etc/resolv.conf: read-only file system: unknown
  Warning  BackOff    24s               kubelet            Back-off restarting failed container
  Normal   Pulling    9s (x3 over 34s)  kubelet            Pulling image "nginx"
  Normal   Created    7s (x3 over 32s)  kubelet            Created container mypod
  Normal   Pulled     7s                kubelet            Successfully pulled image "nginx" in 2.73055072s
  Warning  Failed     6s                kubelet            Error: failed to start container "mypod": Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/var/lib/docker/containers/c84a8d278dc2f131daf9f322d26ff8c54d68cea8cd9c0ce209f68d7a9b677b3c/resolv.conf" to rootfs at "/etc/resolv.conf" caused: open /var/lib/docker/overlay2/01bfa6b2c35d5eb12ad7ad204a5acc58688c1e04d9b5891382e48c26d2e7077f/merged/etc/resolv.conf: read-only file system: unknown

Why does this fail? Is it possible to have a secret mounted at the /etc level instead of at the /etc/something level? If yes, how can I achieve that? Thank you so much!

CodePudding user response:

volumeMounts:
- name: myval
  mountPath: /etc
  readOnly: true

Instead of the /etc directory, try mounting it as a single file:

apiVersion: v1
kind: Secret
metadata:
  name: nginx
type: Opaque
stringData:
  val1: asdf
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx:alpine
    volumeMounts:
    - name: myval
      mountPath: /etc/myval   # only this one file is overlaid; the rest of /etc stays writable for the runtime
      subPath: myval          # pick the single file "myval" out of the volume
  volumes:
  - name: myval
    secret:
      secretName: nginx
      items:
      - key: val1
        path: myval
...
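The events in the question show why the whole-directory mount fails: the container runtime bind-mounts /etc/resolv.conf (and likewise /etc/hosts and /etc/hostname) into every container after the user's volumes are in place, and a read-only Secret volume sitting on /etc leaves it nowhere writable to do that. The subPath fix above avoids this, but carries a documented caveat of its own: a Secret mounted through subPath is not refreshed when the Secret object changes. The following linter is an added example, not code from the question, the answer or Kubernetes itself; it takes a Pod object in the shape produced by `kubectl get pod NAME -o json` and flags both pitfalls. The two sample Pods embedded in it are constructed from the manifests on this page.

```python
"""Lint Pod volumeMounts for two pitfalls: a directory mount that shadows
files the container runtime must write, and a subPath Secret mount that
silently stops receiving updates."""
import posixpath

# Files the kubelet/container runtime bind-mounts into every container after
# the user's volumes are in place. A read-only volume covering any ancestor
# directory makes those bind mounts fail with "read-only file system".
RUNTIME_MANAGED_FILES = ("/etc/hosts", "/etc/hostname", "/etc/resolv.conf")


def _covers(mount_path, file_path):
    """True if a directory mounted at mount_path would contain file_path."""
    mount_path = posixpath.normpath(mount_path)
    if mount_path == "/":
        return True
    return file_path.startswith(mount_path + "/")


def check_pod(pod):
    """Return (level, container, mountPath, message) tuples for a Pod object
    in the shape produced by `kubectl get pod -o json`."""
    spec = pod["spec"]
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    findings = []
    for container in spec.get("containers", []):
        for mount in container.get("volumeMounts", []):
            path = posixpath.normpath(mount["mountPath"])
            sub_path = mount.get("subPath")
            is_secret = "secret" in volumes.get(mount["name"], {})
            if sub_path is None:
                # Whole-volume mount: it replaces the directory tree at `path`.
                shadowed = [f for f in RUNTIME_MANAGED_FILES
                            if f == path or _covers(path, f)]
                if shadowed:
                    findings.append((
                        "error", container["name"], path,
                        "directory mount shadows %s; the container cannot start. "
                        "Mount individual files with subPath instead."
                        % ", ".join(shadowed)))
            elif path in RUNTIME_MANAGED_FILES:
                findings.append((
                    "error", container["name"], path,
                    "mount replaces a runtime-managed file"))
            if is_secret and sub_path is not None:
                # Documented Kubernetes behaviour: subPath mounts of a Secret
                # are not refreshed when the Secret object changes.
                findings.append((
                    "warning", container["name"], path,
                    "Secret mounted via subPath will not receive Secret updates"))
    return findings


# Constructed sample: the question's failing spec (whole volume on /etc).
BROKEN_POD = {
    "kind": "Pod",
    "metadata": {"name": "mysecretpod"},
    "spec": {
        "containers": [{
            "name": "mypod", "image": "nginx",
            "volumeMounts": [{"name": "myval", "mountPath": "/etc", "readOnly": True}],
        }],
        "volumes": [{"name": "myval", "secret": {"secretName": "mysecret",
                     "items": [{"key": "val1", "path": "myval"}]}}],
    },
}

# Constructed sample: the answer's working spec (single file via subPath).
FIXED_POD = {
    "kind": "Pod",
    "metadata": {"name": "nginx"},
    "spec": {
        "containers": [{
            "name": "nginx", "image": "nginx:alpine",
            "volumeMounts": [{"name": "myval", "mountPath": "/etc/myval",
                              "subPath": "myval"}],
        }],
        "volumes": [{"name": "myval", "secret": {"secretName": "nginx",
                     "items": [{"key": "val1", "path": "myval"}]}}],
    },
}

if __name__ == "__main__":
    for name, pod in (("broken", BROKEN_POD), ("fixed", FIXED_POD)):
        for level, ctr, path, msg in check_pod(pod):
            print("%s: [%s] %s %s: %s" % (name, level, ctr, path, msg))
```

To run it against a live cluster, load the output of `kubectl get pod NAME -o json` with `json.load` and pass the resulting dict to `check_pod`. The broken spec produces one error naming the three runtime-managed files under /etc; the fixed spec starts fine but produces a warning, which is the trade-off to keep in mind when the mounted secret is something you rotate: a directory mount under a new path such as /etc/secret picks up rotations, a subPath file does not.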