Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
51a4e08e
Commit
51a4e08e
authored
Jun 02, 2015
by
Brian Grant
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #8979 from erictune/docs6
Explain that file-based pods cannot use secrets
parents
21147d78
7fee4de4
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
11 additions
and
1 deletion
+11
-1
secrets.md
docs/design/secrets.md
+5
-1
secrets.md
docs/secrets.md
+6
-0
No files found.
docs/design/secrets.md
View file @
51a4e08e
# Secret Distribution
## Abstract
...
...
@@ -184,6 +183,11 @@ For now, we will not implement validations around these limits. Cluster operato
much node storage is allocated to secrets. It will be the operator's responsibility to ensure that
the allocated storage is sufficient for the workload scheduled onto a node.
For now, kubelets will only attach secrets to api-sourced pods, and not file- or http-sourced
ones. Doing so would:
-
confuse the secrets admission controller in the case of mirror pods.
-
create an apiserver-liveness dependency -- avoiding this dependency is a main reason to use non-api-source pods.
### Use-Case: Kubelet read of secrets for node
The use-case where the kubelet reads secrets has several additional requirements:
...
...
docs/secrets.md
View file @
51a4e08e
...
...
@@ -73,6 +73,12 @@ of very large secrets which would exhaust apiserver and kubelet memory.
However, creation of many smaller secrets could also exhaust memory. More
comprehensive limits on memory usage due to secrets is a planned feature.
Kubelet only supports use of secrets for Pods it gets from the API server.
This includes any pods created using kubectl, or indirectly via a replication
controller. It does not include pods created via the kubelets
`--manifest-url`
flag, its
`--config`
flag, or its REST API (these are
not common ways to create pods.)
### Consuming Secret Values
The program in a container is responsible for reading the secret(s) from the
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment