Configuring a Secret

Kubernetes Secrets enable you to inject sensitive data into a Pod. For more information about Secrets, see Secrets.

The examples earlier in this section show how Secrets can be used in static and dynamic provisioning. Secrets are not by themselves secure. For more information about security and Secrets, see Security Properties. Specifically, it is important to turn on encryption at rest for Secrets. See Encrypting Secret Data at Rest.

During installation of the plug-in, the Kubernetes token that was moved into the Pod is written to the host node so that the FlexVolume plugin can query a Secret to pull the ticket for mounting. This Kubernetes token is sensitive and should be protected. The token is placed in /var/run/secrets/kubernetes.io/serviceaccount.

REST Secrets

For dynamic provisioning, you must use a Secret to pass the user name and password of a MapR user to the provisioner. This user must have privileges to create and delete a MapR volume. The credentials allow the provisioner to make REST calls to the MapR webserver. Secrets are protected by the Kubernetes RBAC.

Here is an example of a configuration file for a Kubernetes Secret:
apiVersion: v1
kind: Secret
metadata:
  name: your-volumeadmin-secrets
type: Opaque
data:
  MAPR_CLUSTER_USER: cm9vdA==
  MAPR_CLUSTER_PASSWORD: bwFwcg==

The following table describes the fields in the Secret example. For more information, see Secrets in the Kubernetes documentation.

Parameter Notes
apiVersion The Kubernetes API version.
kind The type of object being created.
name A string to identify the Secret.
type The type of Secret being created. For type Opaque, clients must treat these values as opaque and pass them unmodified back to the server.
MAPR_CLUSTER_USER The base64 representation of a MapR user that has the ability to create and delete MapR volumes.
MAPR_CLUSTER_PASSWORD The base64 representation of the password for the user defined by the MAPR_CLUSTER_USER parameter.
To create the Secret:
  1. Convert sensitive data, such as a MapR user name and password to a base64 representation. See Converting a String to Base64.
  2. Create the Secret:
    kubectl create -f <secret-name>.yaml
  3. Create a Pod that has access to the Secret data through a Kubernetes volume. See Example: Mounting a PersistentVolume for Dynamic Provisioning.

Ticket Secrets

The following example shows a ticket Secret:

apiVersion: v1
kind: Secret
metadata:
  name: mapr-ticket-secret
  namespace: mapr-examples
type: Opaque
data:
  CONTAINER_TICKET: CHANGETHIS!

The following table describes the CONTAINER_TICKET field in the ticket Secret example.

Parameter Notes
CONTAINER_TICKET Base64-encoded ticket value. See Converting a String to Base64.