# Question 11: Secret

###### tags: `Exam question walkthrough`

Switch cluster: `kubectl config use-context k8s`

**Task**

Retrieve the content of the existing secret named **db1-test** in the **istio-system** namespace. Store the username field in a file named /cks/11/old-username.txt, and the password field in a file named /cks/11/old-pass.txt.

You must create both files; they don't exist yet. Do not use/modify the created files in the following steps, create new temporary files if needed.

Create a new secret named **test-workflow** in the **istio-system** namespace, with the following content:

```
username : thanos
password : hahahaha
```

Finally, create a new Pod that has access to the secret **test-workflow** via a volume:

- pod name **dev-pod**
- namespace **istio-system**
- container name **dev-container**
- image **nginx:1.9**
- volume name **dev-volume**
- mount path **/etc/test-secret**

## Solution

Part one. Be careful not to swap the password and username outputs.

```
kubectl get secrets -n istio-system db1-test -ojsonpath='{.data.password}' | base64 -d > /cks/11/old-pass.txt
kubectl get secrets -n istio-system db1-test -ojsonpath='{.data.username}' | base64 -d > /cks/11/old-username.txt
```

Part two. Create the Secret:

```
kubectl create secret -n istio-system generic test-workflow --from-literal=username=thanos --from-literal=password=hahahaha
```

Generate a base Pod YAML:

```
kubectl run dev-pod -n istio-system --image nginx:1.9 --dry-run=client -oyaml > 11pod.yaml
```

Following the official documentation, edit the YAML to match the task (in the exam you can simply use the nginx image directly): [k8s.io/secret](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod)

```
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: dev-pod
  name: dev-pod
  namespace: istio-system
spec:
  containers:
  - image: public.ecr.aws/nginx/nginx:1.19
    name: dev-container
    volumeMounts:
    - name: dev-volume
      mountPath: "/etc/test-secret"
      readOnly: true
  volumes:
  - name: dev-volume
    secret:
      secretName: test-workflow
```

Verify:

```
kubectl exec -n istio-system dev-pod -- ls /etc/test-secret/
password
username
```
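
The warning in part one about swapping the two fields can be checked mechanically. The script below is an added example, not part of the original walkthrough: it re-reads each key from the secret and compares it byte for byte with the file that should hold it. The function names `check_secret_file` and `check_task11` are hypothetical; the secret name, namespace and file paths are the ones from the task.

```bash
#!/usr/bin/env bash
# Added example: confirm each output file holds the decoded value of the
# intended key, so a swapped username/password is caught before moving on.

# check_secret_file NAMESPACE SECRET KEY FILE
# Returns 0 on match, 1 on mismatch, 2 if FILE is missing, 3 on read errors.
check_secret_file() {
    local ns="$1" secret="$2" key="$3" file="$4"
    local enc tmp rc
    [ -f "$file" ] || { echo "MISSING  $file"; return 2; }
    # Values under .data are base64-encoded, not encrypted.
    enc="$(kubectl get secret -n "$ns" "$secret" -o jsonpath="{.data.$key}")" || {
        echo "ERROR    cannot read $ns/$secret"; return 3; }
    [ -n "$enc" ] || { echo "ERROR    key $key not found in $ns/$secret"; return 3; }
    tmp="$(mktemp)" || return 3
    if ! printf '%s' "$enc" | base64 -d > "$tmp"; then
        rm -f "$tmp"; echo "ERROR    $key is not valid base64"; return 3
    fi
    # cmp is byte-exact, so a stray trailing newline in FILE also shows up.
    if cmp -s "$tmp" "$file"; then
        echo "OK       $file matches key $key"; rc=0
    else
        echo "MISMATCH $file does not match key $key"; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Checks both files from part one of this task.
check_task11() {
    local rc=0
    check_secret_file istio-system db1-test username /cks/11/old-username.txt || rc=1
    check_secret_file istio-system db1-test password /cks/11/old-pass.txt || rc=1
    return "$rc"
}
```

Source the script and run `check_task11` after part one; it only reads the two files and writes a temporary file elsewhere, so it stays within the task's rule about not modifying them.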