Prerequisites:

  • The virtual-kubelet node is deployed in the target Kubernetes cluster. Note that a serverless Kubernetes cluster comes with the virtual-kubelet node built in.

Elastic Container Instance (ECI) provides native support for secrets. You can use a secret in an ECI in the same way as in native Kubernetes. The following commands create a secret named demo and display it. Note that the value under data is base64-encoded, not encrypted.

# kubectl create secret generic demo --from-literal=raw=test-secret
secret/demo created
# kubectl get secret demo -o yaml
apiVersion: v1
data:
  raw: dGVzdC1zZWNyZXQ=
kind: Secret
metadata:
  creationTimestamp: "2020-01-20T13:14:22Z"
  name: demo
  namespace: default
  resourceVersion: "15357979"
  selfLink: /api/v1/namespaces/default/secrets/demo
  uid: c645990b-3b86-11ea-aa30-3e3af7242710
type: Opaque

Save the following sample code in a YAML file named pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: test-secret
spec:
  nodeName: virtual-kubelet
  containers:
  - name: nginx
    image: nginx:latest
    volumeMounts:
    - name: secret-vol
      mountPath: "/cache-test"
      readOnly: true
  volumes:
  - name: secret-vol
    secret:
      secretName: demo
      items:
      - key: raw
        path: secrets/raw

Use the kubectl client to create an ECI based on the preceding configuration file.

# kubectl create -f pod.yaml
pod/test-secret created
# kubectl exec -it test-secret -- bash
root@test-secret:/# ls /cache-test/
secrets
root@test-secret:/# cat /cache-test/secrets/raw
test-secret

The command output shows that the secret is mounted in the ECI as a volume: the key raw appears as the file /cache-test/secrets/raw and contains the decoded value.
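
The following Python script is an added example, not part of the original documentation. It works out from the two manifests above which files a secret volume exposes in each container and what they contain, covering both the items mapping used here and the default case without items. The function name projected_files and the JSON inputs are constructed for illustration, and subPath mounts are not handled.

```python
import base64
import json
import posixpath

# Constructed sample input, trimmed from the manifests shown on this page
# (the shape that `kubectl get ... -o json` returns).
SECRET = json.loads("""
{"kind": "Secret", "metadata": {"name": "demo", "namespace": "default"},
 "type": "Opaque", "data": {"raw": "dGVzdC1zZWNyZXQ="}}
""")
POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "test-secret"},
 "spec": {"nodeName": "virtual-kubelet",
  "containers": [{"name": "nginx", "image": "nginx:latest",
    "volumeMounts": [{"name": "secret-vol", "mountPath": "/cache-test",
                      "readOnly": true}]}],
  "volumes": [{"name": "secret-vol",
    "secret": {"secretName": "demo",
               "items": [{"key": "raw", "path": "secrets/raw"}]}}]}}
""")


def projected_files(pod, secret):
    """Map (container name, file path) -> decoded value for one Secret."""
    name = secret["metadata"]["name"]
    # Secret data is base64-encoded, not encrypted; values assumed UTF-8 text.
    decoded = {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}
    files = {}
    for vol in pod["spec"].get("volumes", []):
        src = vol.get("secret")
        if not src or src["secretName"] != name:
            continue
        # With `items`, only the listed keys are projected, each at its
        # relative path; without it, every key becomes a file named after it.
        items = src.get("items") or [{"key": k, "path": k} for k in decoded]
        for ctr in pod["spec"]["containers"]:
            for mount in ctr.get("volumeMounts", []):
                if mount["name"] != vol["name"]:
                    continue
                for item in items:
                    path = posixpath.join(mount["mountPath"], item["path"])
                    files[(ctr["name"], path)] = decoded[item["key"]]
    return files


if __name__ == "__main__":
    for (ctr, path), value in projected_files(POD, SECRET).items():
        print(f"{ctr}: {path} -> {value}")
```

Anyone who can read the Secret object through the API, or exec into a pod that mounts it, obtains the plaintext, so RBAC on secrets and on pods/exec is what actually protects the value.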