haopengzhan/k8s-ds-secret-injection
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement pod-specific secret injection for DaemonSets with automated lifecycle management

Browse Source
This commit is contained in:
haopengzhan
2026-01-21 06:38:25 +00:00
committed by Pengzhan Hao
commit c6978e24dd
15 changed files with 969 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy/test-ds.yaml
+68
View File
@@ -0,0 +1,68 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: test-daemonset
namespace: gps-system
spec:
selector:
matchLabels:
app: test-daemonset
template:
metadata:
labels:
app: test-daemonset
spec:
serviceAccountName: test-ds-sa
terminationGracePeriodSeconds: 0
containers:
- name: test-client
image: us-docker.pkg.dev/haopengzhan-gke-dev/haopengzhan-gke-dev/test-client:latest
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
command: ["/bin/sh", "-c"]
args:
- |
/app/test-client --namespace=$(POD_NAMESPACE) --secret=$(POD_NAME)
echo "Test client finished. Sleeping forever..."
sleep infinity
volumeMounts:
- name: kubeconfig
mountPath: /var/lib/kubelet/kubeconfig
readOnly: true
- name: gke-bin
mountPath: /home/kubernetes/bin
readOnly: true
- name: pki
mountPath: /etc/srv/kubernetes/pki
readOnly: true
- name: kubelet-pki
mountPath: /var/lib/kubelet/pki
readOnly: true
volumes:
- name: kubeconfig
hostPath:
path: /var/lib/kubelet/kubeconfig
type: File
- name: gke-bin
hostPath:
path: /home/kubernetes/bin
type: Directory
- name: pki
hostPath:
path: /etc/srv/kubernetes/pki
type: Directory
- name: kubelet-pki
hostPath:
path: /var/lib/kubelet/pki
type: Directory