diff --git a/docs/05-Application-Lifecycle-Management/10.Secrets.md b/docs/05-Application-Lifecycle-Management/10.Secrets.md index 87961272..3969943c 100644 --- a/docs/05-Application-Lifecycle-Management/10.Secrets.md +++ b/docs/05-Application-Lifecycle-Management/10.Secrets.md @@ -133,11 +133,29 @@ In this section, we will take a look at secrets in kubernetes - Each attribute in the secret is created as a file with the value of the secret as its content. ![secpv](../../images/secpv.PNG) - #### Additional Notes: [A Note on Secrets](https://kodekloud.com/topic/a-note-on-secrets/) +Remember that secrets encode data in base64 format. Anyone with the base64 encoded secret can easily decode it. As such the secrets can be considered not very safe. + +The concept of safety of the Secrets is a bit confusing in Kubernetes. The [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/secret) page and a lot of blogs out there refer to secrets as a “safer option” to store sensitive data. They are safer than storing in plain text as they reduce the risk of accidentally exposing passwords and other sensitive data. In my opinion it’s not the secret itself that is safe, it is the practices around it. + +Secrets are not encrypted, so it is not safer in that sense. However, some best practices around using secrets make it safer. As in best practices like: + +- Not checking-in secret object definition files to source code repositories. +- [Enabling Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) for Secrets so they are stored encrypted in ETCD. + +Also the way kubernetes handles secrets. Such as: + +- A secret is only sent to a node if a pod on that node requires it. +- Kubelet stores the secret into a tmpfs so that the secret is not written to disk storage. +- Once the Pod that depends on the secret is deleted, kubelet will delete its local copy of the secret data as well. + +Read about the [protections](https://kubernetes.io/docs/concepts/configuration/secret/#protections) and [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks) of using secrets [here](https://kubernetes.io/docs/concepts/configuration/secret/#risks) + +Having said that, there are other better ways of handling sensitive data like passwords in Kubernetes, such as using tools like Helm Secrets, [HashiCorp Vault](https://www.vaultproject.io/). I hope to make a lecture on these in the future. + #### K8s Reference Docs - https://kubernetes.io/docs/concepts/configuration/secret/ - https://kubernetes.io/docs/concepts/configuration/secret/#use-cases diff --git a/docs/05-Application-Lifecycle-Management/15.Init-Containers.md b/docs/05-Application-Lifecycle-Management/15.Init-Containers.md index 85a98d15..eee3309b 100644 --- a/docs/05-Application-Lifecycle-Management/15.Init-Containers.md +++ b/docs/05-Application-Lifecycle-Management/15.Init-Containers.md @@ -1,6 +1,62 @@ -# Init-Containers - - Take me to [Init-Containers](https://kodekloud.com/topic/init-containers/) - +# Init Containers +- Take me to [Init-Containers](https://kodekloud.com/topic/init-containers/) + +In a multi-container pod, each container is expected to run a process that stays alive as long as the POD’s lifecycle. For example in the multi-container pod that we talked about earlier that has a web application and logging agent, both the containers are expected to stay alive at all times. The process running in the log agent container is expected to stay alive as long as the web application is running. If any of them fails, the POD restarts. + + + +But at times you may want to run a process that runs to completion in a container. For example a process that pulls a code or binary from a repository that will be used by the main web application. That is a task that will be run only one time when the pod is first created. Or a process that waits for an external service or database to be up before the actual application starts. That’s where initContainers comes in. + + + +An initContainer is configured in a pod like all other containers, except that it is specified inside a initContainers section, like this: + + + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod + labels: + app: myapp +spec: + containers: + - name: myapp-container + image: busybox:1.28 + command: ['sh', '-c', 'echo The app is running! && sleep 3600'] + initContainers: + - name: init-myservice + image: busybox + command: ['sh', '-c', 'git clone ;'] +``` +When a POD is first created the initContainer is run, and the process in the initContainer must run to a completion before the real container hosting the application starts. + +You can configure multiple such initContainers as well, like how we did for multi-containers pod. In that case, each init container is run one at a time in sequential order. + +If any of the initContainers fail to complete, Kubernetes restarts the Pod repeatedly until the Init Container succeeds. + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod + labels: + app: myapp +spec: + containers: + - name: myapp-container + image: busybox:1.28 + command: ['sh', '-c', 'echo The app is running! && sleep 3600'] + initContainers: + - name: init-myservice + image: busybox:1.28 + command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + - name: init-mydb + image: busybox:1.28 + command: ['sh', '-c', 'until nslookup mydb; do echo waiting for mydb; sleep 2; done;'] +``` + #### K8s Reference Docs - https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-initialization/