Version 0.9.0

Configuration in Kubernetes

Kubernetes secret objects are intended to hold sensitive information, such as passwords, OAuth tokens, and ssh keys. The Kubernetes plugin allows you to access secret objects from your pipeline.

Example Kubernetes secret object:

apiVersion: v1
kind: Secret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
metadata:
  name: docker

Security

By default, a secret is available to every repository and every build event, including builds triggered by untrusted contributors. We strongly recommend that you limit access to each secret by repository and by build event. This is done with annotations on the secret object:

apiVersion: v1
kind: Secret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
metadata:
  name: docker
  annotations:
    X-Drone-Repos: octocat/*
    X-Drone-Events: push,tag

Limit By Repository

You can use the X-Drone-Repos annotation to limit which repositories can access your global Kubernetes secret. The annotation accepts a comma-separated list of glob patterns. If the repository name (in the form owner/name) matches at least one of the patterns, the build is granted access to the secret; if the annotation is absent, every repository has access.

Limit access to a single repository:

metadata:
  name: docker
  annotations:
    X-Drone-Repos: octocat/hello-world

Limit access to all repositories in an organization:

metadata:
  name: docker
  annotations:
    X-Drone-Repos: octocat/*

Limit access to multiple repositories or organizations:

metadata:
  name: docker
  annotations:
    X-Drone-Repos: octocat/*,spaceghost/*

Limit By Event

You can use the X-Drone-Events annotation to limit which build events can access your global Kubernetes secret. The annotation accepts a comma-separated list of event names. If the build event matches at least one of the listed events, the build is granted access to the secret; if the annotation is absent, every event has access. Restricting a secret to push and tag events keeps it away from pull_request builds, which can be opened by anyone who can send a pull request.

Limit access to push and tag events:

metadata:
  name: docker
  annotations:
    X-Drone-Events: push,tag

You can combine annotations to limit by repository and event:

metadata:
  name: docker
  annotations:
    X-Drone-Repos: octocat/*
    X-Drone-Events: push,tag
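The access rule described in the Security, Limit By Repository and Limit By Event sections above, modelled in Python as an added example (this is not the Drone plugin's own code): a secret with no annotation is readable by every build, and a present annotation must match at least one entry. The secret manifests are constructed inline as plain dicts, and the glob dialect (Python's fnmatch, where `*` also matches `/`) is an assumption about how the plugin matches patterns. The audit helper flags secrets that carry neither annotation, which is the default-allow state the page warns about.

```python
"""Model of the X-Drone-Repos / X-Drone-Events access check.

Added example, not the Drone plugin's own code. Assumptions:
  * repository names have the form owner/name;
  * patterns are matched with fnmatch (a '*' here also matches '/').
"""
import base64
import fnmatch
from typing import Dict, List, Optional

# Constructed Secret manifests, already parsed into dicts so that no
# YAML library is needed. The data values are the page's own examples.
UNRESTRICTED = {
    "metadata": {"name": "docker"},
    "data": {"username": "YWRtaW4=", "password": "MWYyZDFlMmU2N2Rm"},
}
RESTRICTED = {
    "metadata": {
        "name": "docker",
        "annotations": {
            "X-Drone-Repos": "octocat/*,spaceghost/*",
            "X-Drone-Events": "push,tag",
        },
    },
    "data": {"username": "YWRtaW4=", "password": "MWYyZDFlMmU2N2Rm"},
}


def _entries(annotation: Optional[str]) -> List[str]:
    """Split a comma-separated annotation into entries, dropping blanks."""
    if not annotation:
        return []
    return [e.strip() for e in annotation.split(",") if e.strip()]


def allowed(secret: dict, repo: str, event: str) -> bool:
    """True if a build of `repo` triggered by `event` may read `secret`.

    A missing annotation imposes no restriction (default-allow); a
    present annotation must match at least one of its entries.
    """
    annotations = secret.get("metadata", {}).get("annotations") or {}
    repo_patterns = _entries(annotations.get("X-Drone-Repos"))
    events = _entries(annotations.get("X-Drone-Events"))
    if repo_patterns and not any(
        fnmatch.fnmatchcase(repo, pattern) for pattern in repo_patterns
    ):
        return False
    if events and event not in events:
        return False
    return True


def decode(secret: dict) -> Dict[str, str]:
    """Decode the base64 data fields, i.e. what a granted build receives."""
    return {
        key: base64.b64decode(value).decode()
        for key, value in secret["data"].items()
    }


def unrestricted_secrets(secrets: List[dict]) -> List[str]:
    """Names of secrets that carry neither restriction annotation."""
    names = []
    for secret in secrets:
        meta = secret.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if not _entries(annotations.get("X-Drone-Repos")) and not _entries(
            annotations.get("X-Drone-Events")
        ):
            names.append(meta.get("name", "<unnamed>"))
    return names


if __name__ == "__main__":
    # A fork's pull_request build against an unrestricted secret gets in.
    print(allowed(UNRESTRICTED, "anyone/anything", "pull_request"))
    # The same build is rejected once the annotations are in place.
    print(allowed(RESTRICTED, "octocat/hello-world", "pull_request"))
    print(allowed(RESTRICTED, "octocat/hello-world", "push"))
    print(unrestricted_secrets([UNRESTRICTED, RESTRICTED]))
```

To run the audit against a real cluster, feed it the items list from `kubectl get secrets -o json`; each item has the same metadata.annotations shape as the constructed dicts above.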
