What are Kubernetes Secrets?
In programming, a secret is any piece of sensitive data such as a password, a token, or a key. Kubernetes provides a way to store such data and make it available to a pod without including it in your application image. This mechanism is called a Secret in the Kubernetes world.
Secrets are similar to ConfigMaps; however, they are specifically intended to hold confidential data.
Creating a Secret
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
type: Opaque  # generic type for arbitrary user-defined data (the service-account-token type requires a service-account annotation)
data:
  test-secret-token: <base64-encoded-token>  # base64-encoded value
Explanation
The serialized JSON and YAML values of secret data are encoded as base64 strings.
Line 2: Defines the kind of the Kubernetes object, which is Secret in this case.
Lines 3–4: Defines the metadata for Secrets, similar to any other Kubernetes objects.
Line 6: Introduces the data section, whose key/value pairs hold the base64-encoded contents of the Secret.
Note: Secrets have a size limit of 1 MiB (mebibyte).
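The following added example (not part of the original article) builds a Secret manifest like the one above in Python, shows that the data values are merely base64-encoded rather than encrypted, and applies the 1 MiB limit the way the API server validation does (on the sum of the decoded values). The function names and the sample token value are constructed for this example.

```python
import base64
import json

# The API server rejects a Secret whose decoded data totals more than 1 MiB.
MAX_SECRET_BYTES = 1024 * 1024


def build_secret(name: str, values: dict, secret_type: str = "Opaque") -> dict:
    """Return a Secret manifest whose `data` values are base64-encoded strings.

    base64 is an encoding, not encryption: anyone allowed to read the object
    (e.g. via `kubectl get secret -o yaml`) can recover the plaintext.
    """
    data = {
        key: base64.b64encode(value.encode("utf-8")).decode("ascii")
        for key, value in values.items()
    }
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": secret_type,
        "data": data,
    }


def decode_data(manifest: dict) -> dict:
    """Plaintext the container sees once the Secret is mounted or injected."""
    return {
        key: base64.b64decode(value).decode("utf-8")
        for key, value in manifest["data"].items()
    }


def within_size_limit(manifest: dict) -> bool:
    """Mimic the 1 MiB validation: sum the decoded sizes of all data values."""
    total = sum(len(base64.b64decode(v)) for v in manifest["data"].values())
    return total <= MAX_SECRET_BYTES


if __name__ == "__main__":
    # Constructed sample value; never commit real credentials in a manifest.
    manifest = build_secret("test-secret", {"test-secret-token": "s3cr3t"})
    print(json.dumps(manifest, indent=2))
    print("decoded:", decode_data(manifest))
    print("within limit:", within_size_limit(manifest))
```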
Using a secret
Secrets can be mounted as data volumes or exposed as environment variables to be used by a container in a pod.
Using a Secret as a file from a pod
apiVersion: v1
kind: Pod
metadata:
  name: example-secret
spec:
  containers:
  - name: example-container
    image: busybox
    volumeMounts:
    # name must match the volume name below
    - name: secret-volume
      mountPath: /etc/secret-volume
      readOnly: true
  # The secret data is exposed to Containers in the Pod through a Volume.
  volumes:
  - name: secret-volume
    secret:
      secretName: test-secret
Explanation
Lines 9–13: Declare the volume mount, including the path inside the container at which the Secret's keys appear as files.
Lines 15–18: Declares the name of the Secret that should be mounted.
Using a Secret as an environment variable
apiVersion: v1
kind: Pod
metadata:
  name: example-secret
spec:
  containers:
  - name: example-container
    image: busybox
    env:
    - name: SECRET
      valueFrom:
        secretKeyRef:
          name: test-secret
          key: test-secret-token
Explanation
Line 9: Starts the list of environment variables for the container.
Lines 11–14: Reference the Secret and the key whose value is placed in the environment variable.
How to secure Secrets
Configure encryption at rest for Secrets; by default the API server stores them in etcd base64-encoded but not encrypted.
Always configure least-privilege access to Secrets, for example RBAC rules that let only the subjects that need a Secret read it.
Restrict access to a Secret to the specific container in the pod that needs it, rather than exposing it to every container.
Protect Secrets after they are read: the application should handle them appropriately, for example by not logging them or writing them to disk.
Lastly, if Secrets are configured via manifests, ensure that those manifests are not shared or checked in to version control.
Conclusion
Kubernetes Secrets are a good way to ensure that the delivery of secrets is decoupled from the application code.