Hands-On with Secrets
Explore how to create and use Kubernetes Secrets to handle sensitive configuration data such as passwords and certificates. Understand their encoding and security limitations, methods for injecting Secrets into Pods, and basic secrets management workflows within Kubernetes clusters.
Secrets are almost identical to ConfigMaps — they hold application configuration data that Kubernetes injects into containers at runtime. However, Secrets are designed to hold sensitive data such as passwords, certificates, and OAuth tokens.
Are Kubernetes Secrets secure?
The quick answer to this question is no. But here’s the slightly longer answer…
Despite being designed for sensitive data, Kubernetes does not encrypt Secrets in the cluster store by default. It only obscures them as base64-encoded values, which anyone with read access can decode without a key. Fortunately, most service meshes encrypt network traffic, and we can configure encryption-at-rest with EncryptionConfiguration objects. However, many people use tools such as HashiCorp’s Vault for a more complete and secure secrets management solution.
We’ll focus on the basic secrets management functionality provided natively by Kubernetes as it’s still useful if augmented with third-party tools.
A typical secrets workflow looks like this:
We create the Secret and it gets persisted to the cluster store as an un-encrypted object. ...
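The following script is an added example, not part of the course text, illustrating the two points above: a Secret's `data` fields are only base64 and decode with no key, and an `EncryptionConfiguration` with an `aescbc` provider is what makes the API server encrypt Secrets at rest. The Secret name `db-creds`, the key name `key1` and the output path are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the course). Requires GNU coreutils base64.

# Build a Secret manifest the way `kubectl create secret generic` would:
# $1 = username, $2 = password; values are base64-encoded, not encrypted.
make_secret_manifest() {
  user_b64=$(printf '%s' "$1" | base64 | tr -d '\n')
  pass_b64=$(printf '%s' "$2" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: db-creds\n'
  printf 'type: Opaque\ndata:\n  username: %s\n  password: %s\n' \
    "$user_b64" "$pass_b64"
}

# Recover a field from a manifest: $1 = manifest text, $2 = key under .data.
# No key material is needed; anyone who can read the object can do this.
decode_secret_field() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }' | base64 -d
}

# Write an EncryptionConfiguration that encrypts Secrets at rest with AES-CBC.
# $1 = output path. aescbc needs a 32-byte key, supplied base64-encoded.
# The trailing identity provider lets the API server still read objects that
# were stored in plaintext before encryption was switched on.
write_encryption_config() {
  key=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
  cat > "$1" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: $key
      - identity: {}
EOF
}

# Sanity check on a written config: the aescbc key must decode to 32 bytes.
# $1 = path of the EncryptionConfiguration file.
encryption_key_ok() {
  n=$(( $(awk '$1 == "secret:" { print $2 }' "$1" | base64 -d | wc -c) ))
  [ "$n" -eq 32 ]
}
```

Point the API server at the file with `--encryption-provider-config=/path/to/file`; objects already in the store stay plaintext until they are rewritten (for example `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`).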