What is a Secret in Kubernetes?
In Kubernetes, a Secret is an object that stores sensitive information such as passwords, OAuth tokens and SSH keys. These secrets are crucial for the proper functioning of applications and services within a Kubernetes cluster, as they often grant access to essential resources.
Understanding and managing these secrets is vital, as inadequate secret management can lead to unauthorized access and data breaches.
Why use a Kubernetes Secret?
Secrets let you separate sensitive information from application code and configuration, which makes it easier to manage and update that information without modifying the application code itself.
Secrets give you more control over how sensitive information is used and reduce the risk of accidental exposure.
How to use Kubernetes Secrets?
We will look at two different ways to create Kubernetes Secrets.
1. Using the kubectl command-line tool, providing the required data as a key-value pair.
kubectl create secret generic test-secret --from-literal=db-port="3306"
2. Using a YAML configuration file. Before that, you need to encode your sensitive data in base64 format, then create the YAML file below.
echo -n "3306" | base64
This will return the encoded version of the value. Copy this value into your secret.yaml file.
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  db-port: MzMwNg==
Apply the YAML file using the command:
kubectl apply -f secret.yaml
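The encoding step above, carried a little further as an added example that is not from the original post: a small POSIX shell script that encodes a value the way step 2 does, builds the same Secret manifest, decodes a data: value back to plaintext, and shows what goes wrong when the -n is left off echo. The function names (encode_secret_value, encode_secret_value_with_newline, decode_secret_value, build_secret_manifest, read_secret_value_from_manifest) are my own and not part of kubectl or Kubernetes.

```shell
#!/bin/sh
# Added example, not from the original post. All function names are assumptions.

# Encode a value for the data: section. printf '%s' is the portable form of
# echo -n: it writes the bytes without a trailing newline.
encode_secret_value() {
    printf '%s' "$1" | base64
}

# What happens when the -n is forgotten: the newline is encoded as well, so the
# container later reads "3306\n" instead of "3306". Shown here to make the
# difference visible, not as a recommended way to encode.
encode_secret_value_with_newline() {
    printf '%s\n' "$1" | base64
}

# Reverse the encoding. base64 is an encoding, not encryption: anyone who can
# read the Secret object can recover the plaintext this way.
decode_secret_value() {
    printf '%s' "$1" | base64 -d
}

# Emit the same manifest as step 2 for a single key/value pair.
# Usage: build_secret_manifest <secret-name> <key> <plaintext-value>
build_secret_manifest() {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ndata:\n  %s: %s\n' \
        "$1" "$2" "$(encode_secret_value "$3")"
}

# Pull one key out of the data: section of a manifest produced above and decode
# it, so a reviewer can confirm what the Pod will actually see.
# Usage: read_secret_value_from_manifest <manifest-text> <key>
read_secret_value_from_manifest() {
    encoded=$(printf '%s\n' "$1" |
        awk -v k="$2" 'BEGIN { kk = k ":" } /^data:/ { d = 1; next } d && $1 == kk { print $2 }')
    decode_secret_value "$encoded"
}

# Stand-alone run: build the manifest from the post and print it.
build_secret_manifest test-secret db-port 3306
```

Running the script prints the manifest from step 2 with db-port: MzMwNg== in it. The point of the decode functions is the security caveat behind the whole section: the data: values are only base64-encoded, so any user or service account whose RBAC allows reading the Secret can decode them; encryption of Secrets at rest in etcd is a separate, off-by-default API server configuration.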
How to use Secrets within the Pods?
We will look at two different ways in which Secrets can be used within Pods.
1. Mounting Secrets as a volume for containers.
2. Setting Secrets as container environment variables.
Mounting Secrets as a volume for containers.
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo-app
    image: nginx
    volumeMounts:
    - name: db-connections
      mountPath: /opt
  volumes:
  - name: db-connections
    secret:
      secretName: test-secret
volumes / name: db-connections - the name of the volume.
secret / secretName: test-secret - read the data from the Secret named test-secret.
volumeMounts - mount the volume named db-connections into the container.
mountPath - the path inside the container where the volume is mounted; each key of the Secret becomes a file under it.
kubectl apply -f pod3.yaml
Once the pod is running, exec into it and run the command below.
kubectl exec -it (name of the pod) -- /bin/bash
Now that we are inside the container, run the command below to read the mounted file.
cat /opt/db-port | more
As you can see, the value of db-port has been retrieved from the Secret inside our container.
Setting Secrets as container environment variables.
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo-app
    image: nginx
    env:
    - name: DB_CONNECTION
      valueFrom:
        secretKeyRef:
          name: test-secret
          key: db-port
DB_CONNECTION - the name of the environment variable.
valueFrom - take the value from a Secret.
secretKeyRef - the reference to the Secret.
name - the name of the Secret.
key - the key inside the Secret whose value is used.
kubectl apply -f pod4.yaml
Once the pod is running, exec into it and run the command below.
kubectl exec -it (name of the pod) -- /bin/bash
Now that we are inside the container, run the command below to check the environment variable.
env | grep DB
So the environment variable has been successfully retrieved from the Secret.
Understanding Kubernetes Secret updates
This works the same way as a ConfigMap: when a Secret is consumed as an environment variable, the container does not pick up a new value until it is restarted. When the same Secret is consumed through a volume, the container receives the new value automatically without a restart.
Conclusion:
Kubernetes Secrets are a great way to manage sensitive information for your applications. They can be used to store things like database passwords, API keys, etc. Of course, there are many other, better options for securing your secrets, including Sealed Secrets and HashiCorp.
But to get started with managing sensitive information, you can use Kubernetes Secrets. With kubectl (for example, kubectl get secrets), DevOps engineers can easily create, manage and retrieve the secrets needed by their applications.
Follow Bala for more such posts 💯🚀