Secrets

Kubernetes Secrets are objects that hold sensitive data, such as passwords, OAuth tokens, and SSH keys, in your cluster.

Using Secrets gives you more flexibility in defining a Pod's lifecycle, and more control over how sensitive data is used. It reduces the risk of exposing the data to unauthorized users.

  • Secrets are namespaced objects.
  • Secrets can be mounted as data volumes or exposed as environment variables to the containers in a Pod.
  • Secret data mounted into a Pod is held in tmpfs on the node, so it is not written to the node's disk.
  • The API server stores Secrets as plain text in etcd by default; the base64 in the data field is encoding, not encryption.
  • Each Secret is limited to 1MB in size.

Creating a Secret

Using kubectl create secret:

Create username.txt and password.txt files.

$ echo -n 'root' > ./username.txt
$ echo -n 'Mq2D#(8gf09' > ./password.txt
$ kubectl create secret generic db-cerds --from-file=./username.txt --from-file=./password.txt
secret "db-cerds" created
$ kubectl get secret/db-cerds
NAME       TYPE      DATA      AGE
db-cerds   Opaque    2         26s
$ kubectl describe secret/db-cerds
Name:         db-cerds
Namespace:    default
Labels:       
Annotations:  

Type:  Opaque

Data
====
password.txt:  11 bytes
username.txt:  4 bytes

Using a YAML file:

A Secret has two data maps: data and stringData. The data field stores arbitrary values, each base64-encoded; stringData accepts plain strings, which the API server base64-encodes into data for you.

$ echo -n 'root' | base64
cm9vdA==

$ echo -n 'Mq2D#(8gf09' | base64
TXEyRCMoOGdmMDk=

Write a Secret YAML file (creds.yaml):

apiVersion: v1
kind: Secret
metadata:
  name: database-creds
type: Opaque
data:
  username: cm9vdA==
  password: TXEyRCMoOGdmMDk=

Create the Secret using kubectl create:

$ kubectl create -f creds.yaml
secret "database-creds" created
$ kubectl get secret/database-creds
NAME             TYPE      DATA      AGE
database-creds   Opaque    2         1m

Decoding a Secret

Because base64 is an encoding rather than encryption, anyone who can read the Secret object can recover the original values:

$ kubectl get secret/database-creds -o yaml
apiVersion: v1
data:
  password: TXEyRCMoOGdmMDk=
  username: cm9vdA==
kind: Secret
metadata:
  creationTimestamp: 2019-02-25T06:22:37Z
  name: database-creds
  namespace: default
  resourceVersion: "2657"
  selfLink: /api/v1/namespaces/default/secrets/database-creds
  uid: bf0cef90-38c5-11e9-8c95-42010a800068
type: Opaque
$ echo -n "cm9vdA==" | base64 --decode
root

$ echo -n "TXEyRCMoOGdmMDk=" | base64 --decode
Mq2D#(8gf09

Using Secrets

A Secret can be used with your workloads in two ways:

  • specify environment variables that reference the Secret’s values
  • mount a volume containing the Secret.

Environment variables:

apiVersion: v1
kind: Pod
metadata:
  name: php-mysql-app
spec:
  containers:
  - name: php-app
    image: php:latest
    env:
    - name: MYSQL_USER
      valueFrom:
        secretKeyRef:
          name: database-creds
          key: username
    - name: MYSQL_PASSWORD
      valueFrom:
        secretKeyRef:
          name: database-creds
          key: password

Secret as a volume:

apiVersion: v1
kind: Pod
metadata:
  name: redis-pod
spec:
  containers:
  - name: redis-pod
    image: redis
    volumeMounts:
    - name: dbcreds
      mountPath: "/etc/dbcreds"
      readOnly: true
  volumes:
  - name: dbcreds
    secret:
      secretName: database-creds

Additional Info:

Secret creation syntax

kubectl create secret [TYPE] [NAME] [DATA]

Type can be one of the following:

  • generic: Create a Secret from a local file, directory, or literal value.
  • docker-registry: Create a dockercfg Secret used to authenticate against a Docker registry.
  • tls: Create a TLS Secret from the given public/private key pair. The key pair must exist beforehand; the public key certificate must be PEM-encoded and match the given private key.

DATA can be one of the following:

--from-file

$ kubectl create secret generic credentials \
  --from-file=username=./username.txt \
  --from-file=password=./password.txt

--from-env-file

$ cat credentials.txt
username=admin
password=Ex67Hn*9#(jw
$ kubectl create secret generic credentials \
  --from-env-file ./credentials.txt

--from-literal

$ kubectl create secret generic literal-token \
  --from-literal user=admin \
  --from-literal password="Ex67Hn*9#(jw"
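As an added example (not code from the original page or from kubectl), a small Python script that ties the sections above together: it parses the KEY=VALUE format used by --from-env-file, builds the base64-encoded Opaque Secret manifest shown under "Using a YAML file", enforces the 1MB per-secret limit, and decodes the data map back as in "Decoding a Secret". The env-file parser is a simplified one, and the credentials.txt content is constructed for the example.

```python
import base64
import json
import re

# Per-secret size limit from the notes above; the API server rejects anything larger.
MAX_SECRET_BYTES = 1024 * 1024
# Data keys become file names when the Secret is mounted as a volume,
# so only alphanumerics, '-', '_' and '.' are allowed.
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")

# Constructed sample, same shape as the credentials.txt used with --from-env-file.
CREDENTIALS_TXT = "# database login\nusername=admin\npassword=Ex67Hn*9#(jw\n"


def parse_env_file(text):
    """Simplified --from-env-file parser: one KEY=VALUE per line, blank lines and
    '#' comments skipped, the value is everything after the first '='."""
    values = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        key, value = line.split("=", 1)
        if not KEY_RE.match(key):
            raise ValueError(f"line {lineno}: invalid secret key {key!r}")
        values[key] = value
    return values


def build_secret(name, values, namespace="default"):
    """Build an Opaque Secret manifest whose data map is base64-encoded, as kubectl does."""
    data = {k: base64.b64encode(v.encode()).decode("ascii") for k, v in values.items()}
    manifest = {"apiVersion": "v1", "kind": "Secret",
                "metadata": {"name": name, "namespace": namespace},
                "type": "Opaque", "data": data}
    size = len(json.dumps(manifest).encode())
    if size > MAX_SECRET_BYTES:
        raise ValueError(f"secret {name!r} is {size} bytes, over the 1MB limit")
    return manifest


def decode_secret(manifest):
    """Recover the plaintext values from a Secret's data map: base64 is an encoding,
    not encryption, so anyone allowed to read the object can do this."""
    return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}


if __name__ == "__main__":
    secret = build_secret("credentials", parse_env_file(CREDENTIALS_TXT))
    print(json.dumps(secret, indent=2))  # JSON manifests are accepted by kubectl create -f
    print(decode_secret(secret))
```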