Kubernetes - Secrets 🕵️

Description 👀

Secrets are used to store sensitive information such as passwords, API keys, and ssh keys. Secrets are stored in the cluster as base64 encoded strings. Secrets can be create using the kubectl command or using a Secret definition.

• a secret is only sent to a node if a pod on that node requires it.
• kubelet stores the secret into a tmpfs so that the secret is not written to disk storage.
• once the pod that depends on the secret is deleted, kubelet will delete its local copy of the secret data as well.

Secrets are not encrypted, so it is not safer in that sense. However, some best practices around using secrets make it safer. As in best practices like:

• not checking-in secret object definition files to source code repositories.
• enabling encryption at rest for secrets so they are stored encrypted in etcd.

Read about the protections and risks of using secrets here.

Basic Commands 📝

• create secrets using the kubectl command

    kubectl create secret generic <secret name> --from-literal=<key>=<value>
  

• create secrets using a definition

    kubectl create secret generic <secret name> --from-file=<path to file>
  

• get secrets

    kubectl get secret <secret name>
  

• get all secrets

    kubectl get secrets
  

• describe secrets

    kubectl describe secret <secret name>
  

  • note that this method does not show the secret value

• view secrets and their values

    kubectl get secret <secret-name> -o yaml
  

• delete secrets

    kubectl delete secret <secret-name>
  

Examples 🧩

• command used for:  secret-examples/sample-secret.yaml

    kubectl create secret generic sample-secret --from-file=secret-examples/DB_Host --from-file=secret-examples/DB_User --from-file=secret-examples/DB_Password 
  

• command used for:  secret-examples/sample-secret2.yaml

    kubectl create secret generic sample-secret2 --from-literal=DB_Host=postgres --from-literal=DB_User=guerrero --from-literal=DB_Password=pokemon
  

• sample secrets

  DB_Host

    postgres
  

  DB_User

    guerrero
  

  DB_Password

    pokemon
  

• sample secret definition

    apiVersion: v1
    kind: Secret
    metadata:
        creationTimestamp: null
        name: sample-secret
    data:
        DB_Host: cG9zdGdyZXM=
        DB_Password: cG9rZW1vbg==
        DB_User: Z3VlcnJlcm8=
  

• sample pod with secret definition

    apiVersion: v1
    kind: Pod
    metadata:
        name: secret-pod
    spec:
        containers:
          - name: secret-container
            image: nginx
            ports:
              - containerPort: 80
            envFrom:
              - secretRef:
                name: sample-secret
  

• sample tls secret definition

    apiVersion: v1
    kind: Secret
    metadata:
        name: tls-secret
    type: kubernetes.io/tls
    data:
        tls.crt: <base64 encoded cert>
        tls.key: <base64 encoded key>
  

  • imperative command to create a tls secret

      kubectl create secret tls <secret-name> --cert=<path to cert> --key=<path to key>
    

↩️