What is Kubernetes Secrets
A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Objects of type secret are intended to hold sensitive information, such as passwords, OAuth tokens, and ssh keys. Putting this information in a secret is safer and more flexible than putting it verbatim in a pod definition or in a docker image. putting it in a Secret object allows for more control over how it is used, and reduces the risk of accidental exposure.
How Secrets can be created?
Built-in Secrets – The system also creates some secrets. Service Accounts Automatically Create and Attach Secrets with API Credentials. Kubernetes automatically creates secrets which contain credentials for accessing the API and it automatically modifies your pods to use this type of secret.
- Creating your own Secrets – Users can create secrets. Creating a Secret Using kubectl create secret.
How to Create Secrets?
Method 1 – Creating a Secret Using “kubectl create secret”
Assume – Say that some pods need to access a database. The username and password that the pods should use is in the files ./username.txt and ./password.txt on your local machine.
echo 'admin' | base64
echo 'password' | base64
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4K
password: cGFzc3dvcmQK
apiVersion: v1
kind: Pod
metadata:
name: mysecretpod
spec:
containers:
- name: mypod
image: scmgalaxy/nginx-devopsschoolv1
volumeMounts:
- name: foo
mountPath: "/etc/foo"
readOnly: true
volumes:
- name: foo
secret:
secretName: mysecret
1069 vi secret.yaml
1070 kubectl get secret
1071 kubectl create -f secret.yaml
1072 kubectl get secret
1073 clear
1074 ls
1075 vi mysecretpod.yaml
1076 kubectl create -f mysecretpod.yaml
1077 kubectl get pods
1078 kubectl exec mysecretpod ls /etc/foo
1079 kubectl exec mysecretpod ls /etc/foo/username
1080 kubectl exec mysecretpod more /etc/foo/username
1081 kubectl exec mysecretpod more /etc/foo/password
# wordpress-secrets.yml
apiVersion: v1
kind: Secret
metadata:
name: wordpress-secrets
type: Opaque
data:
db-password: cGFzc3dvcmQ=
# wordpress-service.yml
apiVersion: v1
kind: Service
metadata:
name: wordpress-service
spec:
ports:
- port: 31001
nodePort: 31001
targetPort: http-port
protocol: TCP
selector:
app: wordpress
type: NodePort
# wordpress-single-deployment-no-volumes.yml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: wordpress-deployment
spec:
replicas: 1
template:
metadata:
labels:
app: wordpress
spec:
containers:
- name: wordpress
image: wordpress:4-php7.0
ports:
- name: http-port
containerPort: 80
env:
- name: WORDPRESS_DB_PASSWORD
valueFrom:
secretKeyRef:
name: wordpress-secrets
key: db-password
- name: WORDPRESS_DB_HOST
value: 127.0.0.1
- name: mysql
image: mysql:5.7
ports:
- name: mysql-port
containerPort: 3306
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: wordpress-secrets
key: db-password
Each item must be base64 encoded:
$ echo -n 'admin' | base64
YWRtaW4=
$ echo -n '1f2d1e2e67df' | base64
MWYyZDFlMmU2N2Rm
Now write a secret object in yaml file "secret.yaml" that looks like this:
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
username: YWRtaW4=
password: MWYyZDFlMmU2N2Rm
apiVersion: v1
kind: Secret
metadata:
name: db-secrets
type: Opaque
data:
username: cm9vdA==
password: cGFzc3dvcmQ=
$ kubectl create -f ./secret.yaml
How to Decoding a Secret
$ kubectl get secret mysecret -o yaml
$ $ echo 'MWYyZDFlMmU2N2Rm' | base64 --decode
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: foo
mountPath: "/etc/foo"
readOnly: true
volumes:
- name: foo
secret:
secretName: mysecret
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: helloworld-deployment
spec:
replicas: 3
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: k8s-demo
image: wardviaene/k8s-demo
ports:
- name: nodejs-port
containerPort: 3000
volumeMounts:
- name: cred-volume
mountPath: /etc/creds
readOnly: true
volumes:
- name: cred-volume
secret:
secretName: db-secrets
$ kubectl create -f helloworld-secrets-volumes.yaml
$ kubectl gets pods
$ kubectl describe pod podname
$ kubectl exec podname -i -t -- /bin/bash
$ cd /etc/creds
Projection of secret keys to specific paths
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: foo
mountPath: "/etc/foo"
readOnly: true
volumes:
- name: foo
secret:
secretName: mysecret
items:
- key: username
path: my-group/my-username
$ kubectl exec podname -i -t -- /bin/bash
$ ls /etc/foo/
username
password
$ cat /etc/foo/username
admin
$ cat /etc/foo/password
1f2d1e2e67df
Using Secrets as Environment Variables
This is an example of a pod that uses secrets from environment variables:
apiVersion: v1
kind: Pod
metadata:
name: secret-env-pod
spec:
containers:
- name: mycontainer
image: redis
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: mysecret
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password
restartPolicy: Never
Consuming Secret Values from Environment Variables
$ kubectl exec podname -i -t -- /bin/bash
$ echo $SECRET_USERNAME
admin
$ echo $SECRET_PASSWORD
1f2d1e2e67df
WordPress Demo
=============================
wordpress-secrets.yml
apiVersion: v1
kind: Secret
metadata:
name: wordpress-secrets
type: Opaque
data:
db-password: cGFzc3dvcmQ=
wordpress-single-deployment-no-volumes.yml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: wordpress-deployment
spec:
replicas: 1
template:
metadata:
labels:
app: wordpress
spec:
containers:
- name: wordpress
image: wordpress:4-php7.0
ports:
- name: http-port
containerPort: 80
env:
- name: WORDPRESS_DB_PASSWORD
valueFrom:
secretKeyRef:
name: wordpress-secrets
key: db-password
- name: WORDPRESS_DB_HOST
value: 127.0.0.1
- name: mysql
image: mysql:5.7
ports:
- name: mysql-port
containerPort: 3306
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: wordpress-secrets
key: db-password
wordpress-service.yml
apiVersion: v1
kind: Service
metadata:
name: wordpress-service
spec:
ports:
- port: 31001
nodePort: 31001
targetPort: http-port
protocol: TCP
selector:
app: wordpress
type: NodePort
reference
https://kubernetes.io/docs/concepts/configuration/secret/
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mypod
image: ngnix
volumeMounts:
- name: foo
mountPath: "/etc/foo"
readOnly: true
volumes:
- name: foo
secret:
secretName: db-user-pass
- Top 10 Website Development Companies in Vadodara - December 20, 2024
- Compare SAST, DAST and RASP & its Tools for DevSecOps - December 19, 2024
- Comparing AWS, Azure, and Google Cloud in terms of services - December 19, 2024