Kubernetes - Managing Secrets
Core Concepts in Kubernetes
Kubernetes is an open-source platform designed to automate deploying, scaling, and operating application containers. This guide provides an understanding of secrets, one of the core concepts in Kubernetes.
Key Points:
- Secrets are used to store sensitive information, such as passwords, OAuth tokens, and SSH keys.
- They provide a mechanism to manage sensitive data separately from application code.
- Secrets can be consumed by pods as environment variables or as files mounted from volumes.
What is a Secret?
A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in a container image. Using a Secret means that you don't need to include confidential data in your application code.
# Example of a Secret definition
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: dXNlcm5hbWU= # base64 encoding of "username"
  password: cGFzc3dvcmQ= # base64 encoding of "password"
Creating and Managing Secrets
Here are some basic commands to create and manage Secrets:
# Create a Secret from literal values
kubectl create secret generic mysecret --from-literal=username='admin' --from-literal=password='s3cr3t'
# Create a Secret from a file
kubectl create secret generic mysecret --from-file=path/to/secret-file
# View details of a Secret (note: values are shown base64-encoded)
kubectl get secret mysecret -o yaml
# Delete a Secret
kubectl delete secret mysecret
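The commands above need a cluster. As an added example that is not part of the original guide, the shell functions below build the equivalent Secret manifest offline from key=value literals (the same shape `kubectl create secret generic --dry-run=client -o yaml` prints) and decode a stored value back, which shows that the values in `kubectl get secret -o yaml` output are base64-encoded rather than encrypted. It assumes a POSIX shell with a coreutils or busybox `base64` that accepts `-d`; `mysecret` and the literal values are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes coreutils/busybox base64.

# Encode without line wrapping (GNU base64 wraps at 76 chars by default).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Decode a stored Secret value. Note: no key or password is involved,
# so anyone who can read the manifest can read the value.
b64d() { printf '%s' "$1" | base64 -d; }

# make_secret_manifest NAME key=value [key=value ...]
# Emits an Opaque Secret; values may themselves contain '=' characters.
make_secret_manifest() {
  name="$1"; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key="${kv%%=*}"          # text before the first '='
    value="${kv#*=}"         # everything after the first '='
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# decode_secret_value ENCODED: turns a value copied from `kubectl get secret -o yaml`
# back into plaintext. Treat exported manifests as sensitive for exactly this reason.
decode_secret_value() { b64d "$1"; }

# Usage (constructed sample values):
#   make_secret_manifest mysecret username=admin password=s3cr3t
#   decode_secret_value dXNlcm5hbWU=
```

Because the transformation is reversible with one command, RBAC on the Secret object, encryption at rest in etcd and care with exported manifests are what actually protect the value.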
Using Secrets in Pods
Secrets can be consumed by pods in different ways:
As Environment Variables
# Pod definition using Secret as environment variables
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image: nginx
    env:
    - name: USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
As Mounted Volumes
# Pod definition using Secret as mounted volumes
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image: nginx
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret"
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: mysecret
Best Practices
Follow these best practices when using Secrets:
- Use Encryption: Ensure that Secrets are encrypted at rest and in transit to protect sensitive data.
- Limit Access: Use Role-Based Access Control (RBAC) to restrict access to Secrets to only those who need it.
- Rotate Secrets Regularly: Regularly update and rotate Secrets to reduce the risk of compromise.
- Avoid Hardcoding: Do not hardcode sensitive information in application code. Use Secrets to manage sensitive data securely.
- Audit Access: Enable auditing to monitor access to Secrets and detect any unauthorized access attempts.
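To make the "Limit Access" practice concrete, here is an added example (not from the original guide) in shell: one function renders a Role and RoleBinding that let a single ServiceAccount `get` exactly one named Secret, and a second function lints a Role manifest for the over-broad shapes that defeat this: `list`, `watch` or `*` on secrets, a wildcard resource, or `get` with no `resourceNames`, since `list` and `watch` return full Secret contents for the whole namespace. The namespace `default`, Secret `mysecret` and ServiceAccount `app-sa` are constructed names.

```shell
#!/bin/sh
# Added example, not from the original guide. Names below are constructed.

# render_secret_reader_role NAMESPACE SECRET SERVICEACCOUNT
# Least-privilege read access: one verb, one named Secret, one subject.
render_secret_reader_role() {
  ns="$1"; secret="$2"; sa="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${secret}-reader
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["${secret}"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${secret}-reader-binding
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: Role
  name: ${secret}-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# secrets_rule_is_overbroad < manifest
# Exit 0 if any rule touching secrets (or all resources) grants list/watch/*,
# or grants get without restricting resourceNames; exit 1 otherwise.
secrets_rule_is_overbroad() {
  awk '
    function check() {
      if (res ~ /secrets|\*/) {
        if (verbs ~ /list|watch|\*/ || names == "") return 1
      }
      return 0
    }
    /^- apiGroups/ { if (check()) bad = 1; res = ""; verbs = ""; names = "" }
    /resources:/      { res = $0 }
    /verbs:/          { verbs = $0 }
    /resourceNames:/  { names = $0 }
    END { if (check()) bad = 1; exit bad ? 0 : 1 }
  '
}

# Usage (constructed names):
#   render_secret_reader_role default mysecret app-sa | kubectl apply -f -
#   kubectl get role some-role -o yaml | secrets_rule_is_overbroad && echo "over-broad"
```

Run the lint against existing Roles and ClusterRoles during review; it is a heuristic over the YAML text, so a rule that spreads `resources` across multiple list items should still be read by hand.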
Conclusion
This guide provided an overview of Secrets in Kubernetes, including their creation, usage, and best practices. By understanding and using Secrets effectively, you can manage sensitive information securely and separately from your application code, enhancing the security and portability of your applications.