
Decoding Kubernetes secret


Kubernetes has become the de facto standard for container orchestration, providing a comprehensive framework to manage containerized applications. One of the essential features offered by Kubernetes is handling secrets. This article aims to provide a detailed understanding of Kubernetes Secrets, focusing on their usage and practical implications.

Understanding Kubernetes Secrets

A Kubernetes Secret is an object that stores sensitive data like passwords, OAuth tokens, SSH keys, etc., in a base64-encoded format. They provide an extra layer of security compared to storing this information in plaintext inside ConfigMaps or directly in Pod specifications.

Why Use Kubernetes Secrets?

  1. Separation of Concerns: Secrets let you keep sensitive data out of application code and configuration, in line with the principle of least privilege.
  2. Decoupling: The same container image can be deployed across environments without changing the source code; only the Secret differs.
  3. Security: Although a Secret is not fully secure on its own, since its values are only base64-encoded rather than encrypted, keeping them in a separate object prevents accidental exposure when configuration files are shared or committed.

Creating Secrets in Kubernetes

You can create secrets in Kubernetes in various ways:

Using the kubectl command

The most straightforward way to create a secret is using the kubectl command with the generic subcommand:

```bash
kubectl create secret generic db-credentials \
  --from-literal=username=admin \
  --from-literal=password=Secret123
```

This command creates a secret named db-credentials with keys username and password.

Using YAML Files

You can also define secrets in a declarative manner using a YAML file:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  username: YWRtaW4=
  password: U2VjcmV0MTIz
```

In the YAML definition:

  • data holds key-value pairs, where values are base64-encoded strings.
  • Opaque is a default Secret type used for generic secrets.

To create the secret from this file:

```bash
kubectl apply -f secret.yaml
```
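Because the values under `data` are only base64-encoded, anyone who can read the manifest (or run `kubectl get secret -o json`) can recover them. The following script is an added example, not part of the article: it decodes the `data` block of the `db-credentials` Secret above from a constructed JSON copy of the object and builds the `data` block back from plaintext, encoding the exact bytes so no stray newline ends up in the value.

```python
import base64
import binascii
import json

# Constructed sample modelled on `kubectl get secret db-credentials -o json`
# for the manifest in this article (only the fields needed here are included).
SECRET_JSON = """
{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {"name": "db-credentials", "namespace": "default"},
  "type": "Opaque",
  "data": {"username": "YWRtaW4=", "password": "U2VjcmV0MTIz"}
}
"""


def decode_secret(manifest_json: str) -> dict:
    """Return the plaintext key/value pairs of a Secret's `data` block.

    The API server stores `data` values as standard padded base64 and rejects
    anything else, so invalid input is rejected here too rather than returned
    as garbage.
    """
    secret = json.loads(manifest_json)
    if secret.get("kind") != "Secret":
        raise ValueError("not a Secret manifest")
    decoded = {}
    for key, value in (secret.get("data") or {}).items():
        try:
            decoded[key] = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"data[{key!r}] is not valid base64 text: {exc}") from exc
    return decoded


def encode_secret_data(plaintext: dict) -> dict:
    """Build the `data` block of a declarative Secret from plaintext values.

    A frequent mistake is `echo value | base64`, which also encodes the
    trailing newline; encoding the exact bytes avoids that.
    """
    return {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
            for k, v in plaintext.items()}


if __name__ == "__main__":
    values = decode_secret(SECRET_JSON)
    print(values)  # {'username': 'admin', 'password': 'Secret123'}
    print(encode_secret_data(values) == json.loads(SECRET_JSON)["data"])  # True
```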

Using Secrets in Pods

Secrets can be accessed from Pods in a few ways:

As Environment Variables

You can mount secrets as environment variables in Pod containers:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  containers:
    - name: example-container
      image: myapp:latest
      env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password
```

As Volumes

If you prefer to mount secrets as files within your container, you can do so using volumes:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-pod-volume
spec:
  containers:
    - name: example-container
      image: myapp:latest
      volumeMounts:
        - name: secret-volume
          mountPath: "/etc/secret-volume"
  volumes:
    - name: secret-volume
      secret:
        secretName: db-credentials
```

In this setup, each key of the Secret becomes a file in the container: the values are written to /etc/secret-volume/username and /etc/secret-volume/password.

Securing Secrets

Encrypting Secrets

In Kubernetes, you can configure Encryption at Rest so that Secret data is encrypted before it is written to etcd, the datastore that holds all cluster state. Here's an example encryption configuration file:

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used to encrypt new writes; every listed
      # provider is tried when reading, so `identity` keeps secrets that were
      # stored in plaintext before encryption was enabled readable.
      - aescbc:
          keys:
            - name: key1
              secret: <Base64-encoded secret>
      - identity: {}
```

To enable encryption, point the --encryption-provider-config flag of kube-apiserver at this file (in the kube-apiserver static Pod manifest on kubeadm clusters) and restart the API server.
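Enabling the provider does not re-encrypt Secrets that are already in etcd; they stay in the clear until each object is rewritten. A practical check is to read a Secret's raw value out of etcd and look at its prefix: the API server writes encrypted values as `k8s:enc:<provider>:v<n>:<keyname>:` followed by ciphertext, while an unencrypted object starts with the protobuf magic `k8s\x00` (or `{` for JSON). The script below is an added example, not from the article, working on constructed byte strings modelled on what `etcdctl get` would return.

```python
import re

# Prefix written by the API server in front of an encrypted etcd value, e.g.
# b"k8s:enc:aescbc:v1:key1:" for the aescbc provider and key name above.
ENC_PREFIX = re.compile(rb"^k8s:enc:(?P<provider>[a-z0-9]+):v(?P<ver>\d+):(?P<key>[^:]+):")

# Constructed samples (the ciphertext and protobuf bytes are made up):
# one value written after aescbc was enabled, one written earlier by `identity`.
ENCRYPTED_SAMPLE = b"k8s:enc:aescbc:v1:key1:" + bytes(range(32))
PLAINTEXT_SAMPLE = b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret"


def encryption_status(raw: bytes):
    """Return (provider, key_name) if the etcd value is encrypted, else None."""
    m = ENC_PREFIX.match(raw)
    if m is None:
        return None
    return m.group("provider").decode("ascii"), m.group("key").decode("ascii")


def is_plaintext_object(raw: bytes) -> bool:
    """True when the value is an unencrypted Kubernetes object (protobuf or JSON)."""
    return raw.startswith(b"k8s\x00") or raw.lstrip().startswith(b"{")


def unencrypted_keys(entries) -> list:
    """Given (etcd_key, raw_value) pairs, list the keys still stored in the clear.

    These are the Secrets that need to be rewritten (for example with
    `kubectl get secrets -A -o json | kubectl replace -f -`) after enabling
    the provider.
    """
    return [key for key, raw in entries
            if encryption_status(raw) is None and is_plaintext_object(raw)]


if __name__ == "__main__":
    store = [
        ("/registry/secrets/default/db-credentials", ENCRYPTED_SAMPLE),
        ("/registry/secrets/default/legacy-token", PLAINTEXT_SAMPLE),
    ]
    print(encryption_status(ENCRYPTED_SAMPLE))  # ('aescbc', 'key1')
    print(unencrypted_keys(store))  # ['/registry/secrets/default/legacy-token']
```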

Role-Based Access Control (RBAC)

Employ RBAC to control who can view and modify Secrets. Define Roles and RoleBindings specifically for Secret access, granting them only to the users and service accounts that need it.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # Note: list and watch return full Secret objects, so this Role can read
    # the contents of every Secret in the namespace, not just their names.
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-secrets
  namespace: default
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```

Key Points Summary

| Aspect | Description |
| --- | --- |
| Definition | Stores sensitive data like passwords and tokens |
| Creation | Via kubectl or YAML files, data base64-encoded |
| Usage | Environment variables or file mounts in Pods |
| Encryption | Encryption at Rest for data stored in etcd |
| Access Control | Managed through RBAC policies |

Conclusion

Kubernetes Secrets provide a flexible and secure way to manage sensitive information, crucial for deploying and managing applications at scale. By understanding how to create, manage, and use secrets, you can leverage Kubernetes to its full potential while maintaining security best practices. Be sure to utilize the mechanisms available like encryption and RBAC to protect your secrets from unauthorized access.
