Using Secrets with Kubernetes Deployments and Pods

Updated: January 31, 2024 By: Guest Contributor

Introduction

Managing sensitive data is a crucial aspect of any application deployment. In Kubernetes, sensitive data such as passwords, OAuth tokens, and SSH keys is managed with the Secret object. This tutorial walks through using Secrets in Kubernetes so that sensitive data is handled securely instead of being hardcoded into your application's images or scripts.

Understanding Kubernetes Secrets

Before we dive into practice, it's important to understand what Secrets are and why they're necessary. Secrets are intended to hold sensitive information and keep it out of Kubernetes manifests and Pod specifications. When a Secret is mounted into a Pod, the volume is backed by tmpfs on the node, so its contents are not written to the node's disk.

A Secret can be used with a Pod in three ways:

  • As files in a volume mounted on one or more of its containers
  • As environment variables
  • As image pull credentials used by the kubelet when pulling the Pod's container images

Now, we’ll explore each method through practical examples.

Creating a Simple Secret

To create a Secret, you can use a file like this:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: UGFzc3dvcmRBMTIz

Values under data must be base64-encoded. You can produce the encoded value with the command echo -n 'PasswordA123' | base64 (the -n matters: without it, the trailing newline that echo emits becomes part of the stored value).

Apply this secret using:

kubectl apply -f secret.yaml

You should see:

secret/my-secret created
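As an added example (not part of the original tutorial), the following POSIX shell script generates the Secret manifest shown above from plain values, performing the same base64 step as the echo -n ... | base64 command. The function names b64, b64_decode and secret_manifest are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build an Opaque Secret manifest
# from KEY=VALUE pairs, base64-encoding each value. Function names are hypothetical.

# b64 VALUE: base64-encode VALUE without a trailing newline and without line
# wrapping (GNU base64 wraps output at 76 columns, which would corrupt the YAML value).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# b64_decode ENCODED: reverse of b64. base64 is an encoding, not encryption:
# anyone who can read the manifest (or the Secret object) can recover the value.
b64_decode() {
  printf '%s' "$1" | base64 -d
}

# secret_manifest NAME KEY=VALUE [KEY=VALUE ...]: print an Opaque Secret manifest
# whose data section holds the base64-encoded values.
secret_manifest() {
  name="$1"
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key="${kv%%=*}"    # text before the first '='
    value="${kv#*=}"   # everything after the first '=' (may itself contain '=')
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# Usage: secret_manifest my-secret password=PasswordA123 > secret.yaml
```

The same manifest can be produced by kubectl itself with kubectl create secret generic my-secret --from-literal=password=PasswordA123 --dry-run=client -o yaml, which is usually preferable to hand-editing base64. Either way, treat the generated file as sensitive: it contains the credential in recoverable form, so keep it out of version control.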

Using a Secret as an Environment Variable

Next, you’ll see how to pass the secret to a Pod as an environment variable.

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: myapp-container
    image: myapp-image
    env:
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: my-secret
            key: password

Now the application running in the Pod can read the password from the ${SECRET_PASSWORD} environment variable.

Mounting Secrets as Volumes

The following manifest mounts the Secret as a volume. Each key in the Secret's data becomes a file in the mount directory, with the key as the filename and the decoded value as the file's contents.

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: myapp-container
    image: myapp-image
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret"
  volumes:
  - name: secret-volume
    secret:
      secretName: my-secret

When the Pod is running, the file /etc/secret/password exists inside the container and contains the Secret's decoded value.
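The two delivery methods above (environment variable and volume file) are often both supported by an application's entrypoint. As an added example that is not part of the original tutorial, the following POSIX shell helper reads a secret from the mounted file first and falls back to the environment variable. The function name load_secret and the SECRET_DIR override are hypothetical; the default directory /etc/secret and the SECRET_PASSWORD variable name match the manifests above.

```shell
#!/bin/sh
# Added example, not from the original tutorial: entrypoint-style helper that
# reads a secret from a Secret volume file (preferred) or from an environment
# variable populated via secretKeyRef. Names are hypothetical.

# load_secret KEY: print the value of secret KEY.
# Order: $SECRET_DIR/KEY (default /etc/secret/KEY), then env var SECRET_<KEY upper-cased>.
# Returns 1 and prints a message to stderr if neither source is available.
load_secret() {
  key="$1"
  dir="${SECRET_DIR:-/etc/secret}"

  # Volume mount: cat preserves the exact bytes of the file.
  if [ -r "$dir/$key" ]; then
    cat "$dir/$key"
    return 0
  fi

  # Environment variable: derive a safe variable name (A-Z, 0-9, _ only)
  # before using eval for the indirect lookup.
  var="SECRET_$(printf '%s' "$key" | tr 'a-z' 'A-Z' | tr -c 'A-Z0-9_' '_')"
  val=$(eval "printf '%s' \"\${$var:-}\"")
  if [ -n "$val" ]; then
    printf '%s' "$val"
    return 0
  fi

  echo "secret '$key' not found at $dir/$key or in \$$var" >&2
  return 1
}

# Usage: DB_PASSWORD=$(load_secret password) || exit 1
```

Preferring the file over the environment variable is deliberate: environment variables are inherited by every child process and show up in /proc/<pid>/environ and crash dumps, whereas a file read on demand stays with the process that needs it. Note also that the volume file is updated when the Secret changes, while an environment variable is fixed for the life of the container.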

Creating Secrets from Files

To create a Secret from a file, you can run:

kubectl create secret generic my-secret --from-file=path/to/my/password.txt

The file's contents become the Secret's value, stored under a key named after the file (here password.txt).

Advanced Secrets Configuration

Kubernetes can also be extended to automate Secret creation, for example by syncing from a cloud provider's secret management service. ExternalSecret is not a built-in Kubernetes type; it requires an external-secrets controller to be installed in the cluster. Here is an example ExternalSecret manifest that syncs credentials from AWS Secrets Manager:

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: my-database-secret
spec:
  backendType: secretsManager
  data:
    - key: /my-app/my-database-credentials
      name: db-credentials

Once deployed, the controller retrieves the credentials from AWS Secrets Manager and writes them into a Kubernetes Secret, so you do not have to update the Secret manually every time the credentials rotate.

Conclusion

Kubernetes Secrets are a crucial element for managing sensitive information within containerized applications. Whether you create them from manifests or files or sync them automatically from a cloud service, implementing Secrets properly keeps your sensitive data out of images and manifests and exposes it only to the workloads that need it. By following the practices outlined in this guide, you can confidently manage your applications' secret data in Kubernetes.