Introduction
Managing sensitive data is a crucial aspect of any application deployment. In Kubernetes, sensitive data such as passwords, OAuth tokens, and SSH keys is managed with the Secret object. This tutorial walks through using Secrets so that sensitive values are not hardcoded into your application's images, manifests, or scripts, and points out where Secrets are weaker than their name suggests.
Understanding Kubernetes Secrets
Before we dive into practice, it's important to understand what Secrets are and what they do and do not protect. A Secret holds sensitive information separately from Pod specifications and container images, so that those can be shared and versioned freely. Secrets are stored in the cluster's etcd database; by default they are only base64-encoded there, not encrypted, and anyone with RBAC permission to read Secrets in a namespace can read their values. Only the copy that the kubelet projects into a Pod's volume lives on tmpfs on the node, so it is not written to the node's disk. Enable encryption at rest for the secrets resource and keep RBAC on Secrets tight if the data matters.
A Secret can be used with a Pod in three ways:
- As files in a volume mounted on one or more of its containers
- As environment variables
- By the kubelet, as image pull credentials when pulling the Pod's images
Now, we’ll explore each method through practical examples.
Creating a Simple Secret
To create a Secret, write a manifest such as the following and save it as secret.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: UGFzc3dvcmRBMTIz
Values under data must be base64-encoded. The one above was produced with echo -n 'PasswordA123' | base64; the -n matters, because without it the trailing newline becomes part of the stored password. Base64 is an encoding, not encryption: anyone who can read the Secret can recover the value with base64 -d. If you would rather write plaintext in the manifest, use the stringData field instead of data and the API server encodes it for you.
Apply this secret using:
kubectl apply -f secret.yaml
You should see:
secret/my-secret created
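The following shell script is an added example, not code from the original article. It generates the manifest above from a plaintext value, shows how a bare echo silently changes the stored password, and shows that the encoded value decodes straight back to plaintext. It assumes only a POSIX shell and the coreutils base64 and tr commands; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): build an Opaque Secret
# manifest from a plaintext value and demonstrate two properties of the
# data field: "echo" without -n alters the encoded value, and base64 is
# reversible, so anyone allowed to read the Secret can read the password.
set -eu

# Base64-encode a string with no trailing newline and no line wrapping.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a base64 value back to plaintext, which is exactly what
# "kubectl get secret my-secret -o jsonpath='{.data.password}' | base64 -d" does.
b64_decode() {
  printf '%s' "$1" | base64 -d
}

# Emit an Opaque Secret manifest for a single key/value pair.
# Usage: secret_manifest NAME KEY VALUE
secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$1" "$2" "$(b64 "$3")"
}

# Same Secret written with stringData: the API server base64-encodes the
# value on admission. The value is double-quoted, so escape any '"' in it.
secret_manifest_stringdata() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\nstringData:\n  %s: "%s"\n' \
    "$1" "$2" "$3"
}

# Pitfall: a bare echo appends "\n", so the encoded value ends in "Cg==" and
# the application receives "PasswordA123\n" instead of "PasswordA123".
b64_with_newline() {
  echo "$1" | base64 | tr -d '\n'
}

# Demonstration with the constructed value used in the article.
secret_manifest my-secret password 'PasswordA123'
# To create it in a cluster: secret_manifest my-secret password 'PasswordA123' | kubectl apply -f -
printf 'correct:      %s\nwith newline: %s\ndecoded:      %s\n' \
  "$(b64 'PasswordA123')" "$(b64_with_newline 'PasswordA123')" "$(b64_decode 'UGFzc3dvcmRBMTIz')"
```

Piping the manifest straight into kubectl apply -f - avoids leaving a file containing the encoded password on disk; if you do keep secret.yaml, treat it with the same care as the plaintext and keep it out of version control.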
Using a Secret as an Environment Variable
Next, you'll see how to pass the Secret to a Pod as an environment variable.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: myapp-container
    image: myapp-image
    env:
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: password
Now the container's environment contains the decoded password as ${SECRET_PASSWORD}. Two caveats: environment variables are read once at container start, so a rotated Secret is not picked up until the Pod is recreated, and they are inherited by every child process and tend to end up in crash dumps and debug output. For anything beyond a single value, mounting the Secret as a volume is usually the better choice.
Mounting Secrets as Volumes
The following manifest mounts the Secret as a volume. Each key in the Secret's data becomes a file under the mount path, with the key as the filename and the decoded value as the file's contents.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: myapp-container
    image: myapp-image
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret"
  volumes:
  - name: secret-volume
    secret:
      secretName: my-secret
When the Pod is running, the file /etc/secret/password contains the decoded value. Unlike environment variables, files in a Secret volume are refreshed by the kubelet when the Secret changes (after its sync period), unless the container mounts them with subPath. The files are created with mode 0644 by default, which any user inside the container can read; set defaultMode in the secret volume source (for example 0400) and run the container as the matching user if other processes in the container should not see them.
Creating Secrets from Files
To create a Secret directly from a file, without writing a manifest, run:
kubectl create secret generic my-secret --from-file=path/to/my/password.txt
The file's contents become the value and the file's basename (password.txt here) becomes the key, so the Pod above would see /etc/secret/password.txt. Use --from-file=password=path/to/my/password.txt to choose the key explicitly, and append --dry-run=client -o yaml to print the resulting manifest instead of creating it in the cluster.
Advanced Secrets Configuration
Secrets can also be synchronised automatically from a cloud provider's secret manager by an operator running in the cluster, rather than by Kubernetes itself. The snippet below uses the ExternalSecret resource of the kubernetes-external-secrets project (apiVersion kubernetes-client.io/v1). That project is now deprecated in favour of the External Secrets Operator, whose resource of the same name uses a different schema, but the pattern is the same. Here it pulls credentials from AWS Secrets Manager:
apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: my-database-secret
spec:
  backendType: secretsManager
  data:
  - key: /my-app/my-database-credentials
    name: db-credentials
Once deployed, the operator reads the Secrets Manager entry named in key and creates or updates a Kubernetes Secret called my-database-secret with a db-credentials key, so rotations in Secrets Manager are picked up without editing anything in the cluster. The operator needs IAM permission to read that entry, and the Secret it produces is an ordinary Kubernetes Secret, so the storage and RBAC caveats above still apply to it.
Conclusion
Kubernetes Secrets are the standard way to keep sensitive values out of images and Pod specifications. Whether you create them from manifests, from files, or by syncing from a cloud secret manager, remember that a Secret is only as protected as the etcd encryption and RBAC around it, and choose volume mounts over environment variables where you can. With those practices in place you can manage your applications' secret data in Kubernetes with confidence.