Using Secrets in Kubernetes

In Kubernetes, a Secret is a resource designed to store sensitive information, such as passwords, OAuth tokens, SSH keys, and other confidential data. Secret values are stored base64-encoded; base64 is an encoding, not encryption, so the protection comes from Kubernetes access control (and encryption at rest, where the cluster has it enabled), not from the encoding itself. Secrets let you manage sensitive information without embedding it in your application code or configuration files.

Purpose of Secrets

The main purposes of using Secrets in Kubernetes are:

  • Security: Secrets help protect sensitive information by keeping it out of your application code and configuration files.
  • Decoupling: Secrets allow you to decouple sensitive data from your application, making it easier to manage and update without redeploying the application.
  • Access Control: Kubernetes provides fine-grained access control for Secrets, allowing you to specify which users and applications can access sensitive information.

Creating a Secret

You can create a Secret in several ways, including from literal values, files, or directories. Below is a sample YAML configuration for creating a Secret:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  DATABASE_PASSWORD: "cGFzc3dvcmQ="   # base64-encoded value of "password"

Explanation of the Secret Configuration

  • apiVersion: Specifies the version of the Kubernetes API for the Secret.
  • kind: Indicates that this resource is a Secret.
  • metadata: Contains data that helps uniquely identify the Secret, including its name.
  • type: Specifies the type of Secret. Opaque is the default type for arbitrary user-defined data.
  • data: Key-value pairs that store the sensitive information. The values must be base64 encoded.
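The base64 step is where most hand-made Secrets go wrong. The script below is an added example, not part of the original page: it encodes a value the way the data field expects, shows the common "echo appends a newline" mistake, decodes a stored value to make the point that base64 is reversible, and renders the manifest both in the data form and in the stringData form (where the API server does the encoding). The Secret and key names come from the page; the helper function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page). "my-secret" and
# "DATABASE_PASSWORD" are taken from the page; the function names are
# assumptions made for this example.

# Encode a value exactly as the Secret "data:" field expects:
# printf (not echo) so no trailing newline is encoded, tr to drop line wraps.
b64enc() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a stored "data:" value: base64 is reversible, so anyone allowed to
# read the Secret object reads the plaintext. Access control is the boundary.
b64dec() {
  printf '%s' "$1" | base64 -d
}

# The pitfall: echo appends "\n", which is encoded too, so the stored
# password becomes "password\n" and the application's login fails.
b64enc_with_echo_pitfall() {
  echo "$1" | base64 | tr -d '\n'
}

# Render a Secret manifest for NAME with one KEY=VALUE pair (data form).
render_secret_manifest() {
  name=$1; key=$2; value=$3
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  $key: "$(b64enc "$value")"
EOF
}

# Same Secret in the stringData form: the API server base64-encodes the
# value on write, so no manual encoding step exists to get wrong.
render_secret_manifest_stringdata() {
  name=$1; key=$2; value=$3
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
stringData:
  $key: "$value"
EOF
}

# Usage (needs a reachable cluster): take the value from the environment or a
# secret manager rather than committing it, then pipe the manifest to kubectl:
#   render_secret_manifest my-secret DATABASE_PASSWORD "$DB_PASS" | kubectl apply -f -
```

Rendering the manifest at deploy time and piping it straight into kubectl means the encoded value never lands in a file in the repository; if you do write the YAML to disk, keep it out of version control.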

Using a Secret in a Pod

You can use a Secret in a pod by mounting it as a volume or by exposing it as environment variables. Below is a sample pod configuration that uses the Secret:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: my-container
    image: my-image:latest
    env:
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: DATABASE_PASSWORD

Explanation of the Pod Configuration

  • apiVersion: Specifies the version of the Kubernetes API for the Pod.
  • kind: Indicates that this resource is a Pod.
  • metadata: Contains data that helps uniquely identify the Pod, including its name.
  • spec: Defines the desired state of the Pod.
  • containers: A list of containers that will be run in the Pod.
  • env: Specifies environment variables for the container. In this case, the value for DATABASE_PASSWORD is sourced from the Secret using secretKeyRef.
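The page shows the environment-variable form; the volume form it mentions is usually the safer choice, because environment variables are inherited by every child process and tend to show up in crash dumps and diagnostic output, while a mounted file can be made readable only by the container user and is refreshed in place when the Secret changes. The script below is an added example, not part of the original page, and goes a step beyond it: it renders the same pod consuming my-secret as a read-only volume, plus a Role and RoleBinding that let one service account read that one Secret and nothing else. The pod, container, image and Secret names come from the page; the service account name, the mount path and the helper function names are assumptions. Note that the kubelet mounts the Secret on the pod's behalf, so the Role is for anything that reads the Secret through the API (a deployment tool, an operator), not for the mount itself.

```shell
#!/bin/sh
# Added example (not from the original page). "my-app", "my-container",
# "my-image:latest" and "my-secret" are from the page; "app-sa",
# "/etc/db-credentials" and the function names are assumptions.

# Pod that consumes the Secret as a read-only, owner-readable file
# instead of an environment variable.
render_pod_with_secret_volume() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  serviceAccountName: app-sa
  automountServiceAccountToken: false   # this pod never calls the API server
  containers:
  - name: my-container
    image: my-image:latest
    volumeMounts:
    - name: db-credentials
      mountPath: /etc/db-credentials
      readOnly: true
  volumes:
  - name: db-credentials
    secret:
      secretName: my-secret
      defaultMode: 0400                  # readable by the container user only
      items:
      - key: DATABASE_PASSWORD
        path: password                   # becomes /etc/db-credentials/password
EOF
}

# Role that grants "get" on one named Secret (resourceNames) rather than
# list/watch on every Secret in the namespace, bound to one service account.
# Arguments: SECRET_NAME SERVICE_ACCOUNT NAMESPACE
render_secret_reader_role() {
  secret_name=$1; subject_sa=$2; ns=$3
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-$secret_name
  namespace: $ns
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["$secret_name"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-$secret_name
  namespace: $ns
subjects:
- kind: ServiceAccount
  name: $subject_sa
  namespace: $ns
roleRef:
  kind: Role
  name: read-$secret_name
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Usage (needs a cluster):
#   render_pod_with_secret_volume | kubectl apply -f -
#   render_secret_reader_role my-secret app-sa default | kubectl apply -f -
```

With resourceNames in place, `kubectl get secrets` (a list) still fails for that service account even though `kubectl get secret my-secret` succeeds; that asymmetry is the point, since list and watch return every Secret in the namespace.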

Updating a Secret

You can update a Secret by modifying its configuration and applying the changes. For example, to update the DATABASE_PASSWORD in the existing Secret, you can use the following command:

kubectl create secret generic my-secret --from-literal=DATABASE_PASSWORD=newpassword --dry-run=client -o yaml | kubectl apply -f -

Two things to keep in mind: a value passed with --from-literal ends up in your shell history and in the process list, so prefer --from-file for real passwords; and containers that consume the Secret through environment variables keep the old value until they are restarted, whereas a volume mount picks up the new value in place.

Accessing Secrets

You can list the Secrets in the current namespace by running:

kubectl get secrets

To view the details of a specific Secret, you can use:

kubectl describe secret my-secret

describe shows the Secret's type and the names and sizes of its keys but not the values, which is the right default for a command that is often run in shared terminals.

Conclusion

Secrets in Kubernetes provide a secure way to manage sensitive information required by your applications. By using Secrets, you can keep sensitive data out of your application code and configuration files, ensuring better security and easier management. Understanding how to create, use, and update Secrets is essential for maintaining the confidentiality of sensitive information in your Kubernetes deployments. This capability enhances the overall security posture of your applications while allowing for flexibility in managing sensitive configurations.