Kubernetes Secrets are API objects for holding small amounts of sensitive data, such as passwords, OAuth tokens, and SSH keys, separately from the Pod specs and container images that use them. A Secret is not encrypted by default: its values are only base64-encoded, so anyone, or any workload, allowed to read Secrets in a namespace can recover them.
Using Secrets gives you more flexibility in how you define a Pod's lifecycle and more control over how sensitive data is consumed, and it reduces the risk of exposing that data to unauthorized users, provided that access to the Secret objects themselves is restricted with RBAC.
- Secrets are namespaced objects.
- Secrets can be mounted as data volumes or exposed as environment variables to a container in a Pod.
- Secret data mounted as a volume is held in tmpfs on the node, so it is never written to the node's disk.
- The API server stores Secrets in etcd base64-encoded but unencrypted unless encryption at rest is configured (EncryptionConfiguration); anyone with access to etcd, or to etcd backups, can read them.
- There is a per-Secret size limit of 1 MiB.
Creating a Secret
Using kubectl create secret:
Create username.txt and password.txt files. The -n flag matters: without it, echo appends a newline that becomes part of the stored value, and the password in the cluster would no longer match the real one.
$ echo -n 'root' > ./username.txt
$ echo -n 'Mq2D#(8gf09' > ./password.txt
$ kubectl create secret generic db-creds --from-file=./username.txt --from-file=./password.txt
secret "db-creds" created
$ kubectl get secret/db-creds
NAME       TYPE     DATA   AGE
db-creds   Opaque   2      26s
$ kubectl describe secret/db-creds
Name:         db-creds
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password.txt:  11 bytes
username.txt:  4 bytes
Note that describe prints only the size of each value; kubectl get -o yaml (shown below) prints the base64-encoded values themselves.
Using YAML file:
A Secret has two maps for values: data and stringData. Values in data must be base64-encoded; stringData accepts plain strings, which the API server base64-encodes and merges into data when the object is written (a key present in both takes its value from stringData). Encode the values first:
$ echo -n 'root' | base64
cm9vdA==
$ echo -n 'Mq2D#(8gf09' | base64
TXEyRCMoOGdmMDk=
Write a Secret YAML file:
apiVersion: v1
kind: Secret
metadata:
  name: database-creds
type: Opaque
data:
  username: cm9vdA==
  password: TXEyRCMoOGdmMDk=
Create the Secret using kubectl create
$ kubectl create -f creds.yaml
secret "database-creds" created
$ kubectl get secret/database-creds
NAME TYPE DATA AGE
database-creds Opaque 2 1m
Decoding a Secret
$ kubectl get secret/database-creds -o yaml
apiVersion: v1
data:
  password: TXEyRCMoOGdmMDk=
  username: cm9vdA==
kind: Secret
metadata:
  creationTimestamp: 2019-02-25T06:22:37Z
  name: database-creds
  namespace: default
  resourceVersion: "2657"
  selfLink: /api/v1/namespaces/default/secrets/database-creds
  uid: bf0cef90-38c5-11e9-8c95-42010a800068
type: Opaque
The values are only base64-encoded, so anyone allowed to read the Secret can recover them with a one-liner (restrict get, list and watch on secrets with RBAC accordingly):
$ echo -n "cm9vdA==" | base64 --decode
root
$ echo -n "TXEyRCMoOGdmMDk=" | base64 --decode
Mq2D#(8gf09
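Because a Secret is only base64-encoded, the decoding above works for anyone who can read the object, and the same encoding rules trip people up in the other direction. The following is an added example, not code from the original page: using only the standard library, it reproduces what the API server does with data and stringData (stringData is base64-encoded and merged into data on write, with stringData winning on a duplicate key), recovers the plaintext from a stored manifest, and flags values that were encoded with a trailing newline (echo without -n). The function names are this example's own; the manifests are Python dicts mirroring the YAML on this page, since a Secret manifest is valid JSON and needs no YAML parser.

```python
"""Added example (not from the original page): Secret value encoding, the
stringData merge, plaintext recovery, and the trailing-newline check."""
from __future__ import annotations

import base64
import json


def encode_value(plain: str) -> str:
    """Standard base64 of the UTF-8 bytes, as a Secret's .data map requires."""
    return base64.b64encode(plain.encode("utf-8")).decode("ascii")


def decode_value(encoded: str) -> bytes:
    """Reverse of encode_value. Returns bytes: Secret values are arbitrary bytes."""
    return base64.b64decode(encoded, validate=True)


def build_secret(name: str, values: dict[str, str], namespace: str = "default") -> dict:
    """Build an Opaque Secret manifest with every value base64-encoded into .data."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: encode_value(v) for k, v in values.items()},
    }


def normalize_secret(manifest: dict) -> dict:
    """Emulate what the API server does on write: base64-encode each stringData
    entry and merge it into data (stringData wins on a duplicate key), then drop
    stringData. The stored object never keeps plaintext in stringData."""
    out = json.loads(json.dumps(manifest))  # deep copy; leave the input untouched
    data = dict(out.get("data") or {})
    for key, plain in (out.pop("stringData", None) or {}).items():
        data[key] = encode_value(plain)
    out["data"] = data
    return out


def reveal(manifest: dict) -> dict[str, str]:
    """Decode every .data entry. This is all that someone with `get secrets`
    needs: base64 is an encoding, not encryption."""
    return {k: decode_value(v).decode("utf-8", errors="replace")
            for k, v in (manifest.get("data") or {}).items()}


def keys_with_trailing_newline(manifest: dict) -> list[str]:
    """Values produced with `echo 'x' | base64` (no -n) carry a trailing newline
    that becomes part of the credential and silently breaks logins."""
    return sorted(k for k, v in (manifest.get("data") or {}).items()
                  if decode_value(v).endswith(b"\n"))


if __name__ == "__main__":
    secret = build_secret("database-creds", {"username": "root", "password": "Mq2D#(8gf09"})
    print(json.dumps(secret, indent=2))        # a manifest kubectl create -f would accept
    print(reveal(secret))                      # plaintext straight back out
    # Constructed manifest mixing data and stringData with a conflicting key
    mixed = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "m"},
             "type": "Opaque", "data": {"password": encode_value("old")},
             "stringData": {"password": "new", "host": "db.internal"}}
    print(reveal(normalize_secret(mixed)))     # password comes from stringData
    # Constructed value encoded without -n: 'cm9vdAo=' is "root\n"
    print(keys_with_trailing_newline({"data": {"username": "cm9vdAo="}}))
```

Run keys_with_trailing_newline against `kubectl get secret NAME -o json` output before debugging a failed database login; a stray newline in a password is the most common reason a Secret that "looks right" does not work.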
Using Secrets
A Secret can be used with your workloads in two ways:
- specify environment variables that reference the Secret’s values
- mount a volume containing the Secret.
Environment variables (a value injected this way lives in the container's process environment, where it is inherited by every child process, can surface in crash dumps and debug output, and is not refreshed when the Secret is updated):
apiVersion: v1
kind: Pod
metadata:
  name: php-mysql-app
spec:
  containers:
  - name: php-app
    image: php:latest
    env:
    - name: MYSQL_USER
      valueFrom:
        secretKeyRef:
          name: database-creds
          key: username
    - name: MYSQL_PASSWORD
      valueFrom:
        secretKeyRef:
          name: database-creds
          key: password
Secret as volume (each key becomes a file under the mount path, here /etc/dbcreds/username and /etc/dbcreds/password; the files live in tmpfs, are refreshed when the Secret changes, and can be further restricted with readOnly: true and a defaultMode such as 0400):
apiVersion: v1
kind: Pod
metadata:
  name: redis-pod
spec:
  containers:
  - name: redis-pod
    image: redis
    volumeMounts:
    - name: dbcreds
      mountPath: "/etc/dbcreds"
      readOnly: true
  volumes:
  - name: dbcreds
    secret:
      secretName: database-creds
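Whether a Secret is consumed through environment variables or a volume is a security choice, not only a convenience. The following audit is an added example, not code from the original page: it walks a Pod manifest, held here as a Python dict mirroring the two Pods above, and flags Secret values injected into the environment, Secret mounts that are not readOnly, and Secret volumes whose defaultMode leaves group or other bits set (unset means 0644). It also emits a hardened copy of the Pod. The finding codes and function names are this example's own, not kubectl or kube-apiserver output.

```python
"""Added example (not from the original page): audit how a Pod consumes
Secrets, and produce a hardened copy. Finding codes and helper names are
this example's own; the two manifests mirror the Pods shown on this page."""
from __future__ import annotations

import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pod: str
    container: str
    code: str
    detail: str


def _secret_volumes(spec: dict) -> dict[str, dict]:
    """volume name -> volume definition, for volumes backed by a Secret."""
    return {v["name"]: v for v in spec.get("volumes", []) if "secret" in v}


def audit_pod(pod: dict) -> list[Finding]:
    """Flag Secret values injected into the environment (inherited by child
    processes, copied into crash dumps, never refreshed) and Secret volumes
    that are writable or keep the default 0644 file mode."""
    findings: list[Finding] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    secret_vols = _secret_volumes(spec)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c["name"]
        for env in c.get("env", []):                    # single keys via secretKeyRef
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(Finding(name, cname, "SECRET_IN_ENV",
                                        f"{env['name']} <- {ref['name']}/{ref['key']}"))
        for src in c.get("envFrom", []):                # whole Secrets via secretRef
            if "secretRef" in src:
                findings.append(Finding(name, cname, "SECRET_IN_ENV",
                                        f"all keys of {src['secretRef']['name']}"))
        for m in c.get("volumeMounts", []):
            vol = secret_vols.get(m["name"])
            if vol is None:
                continue
            if not m.get("readOnly", False):
                findings.append(Finding(name, cname, "SECRET_MOUNT_WRITABLE",
                                        f"{m['mountPath']} lacks readOnly: true"))
            mode = vol["secret"].get("defaultMode")     # unset means 0644
            if mode is None or mode & 0o077:            # group/other bits set
                shown = oct(mode) if mode is not None else "unset (0644)"
                findings.append(Finding(name, cname, "SECRET_MOUNT_PERMISSIVE_MODE",
                                        f"{m['mountPath']} defaultMode {shown}"))
    return findings


def harden_secret_mounts(pod: dict, mode: int = 0o400) -> dict:
    """Copy of the Pod with every Secret mount readOnly and every Secret volume
    limited to `mode` (0o400 is 256 decimal; YAML accepts either spelling).
    Env-var injection is reported, not rewritten: moving a value into a file
    needs an application change."""
    out = copy.deepcopy(pod)
    spec = out.get("spec", {})
    names = set(_secret_volumes(spec))
    for v in spec.get("volumes", []):
        if "secret" in v:
            v["secret"]["defaultMode"] = mode
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in names:
                m["readOnly"] = True
    return out


PHP_POD = {  # the env-var Pod from this page, as a dict
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "php-mysql-app"},
    "spec": {"containers": [{"name": "php-app", "image": "php:latest", "env": [
        {"name": "MYSQL_USER", "valueFrom": {"secretKeyRef": {"name": "database-creds", "key": "username"}}},
        {"name": "MYSQL_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "database-creds", "key": "password"}}},
    ]}]},
}

REDIS_POD = {  # the volume Pod from this page, as a dict
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "redis-pod"},
    "spec": {"containers": [{"name": "redis-pod", "image": "redis", "volumeMounts": [
                 {"name": "dbcreds", "mountPath": "/etc/dbcreds", "readOnly": True}]}],
             "volumes": [{"name": "dbcreds", "secret": {"secretName": "database-creds"}}]},
}

if __name__ == "__main__":
    for pod in (PHP_POD, REDIS_POD, harden_secret_mounts(REDIS_POD)):
        for f in audit_pod(pod):
            print(f"{f.pod}/{f.container}: {f.code}: {f.detail}")
```

Run over the output of `kubectl get pods -A -o json` (one item at a time) to find every workload in a cluster that still pulls credentials into its environment; the redis-pod above passes the readOnly check but is reported for its unset defaultMode, and the hardened copy reports nothing.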
Additional info:
Secret creation syntax
kubectl create secret [TYPE] [NAME] [DATA]
TYPE can be one of the following:
- generic: Create a Secret from a local file, directory, or literal value.
- docker-registry: Create a Secret of type kubernetes.io/dockerconfigjson for authenticating to a container image registry.
- tls: Create a TLS Secret (type kubernetes.io/tls) from the given public/private key pair. The key pair must exist beforehand; the certificate must be PEM-encoded and match the given private key.
DATA can be one of the following:
--from-file (the key defaults to the file name unless given explicitly as key=path)
$ kubectl create secret generic credentials --from-file=username=./username.txt --from-file=password=./password.txt
--from-env-file (one key=value pair per line)
$ cat credentials.txt
username=admin
password=Ex67Hn*9#(jw
$ kubectl create secret generic credentials --from-env-file ./credentials.txt
--from-literal (convenient, but the value is recorded in your shell history and is visible in the process list while the command runs)
$ kubectl create secret generic literal-token --from-literal user=admin --from-literal password="Ex67Hn*9#(jw"