Introduction
Kubernetes is widely used to deploy, scale and manage containerized applications. In order to run these containerized applications securely, Kubernetes provides us with a tool known as Secrets. In this blog post, we will explore the basics of Secrets, how to create them, and how to use Secrets in a Kubernetes environment.
What are Secrets?
In Kubernetes, Secrets are objects that allow us to store and manage sensitive information, such as passwords, private keys, and tokens. These objects can be consumed by Kubernetes pods or used by Kubernetes itself for internal purposes.
Secrets are stored in Kubernetes as plain text or encoded data, but we can use Kubernetes to manage their encryption and decryption. Kubernetes also allows us to restrict access to Secrets and defines the permissions of who can access it.
Secrets are primarily used to pass confidential configuration data, such as database URLs or API keys, to a pod container securely, without exposing the actual value.
Creating Secrets
Let's go over creating Secrets in Kubernetes. Let's say we have a MySQL database that we want to connect to our application via a Kubernetes pod. The database password is pa$$word. To create a Secret object containing the database password, we need to run the following command:
kubectl create secret generic db-password --from-literal=password=pa$$word
The above command creates a Secret object named db-password in the Kubernetes cluster with the value pa$$word.
Using Secrets
Now that we have created our Secret object, we can use it in our pod configuration file by referencing the Secret name and key as an environment variable, a command-line argument, or a configuration file entry as desired.
Using Secrets as Environment Variables
In the pod definition file, if we want to use the secret as an environment variable, we must specify the environment variable config in the containers specification of the deployment manifest.
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
containers:
- name: my-container
image: my-image:latest
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: db-password
key: password
In this example, we used env to create an environment variable DB_PASSWORD, with a value coming from the Secret db-password and its key password.
Using Secrets as a Volume
In addition to using Secrets as environment variables, we can also mount them as volumes that point to the Secrets file stored in a designated directory, this ensures that our data is well encrypted and safe from prying eyes.
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
containers:
- name: my-container
image: my-image:latest
volumeMounts:
- name: secret-volume
mountPath: /etc/secret-volume
volumes:
- name: secret-volume
secret:
secretName: db-secret
items:
- key: username
path: my-username
- key: password
path: my-password
This pod definition file demonstrates how to use Secrets with a Pod by loading it as a volume. In this example, the Secret object is mounted to the pod at mountPath: /etc/secret-volume. Note that, items allow Secrets to be projected as individual files, we're specifying two files here named my-username and my-password.
Conclusion
In conclusion, Kubernetes Secrets are used to provide a secure way of storing your sensitive information and pass it along to the containers. In this blog post, we walked through the basics of Secrets in Kubernetes, including creating Secrets and using them in deployments as environment variables and volumes.
Remember that Secrets can be accessed by those with permission to do so; ensuring that the sensitive information is encrypted, and taking steps to secure access to Secrets is crucial.
source:- https://kubernetes.io/docs/concepts/configuration/secret/