Kubernetes Secrets
Why should we use Secrets?
Many a time you will find that developers have hardcoded credentials within their container image. Hard-coding credentials carries several risks:
- Anyone with access to the container repository can pull the image and easily extract the credentials.
- The developer needs to hold the credentials of the production system.
- Every update of the credentials forces the Docker image to be built again.
To overcome these risks we use Secrets in Kubernetes.
Overview of Secrets
1. A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in an image.
2. It lets users store secrets centrally, which reduces the risk of exposure.
3. Secrets are stored inside the etcd database on the Kubernetes master (control plane). By default they are stored only base64-encoded, not encrypted, unless encryption at rest is configured for the API server.
4. You can update a Secret dynamically and the Pod will get the updated value (this holds for Secrets mounted as volumes; environment variables are read only when the container starts).
5. A Secret is limited in size to not more than 1MB.
6. Secrets are consumed inside Pods in two ways: 1. volumes, 2. environment variables.
Now let's see how to create a Secret in Kubernetes. There are 2 ways of creating a Secret:
- the kubectl command-line tool
- a YAML file (manually)
Create a Secret using the kubectl command-line tool.
- Use the following command to create a Secret:
```shell
kubectl create secret generic <secretname> --from-literal=username=<username> --from-literal=password=<password>
```
Output: you see that the Secret is created.
Create a Kubernetes Secret using a YAML file.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-demo
type: Opaque
data:
  username: <base64 encoded value>
  password: <base64 encoded value>
```
1. Here we set kind: Secret; the name of the Secret is secret-demo.
2. In this example I'm adding 2 key-value pairs, username and password; every value under data has to be base64 encoded.
3. To produce the base64 encoded value use the following command (the -n keeps echo from appending a newline, which would otherwise become part of the encoded value):
```shell
echo -n '<username>' | base64
```
Output: the base64-encoded value.
4. Now copy-paste these base64 values into our secrets.yaml file.
5. Let's create the Secret resource:
```shell
kubectl create -f <filename.yaml>
```
6. Check whether the Secret was created using the following command:
```shell
kubectl get secret
```
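As an added example (not code from the original post), the following POSIX shell script does by hand what steps 3 to 5 above do, and what `kubectl create secret generic --from-literal` does for you: it base64-encodes each key=value pair into an Opaque Secret manifest, then reads a value back out of that manifest and decodes it. The decode step is the point to take away: base64 is a reversible encoding, not encryption, so anyone who can read the Secret object (for instance with `kubectl get secret <name> -o yaml`) recovers the values. It also shows why the `-n` in `echo -n` matters. The Secret name, keys and values are constructed for the example; the script assumes only sh, awk and the coreutils `base64` command.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the same kind of Secret
# manifest the post writes by hand, and decodes values back out of it.
# Assumes POSIX sh, awk and the coreutils `base64` command.

# b64 VALUE: base64-encode VALUE without a trailing newline, as `echo -n ... | base64` does.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# b64_with_newline VALUE: the mistake the post's -n flag avoids. A plain `echo`
# appends "\n", and that newline is encoded into (and later decoded out of) the value.
b64_with_newline() {
  printf '%s\n' "$1" | base64 | tr -d '\n'
}

# unb64 VALUE: decode again. Base64 is an encoding, not encryption; anyone who can
# read the Secret object can do exactly this.
unb64() {
  printf '%s' "$1" | base64 -d
}

# make_secret_manifest NAME key=value [key=value ...]
# Prints an Opaque Secret manifest with every value under data: base64-encoded,
# which is what step 4 of the post has you paste into secrets.yaml.
make_secret_manifest() {
  secret_name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$secret_name"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# secret_value MANIFEST KEY: pull KEY out of the data: section of a manifest
# (the same text form `kubectl get secret <name> -o yaml` returns) and decode it.
secret_value() {
  printf '%s\n' "$1" |
    awk -v k="$2" '/^data:/ { f = 1; next } f && $1 == (k ":") { print $2; exit }' |
    base64 -d
}

# Demo run with constructed values (secret-demo, admin, s3cr3t! are made up).
manifest=$(make_secret_manifest secret-demo username=admin 'password=s3cr3t!')
printf '%s\n' "$manifest"
printf 'decoded password: %s\n' "$(secret_value "$manifest" password)"
```

Run it as `sh make-secret.sh`; the manifest it prints can be fed to `kubectl create -f -` exactly like the hand-written file. If you would rather not base64-encode by hand at all, the Secret API also accepts a `stringData:` section with plain values, which the API server converts into `data:` for you.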
Consuming Secrets inside Pods.
1. Consuming Secret values from environment variables.
2. Consuming Secret values from volumes.
Consuming Secret values from environment variables
With this option the Secret value is injected as an environment variable which you can then use within your container.
1. Create the Pod with an env variable using the following YAML:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox
spec:
  containers:
  - image: busybox
    name: busybox
    command: ["/bin/sh"]
    args: ["-c", "sleep 600"]
    env:
    - name: myusername
      valueFrom:
        secretKeyRef:
          name: secret-demo
          key: username
```
Important YAML fields:
- Here in the YAML I basically create a Pod named busybox, and what I'm going to run is just a command to sleep for 600s (10 min).
- env: specifies the name of the environment variable. In my case `- name: myusername` (I want to call my environment variable myusername).
- secretKeyRef: specify here which Secret you're going to grab the value from.
- key: specify which key of that Secret to grab.
2. Create the Pod:
```shell
kubectl create -f <filename.yaml>
```
3. After the Pod is created, open a shell inside it using the following command:
```shell
kubectl exec -it <podname> -- sh
```
4. Now we are inside the container; the env command lists all the environment variables in your container:
```shell
env | grep myusername
```
Output: we see the Secret value inside the container.
Consuming Secret values from volumes.
1. Create a volume.yaml:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox
spec:
  volumes:
  - name: secret-volume
    secret:
      secretName: secret-demo
  containers:
  - image: busybox
    name: busybox
    command: ["/bin/sh"]
    args: ["-c", "sleep 600"]
    volumeMounts:
    - name: secret-volume
      mountPath: /mydata
```
- Here we mount a volume inside the container: in the volumes section of the Pod specification we define a volume backed by the Secret secret-demo, and under the container we mount it with volumeMounts.
- The mount path is /mydata, so once the container runs and I go to /mydata, there is one file for each key-value pair in the Secret resource.
2. Create the Pod from the volume file:
```shell
kubectl create -f <volumefilename.yaml>
```
3. Now open a shell inside the Pod using the following command:
```shell
kubectl exec -it <podname> -- sh
```
4. When you run ls you see the directories of your container; among them is the mydata directory which we set in the YAML file as our mount path.
5. Go to the mydata directory; in it a separate file has been created for each key of the Secret. When you read these files you get your username and password inside the container (Pod) in plain, decoded form: the kubelet base64-decodes the values before writing the files, since base64 is only an encoding.
Advantage of Secrets.
You can update the Secret dynamically and the Pod will get the updated value (this applies to Secrets mounted as volumes, as in this example; environment variables are set when the container starts and need a restart to pick up a change).
Example:
1. Let's change the secret.yaml file by adding a new key-value pair. Here I added a new key-value pair, name.
2. Apply the updated YAML using the following command:
```shell
kubectl apply -f <secretfilename.yaml>
```
We updated the Secret resource but I haven't deleted the Pod yet; the Pod is still running.
3. After updating the Secret, go inside the running Pod and check whether the value is updated inside the container:
```shell
kubectl exec -it <podname> -- sh
```
4. When we go to our mount path, we see the updated changes inside the container.
Thank you! If you have any doubts, reach out to me.
LinkedIn: linkedin.com/in/harshal-kathar-b2a19b118