
Kubernetes - Secrets


Kubernetes Secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys. Storing confidential information in a Secret is safer and more flexible than putting it verbatim in a Pod definition or in a container image.


Secrets are similar to ConfigMaps, but are meant for sensitive data (passwords, auth tokens, SSH keys).

1. Secrets store confidential data.

2. By default, Secret values are base64-encoded; base64 is an encoding, not encryption.

3. Secrets are mapped to Pods, where the values are decoded at the Pod level.

4. Data is stored as key-value pairs.

5. Secrets can be created from files (--from-file) or from literals (--from-literal).

6. A Secret's data should not be more than 1 MB.

7. You can store data from text files.

8. Secret data is stored in the etcd database.


LAB


# 1. Creating Secret using Kubectl & Consuming it from "volumes" inside Pod



1a. Creating secret using "Kubectl":

------------------------------------

echo -n 'admin' > username.txt

echo -n 'pa$$w00rd' > password.txt


kubectl create secret generic nginx-secret-vol --from-file=username.txt --from-file=password.txt


# rm -f username.txt password.txt


kubectl get secrets

kubectl describe secrets nginx-secret-vol


1b. Consuming "nginx-secret-vol" from "volumes" inside Pod



#nginx-pod-secret-vol.yaml

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-secret-vol
spec:
  containers:
  - name: nginx-container
    image: nginx
    volumeMounts:
    - name: test-vol
      mountPath: "/etc/confidential"
      readOnly: true
  volumes:
  - name: test-vol
    secret:
      secretName: nginx-secret-vol



1c. Create | Display | Validate:

--------------------------------


Create

kubectl create -f nginx-pod-secret-vol.yaml


Display

kubectl get po

kubectl get secrets

kubectl describe pod nginx-pod-secret-vol


Validate from "inside" the pod

kubectl exec -it nginx-pod-secret-vol -- /bin/sh

cd /etc/confidential

ls 

cat username.txt

cat password.txt

exit


(OR)


Validate from "outside" the pod

kubectl exec nginx-pod-secret-vol -- ls /etc/confidential

kubectl exec nginx-pod-secret-vol -- cat /etc/confidential/username.txt

kubectl exec nginx-pod-secret-vol -- cat /etc/confidential/password.txt



# 2. Creating Secret "manually" using YAML file & Consuming it from "environment variables" inside Pod



2a. Creating Secret using YAML file:

-------------------------------------


# Encoding secret

echo -n 'admin' | base64

echo -n 'pa$$w00rd' | base64


# YAML file

# redis-secret-env.yaml

apiVersion: v1
kind: Secret
metadata:
  name: redis-secret-env
type: Opaque
data:
  username: YWRtaW4=
  password: cGEkJHcwMHJk

kubectl create -f redis-secret-env.yaml

kubectl get secret

kubectl describe secret redis-secret-env
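
The encoding step above is where hand-written Secret manifests usually go wrong: `echo` without `-n` bakes a newline into the value, and plaintext pasted under `data:` is not valid base64. The lint below is an added example, not part of the original page; the function names `secret_data_pairs` and `lint_secret` and the sample manifest are constructed for illustration, and it assumes a flat `data:` mapping with one `key: value` per line and a `base64` that accepts `-d`.

```shell
# Added example: lint the data: block of a Secret manifest before `kubectl create -f`.

# Print "key value" for each entry under the top-level data: mapping.
secret_data_pairs() {
  awk '
    /^data:[ \t]*$/ { in_data = 1; next }
    /^[^ \t#]/      { in_data = 0 }   # next top-level key ends the block
    in_data && $1 ~ /:$/ {
      key = $1; sub(/:$/, "", key)
      val = $2; gsub(/"/, "", val)
      print key, val
    }' "$1"
}

# Report each key; return 1 if any value is not valid base64 or decodes to
# text ending in a newline (what `echo` without -n produces).
lint_secret() {
  status=0
  pairs=$(secret_data_pairs "$1")
  [ -n "$pairs" ] || { echo "no data: entries found"; return 2; }
  while read -r key val; do
    if ! printf '%s' "$val" | base64 -d >/dev/null 2>&1; then
      echo "$key: INVALID base64"; status=1; continue
    fi
    last=$(printf '%s' "$val" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    if [ "$last" = "0a" ]; then
      echo "$key: WARN trailing newline in decoded value"; status=1
    else
      echo "$key: ok"
    fi
  done <<EOF
$pairs
EOF
  return "$status"
}

# Constructed sample: username encoded with a trailing newline, password pasted raw.
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: redis-secret-env
type: Opaque
data:
  username: YWRtaW4K
  password: pa$$w00rd
EOF
lint_secret "$sample" || echo "fix the values above before creating the Secret"
```

Run against the `redis-secret-env.yaml` from this lab, both keys report `ok`.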



2b. Consuming "redis-secret-env" secret from "environment variables" inside Pod

# redis-pod-secret-env.yaml
apiVersion: v1
kind: Pod
metadata:
  name: redis-pod-secret-env
spec:
  containers:
  - name: redis-container
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: redis-secret-env
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: redis-secret-env
            key: password
  restartPolicy: Never

2c. Create | Display | Validate:


# Create

kubectl create -f redis-pod-secret-env.yaml


# Display

kubectl get pods

kubectl get secrets

kubectl describe pod redis-pod-secret-env



# Validate from "inside" the pod

kubectl exec -it redis-pod-secret-env -- /bin/sh

env | grep SECRET

exit


(OR)


# Validate from "outside" the pod

kubectl exec redis-pod-secret-env -- env | grep SECRET


***************************************************************************

# Decode the secrets (base64 is reversible, so anyone who can read the Secret object can recover the values)


kubectl get secret redis-secret-env -o yaml

echo 'cGEkJHcwMHJk' | base64 --decode

***************************************************************************


# 3. Cleanup


# Delete secrets

kubectl delete secrets nginx-secret-vol redis-secret-env


# Delete pods

kubectl delete pods nginx-pod-secret-vol redis-pod-secret-env


# Validate

kubectl get pods

kubectl get secrets


References

https://kubernetes.io/docs/concepts/configuration/secret/
