Kubernetes Secret: A Guide for Beginners

Kubernetes Secret is a resource for storing sensitive data such as passwords, tokens, and keys. Unlike a ConfigMap, which stores plain-text configuration, a Secret holds its values base64-encoded, and access to it can be restricted to authorized users and pods through RBAC. Keep in mind that base64 is an encoding, not encryption: anyone allowed to read the Secret object can decode its contents.

Why do we need Kubernetes Secret?

Because storing sensitive data in plain text is risky and can expose your application to security breaches. For example, if you store your database credentials in a ConfigMap and expose them as environment variables in your pod, anyone who can access the pod (or read its spec) can see the credentials.

Moreover, if you store your credentials in a source code repository or a Docker image, you risk leaking them to unauthorized parties.

To avoid these risks, you can use Kubernetes Secret to store your sensitive data and consume it in your pods.

There are different types of Secrets, such as generic, docker-registry, tls, and service-account-token.

Creating Secret

You can create a Secret using a YAML manifest file or a kubectl command.

For example, to create a generic Secret that stores a username and a password for a database, you can use the following command:

kubectl create secret generic db-secret --from-literal=username=admin --from-literal=password=secret

This command will create a Secret named db-secret with two keys: username and password. You can verify the creation of the Secret by running:

kubectl get secret db-secret -o yaml

You will see something like this:

apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  username: YWRtaW4=
  password: c2VjcmV0

The data field contains the base64-encoded values of the username and password. You can decode them using the base64 command:

echo YWRtaW4= | base64 --decode
echo c2VjcmV0 | base64 --decode
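To make the round trip above concrete, here is an added example (not from the original guide) that rebuilds, in plain POSIX shell with the coreutils base64 command, the Opaque Secret manifest that the kubectl command above produces, and then decodes a key back out of it. The function names make_secret_manifest and decode_secret_key are this example's own, and the sample values are the guide's username/password pair.

```shell
#!/bin/sh
# Assumes: POSIX sh plus a coreutils/BusyBox-style `base64` supporting -d.

# Build the manifest `kubectl create secret generic NAME --from-literal=key=value ...`
# would create. Each value is base64-encoded into the `data` field, exactly as the
# API server stores it. A value may itself contain '=', so split on the first '=' only.
make_secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}
    # tr strips the line wrap/trailing newline some base64 implementations emit.
    encoded=$(printf '%s' "$value" | base64 | tr -d '\n')
    printf '  %s: %s\n' "$key" "$encoded"
  done
}

# Pull one key out of a Secret manifest (passed as a string) and decode it.
# This is all it takes to recover the plaintext: base64 is reversible encoding,
# so read access to the Secret object is equivalent to knowing the value.
decode_secret_key() {
  manifest=$1; key=$2
  printf '%s\n' "$manifest" | sed -n "s/^  $key: //p" | base64 -d
}

# Demo with the guide's constructed sample credentials.
manifest=$(make_secret_manifest db-secret username=admin password=secret)
printf '%s\n' "$manifest"
decode_secret_key "$manifest" password   # prints: secret
echo
```

The printed manifest matches the `kubectl get secret db-secret -o yaml` output shown above (minus the server-added metadata), which is why `kubectl get` access should be granted as sparingly as the ability to exec into the pod.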

Now that you have created a Secret, how can you consume it in your pods? There are two ways: as environment variables or as volumes.

Consuming a Secret as Environment Variables

To consume a Secret as environment variables, you reference the Secret name and the keys in the env section of the container in your pod spec. For example:

apiVersion: v1
kind: Pod
metadata:
  name: db-pod
spec:
  containers:
  - name: db-container
    image: mysql
    env:
    - name: DB_USER
      valueFrom:
        secretKeyRef:
          name: db-secret
          key: username
    - name: DB_PASS
      valueFrom:
        secretKeyRef:
          name: db-secret
          key: password

This pod spec will create a pod named db-pod with a container named db-container that runs the mysql image. The container will have two environment variables: DB_USER and DB_PASS, which will have the values of the username and password from the db-secret Secret.

Consuming a Secret as a Volume

To consume a Secret as a volume, you declare the Secret in the volumes section of your pod spec and mount it into the container with a volumeMounts entry that gives the mount path. For example:

apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: app-container
    image: app-image
    volumeMounts:
    - name: app-secret-volume
      mountPath: /etc/secret
      readOnly: true
  volumes:
  - name: app-secret-volume
    secret:
      secretName: app-secret

This pod spec will create a pod named app-pod with a container named app-container that runs the app-image image. The container will have a read-only volume mounted at /etc/secret that contains the contents of the app-secret Secret: one file per key, named after the key, whose contents are the decoded value of that key.

Summary

In summary, Kubernetes Secret is a useful resource that allows you to store and consume sensitive data in a secure way. You can create and use different types of Secrets depending on your needs. You can also consume Secrets as environment variables or as volumes in your pods.