Kubernetes Secrets are a way to securely store and manage sensitive information, such as passwords, tokens, and keys, within a Kubernetes cluster. In this article, we will explore how to use Kubernetes Secrets to manage and secure your application.
First, let's create a Secret. To do this, we will use the kubectl create secret command. The command takes the following format:
kubectl create secret <secret-type> <name> --from-literal=<key>=<value>
For example, to create a Secret named "mysecret" with a single key-value pair, we would run the following command:
kubectl create secret generic mysecret --from-literal=password=mypassword
This will create a Secret named "mysecret" of type "generic" with a single key-value pair, where the key is "password" and the value is "mypassword".
To view the Secret, we can use the kubectl get secret command. This will display the Secret's name, type, and the number of key-value pairs it contains.
kubectl get secret mysecret
To get the details of the Secret, we can use the kubectl describe secret command. This will display all the details of the Secret, including the key-value pairs and the timestamp of when the Secret was created.
kubectl describe secret mysecret
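The values in a Secret's data map are base64-encoded, not encrypted, so anyone who is allowed to read the Secret can recover them. The following added example (not part of the original article) decodes a constructed manifest shaped like the output of kubectl get secret mysecret -o yaml; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: shape of `kubectl get secret mysecret -o yaml` output
# for the Secret created above (metadata trimmed for brevity).
sample_manifest() {
    cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: bXlwYXNzd29yZA==
EOF
}

# decode_secret_data (hypothetical helper): read a Secret manifest on stdin
# and print every entry of its data: map as key=value, base64-decoded.
decode_secret_data() {
    awk '
        /^data:[ \t]*$/ { in_data = 1; next }   # start of the data map
        in_data && /^[^ \t]/ { in_data = 0 }    # next top-level key ends it
        in_data && /^[ \t]+[^ \t#]+:/ {
            key = $1; sub(/:$/, "", key)
            print key, $2
        }
    ' | while read -r key b64; do
        [ "$b64" = '""' ] && b64=                # empty value is written as ""
        # base64 -d is the GNU/busybox spelling of the decode flag
        printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
    done
}

# get_key (hypothetical helper): decode one key from a manifest on stdin.
get_key() {
    decode_secret_data | sed -n "s/^$1=//p"
}

sample_manifest | decode_secret_data
```

Against a live cluster the same function can be fed with kubectl get secret mysecret -o yaml, which is why read access to Secrets should be granted as narrowly as possible.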
Now that we've created a Secret, let's use it in our application. To do this, we will create a Pod that references the Secret. In the Pod's definition file, we will add an env entry with a secretKeyRef to the container in the containers array. This entry names the Secret and the key that should be exposed as an environment variable.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image: myimage
    env:
    - name: MY_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
In this example, the Pod references the "mysecret" Secret and exposes the "password" key as an environment variable named "MY_PASSWORD".
To update the Secret, we can use the kubectl create secret command with the --dry-run option and pipe the output to kubectl apply. For example, to change the value of the "password" key in the "mysecret" Secret to "newpassword", we would run the following command:
kubectl create secret generic mysecret --from-literal=password=newpassword --dry-run=client -o yaml | kubectl apply -f -
Note that the above command updates the whole Secret. If you want to update a specific key-value pair, you can use the kubectl edit secret command.
To delete a Secret, we can use the kubectl delete secret command. For example, to delete the "mysecret" Secret, we would run the following command:
kubectl delete secret mysecret
Et voilà! You now have your app secured using Kubernetes Secrets to store and manage your passwords.
To conclude, by using the kubectl command-line tool, it is easy to create, view, update, and delete Secrets. The kubectl create secret command is used to create a Secret, and the kubectl get secret and kubectl describe secret commands are used to view and get the details of a Secret.
Additionally, by referencing a Secret in a Pod's definition file, it is possible to expose the Secret's keys as environment variables to the container running in the Pod. Updating a Secret can be done by using the kubectl edit secret command, or by using the kubectl create secret command with the --dry-run option and piping the output to kubectl apply.
It's also worth noting that Kubernetes Secrets are encrypted by default at rest and in transit, which makes them a secure option for storing sensitive information. However, it is still important to follow best practices for managing secrets, such as rotation and least privilege access.
In the next step, you can explore how to use Kubernetes ConfigMaps to manage and secure your application configuration files, how to use Kubernetes Role-Based Access Control (RBAC) to control access to resources in your cluster, and how to use Kubernetes Network Policies to secure communication within your cluster.
Redouane co-leads the Platform team; his role at Future is to build, maintain and expand our Vanilla Platform.
His main focuses are the performance and high scalability of the architectures.
- Gaël Trebos, Tech Lead