Kubernetes Secrets are a way to securely store and manage sensitive information, such as passwords, tokens, and keys, within a Kubernetes cluster. In this article, we will explore how to use Kubernetes Secrets to manage and secure your application.
First, let's create a Secret. To do this, we will use the kubectl create secret command. The command takes the following format:
kubectl create secret <secret-type> <name> --from-literal=<key>=<value>
For example, to create a Secret named "mysecret" with a single key-value pair, we would run the following command:
kubectl create secret generic mysecret --from-literal=password=mypassword
This will create a Secret named "mysecret" of type "generic" with a single key-value pair, where the key is "password" and the value is "mypassword".
To view the Secret, we can use the kubectl get secret command. This will display the Secret's name, type, and the number of key-value pairs it contains.
kubectl get secret mysecret
To get the details of the Secret, we can use the kubectl describe secret command. This will display all the details of the Secret, including the key-value pairs and the timestamp of when the Secret was created.
kubectl describe secret mysecret
Now that we've created a Secret, let's use it in our application. To do this, we will create a Pod that references the Secret. In the Pod's definition file, we will add a secret field to the containers array. This field should contain the name of the Secret and the keys that should be exposed as environment variables.
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mycontainer
image: myimage
env:
- name: MY_PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password
In this example, the Pod references the "mysecret" Secret and exposes the "password" key as an environment variable named "MY_PASSWORD".
To update the Secret, we can use the kubectl create secret command with the --dry-run option and pipe the output to kubectl apply. For example, to change the value of the "password" key in the "mysecret" Secret to "newpassword", we would run the following command:
kubectl create secret generic mysecret --from-literal=password=newpassword --dry-run -o yaml | kubectl apply -f -
It is important to note that the above command updates the whole secret, if you want to update a specific key value pair you can use the kubectl edit secret command.
To delete a Secret, we can use the kubectl delete secret command. For example, to delete the "mysecret" Secret, we would run the following command:
kubectl delete secret mysecret
Et voilà ! you have now your app secured using Kubernetes Secrets to store and manage your passwords.
To conclude, by using the kubectl command-line tool, it is easy to create, view, update, and delete Secrets. The kubectl create secret command is used to create a Secret, and the kubectl get secret and kubectl describe secret commands are used to view and get the details of a Secret.
Additionally, by referencing a Secret in a Pod's definition file, it is possible to expose the Secret's keys as environment variables to the container running in the Pod. Updating a Secret can be done by using kubectl edit secret command or kubectl create secret command with the --dry-run option and pipe the output to kubectl apply.
It's also worth noting that Kubernetes Secrets are encrypted by default at rest and in transit, which makes them a secure option for storing sensitive information. However, it is still important to follow best practices for managing secrets, such as rotation and least privilege access.
In the next step, you can explore how to use Kubernetes ConfigMaps to manage and secure your application configuration files, how to use Kubernetes Role-Based Access Control (RBAC) to control access to resources in your cluster, and how to use Kubernetes Network Policies to secure communication within your cluster.
That Time I Organised an Internal Tech Conference (and Had No Idea What I Was Doing)
Finding My Place at Future PLC: A Journey I’m Excited About
My Journey at Future: A Year of Growth and Connection
