Shashikant shah

Wednesday, 29 January 2025

What is a Secret in Kubernetes ?

1. What is a Secret in Kubernetes?

A Secret in Kubernetes is a Kubernetes object used to store and manage sensitive information, such as:

i)   Database passwords.
ii)  TLS certificates.
iii) SSH keys.
iv)  API keys.


2. Key Features of Kubernetes Secrets.

  1. Encapsulated Sensitive Data: Stores credentials, tokens, and certificates in a dedicated object instead of in Pod specs or images.
  2. Base64 Encoding: Secret data is stored in a Base64-encoded format (not encrypted by default).
  3. Pod Access: Pods can consume Secrets as environment variables or mounted volumes.
  4. Automatic Injection: Kubernetes injects Secrets into Pods when they are referenced in the Pod spec.
  5. RBAC Control: Kubernetes Role-Based Access Control (RBAC) can restrict who can read/write Secrets.
  6. Encrypted Storage (Optional): Kubernetes can encrypt Secrets at rest using encryption providers.
  7. Stored inside the etcd database on the Kubernetes master (control plane) node.
  8. etcd does not store objects larger than 1 MB, so a single Secret cannot exceed 1 MB.
  9. Secrets are NOT encrypted but only base64 encoded in etcd. Anyone who can read the Secret object can decode a value with a simple: echo '<your-encoded-value>' | base64 --decode


3. Types of Secrets.

Kubernetes supports different types of Secrets (the kubectl create secret subcommands):

i)   Generic.
ii)  Docker-Registry.
iii) TLS.

Type                                  Description
Opaque (default)                      Stores arbitrary key-value pairs.
kubernetes.io/dockerconfigjson        Stores Docker registry credentials for pulling images.
kubernetes.io/tls                     Stores a TLS certificate (tls.crt) and private key (tls.key).
kubernetes.io/service-account-token   Stores service account tokens for API authentication.
Custom Secrets                        Users can define custom types for specific use cases.

 

4. How to create a Secret in Kubernetes?

There are two ways to create Secrets:

i)  Imperative way.
ii) Declarative way.


i) Imperative way.

Using kubectl (from literal values or from files):

# kubectl create secret generic <secret-name> --from-literal=<key>=<value> --from-literal=<key>=<value>

# kubectl create secret generic <secret-name> --from-file=<path-to-file>        (the key defaults to the file name)

# kubectl create secret generic <secret-name-ssh> --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub


ii) Declarative way.

Using a YAML manifest (values must already be Base64-encoded under data:).

# vim secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: YWRtaW4=      # Base64 encoded 'admin'
  password: c2VjcmV0MTIz  # Base64 encoded 'secret123'

 

Examples (imperative way):

How to create a Generic Secret and use it in a YAML file.

# kubectl create secret generic my-secret --from-literal=username=admin --from-literal=password=secret123

# kubectl get secrets

# kubectl describe secrets my-secret

# vim secret-1.yaml

apiVersion: v1
kind: Pod
metadata:
  name: secret-demo-1
spec:
  containers:
  - name: demo-container
    image: nginx
    env:
    - name: Username
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: username

# kubectl apply -f secret-1.yaml

# kubectl exec -it secret-demo-1 -- printenv


How to create a Generic Secret from a file and use it in a YAML file.

# echo -n "mypassword" > password.txt
# kubectl create secret generic my-secret --from-file=password=password.txt

# kubectl get secret

# kubectl exec -it my-pod -- bash






How to create a Docker-registry Secret and use it in a YAML file.

# kubectl create secret docker-registry docker-secret --docker-email=example@gmail.com --docker-username=dev --docker-password=pass1234 --docker-server=my-registry.example:5000

# kubectl get secrets

# vim secret-1.yaml

apiVersion: v1
kind: Pod
metadata:
  name: secret-demo-2
spec:
  containers:
  - name: demo-container
    image: nginx
    envFrom:
    - secretRef:
        name: docker-secret

# kubectl apply -f secret-1.yaml

# kubectl get pods

# kubectl exec -it secret-demo-2 -- printenv





How to create a TLS Secret and use it in a YAML file:

# kubectl create secret tls my-tls-secret --key=/root/data/selfsigned.key --cert=/root/data/selfsigned.pem

# kubectl get secret

# kubectl describe secret my-tls-secret

# vim secret-1.yaml

apiVersion: v1
kind: Pod
metadata:
  name: secret-demo-3
spec:
  containers:
  - name: demo-container
    image: nginx
    volumeMounts:
      - name: data
        mountPath: /etc/cert-data
  volumes:
  - name: data
    secret:
      secretName: my-tls-secret

# kubectl exec -it secret-demo-3 -- bash


Delete a Secret:

# kubectl delete secret my-secret


Decode a Secret value:

# kubectl get secret my-secret -o jsonpath="{.data.password}" | base64 --decode
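The three kubectl create secret commands in this post (generic, docker-registry, tls) all produce the same kind of object: a Secret whose .data values are Base64-encoded. The added Python example below (not code from the original post) builds those manifests the way kubectl does, decodes them back to plaintext to show that Base64 is not encryption, and applies the 1 MB size limit from section 2; the sample credentials and the MAX_SECRET_BYTES name are constructed for the example.

```python
import base64
import json

# Upper bound on a serialized Secret object (the 1 MB limit mentioned above).
MAX_SECRET_BYTES = 1024 * 1024

def b64(value):
    """Base64-encode str or bytes the way `kubectl create secret` fills .data."""
    raw = value.encode() if isinstance(value, str) else value
    return base64.b64encode(raw).decode()

def opaque_secret(name, literals):
    """Equivalent of: kubectl create secret generic NAME --from-literal=KEY=VALUE ..."""
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "Opaque", "data": {k: b64(v) for k, v in literals.items()}}

def docker_registry_secret(name, server, username, password, email):
    """Equivalent of: kubectl create secret docker-registry NAME --docker-server=... ;
    the single key .dockerconfigjson holds a JSON config whose 'auth' is base64(user:pass)."""
    config = {"auths": {server: {"username": username, "password": password,
                                 "email": email, "auth": b64(f"{username}:{password}")}}}
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": b64(json.dumps(config))}}

def tls_secret(name, cert_pem, key_pem):
    """Equivalent of: kubectl create secret tls NAME --cert=CERT --key=KEY (fixed key names)."""
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/tls",
            "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)}}

def decode_secret(manifest):
    """What `kubectl get secret NAME -o jsonpath='{.data.KEY}' | base64 --decode` reveals:
    Base64 is reversible, so read access to the object is read access to the plaintext."""
    return {k: base64.b64decode(v).decode() for k, v in manifest["data"].items()}

def registry_auths(manifest):
    """Decode a dockerconfigjson Secret back into its per-registry credentials."""
    return json.loads(decode_secret(manifest)[".dockerconfigjson"])["auths"]

def fits_in_etcd(manifest):
    """True if the serialized object is within the 1 MB Secret size limit."""
    return len(json.dumps(manifest).encode()) <= MAX_SECRET_BYTES

if __name__ == "__main__":
    # Constructed sample values matching the post's commands (not real credentials).
    s = opaque_secret("my-secret", {"username": "admin", "password": "secret123"})
    print(json.dumps(s, indent=2))  # data.username == "YWRtaW4=", data.password == "c2VjcmV0MTIz"
    print(decode_secret(s))         # {'username': 'admin', 'password': 'secret123'}
```

Because fits_in_etcd rejects anything over the limit, feeding a whole certificate bundle or large file through --from-file fails in the same way the API server would reject it.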


