Kubernetes - Secret

tags: Kubernetes

Foreword

When you wnat to store some sensitive data in your Kubernetes cluster, you will need the "Secret" to help you. Secret usually store some sensitive data such as account of database, Access Token or SSH Key etc.

Secret

Definition

Kubernetes Secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys. Storing confidential information in a Secret is safer and more flexible than putting it verbatim in a Pod definition or in a container image.

Ways to use Secrets

• As files in a volume mounted on one or more of its containers.
• As container environment variable.
• By the kubelet when pulling images for the Pod.

Practice

Create Secret

We have three ways to import the sesitive data to Secert.

• From file
• By command
• Use Yaml file

From file

We can save our data in the txt file. Then, we can use kubrctl create to create the Secret.

We can save Account and Password to username.txt and password.txt.

$ echo -n "root" > ./username.txt
$ echo -n "password" > ./password.txt

Then, we can use kubectl create secret generic demo-seccret-file to create Secret.

Message

$ kubectl create secret generic demo-seccret-file \
> --from-file=./username.txt \
> --from-file=./password.txt
secret/demo-seccret-file created

Use kubectl describe to see demo-seccret-file.

We can also use kubectl get Secret to see the Secret.

By Command

We can use kubectl create and with --from-literal to create Secret.

$ kubectl create secret generic demo-secret-literal \
> --from-literal=username=root \
> --from-literal=password=password
secret "demo-secret-literal" created

Use kubectl describe secret demo-secret-literal to see the Secret.

Use Yaml file

When we use the Yaml to create Secret, we need to use base64 to encode password.

$ echo -n "root" | base64
cm9vdA==

$ echo -n "password" | base64
cGFzc3dvcmQ=

Write the yaml file.

apiVersion: v1
kind: Secret
metadata:
  name: demo-secret-yaml
type: Opaque
data:
  username: cm9vdA==
  password: cGFzc3dvcmQ=

Use kubectl create to create Secret.

$ kubectl create -f ./demo-secret.yaml
secret "demo-secret-yaml" created

Use Secret

Volume mounted

To consume a Secret in a volume, we need to add the volume in yaml file.

apiVersion: v1
kind: Pod
metadata:
  name: vm-pod
  labels:
    app: webserver
spec:
  containers:
  - name: demo-pod
    image: nginx
    ports:
    - containerPort: 3000
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/creds
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: demo-secret-yaml
      defaultMode: 0400

In this yaml file. We can set the Secret permission. Then, the secret will be mounted on /etc/creds and all the files created by the secret volume mount will have permission 0400.

Or you can also use mapping, as in the previous example, and specify different permissions for different files.

apiVersion: v1
kind: Pod
metadata:
  name: vm-pod
spec:
  containers:
  - name: mypod
    image: nginx
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/creds"
  volumes:
  - name: secret-volume
    secret:
      secretName: demo-secret-yaml
      items:
      - key: username
        path: my-group/my-username
        mode: 511

In this case, the file resulting in /etc/creds/my-group/my-username will have permission value of 0777. If you use JSON, owing to JSON limitations, you must specify the mode in decimal notation, 511.

Then use kubectl apply -f ./demo-pod to create a Pod.

And we can use kubectl exec into the container to find our data in /etc/creds.

kubectl exec -it demo-pod-mounting-secret -- bash

We can find our data in Pod.

Environment Variables

Secrets can be exposed as environment variables to be used by a container in a Pod.

Example yaml file

apiVersion: v1
kind: Pod
metadata:
  name: ev-pod
  labels:
    app: webserver
spec:
  containers:
  - name: demo-pod
    image: nginx
    ports:
    - containerPort: 3000
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: demo-secret-yaml
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: demo-secret-yaml
          key: password

Use kubectl apply -f ./ev-pod.yml to create Pod.

We can see the environment varibles in the container. Then, use kubectl exec enter the contaioner.

kubectl exec -it ev-pod -- bash

Reference

https://kubernetes.io/docs/concepts/configuration/secret/

https://ithelp.ithome.com.tw/articles/10195094