Kubernetes: Secrets






In the last article we studied ConfigMaps, an object type that lets us store information as key-value pairs and refer to them in a pod definition file. Now let's assume that we want to deploy a MySQL database on a pod. To deploy the MySQL pod successfully, we need to pass the database username and password as arguments. We will all agree that passwords are always critical and should not be exposed publicly.


The next question that comes to mind is: "Is there any way to hide such values in Kubernetes?" The answer is yes, and the object type that facilitates this is known as a Secret.


There are two basic steps involved in using secrets:


  1. Create the secret

  2. Inject it into a pod


Create your own secret


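We are now going to see how to create a secret. The username and password used here are human-readable, and Kubernetes expects the values under data in a Secret manifest to be base64-encoded, so we encode them first. On a Unix operating system this is done with the base64 command. Note that base64 is an encoding, not encryption or a hash: anyone who can read the manifest or the Secret object can decode the values.


  • Suppose the username is admin and the password is Passw0rd. Execute the commands below on the Kubernetes cluster to encode them, then place the encoded values in the manifest secret-demo.yaml.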


[root@node1 secret]# echo -n 'admin' | base64
YWRtaW4=
[root@node1 secret]# echo -n 'Passw0rd' | base64
UGFzc3cwcmQ=
[root@node1 secret]# cat secret-demo.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: UGFzc3cwcmQ=
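
  • To create the secret, execute:

kubectl create -f secret-demo.yaml

  • To view the contents of the secret, execute the command below. The values under data are displayed in their base64-encoded form.

kubectl get secret mysecret -o yaml

  • Use the secret that we have created in a pod. The pod definition below is saved as pod-with-secret.yaml; envFrom exposes every key of the secret as an environment variable in the container.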

apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "env" ]
      envFrom:
      - secretRef:
          name: mysecret
  restartPolicy: Never

[root@node1 secret]# kubectl create -f pod-with-secret.yaml
pod/secret-test-pod created
[root@node1 secret]# kubectl get pods | grep -i secret
secret-test-pod           0/1     Completed   0          29s
[root@node1 secret]#
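
The values in secret-demo.yaml are base64-encoded, not encrypted, so anyone who can read the manifest or the Secret object can recover them. The script below is an added example, not part of the original article: it decodes the data map of the manifest shown above without a cluster, and the function names decode_secret_data and sample_manifest are hypothetical.

```shell
#!/bin/sh
# Added example: decode the `data:` map of a Secret manifest offline.
# Assumes a flat manifest like the article's (space-indented, one Secret).

# Read a manifest on stdin and print "key=value" for each entry under `data:`.
decode_secret_data() {
  awk '
    /^data: *$/ { in_data = 1; next }     # entering the top-level data map
    /^[^ #]/    { in_data = 0 }           # any other top-level key ends it
    in_data && /^ +[^ #][^:]*:/ {
      key = $1; sub(/:$/, "", key)
      val = $2; gsub(/"/, "", val)        # tolerate double-quoted values
      print key, val
    }
  ' | while read -r key b64; do
    # base64 -d reverses the encoding; no key or password is involved.
    printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
  done
}

# The Secret manifest from this article (secret-demo.yaml), embedded inline.
sample_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: UGFzc3cwcmQ=
EOF
}

sample_manifest | decode_secret_data
```

Because the encoding is reversible by anyone, treat a Secret manifest like the plaintext it contains: keep it out of source control and limit who can read Secret objects in the cluster.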


This is how we can secure sensitive data using secrets. Hope this was helpful.









