Kubernetes Secrets
How to use?
Kubernetes Secrets let you keep sensitive information out of pod specs and container images: the values are stored in the API server as base64-encoded data (they are only encrypted at rest if the cluster has encryption at rest configured) and are handed to pods at runtime.
What can be stored in secrets
- Sensitive text such as a password
- An entire file containing several sensitive values
- Docker registry credentials used to pull images, referenced through imagePullSecrets
Ways to use secrets with pods
- Expose a secret value as an environment variable
- Mount a single item as a file in the pod
- Mount all items in the secret as a directory in the pod
Create secrets
Create a simple secret
$ kubectl create secret generic db-user-pass --from-literal=password=mysecretpass
$ kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
$ kubectl create secret generic db-user-pass --from-file=username=./username.txt --from-file=password=./password.txt
tip
If no key is specified, as in the 2nd command, the secret uses the file name as the key. The preferred form is --from-file=key=source.
- Create a secret using a config file. Values under data: must be base64-encoded (see the base64 command under Useful commands); for plaintext values use stringData: instead.
apiVersion: v1
kind: Secret
metadata:
  name: db-user-pass
type: Opaque
data:
  USER_NAME: bW9uZ291c3I=       # base64 of "mongousr"
  PASSWORD: MWYyZDFlMmU2N2Rm    # base64 of "1f2d1e2e67df"
- Create a pod that reads the secret as environment variables
Create a secret file and mount it to a pod
Create the secret using a config file
# mongo-master-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mongo-master-key
type: Opaque
stringData:
  master.key: |-
    32d1b093fc5db7d104206702f31789e9
Kubernetes creates a secret mongo-master-key with the item master.key.
Create a pod with the secret as a persistent mount.
- Create a volume masterkey from the secret mongo-master-key
- Mount the volume masterkey at the path /opt/some-config/master.key using mountPath
caution
If subPath is not specified, /opt/some-config/master.key is created as a directory (containing the file master.key) rather than as a file.
# mongo-deploy.yaml
apiVersion: apps/v1            # apps/v1beta2 was removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: mongo-deploy
spec:
  selector:                    # required by apps/v1; must match the template labels
    matchLabels:
      app: mongo
  template:
    metadata:
      labels:
        app: mongo
    spec:
      containers:
      - name: mongod
        image: opscode/mongo:latest
        volumeMounts:
        - name: masterkey
          mountPath: /opt/some-config/master.key
          subPath: master.key        # without this, mountPath becomes a directory
          readOnly: true
      volumes:
      - name: masterkey
        secret:
          secretName: mongo-master-key
Apply both configurations
$ kubectl apply -f mongo-master-secret.yaml
$ kubectl apply -f mongo-deploy.yaml
Create a secret with docker config
$ kubectl create secret docker-registry <name> --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
Example:
- Create the secret for the docker registry
$ kubectl create secret docker-registry docker-hub-secret --docker-server='https://index.docker.io/v1/' --docker-username=opscode --docker-password='mysecurepassword' --docker-email='mysingedupemail@example.com'
- Create the pod using the secret. imagePullSecrets belongs at the pod spec level, next to containers, not inside a container entry.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mongo-deploy
spec:
  selector:
    matchLabels:
      app: mongo
  template:
    metadata:
      labels:
        app: mongo
    spec:
      containers:
      - name: mongod
        image: opscode/mongo:latest
      imagePullSecrets:
      - name: docker-hub-secret
Takeaways
- Secrets are namespaced; only pods created in the same namespace can use them.
- Individual secrets are limited to 1MiB in size.
- A secret name must be a valid DNS subdomain name.
- When a Pod is created, there is no check that a referenced secret exists. Once the Pod is scheduled, the kubelet tries to fetch the secret value.
- If the secret does not exist, the kubelet periodically retries.
- None of the Pod's containers start until all of the Pod's volumes are mounted.
Useful commands
- Secret info
kubectl describe secrets/db-user-pass
kubectl get secret mysecret -o yaml
kubectl edit secrets mysecret
- To base64-encode a value for the data: field. This is encoding, not encryption: anyone who can read the Secret can decode it. The command below returns MWYyZDFlMmU2N2Rm; the -n flag matters, because without it the trailing newline is encoded as well.
echo -n '1f2d1e2e67df' | base64
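As an added example (shell functions written for this page, not code from the original), the base64 handling behind the data: fields in the Secret manifests above and the echo -n command: encode one value, generate a complete Secret manifest from key=value pairs, and recover the plaintext from a manifest, which is exactly what any principal with read access to the Secret can do. It assumes POSIX sh and a base64 that accepts -d; the secret name and values are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes POSIX sh and a
# coreutils-style `base64` that accepts -d. Secret name and values are constructed.

# Encode one value the way the `data:` field of a Secret expects it.
# `printf '%s'` (like `echo -n`) avoids encoding a trailing newline.
b64enc() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse it. This is all it takes to read a Secret's data field back.
b64dec() {
  printf '%s' "$1" | base64 -d
}

# Emit a Secret manifest for NAME from KEY=VALUE arguments,
# base64-encoding every value into `data:`.
secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    val=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64enc "$val")"
  done
}

# Pull the plaintext of one key out of a manifest produced above
# (the same works on the output of `kubectl get secret <name> -o yaml`).
# $1 = manifest text, $2 = key
secret_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k ":" { print $2; exit }' | base64 -d
}

# Constructed sample: the db-user-pass secret from this page.
manifest=$(secret_manifest db-user-pass USER_NAME=mongousr PASSWORD=1f2d1e2e67df)
printf '%s\n' "$manifest"
echo "recovered password: $(secret_value "$manifest" PASSWORD)"
```

Run it with sh to print the generated manifest and the decoded PASSWORD. Because the decode step is a one-liner, RBAC on get/list for Secrets, and encryption at rest on the API server, are the controls that actually protect the values; the base64 layer protects nothing.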