Kubernetes is a powerful platform for deploying and managing containerized applications. One of the critical aspects of managing applications is handling sensitive information, such as passwords, tokens, and keys, securely. Kubernetes offers a resource called “Secrets” to manage such sensitive information. In this blog post, we’ll dive into a hands-on exercise to understand how to create, use, and manage Secrets in Kubernetes.
But, Why Though?
Proper secrets management is crucial for maintaining the security and integrity of your applications and infrastructure. Storing secrets directly in code is a risky practice that can lead to accidental exposure of sensitive information, such as passwords, API keys, and tokens, especially when code is shared or stored in version control systems. This can result in unauthorized access, data breaches, and potentially severe consequences for your organization’s reputation and finances. By using a dedicated secrets management solution, you can centralize and secure the storage of secrets, enforce access controls, and audit usage. This not only enhances security but also simplifies the process of rotating and managing secrets, reducing the risk of human error and ensuring compliance with security policies and regulations. Thankfully, Kubernetes got a built-in secrets management system that we can leverage for this.
Creating a Secret
Secret is a resource in Kubernetes, much like pods, services, deployments and replicasets. So, we’ll follow the same patterns that we’ve used for standing up other resources that we’ve done throughout the course of this series. Start by creating a new yaml file named mysecret.yaml:
apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: dXNlcm5hbWU= # Base64 encoded "username" password: cGFzc3dvcmQ= # Base64 encoded "password"
Note: The data values must be Base64 encoded. If you are on MacOS or linux, You can encode a string using echo -n 'string' | base64 on the command line. If you’re one Windows, you can use Base64 Encode and Decode – Online or a similar utility.
Next, apply the secret to your Kubernetes cluster so that it can be used by your resources:
kubectl apply -f mysecret.yamlUsing the Secret in a Pod
Now that we have the secret setup in our cluster, let’s try using it in one of our pods. Let’s stand up a new pod using the following configuration:
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mycontainer
image: busybox
command: ["sh", "-c", "echo 'Username: $USERNAME, Password: $PASSWORD' && sleep 3600"]
env:
- name: USERNAME
valueFrom:
secretKeyRef:
name: mysecret
key: username
- name: PASSWORD
valueFrom:
secretKeyRef:
name: mysecret
key: password
In the example above, we’re setting up two environment variables – USERNAME and PASSWORD and we’re having Kubernetes populate those two variables from the two secrets that we created earlier under the mysecret key. Our pod is simply echoes those values in its terminal.
Apply the pod configuration to your cluster:
kubectl apply -f mypod.yamlVerify that the pod was able to get those secrets by inspect the logs:
kubectl logs mypodYou should see output similar to Username: username, Password: password.
Updating Secrets
If you need to update the secret, you can edit the mysecret.yaml file and reapply it. Update the file with new values for the username and password (remember to Base64 encode them).
Reapply the secret:
kubectl apply -f mysecret.yamlDelete the existing Pod so that a new one is created with the updated secret:
kubectl delete pod mypodVerify that the updates now show when reinspecting the logs:
kubectl logs mypodClosing Thoughts
You can clean up the resources that you created for this exercise, like so:
kubectl delete secret mysecret
kubectl delete pod mypodIn this installment, we explored how to create, use, and update Kubernetes Secrets to manage sensitive information securely. Secrets are a vital tool in Kubernetes for maintaining the confidentiality of your application’s sensitive data.