Kubernetes Secrets: A complete guide to securely managing sensitive information

Introduction

In a container orchestration system, safeguarding and effectively managing sensitive information like passwords, API keys, and other confidential data is paramount. Kubernetes offers a robust solution through its Secrets feature, designed to handle sensitive information securely, centrally, and with precise control.

This article delves deeply into the fundamental principles, advantages, drawbacks, creation, updating procedures, and practical usage of Kubernetes Secrets. Additionally, it provides actionable suggestions for optimal implementation and management of Secrets within a Kubernetes environment.

Kubernetes Secrets Principle

• Secrets store sensitive information such as passwords, API keys, etc. in base64-encoded form.
• It is stored in etcd, but will undergo a layer of base64 encoding to improve the security of the information.

Kubernetes Secrets Advantage

• Improved security: Improved protection of sensitive information through base64 encoding and centralized management.
• Centralized management: Sensitive information is stored centrally for easy management and updates.
• Version control: Can be associated with a specific version of a Pod to achieve precise control and tracking of access rights.

Kubernetes Secrets Limitations

• Limited security: base64 encoding provides a simple obfuscation rather than true encryption.
• Simple permission management: Relatively simple permission management may not be enough to meet the needs of some scenarios.

Create and update Kubernetes Secrets

Create Secrets from text

kubectl create secret generic db-credentials \
  --from-literal=username=myuser \
  --from-literal=password=mypassword

Create Secrets from files

Assume secrets.txt the file contains the following content:

username=myuser
password=mypassword

kubectl create secret generic db-credentials --from-file=secrets.txt

Directly update Secrets (the example is only for demonstration, it is not recommended to update directly in the production environment)

kubectl create secret generic db-credentials \
  --from-literal=username=newuser \
  --from-literal=password=newpassword \
  --dry-run=client -o yaml | kubectl apply -f -

Update Secrets from files

Assume secrets_updated.txt the file contains the following content:

username=newuser
password=newpassword

kubectl create secret generic db-credentials --from-file=secrets_updated.txt --dry-run=client -o yaml | kubectl apply -f -

Use Kubernetes Secrets

Using Secrets in Pods

An in-depth discussion of how to reference Secrets in Pod configuration files and use valueFrom and secretKeyRef to obtain sensitive information from Secrets. For example, use the above database credential Secret in the Pod:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image: myimage
    env:
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: password

An in-depth discussion of how to reference Secrets in Pod configuration files and use valueFrom and secretKeyRef to obtain sensitive information from Secrets. Here are examples of reading configuration in Java, Python and Node.js applications:

Java application

import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

public class MyApp {
     public static void main(String[] args) throws Exception {
         //Read database credentials from Secrets
         String usernameSecret = System.getenv("DB_USERNAME");
         String passwordSecret = System.getenv("DB_PASSWORD");

         // Decode base64 encoded credentials
         String decodedUsername = new String(Base64.getDecoder().decode(usernameSecret));
         String decodedPassword = new String(Base64.getDecoder().decode(passwordSecret));

         // Use credentials to connect to the database or perform other sensitive operations
         // ...
     }
}

Python applications

import os
import base64

# Read database credentials from Secrets
username_secret = os.environ.get("DB_USERNAME")
password_secret = os.environ.get("DB_PASSWORD")

# Decode base64 encoded credentials
decoded_username = base64.b64decode(username_secret).decode('utf-8')
decoded_password = base64.b64decode(password_secret).decode('utf-8')

# Use credentials to connect to the database or perform other sensitive operations
#...

Node.js application

const { DB_USERNAME, DB_PASSWORD } = process.env;

//Read database credentials from Secrets
const usernameSecret = DB_USERNAME;
const passwordSecret = DB_PASSWORD;

// Decode base64 encoded credentials
const decodedUsername = Buffer.from(usernameSecret, 'base64').toString('utf-8');
const decodedPassword = Buffer.from(passwordSecret, 'base64').toString('utf-8');

// Use credentials to connect to the database or perform other sensitive operations
// ...

These examples show how to read Kubernetes Secrets in applications in different languages ​​and decode and use this sensitive information in the application. In this way, you can ensure that sensitive information is safely passed into the application.

Practical Suggestions

Some suggestions are provided for readers, including best practices such as avoiding hard-coding sensitive information and rotating sensitive information regularly, to help them better apply Secrets to actual production environments.

Cleanup and best practices

Introduces how to safely clean up Secrets that are no longer needed and some best practices for using Secrets to ensure the robustness and security of the system.

• Clean up Secrets no longer needed:

kubectl delete secret db-credentials

• Regular rotation of sensitive information:

Define an automated task, such as a CronJob, to regularly create new Secrets and update related applications to ensure that old credentials are no longer valid. 

For example, to rotate database credentials monthly:

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: rotate-db-credentials
spec:
  schedule: "0 0 1 * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: rotate
            image: rotate-image
            command: ["rotate-script.sh"]

Check our last updated Kubernetes Exam Guides (CKAD , CKA , CKS) :

Conclusion

Summarizes the key concepts and practices of Kubernetes Secrets, emphasizing the importance of securely managing sensitive information in containerized environments. 

Through this article, readers will have a more comprehensive understanding of how to effectively use Kubernetes Secrets to ensure the security and stability of applications and systems.