Kubernetes Secrets: A complete guide to securely managing sensitive information


Introduction

In a container orchestration system, safeguarding and effectively managing sensitive information like passwords, API keys, and other confidential data is paramount. Kubernetes offers a robust solution through its Secrets feature, designed to handle sensitive information securely, centrally, and with precise control.

This article delves deeply into the fundamental principles, advantages, drawbacks, creation, updating procedures, and practical usage of Kubernetes Secrets. Additionally, it provides actionable suggestions for optimal implementation and management of Secrets within a Kubernetes environment.

How Kubernetes Secrets work

  • Secrets store sensitive information such as passwords, API keys, etc. as key/value pairs whose values are base64-encoded.
  • The Secret object is persisted in etcd; the base64 layer is an encoding, not encryption (see the limitations below).

Kubernetes Secrets Advantages

  • Improved security: sensitive values live in a dedicated, centrally managed object (base64-encoded in etcd) rather than being embedded in manifests or container images.
  • Centralized management: sensitive information is stored in one place, which makes it easy to manage and update.
  • Tracking and control: a Pod references a Secret by name, so which Pod versions use which credentials can be controlled and tracked precisely.

Kubernetes Secrets Limitations

  • Limited security: base64 encoding is simple obfuscation, not encryption; anyone who can read the Secret object (or the etcd store behind it) can recover the plaintext.
  • Simple permission management: access control on Secrets is relatively coarse and may not meet the needs of some scenarios.

Create and update Kubernetes Secrets

Create Secrets from text

kubectl create secret generic db-credentials \
  --from-literal=username=myuser \
  --from-literal=password=mypassword

Create Secrets from files

Assume the file secrets.txt contains the following content:

username=myuser
password=mypassword

kubectl create secret generic db-credentials --from-file=secrets.txt

Note that --from-file stores the entire file under a single key named after the file (secrets.txt here). The Pod example further down expects separate username and password keys; for a key=value file like this one, --from-env-file=secrets.txt produces those keys instead.

Update Secrets directly (for demonstration only; updating Secrets this way in a production environment is not recommended, not least because the plaintext values end up in the shell history):

kubectl create secret generic db-credentials \
  --from-literal=username=newuser \
  --from-literal=password=newpassword \
  --dry-run=client -o yaml | kubectl apply -f -

Update Secrets from files

Assume the file secrets_updated.txt contains the following content:

username=newuser
password=newpassword

kubectl create secret generic db-credentials \
  --from-file=secrets_updated.txt \
  --dry-run=client -o yaml | kubectl apply -f -

The same caveat applies: with --from-file the data ends up under one key named secrets_updated.txt, so the key names of the existing Secret change; --from-env-file keeps the username and password keys.
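As an added example that is not part of the original article, the following Python models what the kubectl commands above produce. build_secret mirrors `kubectl create secret generic` by base64-encoding each value into the data map, read_secret reverses it (which is exactly why the limitations section calls base64 obfuscation rather than encryption), and keys_from_file versus keys_from_env_file show why `--from-file=secrets.txt` yields a single key named secrets.txt whereas `--from-env-file` yields username and password. The function names, the SECRETS_TXT sample and the simplified env-file parsing are this example's own assumptions, not kubectl's code.

```python
import base64
from typing import Dict

# Constructed sample input: the key=value file used in the kubectl examples.
SECRETS_TXT = "username=myuser\npassword=mypassword\n"


def build_secret(name: str, data: Dict[str, str]) -> dict:
    """Build an Opaque Secret manifest the way `kubectl create secret generic`
    does: each value is base64-encoded into the `data` map."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name},
        "data": {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
                 for k, v in data.items()},
    }


def read_secret(manifest: dict) -> Dict[str, str]:
    """Reverse the encoding. This is all it takes for anyone who can read the
    Secret object (or the etcd store behind it) to recover the plaintext, which
    is why base64 is obfuscation rather than encryption."""
    return {k: base64.b64decode(v).decode("utf-8")
            for k, v in manifest.get("data", {}).items()}


def keys_from_file(filename: str, content: str) -> Dict[str, str]:
    """Model of --from-file=<filename>: a single key named after the file whose
    value is the entire file content."""
    return {filename: content}


def keys_from_env_file(content: str) -> Dict[str, str]:
    """Simplified model of --from-env-file (assumption: the real kubectl parser
    has more rules): one key per KEY=VALUE line; blank lines and '#' comments
    are skipped."""
    data: Dict[str, str] = {}
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"expected KEY=VALUE, got {line!r}")
        data[key] = value
    return data


if __name__ == "__main__":
    from_env = build_secret("db-credentials", keys_from_env_file(SECRETS_TXT))
    from_file = build_secret("db-credentials", keys_from_file("secrets.txt", SECRETS_TXT))
    print("keys with --from-env-file:", sorted(from_env["data"]))
    print("keys with --from-file:    ", sorted(from_file["data"]))
    print("plaintext recovered from the manifest:", read_secret(from_env))
```

Running the block prints the two key layouts side by side and then the plaintext recovered from the manifest, which is the same thing `kubectl get secret db-credentials -o yaml` hands to anyone allowed to read the object.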

Use Kubernetes Secrets

Using Secrets in Pods

A Pod references a Secret in its configuration with valueFrom and secretKeyRef, which pull one key out of the Secret into an environment variable. For example, to use the database credential Secret created above in a Pod:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image: myimage
    env:
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: password
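Added example, not part of the original article: a Python model of how the kubelet resolves the valueFrom.secretKeyRef entries of the Pod above. It decodes the stored base64 value and hands the plaintext to the container, treats a missing Secret or key as an error unless the reference sets optional: true, and second_decode_fails shows what happens when an application base64-decodes such a value a second time. SECRET, POD_ENV and the function names are constructed for this example and are not kubelet code.

```python
import base64
import binascii
from typing import Dict, List

# Constructed sample: the db-credentials Secret as the API server stores it
# (values base64-encoded) and the env section of the Pod spec above.
SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-credentials"},
    "data": {"username": "bXl1c2Vy", "password": "bXlwYXNzd29yZA=="},
}
POD_ENV = [
    {"name": "DB_USERNAME",
     "valueFrom": {"secretKeyRef": {"name": "db-credentials", "key": "username"}}},
    {"name": "DB_PASSWORD",
     "valueFrom": {"secretKeyRef": {"name": "db-credentials", "key": "password"}}},
]


def resolve_env(container_env: List[dict], secrets: Dict[str, dict]) -> Dict[str, str]:
    """Resolve a container's `env` list the way the kubelet does for
    valueFrom.secretKeyRef: find the Secret by name, pick the key,
    base64-decode it and hand the plaintext to the container. A missing Secret
    or key is a hard error unless the ref sets `optional: true`, in which case
    the variable is simply left unset."""
    env: Dict[str, str] = {}
    for item in container_env:
        name = item["name"]
        if "value" in item:                      # literal value in the manifest
            env[name] = item["value"]
            continue
        ref = item.get("valueFrom", {}).get("secretKeyRef")
        if ref is None:
            raise ValueError(f"{name}: only value and secretKeyRef are modelled here")
        secret = secrets.get(ref["name"])
        encoded = None if secret is None else secret.get("data", {}).get(ref["key"])
        if encoded is None:
            if ref.get("optional", False):
                continue
            raise KeyError(f"{name}: secret {ref['name']!r} has no key {ref['key']!r}")
        env[name] = base64.b64decode(encoded).decode("utf-8")
    return env


def second_decode_fails(value: str) -> bool:
    """True when treating an already-decoded value as base64 raises, which is
    what an application that decodes DB_USERNAME a second time runs into.
    Values whose length happens to be a multiple of 4 (e.g. "pass") do not
    raise; they silently decode to garbage bytes instead, which is worse."""
    try:
        base64.b64decode(value, validate=True)
        return False
    except (binascii.Error, ValueError):
        return True


if __name__ == "__main__":
    env = resolve_env(POD_ENV, {"db-credentials": SECRET})
    print("container sees:", env)
    print("decoding DB_USERNAME again raises:", second_decode_fails(env["DB_USERNAME"]))
```

The resolved dictionary is what the container process finds in its environment, so the application code in the next section reads the variables as-is.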

Inside the container the credentials are ordinary environment variables holding the plaintext values; the kubelet has already base64-decoded them. Here are examples of reading them in Java, Python and Node.js applications:

Java application

public class MyApp {
    public static void main(String[] args) {
        // Read database credentials from Secrets. Kubernetes injects the values
        // already base64-decoded, so the variables hold the plaintext; decoding
        // them again would corrupt the credentials.
        String username = System.getenv("DB_USERNAME");
        String password = System.getenv("DB_PASSWORD");
        if (username == null || password == null) {
            throw new IllegalStateException("DB_USERNAME and DB_PASSWORD must be set via secretKeyRef");
        }

        // Use credentials to connect to the database or perform other sensitive operations
        // ...
    }
}

Python application

import os

# Read database credentials from Secrets. Kubernetes injects the values
# already base64-decoded, so the variables hold the plaintext; decoding
# them again would corrupt the credentials. os.environ[...] raises KeyError
# if a variable is missing, which is preferable to silently using None.
username = os.environ["DB_USERNAME"]
password = os.environ["DB_PASSWORD"]

# Use credentials to connect to the database or perform other sensitive operations
# ...

Node.js application

// Read database credentials from Secrets. Kubernetes injects the values
// already base64-decoded, so the variables hold the plaintext; decoding
// them again would corrupt the credentials.
const { DB_USERNAME, DB_PASSWORD } = process.env;

if (!DB_USERNAME || !DB_PASSWORD) {
  throw new Error('DB_USERNAME and DB_PASSWORD must be set via secretKeyRef');
}

// Use credentials to connect to the database or perform other sensitive operations
// ...

These examples show how applications written in different languages read Kubernetes Secrets that were injected as environment variables. Because the values are already decoded when they reach the container, the application uses them directly. In this way, sensitive information is passed into the application without being baked into the image or the Pod manifest.

Practical Suggestions

Practical suggestions for applying Secrets in real production environments include: do not hard-code sensitive information in source code, images or manifests, but reference it from Secrets instead; and rotate sensitive information regularly so that a leaked credential has a limited lifetime.

Cleanup and best practices

This section covers how to safely clean up Secrets that are no longer needed, and best practices for using Secrets so that the system stays robust and secure.

  • Clean up Secrets that are no longer needed:

kubectl delete secret db-credentials

  • Rotate sensitive information regularly:

Define an automated task, such as a CronJob, that regularly creates new Secrets and updates the related applications, so that the old credentials are no longer valid.

For example, to rotate database credentials monthly:

apiVersion: batch/v1          # batch/v1beta1 was removed in Kubernetes 1.25
kind: CronJob
metadata:
  name: rotate-db-credentials
spec:
  schedule: "0 0 1 * *"       # 00:00 on the first day of every month
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure   # Job Pods must use OnFailure or Never
          containers:
          - name: rotate
            image: rotate-image
            command: ["rotate-script.sh"]
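Added example in Python, not from the original article and not what the article's rotate-script.sh is known to do, showing the two halves of a rotation task: rotate_secret produces a new manifest with a freshly generated password and a rotation timestamp annotation, and stamp_pod_template writes a checksum of the Secret data into a Deployment's pod-template annotations so that the Deployment rolls out new Pods. The second step is needed because environment variables filled from secretKeyRef are read only once, when the container starts, so updating the Secret alone does not reach running Pods. The annotation keys (example.com/...), the sample Secret, the CSPRNG password format and the checksum-annotation pattern are assumptions of this example.

```python
import base64
import hashlib
import json
import secrets
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the current db-credentials Secret (values base64-encoded).
CURRENT_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "db-credentials"},
    "data": {"username": "bXl1c2Vy", "password": "bXlwYXNzd29yZA=="},
}

ROTATED_AT = "example.com/rotated-at"        # hypothetical annotation key
CHECKSUM = "example.com/secret-checksum"     # hypothetical pod-template annotation key


def rotate_secret(manifest: dict, key: str = "password",
                  now: Optional[datetime] = None) -> dict:
    """Return a new manifest for the same Secret with a freshly generated value
    under `key` (generated with the CSPRNG-backed `secrets` module) and an
    annotation recording the rotation time. The input manifest is left
    untouched so the caller can keep it for rollback until the database side
    has accepted the new credential."""
    data = dict(manifest.get("data", {}))
    if key not in data:
        raise KeyError(f"secret has no key {key!r} to rotate")
    new_value = secrets.token_urlsafe(24)
    data[key] = base64.b64encode(new_value.encode("ascii")).decode("ascii")
    metadata = dict(manifest.get("metadata", {}))
    annotations = dict(metadata.get("annotations", {}))
    annotations[ROTATED_AT] = (now or datetime.now(timezone.utc)).isoformat()
    metadata["annotations"] = annotations
    return {**manifest, "metadata": metadata, "data": data}


def data_checksum(manifest: dict) -> str:
    """SHA-256 over the Secret's data map, serialised canonically so the same
    content always yields the same digest regardless of key order."""
    canonical = json.dumps(manifest.get("data", {}), sort_keys=True).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def stamp_pod_template(deployment: dict, secret: dict) -> dict:
    """Write the Secret checksum into the Deployment's pod-template annotations.
    Any change to the pod template makes the Deployment controller roll out new
    Pods, which then start with the rotated credentials in their environment."""
    spec = deployment["spec"]
    tmpl = spec["template"]
    tmpl_meta = dict(tmpl.get("metadata", {}))
    annotations = dict(tmpl_meta.get("annotations", {}))
    annotations[CHECKSUM] = data_checksum(secret)
    tmpl_meta["annotations"] = annotations
    return {**deployment,
            "spec": {**spec, "template": {**tmpl, "metadata": tmpl_meta}}}


if __name__ == "__main__":
    rotated = rotate_secret(CURRENT_SECRET)
    deployment = {"apiVersion": "apps/v1", "kind": "Deployment",
                  "metadata": {"name": "myapp"},
                  "spec": {"template": {"spec": {}}}}
    print(json.dumps(rotated, indent=2))
    print(json.dumps(stamp_pod_template(deployment, rotated), indent=2))
```

In a real CronJob the two manifests would be applied in order: the Secret first, the database user's password changed to the new value, and the Deployment patched last, so that Pods only restart once the new credential is accepted on both sides.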


Conclusion

This article has summarized the key concepts and practices of Kubernetes Secrets, emphasizing the importance of securely managing sensitive information in containerized environments.

With this understanding, readers can use Kubernetes Secrets effectively to support the security and stability of their applications and systems.

Author

  • Mohamed BEN HASSINE

    Mohamed BEN HASSINE is a hands-on Cloud Solution Architect based in France. He has been working on Java, Web, API and Cloud technologies for over 12 years and is still going strong at learning new things. Currently, he plays the role of Cloud / Application Architect in Paris, designing cloud-native solutions and APIs (REST, gRPC) using cutting-edge technologies (GCP / Kubernetes / APIGEE / Java / Python).
