
Managing Secrets in Kubernetes

Introduction

Secrets in Kubernetes are a way to store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys. This lesson covers the key concepts and practices for managing secrets effectively in Kubernetes.

What are Secrets?

Kubernetes Secrets are API objects that hold sensitive data separately from Pod specifications and ConfigMaps, so it can be access-controlled and managed on its own. Keeping such data out of Pod specs and ConfigMaps matters because those objects are widely readable and routinely end up in version control, logs and kubectl output. Secrets can be used to store various types of sensitive information, including:

  • Passwords
  • SSH keys
  • API tokens
  • Certificates
Note: Secret values are stored base64-encoded, and base64 is an encoding, not encryption: anyone who can read the object (kubectl get secret my-secret -o yaml) or the underlying etcd data recovers the plaintext with base64 -d. The real controls are RBAC on the secrets resource and the API server's encryption-at-rest configuration.

Creating Secrets

The kubectl create secret generic subcommand builds an Opaque Secret from one of several sources (kubectl also has tls and docker-registry subcommands for certificate/key pairs and registry credentials):

  1. From literal values: Create a secret directly from command line literals.
  2. From files: Create a secret from a file that contains sensitive data.
  3. From directories: Create a secret from all files in a directory.

Creating a Secret from Literal Values

kubectl create secret generic my-secret --from-literal=key1=value1 --from-literal=key2=value2

Creating a Secret from a File

kubectl create secret generic my-secret --from-file=path/to/your/file

The key defaults to the file's base name; use --from-file=mykey=path/to/your/file to choose a different key. Keys must match [-._a-zA-Z0-9]+.

Creating a Secret from a Directory

kubectl create secret generic my-secret --from-file=path/to/your/directory/

Every regular file in the directory becomes a key named after the file; subdirectories are skipped. The whole object, all keys together, must stay under the 1 MiB object size limit.
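To make the three creation paths above and the base64 note concrete, here is an added example (not Swiftorial's or the Kubernetes project's code) that builds Secret manifests the way kubectl create secret generic does, applies the same key and size rules the API server enforces, and then decodes a manifest back to plaintext. It emits JSON, which kubectl apply -f accepts exactly like YAML; the demo_from_files helper and its two file names are constructed for the demonstration.

```python
"""Build and inspect Kubernetes Secret manifests like `kubectl create secret generic`.

Added example, not Swiftorial's or Kubernetes' own code. Emits JSON manifests
(`kubectl apply -f` accepts them like YAML); demo_from_files is a constructed demo.
"""
from __future__ import annotations

import base64
import json
import os
import re
import tempfile

# The API server rejects data keys that do not match this pattern.
SECRET_KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")
# Secrets, like every etcd object, are capped at 1 MiB; this approximates that
# limit by summing raw key and value bytes.
MAX_SECRET_BYTES = 1024 * 1024


def is_valid_secret_key(key: str) -> bool:
    return bool(SECRET_KEY_RE.match(key))


def _manifest(name: str, namespace: str, data: dict[str, bytes]) -> dict:
    """Assemble an Opaque Secret; values are base64-encoded, which is all kubectl does."""
    for key in data:
        if not is_valid_secret_key(key):
            raise ValueError(f"invalid Secret key {key!r}: must match [-._a-zA-Z0-9]+")
    size = sum(len(k.encode()) + len(v) for k, v in data.items())
    if size > MAX_SECRET_BYTES:
        raise ValueError(f"Secret {name!r} would hold {size} bytes, over the 1 MiB limit")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v).decode("ascii") for k, v in data.items()},
    }


def secret_from_literals(name: str, literals: dict[str, str],
                         namespace: str = "default") -> dict:
    """Equivalent of: kubectl create secret generic NAME --from-literal=KEY=VALUE ..."""
    return _manifest(name, namespace, {k: v.encode() for k, v in literals.items()})


def secret_from_files(name: str, sources: list[str],
                      namespace: str = "default") -> dict:
    """Equivalent of --from-file=PATH (key = file base name) or --from-file=KEY=PATH."""
    data: dict[str, bytes] = {}
    for source in sources:
        key, sep, path = source.partition("=")
        if not sep:  # no explicit key: kubectl uses the file's base name
            key, path = os.path.basename(source), source
        with open(path, "rb") as fh:
            data[key] = fh.read()
    return _manifest(name, namespace, data)


def decode_secret(manifest: dict) -> dict[str, str]:
    """What `kubectl get secret NAME -o jsonpath='{.data.KEY}' | base64 -d` gives
    anyone allowed to read the object: base64 is reversible, so this is the plaintext."""
    return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}


def demo_from_files() -> dict:
    """Write two constructed files to a temp dir and package them like --from-file."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, content in (("username", "dbuser"), ("password", "s3cr3t")):
            with open(os.path.join(tmp, fname), "w") as fh:
                fh.write(content)
        # first entry keeps the file name as its key, the second renames it to "pw"
        return secret_from_files(
            "db-creds",
            [os.path.join(tmp, "username"), "pw=" + os.path.join(tmp, "password")],
        )


if __name__ == "__main__":
    manifest = secret_from_literals("my-secret", {"key1": "value1", "key2": "value2"})
    print(json.dumps(manifest, indent=2))  # pipe this to: kubectl apply -f -
    print(decode_secret(manifest))         # plaintext is one decode away
    print(decode_secret(demo_from_files()))
```

The point of decode_secret is the one the note above makes: the data field protects nothing by itself, so whoever can read the object can read the values. stringData, which lets you write plaintext in a manifest that the API server encodes on write, is only a convenience for the same storage.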

Using Secrets

Secrets can be accessed in Pods in two primary ways:

  • As environment variables: a Secret key is injected into the container's environment. This is convenient, but the value is then visible to every process in the container, to kubectl exec env, to /proc/<pid>/environ and to crash reports, and it is not updated if the Secret changes.
  • As mounted files: each key of the Secret becomes a file in a volume. The kubelet refreshes these files when the Secret is updated (on its sync period, and not for subPath mounts), and file permissions can be restricted with defaultMode.

In both cases the Pod can only reference Secrets in its own namespace, and the Secret must exist before the Pod can start unless the reference is marked optional: true.

Using Secrets as Environment Variables

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image: myimage
    env:
    - name: MY_SECRET
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: key1

Using Secrets as Mounted Files

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image: myimage
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/secret   # key1 becomes /etc/secret/key1, key2 /etc/secret/key2
      readOnly: true           # the container never needs to write these files
  volumes:
  - name: secret-volume
    secret:
      secretName: my-secret

Best Practices

When managing secrets in Kubernetes, consider the following best practices:

  • Use RBAC to control access to Secrets: grant get on named Secrets (resourceNames) rather than list or watch on the whole resource, and remember that anyone who can create Pods in a namespace can mount any Secret in it.
  • Enable encryption at rest for Secrets: configure an EncryptionConfiguration on the API server (aescbc, secretbox or, preferably, a KMS provider) so etcd never holds plaintext values, then rewrite existing Secrets so they are re-stored encrypted (kubectl get secrets --all-namespaces -o json | kubectl replace -f -).
  • Regularly rotate secrets, and prefer file mounts over environment variables so rotated values reach running Pods without a restart.
  • Use tools like HashiCorp Vault, the External Secrets Operator or the Secrets Store CSI driver so the source of truth lives outside etcd and the cluster only holds short-lived copies.
  • Monitor and audit access to Secrets: log requests to the secrets resource at the Metadata audit level (Request or RequestResponse would copy the values into the log) and alert on list or watch by non-system principals.
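As an added example of the last practice (not code from Swiftorial or the Kubernetes project), the script below reads API-server audit events and flags Secret reads worth looking at: reads by non-system principals, bulk list/watch requests, and denied attempts. It assumes an audit policy that records requests to the secrets resource at the Metadata level, which supplies the stage, verb, user and objectRef fields used here without copying Secret values into the log. The sample events are constructed for the demonstration, not captured from a cluster.

```python
"""Flag reads of Secrets in Kubernetes API-server audit logs.

Added example, not Swiftorial's or Kubernetes' code. Assumes an audit policy that
logs the `secrets` resource at the Metadata level. SAMPLE_AUDIT_LOG is constructed.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

READ_VERBS = {"get", "list", "watch"}

# Constructed audit.k8s.io/v1 Event objects, one JSON object per line, as the API
# server writes them. a1 appears twice because every request is logged once per stage.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"RequestReceived","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets","verb":"list","user":{"username":"system:serviceaccount:prod:ci-runner","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"prod"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/configmaps/app-config","verb":"get","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"configmaps","namespace":"prod","name":"app-config"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/secrets","verb":"list","user":{"username":"bob","groups":["developers"]},"objectRef":{"resource":"secrets"},"responseStatus":{"code":403}}
"""


@dataclass(frozen=True)
class Finding:
    audit_id: str
    username: str
    verb: str
    namespace: str
    name: str
    status: int
    reason: str


def is_system_principal(username: str) -> bool:
    """Control-plane components read Secrets as part of normal operation. Service
    accounts also start with "system:" but are workload identities, so keep those."""
    return username.startswith("system:") and not username.startswith("system:serviceaccount:")


def analyze_secret_access(log_text: str, allowlist: frozenset[str] = frozenset()) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":  # count each request once, when it finished
            continue
        ref = ev.get("objectRef") or {}
        verb = ev.get("verb", "")
        if ref.get("resource") != "secrets" or verb not in READ_VERBS:
            continue
        username = ev.get("user", {}).get("username", "")
        if is_system_principal(username) or username in allowlist:
            continue
        status = int(ev.get("responseStatus", {}).get("code", 0))
        if status == 403:
            reason = "denied read attempt"            # RBAC held, but someone probed
        elif verb in ("list", "watch"):
            reason = "bulk read"                      # every Secret in scope, not just one
        else:
            reason = "read by non-system principal"
        findings.append(Finding(
            audit_id=ev.get("auditID", ""),
            username=username,
            verb=verb,
            namespace=ref.get("namespace", "<cluster-wide>"),  # absent for cluster-scoped lists
            name=ref.get("name", "*"),
            status=status,
            reason=reason,
        ))
    return findings


def reads_per_user(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.username for f in findings))


if __name__ == "__main__":
    hits = analyze_secret_access(SAMPLE_AUDIT_LOG)
    for f in hits:
        print(f"{f.audit_id} {f.username} {f.verb} {f.namespace}/{f.name} -> {f.status}: {f.reason}")
    print(reads_per_user(hits))
```

On the sample, a3 is skipped as a control-plane read and a4 because it is a ConfigMap; a2 is kept even though the CI service account is "system:"-prefixed, since a service account listing every Secret in a namespace is exactly the pattern an over-broad Role produces. The allowlist parameter is for principals you have reviewed, such as an external secrets operator.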

FAQ

What happens if a Secret is deleted?

Deleting a Secret does not immediately affect containers that are already running: environment variables keep the values they started with, and files already mounted from the Secret stay in place. New Pods, and restarted containers, that reference the missing Secret fail to start (CreateContainerConfigError for env references, or a Pod stuck in ContainerCreating for volumes) unless the reference is marked optional: true. Delete or rotate a Secret only after every workload that uses it has been updated.

Can Secrets be shared across namespaces?

No, Secrets are namespace-scoped, and a Pod can only reference Secrets in its own namespace. To use the same value in several namespaces, create a separate Secret in each (or let an external secrets tool sync it there); RBAC then has to be granted per namespace as well.

How do I update a Secret?

You can update a Secret with kubectl apply and a new definition, with kubectl edit secret my-secret, or by regenerating it from the command line: kubectl create secret generic my-secret --from-literal=key1=newvalue --dry-run=client -o yaml | kubectl apply -f -. Pods pick the change up differently: files in a Secret volume are refreshed by the kubelet (except for subPath mounts), while environment variables keep the old value until the container restarts, so consumers that use env vars need a rollout (for example kubectl rollout restart on their Deployment).