Secrets in Kubernetes - CKA
Secrets in Kubernetes are designed to securely store sensitive information like passwords, tokens, and keys. They ensure your sensitive data isn’t exposed in plain text. Let’s dive into the essentials!
Secrets are Kubernetes objects used to store small, sensitive data.
Unlike ConfigMaps, Secrets encode data in Base64, adding a layer of obfuscation (though not encryption).
Creation Ways of Secrets
Imperative Way
kubectl create secret <secret-type> <secret-name> --from-literal=<key>=<value>
# Secret through files
kubectl create secret <secret-type> <secret-name> --from-file=path-of-file
Declarative Way
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: YWRtaW4=      # Base64 encoded
  password: c2VjcmV0MTIz  # Base64 encoded
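The values in the declarative manifest above are only Base64-encoded. The script below is an added example, not code from the original post: it builds the data stanza of an Opaque Secret from plaintext values (what kubectl --from-literal does for you) and decodes a field straight back, which is why anyone allowed to read the Secret object can read the password. It assumes only a POSIX shell and the coreutils base64 command.

```shell
# Added example (not from the original post). Builds the "data:" stanza of an
# Opaque Secret from plaintext key=value pairs and decodes it again, to show
# that Base64 is reversible encoding, not encryption. Runs offline.

# b64 STRING -> Base64 of STRING, with no trailing newline and no line wrapping
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# render_secret NAME key=value [key=value ...] -> prints a Secret manifest
render_secret() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}      # text before the first "="
    value=${kv#*=}     # everything after it (value may itself contain "=")
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# decode_field MANIFEST KEY -> plaintext value of one entry under data:
decode_field() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == (k ":") { print $2; exit }' | base64 --decode
}

# Constructed sample values; they match the manifest in the post.
manifest=$(render_secret my-secret username=admin password=secret123)
printf '%s\n' "$manifest"
printf 'decoded password: %s\n' "$(decode_field "$manifest" password)"
```

Compare the rendered data stanza with the manifest above: the encoded strings are identical, and decoding them needs no key at all.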
Types of Secrets
Generic (Opaque): It is a general type of secret, used for arbitrary key-value pairs.
Use Case: Storing sensitive data like passwords, API tokens, or configuration values.
Example -
Imperative
kubectl create secret generic db-creds --from-literal=username=harshit \
--from-literal=password=KJBJL89F=
Declarative
apiVersion: v1
kind: Secret
metadata:
  name: my-opaque-secret
type: Opaque
data:
  username: YWRtaW4=      # Base64-encoded
  password: cGFzc3dvcmQ=  # Base64-encoded
Docker Registry: Used to authenticate with private Docker registries.
Use Case: Pulling container images from private registries.
Example -
kubectl create secret docker-registry docker-secret \
--docker-email=example@gmail.com \
--docker-username=my-user \
--docker-password=my-password \
--docker-server=https://index.docker.io/v1/
TLS: Stores certificates and keys for TLS (Transport Layer Security).
Type: kubernetes.io/tls
Use Case: Enabling HTTPS for Ingress controllers or secure communications.
Example -
Imperative
kubectl create secret tls tls-secret --cert=path/to/cert/file --key=path/to/key/file
Declarative
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: kubernetes.io/tls
data:
  tls.crt: BASE64_ENCODED_CERTIFICATE
  tls.key: BASE64_ENCODED_KEY
Secrets in Pod
First Create a Secret in Kubernetes
kubectl create secret generic db-creds --from-literal=username=harshit \
--from-literal=password=KJBJL89F=
Injecting Secrets as a Whole Object
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  containers:
    - name: project
      image: nginx
      envFrom:
        - secretRef:
            name: db-creds
Passing as Environment Variables in Pods
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  containers:
    - name: project
      image: nginx
      env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: db-creds
              key: username
Mounted as Volumes in Pods
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  containers:
    - name: project
      image: nginx
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/creds
  volumes:
    - name: secret-volume
      secret:
        secretName: db-creds
To view all secrets in a namespace:
kubectl get secrets -n <namespace>
To see the details of a secret in a namespace:
kubectl describe secret <secret-name> -n <namespace>
Implementation of each type of Secret
Generic Secret
Create a Generic Secret in Kubernetes
kubectl create secret generic db-secret --from-literal=username=dbuser \
--from-literal=password=SGFyc2hpdAo=
secret-1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo-1
spec:
  containers:
    - name: demo-container
      image: nginx
      env:
        - name: Username
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: username
Docker Registry Secret
Create a Docker Registry secret in Kubernetes
kubectl create secret docker-registry docker-secret \
--docker-email=example@gmail.com \
--docker-username=dev \
--docker-password=pass1234 \
--docker-server=my-registry.example:5000
secret-2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo-2
spec:
  containers:
    - name: demo-container
      image: nginx
      envFrom:
        - secretRef:
            name: docker-secret
TLS Secret
Create a TLS Secret in Kubernetes
kubectl create secret tls my-tls-secret --cert=path/of/cert/file \
--key=path/of/key/file
secret-3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo-3
spec:
  containers:
    - name: demo-container
      image: nginx
      volumeMounts:
        - name: data
          mountPath: /etc/cert-data
  volumes:
    - name: data
      secret:
        secretName: my-tls-secret
Key Takeaways
Default (Opaque) works for most use cases.
Use TLS Secrets for certificates and secure communication.
Leverage Docker Config Secrets for private registry authentication.
Always encrypt and manage access to Secrets for enhanced security.