Kubernetes Secrets | Secure Data Management
Introduction
In this lab, you will learn how to use Kubernetes Secrets to securely manage sensitive information such as passwords, API keys, and other confidential data. You will create a secret, use it in your application, and verify that the application is properly configured. Each step builds upon the previous one, so make sure you follow along carefully.
Create A Secret
In this step, you will create a Kubernetes Secret that contains a database password.
Create a file named my-secret.yaml with the following contents:
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: dXNlcm5hbWU6cGFzc3dvcmQ=  # Base64-encoded, not encrypted
In this file, we specify the name of the Secret (my-secret), the type of data it contains (Opaque), and the actual data in Base64-encoded format.
Apply the Secret to your cluster by running the following command:
kubectl apply -f my-secret.yaml
Verify that the Secret was created by running the following command:
kubectl get secrets
You should see the my-secret Secret listed.
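The data field in my-secret.yaml is only Base64-encoded, so anyone who can read the manifest or the Secret object can reverse it. The shell script below is an added example, not part of the original lab: it decodes the value from a constructed copy of the manifest and encodes a new value without the stray newline that echo appends. The function names (secret_field, decode_field, encode_value, render_secret) are hypothetical, and awk and base64 are assumed to be installed.

```shell
#!/bin/sh
# Added example: values under data: are Base64-encoded, not encrypted.

# Constructed copy of my-secret.yaml from this step.
MANIFEST='apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: dXNlcm5hbWU6cGFzc3dvcmQ='

# Print the Base64 value stored under data.<key> of a manifest read from stdin.
secret_field() {
  awk -v key="$1" '
    /^data:/ { in_data = 1; next }
    /^[^ ]/  { in_data = 0 }
    in_data && $1 == (key ":") { print $2; exit }
  '
}

# Decode data.<key> back to plaintext; no key or passphrase is involved.
decode_field() {
  secret_field "$1" | base64 -d
}

# Encode a plaintext value for data:. printf avoids the trailing newline
# that echo appends, which would silently become part of the password.
encode_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Render a Secret manifest for <name> <key> <plaintext> (hypothetical helper).
render_secret() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$1" "$2" "$(encode_value "$3")"
}

printf 'decoded from manifest: %s\n' "$(printf '%s\n' "$MANIFEST" | decode_field password)"
printf 'encoded with printf  : %s\n' "$(encode_value 'username:password')"
printf 'encoded with echo    : %s\n' "$(echo 'username:password' | base64)"
```

Because the value decodes without any key, a manifest that contains data: values should be handled like the plaintext password itself, for example by keeping it out of version control.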
Use The Secret In Your Application
In this step, you will modify your application to use the my-secret Secret to retrieve the database password.
Create a file named my-app.yaml with the following contents:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: nginx:latest
          env:
            # Expose the "password" key of my-secret as an environment variable
            - name: DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: my-secret
                  key: password
In this file, we specify the name of the Deployment (my-app), the image to use (nginx:latest), and the environment variable to set (DATABASE_PASSWORD). We also use a secretKeyRef to retrieve the password key from the my-secret Secret.
Apply the Deployment to your cluster by running the following command:
kubectl apply -f my-app.yaml
Verify that the Deployment was created by running the following command:
kubectl get deployments
You should see the my-app Deployment listed.
Verify The Configuration
In this step, you will verify that your application is properly configured with the database password from the my-secret Secret.
Find the name of the pod running your application by running the following command:
kubectl get pods -l app=my-app
You should see a single pod running your application. Note the name of the pod.
Next, run the following command to open a shell session in the container running your application:
kubectl exec -it <pod-name> -- sh
Replace <pod-name> with the name of the pod that you noted earlier.
Once you are in the shell session, run the following command to print the value of the DATABASE_PASSWORD environment variable:
echo $DATABASE_PASSWORD
You should see the database password that was retrieved from the my-secret Secret.
Mount The Secret As A Volume In A Pod
Now that we have created the secret, we can mount it as a volume in a pod. We will create a simple pod that reads the secret value from the mounted volume and outputs it to the console.
Create a file named pod.yaml with the following contents:
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
    - name: secret-container
      image: nginx
      volumeMounts:
        # Each key of the Secret appears as a file under this path
        - name: secret-volume
          mountPath: /etc/secret-volume
  volumes:
    - name: secret-volume
      secret:
        secretName: my-secret
Apply the pod configuration:
kubectl apply -f pod.yaml
Verify The Secret As A Volume In A Pod
In this step, you will verify that your application is properly configured with the database password from the my-secret Secret.
First, run the following command to open a shell session in the container running your application:
kubectl exec -it secret-pod -- sh
Once you are in the shell session, run the following command to print the value:
cat /etc/secret-volume/password
The output should be the value of the secret.
Summary
In this lab, we learned how to use Kubernetes Secrets to store sensitive information and how to use them in a pod. Secrets provide a secure way to manage sensitive information and should be used whenever possible to avoid exposing secrets in plaintext.