How To Manage Secrets in Kubernetes - Best Practices?
In this post, we will explore how to manage Secrets in Kubernetes and look at some best practices. Secrets are Kubernetes objects for storing small amounts of sensitive data, such as passwords, API tokens, OAuth tokens, TLS keys and SSH keys, within a cluster. That data can be consumed by Pods (as environment variables or as files in a mounted volume) or read through the Kubernetes API. Keep in mind that a Secret's contents are only base64-encoded, not encrypted: anyone who can read the Secret object through the API, and anyone with access to etcd unless encryption at rest is configured, can recover the plaintext, so restrict access to Secrets with RBAC.
Secrets let you keep sensitive information out of your application code and container images, and reduce the risk of exposing it while creating, viewing and editing Pods. Secrets are similar to ConfigMaps, but they are specifically designed to hold confidential data, so Kubernetes and the applications running in your cluster can take additional precautions with them; for example, the kubelet backs Secret volumes with tmpfs so the data is not written to the node's non-volatile storage.
Pre-requisite:
- Make sure you have a Kubernetes cluster and that the kubectl command-line tool is configured to communicate with it.
- It is recommended to have a cluster with at least two nodes that are not acting as control plane hosts.
- If you do not have a cluster, you can create one using minikube or you can use a Kubernetes playground like Killercoda or Play with Kubernetes.
You can manage Secrets in Kubernetes different ways. Let's explore each of them one by one.
1. Using kubectl :
Create a secret :
To create a new Secret in the cluster, specify the type of Secret (e.g. generic for an Opaque Secret, or tls) and the data to be included. The data can come from one or more files or from key-value literals.
- Create a Secret from a file. The file name becomes the key and the file contents become the value (use --from-file=key=path to choose a different key name).
kubectl create secret generic your-secret --from-file=path/to/file
kubectl create secret generic your-secret \
--from-file=path/to/file/username.txt \
--from-file=path/to/file/password.txt
# Create an opaque secret with a key-value pair
kubectl create secret generic your-secret --from-literal=key=value
# Create a TLS secret from a certificate and private key file
kubectl create secret tls my-tls-secret --cert=cert.pem --key=key.pem
List All Secrets :
- List all Secrets in the current namespace (add -n <namespace>, or -A for every namespace), or append a name to show one specific Secret
kubectl get secrets
Get Detailed Info of Secret:
- Display detailed information about a specific Secret: its type, the keys it holds with the size of each value, and its metadata. describe deliberately does not print the values, so it is safe to use in shared sessions and logs.
kubectl describe secret your-secret
Show Contents of Secret:
- Show the contents of a Secret.
The values are printed base64-encoded, exactly as they are stored in the object. This is an encoding, not encryption: anyone permitted to get the Secret can decode them.
kubectl get secret your-secret -o jsonpath='{.data}'
Modify the Secret :
- Update an existing Secret in the cluster: add or change its data keys, or update its metadata. Values must be entered base64-encoded in the editor. A Secret created with immutable: true cannot be edited; delete and recreate it instead.
kubectl edit secrets <secret-name>
This will open the default text editor and allow you to update the Secret values. For example, you might update the Secret as follows:
apiVersion: v1
data:
  username: YWRtaW4=
  password: UyFCKmQkekRzYj0=
kind: Secret
metadata:
  creationTimestamp: "2022-01-01T00:00:00Z"
  name: my-secret
  namespace: default
  resourceVersion: "12345"
  selfLink: /api/v1/namespaces/default/secrets/my-secret
  uid: abcdef01-2345-6789-abcd-ef0123456789
type: Opaque
Delete the Secret :
Use the command below to delete a Secret from the cluster, giving its name. Use the --all flag to delete every Secret in the namespace; be careful, because Pods that reference a deleted Secret will fail to start on their next restart.
kubectl delete secret your-secret
kubectl delete secret --all
2. Using Kustomize :
The kubectl command-line tool supports the Kustomize object management tool for managing Secrets and ConfigMaps. Instead of hand-writing the Secret manifest, you declare a secretGenerator in a kustomization.yaml (or kustomization.yml) file; the generator builds the Secret object from literal values, from files, or from an .env-style file, and kubectl apply -k renders and applies it together with the other resources in the kustomization. As with the other methods, you need a cluster and a kubectl configured to communicate with it.
Create kustomization.yaml or kustomization.yml file :
- Create the kustomization.yaml or kustomization.yml file.
kustomization.yaml with username & password hard-coded in it (note that the plaintext values then live in version control alongside the kustomization):
secretGenerator:
  - name: your-secret
    literals:
      - username=admin
      - password=aweqqfq12
kustomization.yaml with username & password read from external files (the file name becomes the key):
secretGenerator:
  - name: your-secret
    files:
      - username.txt
      - password.txt
kustomization.yaml with username & password read from a .env.secret file containing KEY=VALUE lines:
secretGenerator:
  - name: your-secret
    envs:
      - .env.secret
Create the Secret :
- Create the Secret with the kustomization file
kubectl apply -k <kustomization_file_path>
- Check if the Secret was created from above step by listing all the secrets
kubectl get secrets
Modify the Secret :
To modify the Secret, edit the kustomization.yaml or kustomization.yml file (or the files it references) and apply the changes again. By default Kustomize appends a suffix derived from a hash of the Secret's contents to its name, so every change to the data produces a new Secret object and Kustomize rewrites the references in the Pods managed by the same kustomization, which triggers a rollout. If the Secret is referenced from elsewhere, update those references by hand, or set disableNameSuffixHash: true under generatorOptions to keep a stable name.
kubectl apply -k <kustomization_file_path>
3. Using the Config File :
- To create a Secret object using a config file, define the Secret in a manifest file in JSON or YAML format, then create it with the kubectl apply command.
- The Secret resource has two maps for its payload: data and stringData.
- The data field holds arbitrary bytes, each value base64-encoded. This is an encoding, not encryption; a manifest committed to version control exposes the values to anyone who can read the repository.
- The stringData field is provided for convenience and accepts the same values as plain strings; the API server base64-encodes them into data on write, and if a key appears in both maps the stringData value wins.
- The keys of data and stringData must consist of alphanumeric characters, -, _ or . only.
Create Manifest File :
- Convert the username & password to base64. Use echo -n (or printf '%s') so that the trailing newline is not encoded into the value:
echo -n '<username>' | base64
echo -n '<password>' | base64
- Create the Secret manifest file in YAML format, e.g. sample_manifest.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: <base64_output>
  password: <base64_output>
Create The Secret :
kubectl apply -f <path_to_sample_manifest.yaml>
- Check if the Secret was created from above step by listing all the secrets
kubectl get secrets
Modify the Secret :
- Convert the new or updated username & password to base64, again with echo -n.
echo -n '<username>' | base64
echo -n '<password>' | base64
- Update the values in sample_manifest.yaml accordingly.
- Apply the updated manifest file. Pods that consume the Secret through environment variables only see the new values after they are restarted; mounted Secret volumes (except subPath mounts) are refreshed by the kubelet after a short delay.
kubectl apply -f <path_to_sample_manifest.yaml>
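To make the base64 handling in the "Show Contents of Secret" step and in the manual manifest steps above less error-prone, here is a small shell script added as an example (it is not part of the original post and not part of kubectl). It generates an Opaque Secret manifest from plaintext key=value pairs, rejecting keys the API server would refuse, and decodes the data lines that kubectl get secret -o yaml prints. It needs no cluster: it assumes only a POSIX sh and a coreutils or busybox base64 that accepts -d, and the names and values it uses are constructed samples.

```sh
#!/bin/sh
# Added example (not from the original post): round-trip the base64 encoding
# Kubernetes uses for the .data map of a Secret, without needing a cluster.
# Assumes a POSIX sh and a coreutils/busybox `base64` that accepts -d.
# Secret names, usernames and passwords below are constructed sample values.

# Return 0 if KEY is a legal Secret data key: alphanumerics, '-', '_' or '.'.
valid_secret_key() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Encode VALUE byte-for-byte. printf '%s' (like `echo -n`) avoids encoding a
# trailing newline, and tr joins the 76-column lines GNU base64 emits.
b64_encode() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode one value copied out of a Secret's .data map.
b64_decode() {
    printf '%s' "$1" | base64 -d
}

# Usage: secret_manifest NAME NAMESPACE key=value [key=value ...]
# Prints an Opaque Secret manifest equivalent to the hand-written
# sample_manifest.yaml, refusing keys Kubernetes would reject.
secret_manifest() {
    name=$1
    ns=$2
    shift 2
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
    for pair in "$@"; do
        key=${pair%%=*}      # text before the first '='
        value=${pair#*=}     # everything after it, so values may contain '='
        if ! valid_secret_key "$key"; then
            printf 'invalid Secret key: %s\n' "$key" >&2
            return 1
        fi
        printf '  %s: %s\n' "$key" "$(b64_encode "$value")"
    done
}

# Read "key: base64" lines on stdin (the lines under data: in
# `kubectl get secret NAME -o yaml`) and print key=plaintext, one per line.
decode_secret_data() {
    while IFS=' ' read -r key value; do
        [ -n "$key" ] || continue
        printf '%s=%s\n' "${key%:}" "$(b64_decode "$value")"
    done
}

# Stand-alone demonstration with constructed values.
secret_manifest my-secret default username=admin 'password=S!B*d$zDsb='
printf '  username: YWRtaW4=\n  password: UyFCKmQkekRzYj0=\n' | decode_secret_data
```

Against a real cluster you would feed decode_secret_data with the data block of kubectl get secret your-secret -o yaml; the manifest printed by secret_manifest can be piped straight into kubectl apply -f -, which keeps the plaintext out of any file on disk.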
That's it. Hope this helps.