{"id":216632,"date":"2021-04-01T16:00:36","date_gmt":"2021-04-01T13:00:36","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/managing-secrets-in-kubernetes-cloudsavvy-it\/"},"modified":"2021-04-01T16:00:36","modified_gmt":"2021-04-01T13:00:36","slug":"managing-secrets-in-kubernetes-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/managing-secrets-in-kubernetes-cloudsavvy-it\/","title":{"rendered":"#Managing Secrets in Kubernetes \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#Managing Secrets in Kubernetes \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<p><img class=\"aligncenter size-full wp-image-9632\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/02\/748108a6.jpg\" alt=\"Graphic showing the Kubernetes logo\" width=\"1602\" height=\"902\" \/><\/p>\n<p>Kubernetes Secrets let you store confidential information separately from the workloads that consume it. Using a Secret removes the need to bake sensitive data into manifest definitions or plain container images.<\/p>\n<p>Secrets are a first-class resource type which exist independently of any Pod. 
You provide Pods with references to your Secrets. The architecture lets you confine access to only those Pods that actually need the data.<\/p>\n<p>You generally use Secrets for any sensitive constants which your Pods may need. They\u2019re ideal for storing authentication keys, database credentials and API tokens.<\/p>\n<h2 id=\"creating-a-secret\"><span class=\"ez-toc-section\" id=\"Creating_a_Secret\"><\/span>Creating a Secret<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Secrets are created in the same way as any other Kubernetes API resource. You can use <code>kubectl create secret<\/code> commands or a YAML manifest which you then apply to your cluster with <code>kubectl apply -f<\/code>. We\u2019ll provide example YAML files in this tutorial.<\/p>\n<p>Here\u2019s how to define a user-created secret:<\/p>\n<pre>apiVersion: v1&#13;\nkind: Secret&#13;\ntype: Opaque&#13;\nmetadata:&#13;\n  name: demo-secret&#13;\ndata:&#13;\n  SECRET_USERNAME: dXNlcm5hbWU=&#13;\n  SECRET_PASSWORD: cGFzc3dvcmQ=<\/pre>\n<p>A Secret is a <code>kind: Secret<\/code> object whose <code>data<\/code> field is a flat map of keys to values. The example defines two separate data fields, <code>SECRET_USERNAME<\/code> and <code>SECRET_PASSWORD<\/code>. Values under <code>data<\/code> must be Base64-encoded \u2013 the values shown above encode <code>username<\/code> and <code>password<\/code>. Produce them with <code>printf '%s' username | base64<\/code> (or <code>echo -n<\/code>) rather than a bare <code>echo<\/code>: <code>echo<\/code> appends a newline, which is encoded along with the value (giving <code>dXNlcm5hbWUK<\/code> instead of <code>dXNlcm5hbWU=<\/code>) and then lands inside the decoded credential your application sends, a common cause of baffling authentication failures. Keep in mind that a manifest containing <code>data<\/code> is itself a plaintext credential file: never commit one to version control.<\/p>\n<p>If you\u2019re working with a Helm chart, you can keep the raw values in a <code>values.yaml<\/code> file and let the template encode them. 
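<\/p>
<p>To make the encoding rule concrete, here is an added shell example (not code from the original article) that builds the <code>demo-secret<\/code> manifest above from plain values, checks what each field decodes to, and shows the <code>echo<\/code> pitfall side by side. It assumes only POSIX sh plus the coreutils <code>base64<\/code> and <code>wc<\/code> utilities and no cluster; the secret name and the values <code>username<\/code> and <code>password<\/code> are the article\u2019s own, the extra password value and the function names are constructed for the example.<\/p>

```shell
#!/bin/sh
# Added example, not code from the original article: build the demo-secret
# manifest shown above from plain values, prove the round trip, and show the
# `echo` trailing-newline pitfall side by side. Needs only POSIX sh plus the
# coreutils base64 and wc utilities; no kubectl and no cluster.
set -eu

# Base64-encode one value with no trailing newline and no line wrapping.
# A bare `echo value | base64` encodes value plus "\n"; that newline survives
# the decode and ends up inside the credential the application presents.
b64_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Number of bytes a Base64 field decodes to; used below to expose the pitfall.
decoded_length() {
  printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Render an Opaque Secret manifest from KEY=VALUE arguments, encoding each value.
# Everything after the first '=' is the value, so values may contain '=' too.
render_secret() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\ndata:\n' "$name"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64_value "${kv#*=}")"
  done
}

# Decode one key from a rendered manifest: this is what a Pod actually sees
# once Kubernetes decodes the value into an environment variable or a file.
decoded_field() {
  m=$1
  k=$2
  printf '%s\n' "$m" | sed -n "s/^  $k: //p" | base64 -d
}

# Side by side: the correct encoding decodes to 8 bytes, the sloppy one to 9.
correct=$(b64_value username)     # dXNlcm5hbWU=
sloppy=$(echo username | base64)  # dXNlcm5hbWUK (the wrong way, on purpose)

manifest=$(render_secret demo-secret SECRET_USERNAME=username 'SECRET_PASSWORD=p@ss w0rd')
printf '%s\n' "$manifest"
printf 'correct: %s decodes to %s bytes\n' "$correct" "$(decoded_length "$correct")"
printf 'sloppy:  %s decodes to %s bytes\n' "$sloppy" "$(decoded_length "$sloppy")"
printf 'SECRET_PASSWORD as the Pod sees it: [%s]\n' "$(decoded_field "$manifest" SECRET_PASSWORD)"
```

<p>Pipe the rendered manifest into <code>kubectl apply -f -<\/code> to create the Secret, and keep that manifest (and the shell history that produced it) out of version control and logs.<\/p>
<p>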
Pipe the values through <code>b64enc<\/code> in your template to have Helm Base64-encode them at render time. Note that the rendered manifest (<code>helm template<\/code>, or <code>helm get manifest<\/code> on an installed release) still contains the encoded, trivially decodable value, so treat those outputs and your <code>values.yaml<\/code> as sensitive.<\/p>\n<pre>apiVersion: v1&#13;\nkind: Secret&#13;\ntype: Opaque&#13;\nmetadata:&#13;\n  name: demo-secret&#13;\ndata:&#13;\n  SECRET_PASSWORD: {{ .Values.SecretPassword | b64enc }}<\/pre>\n<p>If you\u2019d rather not Base64-encode your values, you can use the <code>stringData<\/code> field instead. Like <code>data<\/code>, <code>stringData<\/code> is a map of key-value pairs, but the values are given as plain strings. It is a write-only convenience: the API server encodes each value and stores it under <code>data<\/code>, so reading the Secret back (<code>kubectl get secret demo-secret -o yaml<\/code>) shows only the encoded <code>data<\/code> form, and if the same key appears in both fields the <code>stringData<\/code> value wins.<\/p>\n<h2 id=\"secret-types\"><span class=\"ez-toc-section\" id=\"Secret_Types\"><\/span>Secret Types<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The <code>Opaque<\/code> secret type should be used for arbitrary data that you define yourself. Kubernetes defines a few other built-in <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/kubernetes.io\/docs\/concepts\/configuration\/secret\/#secret-types\">secret types<\/a> intended for specific usage scenarios.<\/p>\n<p>Available types include <code>kubernetes.io\/service-account-token<\/code> (a ServiceAccount token), <code>kubernetes.io\/dockerconfigjson<\/code> (a serialised Docker <code>config.json<\/code> file, referenced from a Pod\u2019s <code>imagePullSecrets<\/code> to provide registry credentials) and <code>kubernetes.io\/ssh-auth<\/code> (SSH credentials). In addition to these, <code>kubernetes.io\/basic-auth<\/code> holds HTTP Basic Authentication credentials and <code>kubernetes.io\/tls<\/code> holds a TLS certificate and private key.<\/p>\n<p>Each built-in type imposes its own required keys and validation: a <code>kubernetes.io\/tls<\/code> Secret must carry <code>tls.crt<\/code> and <code>tls.key<\/code>, a <code>kubernetes.io\/dockerconfigjson<\/code> Secret must carry a <code>.dockerconfigjson<\/code> key, and a <code>kubernetes.io\/service-account-token<\/code> Secret must be annotated with <code>kubernetes.io\/service-account.name<\/code> so the controller knows which account to issue the token for. Check the linked documentation for the exact keys each type expects.<\/p>\n<p>You can define your own type identifier by supplying an arbitrary string in the <code>type<\/code> field; Kubernetes applies no validation to unknown types. 
The resulting secret is functionally equivalent to the <code>Opaque<\/code> type; a custom type is a label for your own tooling, not a security control.<\/p>\n<h2 id=\"providing-secrets-to-pods\"><span class=\"ez-toc-section\" id=\"Providing_Secrets_to_Pods\"><\/span>Providing Secrets to Pods<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Once you\u2019ve created a Secret, you need to make it available to your Pods. You can inject secret data as environment variables or as files in a mounted volume.<\/p>\n<p>Here\u2019s a Pod manifest that pulls a secret\u2019s data into environment variables:<\/p>\n<pre>apiVersion: v1&#13;\nkind: Pod&#13;\nmetadata:&#13;\n  name: pod-with-secret&#13;\nspec:&#13;\n  containers:&#13;\n    - name: demo-container&#13;\n      image: my-image:latest&#13;\n      envFrom:&#13;\n        - secretRef:&#13;\n            name: demo-secret<\/pre>\n<p>By using <code>envFrom<\/code>, all the key-value pairs defined in the secret\u2019s <code>data<\/code> are converted to container environment variables; keys that are not valid environment variable names are skipped. With the example secret from earlier, your container would have <code>SECRET_USERNAME<\/code> and <code>SECRET_PASSWORD<\/code> environment variables injected. Values are automatically Base64-decoded. To expose a single key, use <code>env[].valueFrom.secretKeyRef<\/code> instead. Be aware that environment variables are the leakier option: every process in the container inherits them, they are readable from <code>\/proc\/&lt;pid&gt;\/environ<\/code>, and they routinely end up in crash dumps and debug output. They are also fixed for the container\u2019s lifetime, so a rotated Secret only takes effect after the Pod is restarted.<\/p>\n<p>Sometimes you\u2019ll want to work with files instead of environment variables. Here\u2019s how to mount a secret into a Kubernetes volume.<\/p>\n<pre>apiVersion: v1&#13;\nkind: Pod&#13;\nmetadata:&#13;\n  name: pod-with-secret&#13;\nspec:&#13;\n  containers:&#13;\n    - name: demo-container&#13;\n      image: my-image:latest&#13;\n      volumeMounts:&#13;\n        - name: secret-volume&#13;\n          mountPath: \/secrets&#13;\n  volumes:&#13;\n    - name: secret-volume&#13;\n      secret:&#13;\n        secretName: demo-secret<\/pre>\n<p>Access the <code>\/secrets<\/code> directory within the container to view the secret data. Each data key will have its own file. The contents of the file will be the Base64-decoded value of that key. 
Our example secret would write <code>\/secrets\/SECRET_USERNAME<\/code> and <code>\/secrets\/SECRET_PASSWORD<\/code> files.<\/p>\n<p>The approach works by creating a Kubernetes volume using the <code>secret<\/code> source. This source populates the volume with the data from a named secret. The volume then gets mounted into the container at the path defined under <code>volumeMounts<\/code>. The kubelet backs the volume with an in-memory filesystem (tmpfs), so the values are never written to the node\u2019s disk, and it refreshes the files when the Secret changes (after its sync interval), except for keys mounted individually with <code>subPath<\/code>, which receive no updates. Files are created with mode <code>0644<\/code> by default and are therefore readable by every user inside the container; set <code>defaultMode: 0400<\/code> on the volume and run the container as the user that needs the files.<\/p>\n<h2 id=\"security-considerations\"><span class=\"ez-toc-section\" id=\"Security_Considerations\"><\/span>Security Considerations<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Putting data into a secret does not automatically make it secure. The Base64 encoding provides superficial obscurity but make no mistake: this is <em>encoding<\/em> and not <em>encryption<\/em>. Any principal with RBAC permission to <code>get<\/code>, <code>list<\/code> or <code>watch<\/code> Secrets in a namespace, whether a human user or a suitably permissioned ServiceAccount, can retrieve plaintext values with a single <code>kubectl get secret demo-secret -o yaml<\/code>. Note that <code>list<\/code> and <code>watch<\/code> return full objects, so they are as sensitive as <code>get<\/code>; audit who holds them with <code>kubectl auth can-i list secrets -n &lt;namespace&gt; --as=system:serviceaccount:&lt;namespace&gt;:&lt;account&gt;<\/code>.<\/p>\n<p>The point of secrets is to reduce the risk of accidental data exposure when creating and viewing Pods. Secrets are only distributed to the Pods \u2013 and therefore to the Nodes \u2013 which actually require them: the kubelet fetches a Secret only when a Pod that references it is scheduled onto its node, and the Node authorizer refuses to let a kubelet read Secrets that belong to Pods it doesn\u2019t run. Nodes discard their local copies when the Pod that used them terminates.<\/p>\n<p>The Kubernetes control plane stores secret values within its etcd instance. This is a key-value store which backs the Kubernetes cluster data, and by default it holds Secret objects in plaintext, so anyone with access to etcd, its disks or its backups holds every secret in the cluster. If you want to maximise security, you should <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/encrypt-data\">configure encryption at rest<\/a> for your etcd store. This is done with an <code>EncryptionConfiguration<\/code> file passed to the API server that selects a provider such as <code>aescbc<\/code>, <code>aesgcm<\/code> or <code>secretbox<\/code> (key stored on the control-plane node, next to the data it protects) or <code>kms<\/code> (key held by an external key management service). Two caveats: only objects written after the change are encrypted, so rewrite the existing ones with <code>kubectl get secrets --all-namespaces -o json | kubectl replace -f -<\/code>; and encryption at rest protects etcd and its backups only, the API server still serves plaintext to any authorised reader, so RBAC remains the primary control.<\/p>\n<p>You should also assess how your application layer handles secrets. Even with encryption at rest enabled, your containers could inadvertently leak secrets by emitting them to job logs or sending them to external services. 
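<\/p>
<p>The two checks implied by this section, as an added shell example that is not code from the original article: decoding a Secret exactly as any reader with RBAC <code>get<\/code> would, and inspecting a raw etcd record for the <code>k8s:enc:<\/code> prefix that marks encryption at rest. The JSON and etcd records are constructed stand-ins for <code>kubectl get secret -o json<\/code> and <code>etcdctl get<\/code> output; the secret name and values are the article\u2019s own, while the key name <code>key1<\/code>, the KMS provider name <code>my-kms-provider<\/code> and the function names are assumptions made for the example.<\/p>

```shell
#!/bin/sh
# Added example, not code from the original article: two checks for the points
# made in this section. (1) Base64 in a Secret is no protection: anyone allowed
# to read the object decodes it with a one-liner. (2) Reading a raw etcd record
# tells you whether encryption at rest is really in effect. All inputs below are
# constructed stand-ins for kubectl/etcdctl output; needs only POSIX sh and
# coreutils base64, no cluster.
set -eu

# Constructed stand-in for `kubectl get secret demo-secret -o json`, trimmed to
# the fields that matter. Any principal with RBAC `get` on secrets receives this.
SECRET_JSON='{"apiVersion":"v1","kind":"Secret","metadata":{"name":"demo-secret","namespace":"default"},"type":"Opaque","data":{"SECRET_PASSWORD":"cGFzc3dvcmQ=","SECRET_USERNAME":"dXNlcm5hbWU="}}'

# Pull one data key out of the JSON and decode it. Against a live cluster:
#   kubectl get secret demo-secret -o jsonpath='{.data.SECRET_PASSWORD}' | base64 -d
secret_field() {
  json=$1
  key=$2
  printf '%s' "$json" | sed -n "s/.*\"$key\":\"\([^\"]*\)\".*/\1/p" | base64 -d
}

# Classify a raw etcd value for a Secret, as returned by
#   ETCDCTL_API=3 etcdctl get /registry/secrets/default/demo-secret
# The API server prefixes encrypted records with k8s:enc:PROVIDER:vN:KEYNAME:
# (PROVIDER is aescbc, aesgcm, secretbox or kms). A record without that prefix
# is stored in the clear, whatever the EncryptionConfiguration was meant to do.
# Prints PROVIDER/KEYNAME for an encrypted record and "plaintext" otherwise.
etcd_encryption_provider() {
  value=$1
  case "$value" in
    k8s:enc:*)
      rest=${value#k8s:enc:}   # aescbc:v1:key1:CIPHERTEXT
      provider=${rest%%:*}
      rest=${rest#*:}          # v1:key1:CIPHERTEXT
      rest=${rest#*:}          # key1:CIPHERTEXT
      printf '%s/%s\n' "$provider" "${rest%%:*}"
      ;;
    *)
      printf 'plaintext\n'
      ;;
  esac
}

# Constructed etcd records. A real unencrypted record starts with "k8s" followed
# by a NUL byte and protobuf; the NUL is omitted here because shell variables
# cannot hold one, which does not change the prefix check.
PLAIN_RECORD='k8s v1 Secret demo-secret default cGFzc3dvcmQ='
AESCBC_RECORD='k8s:enc:aescbc:v1:key1:CIPHERTEXT'
KMS_RECORD='k8s:enc:kms:v2:my-kms-provider:CIPHERTEXT'

printf 'SECRET_PASSWORD, decoded by any authorised reader: %s\n' "$(secret_field "$SECRET_JSON" SECRET_PASSWORD)"
printf 'plain record : %s\n' "$(etcd_encryption_provider "$PLAIN_RECORD")"
printf 'aescbc record: %s\n' "$(etcd_encryption_provider "$AESCBC_RECORD")"
printf 'kms record   : %s\n' "$(etcd_encryption_provider "$KMS_RECORD")"
```

<p>After enabling encryption at rest and rewriting the existing Secrets, run the <code>etcdctl<\/code> check against one of them: if the record still reads as plain protobuf instead of starting with <code>k8s:enc:<\/code>, the API server is not using your <code>EncryptionConfiguration<\/code> and the rewrite has changed nothing.<\/p>
<p>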
Using Kubernetes secrets doesn\u2019t obviate the need to carefully handle sensitive data within your container.<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kubernetes secrets let you store and access confidential data within your Kubernetes cluster. Using secrets gives you more control over information exposure. It also makes it explicit that you\u2019re handling potentially sensitive values, which acts as a warning to cluster users and administrators.<\/p>\n<p>Pods consume secrets as either environment variables or volume-mounted files. Kubernetes handles the injection of secrets into containers, so your workloads can access the data using their existing configuration mechanisms. Secrets aren\u2019t fully secure by default: Base64 is not encryption, so restrict who can read them with RBAC, enable encryption at rest for etcd, prefer file mounts over environment variables, and keep the values out of logs.<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/10381\/managing-secrets-in-kubernetes\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Managing Secrets in Kubernetes \u2013 CloudSavvy IT&#8221; Kubernetes Secrets let you store confidential information safely. Using a Secret removes the need to bake sensitive data into manifest definitions or plain container images. Secrets are a first-class resource type which exist independently of any Pod. You provide Pods with references to your Secrets. 
The architecture lets&#8230;<\/p>\n","protected":false},"author":1,"featured_media":216633,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/02\/748108a6.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-216632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/216632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=216632"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/216632\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/216633"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=216632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=216632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=216632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}