In this post, I continue my notes on preparing for the CKS (Certified Kubernetes Security Specialist) exam. These are my own study notes; you can use them as a reference for your own preparation.
List of the series of posts:
- Ubuntu System
3. Secret in Kubernetes
3.1 What is a secret?
Kubernetes Secrets are a way to store and distribute sensitive information, such as passwords or an SSL certificate, that is used by applications in your Kubernetes cluster. Importantly, the declarative nature of Kubernetes definitions allows third-party solutions to be integrated with Secret management.
3.2 How to create a secret
We can create a secret in two ways: imperatively, with kubectl commands, or declaratively, by writing a YAML manifest.
3.2.1 Imperative commands to create a secret in Kubernetes
Create secret from key-value pairs:
$ kubectl create secret generic <secret-name> --from-literal=<key>=<value> --from-literal=<key>=<value> --from-literal=<key>=<value>
$ kubectl create secret generic db-secret --from-literal=DB_Host=localhost --from-literal=DB_Username=root --from-literal=DB_Password=123qwe
The username and password are automatically base64-encoded when the secret is created.
In addition to literals, we can also create a secret from files:
$ kubectl create secret generic <secret-name> --from-file=<pathToFile>
Suppose we have a file named DB_Password that contains the password. Then we can create the secret as:
$ kubectl create secret generic my-secret --from-file=DB_Password
We can inspect the secret:
$ kubectl get secret my-secret -o yaml
apiVersion: v1
data:
  DB_Password: MTIzcXdlCg==
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque
The content of the file appears, base64-encoded, under data in the secret; the key name is taken from the file name.
3.2.2 Declarative way to create a secret in Kubernetes
To create a secret declaratively, write a YAML file such as:
apiVersion: v1
kind: Secret
metadata:
  name: secret-sample
data:
  userName: admin
  password: 123qwe
The values of userName and password must be base64-encoded by hand before they go into the file:
$ echo "admin" | base64
YWRtaW4K
$ echo "123qwe" | base64
MTIzcXdlCg==
Then update the YAML:
apiVersion: v1
kind: Secret
metadata:
  name: secret-sample
data:
  userName: YWRtaW4K
  password: MTIzcXdlCg==
3.3 How to inspect the secret
We can inspect the secret as follows:
$ kubectl get secret secret-example -o yaml
The values are only encoded, not encrypted, so anyone who can read the secret can decode them:
$ echo YWRtaW4K | base64 --decode
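The two things a practitioner trips over at this point are that `echo value | base64` quietly appends a newline to the stored value (YWRtaW4K above decodes to "admin" plus a line feed), and that base64 is reversible by anyone with `get` on the secret. The script below is an added example, not code from the original post: it encodes values without the stray newline, builds a Secret manifest from key=value pairs, and decodes every entry of a `kubectl get secret -o yaml` listing. The listing it parses is constructed inline in the shape of the output shown in 3.2.1, so nothing here needs a cluster.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the base64 handling
# around Kubernetes Secrets; runs offline with only coreutils and awk.

# Encode one value for the "data:" field. printf '%s' avoids the trailing
# newline that `echo value | base64` silently adds to the stored secret.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode one base64 string back to its plain text (same as `base64 --decode`).
decode_secret_value() {
    printf '%s' "$1" | base64 --decode
}

# Emit a Secret manifest: secret_manifest NAME KEY=VALUE [KEY=VALUE ...]
secret_manifest() {
    name="$1"; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for pair in "$@"; do
        key="${pair%%=*}"
        value="${pair#*=}"
        printf '  %s: %s\n' "$key" "$(encode_secret_value "$value")"
    done
}

# Decode all entries under "data:" of a `kubectl get secret -o yaml` listing
# read from stdin, printing one "key=plaintext" line per entry.
decode_secret_yaml() {
    awk '
        /^data:/         { in_data = 1; next }
        /^[^ ]/          { in_data = 0 }
        in_data && NF == 2 { print $1 " " $2 }
    ' | while read -r key encoded; do
        printf '%s=%s\n' "${key%:}" "$(decode_secret_value "$encoded")"
    done
}

# Constructed sample listing, shaped like the kubectl output in the post
# (values encoded without a trailing newline).
SAMPLE_SECRET_YAML='apiVersion: v1
data:
  DB_Password: MTIzcXdl
  DB_Username: cm9vdA==
kind: Secret
metadata:
  name: db-secret
  namespace: default
type: Opaque'

# Usage:
#   secret_manifest db-secret DB_Username=root DB_Password=123qwe
#   printf '%s\n' "$SAMPLE_SECRET_YAML" | decode_secret_yaml
```

Compare `encode_secret_value admin` (YWRtaW4=) with the post's `echo "admin" | base64` (YWRtaW4K): the extra character is the newline, and an application that reads the secret as a password will send that newline along with it. The decoding helper is the same operation any user with RBAC read access on secrets can perform, which is why access to `get`/`list` on secrets, not base64, is the control that matters.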
3.4 How to use the secret in pods?
We can expose the secret to a pod as environment variables:
apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
spec:
  containers:
  - name: test-container
    image: k8s.gcr.io/busybox
    command: [ "/bin/sh", "-c", "env" ]
    envFrom:
    - secretRef:
        name: mysecret
  restartPolicy: Never
In the above YAML, we create a pod that uses the secret mysecret as environment variables; envFrom turns every key of the secret into one variable.
We can also mount the secret as files in the pod:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
In the above YAML, we create a pod that mounts the secret mysecret at /etc/foo, where each key of the secret appears as a file.
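Both manifests above hand the container the whole secret: envFrom copies every key into the environment (where `env`, crash dumps and child processes can see it), and the volume mounts every key with the default 0644 file mode. The script below is an added example, not code from the original post: it emits a variant of the post's pod that pulls only the one key it needs (one variable via secretKeyRef and one file via a read-only volume with a restrictive mode), plus a small awk heuristic that flags the two looser patterns. The names secret-test-pod, mysecret and DB_Password follow the post; the mount path /etc/creds and the file name db_password are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). A pod manifest that exposes a
# single secret key, and a heuristic check for over-broad secret exposure in
# pod manifests. Runs offline; no cluster required.

# Variant of the post's pod that selects one key instead of the whole secret.
# Mount path and file name are assumptions, not taken from the post.
hardened_pod_manifest() {
cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
spec:
  containers:
  - name: test-container
    image: k8s.gcr.io/busybox
    command: [ "/bin/sh", "-c", "sleep 3600" ]
    env:
    - name: DB_PASSWORD          # one variable from one key, not the whole secret
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: DB_Password
    volumeMounts:
    - name: creds
      mountPath: /etc/creds
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: mysecret
      defaultMode: 0440          # owner/group read only instead of the 0644 default
      items:                     # mount only this key, as /etc/creds/db_password
      - key: DB_Password
        path: db_password
  restartPolicy: Never
EOF
}

# Heuristic check over a pod manifest on stdin. Prints one WARN line per
# finding and returns 1 if anything was flagged, 0 otherwise.
check_secret_usage() {
    awk '
        /envFrom:/ { in_envfrom = 1 }
        in_envfrom && /secretRef:/ {
            print "WARN: envFrom/secretRef puts every key of the secret into the environment"
            warnings++; in_envfrom = 0
        }
        /^ *secret:$/ { in_secret_vol = 1 }
        in_secret_vol && /defaultMode:/ { has_mode = 1 }
        END {
            if (in_secret_vol && !has_mode) {
                print "WARN: secret volume without defaultMode (files are created 0644)"
                warnings++
            }
            exit (warnings > 0 ? 1 : 0)
        }
    '
}

# Constructed input in the shape of the post's envFrom pod.
ENVFROM_POD='apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
spec:
  containers:
  - name: test-container
    image: k8s.gcr.io/busybox
    envFrom:
    - secretRef:
        name: mysecret'

# Usage:
#   hardened_pod_manifest | check_secret_usage && echo "no findings"
#   printf '%s\n' "$ENVFROM_POD" | check_secret_usage
```

The check is deliberately simple pattern matching, not a YAML parser, so treat it as a quick review aid rather than an admission control. Two points on the hardened manifest: `items` limits the mount to the listed keys, and because the files are owned by root, a container that runs as a non-root user also needs `securityContext.fsGroup` set for the group-readable 0440 file to be readable.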
In this post, I wrote some examples about secrets in Kubernetes.