Kubernetes - Secret

A Kubernetes Secret object lets you store and manage sensitive information such as passwords, OAuth tokens and SSH keys. It is better to store this kind of data in a Kubernetes Secret than in a container image.

NOTE: Creating a Secret and using it is very similar to working with a ConfigMap.

Create Secret from Literal

Command to create the secret dev-db-secret with the keys username and password:

kubectl create secret generic dev-db-secret --from-literal=username='admin' --from-literal=password='password'

Use the kubectl get secrets command to list secrets. The DATA column shows the number of entries in the secret.

$ kubectl get secrets
NAME TYPE DATA AGE
db-user-pass Opaque 2 43s

Use the kubectl describe secret command to get more details on the secret. The secret values themselves are not printed to the screen, only their sizes.

$ kubectl describe secret/dev-db-secret
Name: dev-db-secret
Namespace: default
Labels: <none>
Annotations: <none>

Type: Opaque

Data
====
username: 5 bytes
password: 8 bytes

Create Secret from File

First create the files holding the username ‘admin’ and the password ‘password’ for database access. The -n flag keeps echo from appending a newline to the value:

$ echo -n 'admin' > ./username.txt
$ echo -n 'password' > ./password.txt

Use the kubectl create secret command with --from-file to create the secret; each file name becomes a key:

kubectl create secret generic dev-db-secret --from-file=./username.txt --from-file=./password.txt

Create Secret using YAML File

You can create the secret from a YAML file using the kubectl apply -f ./secret.yaml command. Values under data must be base64 encoded.

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: dev-db-secret
type: Opaque
data:
  username: YWRtaW4=
  password: cGFzc3dvcmQ=

Getting the Content of a Secret

To retrieve the stored values, print the secret as YAML:

$ kubectl get secret dev-db-secret -o yaml
apiVersion: v1
data:
  password: cGFzc3dvcmQ=
  username: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2019-10-06T18:30:03Z"
  name: dev-db-secret
  namespace: default
  resourceVersion: "28952"
  selfLink: /api/v1/namespaces/default/secrets/dev-db-secret
  uid: afad2f47-d1d7-4477-976b-f3f05454c701
type: Opaque

To decode the data, use the base64 --decode command. Note that base64 is an encoding, not encryption: anyone who can read the Secret object can recover the values this way, so read access to Secrets should be restricted with RBAC.

$ echo 'YWRtaW4=' | base64 --decode
admin

$ echo 'cGFzc3dvcmQ=' | base64 --decode
password
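As an added example (not part of the original post), this POSIX shell script produces the secret.yaml from the "Create Secret using YAML File" section from literal values, performing the same base64 step kubectl create secret does, and then recovers the values the way the decode commands above do by hand. The helper names are my own and it assumes a coreutils or BusyBox base64 in PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the secret.yaml shown above
# from literal values and reads the values back, making the base64 step explicit.
# Assumes a coreutils or BusyBox 'base64' in PATH; helper names are my own.

# Encode one value the way 'echo -n' does: no trailing newline. Piping
# 'echo admin' instead would yield YWRtaW4K, i.e. "admin\n", and the newline
# would become part of the stored value.
b64_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode one base64 field back to plaintext (the manual
# 'echo ... | base64 --decode' step from the post).
b64_decode() {
    printf '%s' "$1" | base64 --decode
}

# Print an Opaque Secret manifest named $1 from key=value pairs in $2..$n,
# equivalent to: kubectl create secret generic $1 --from-literal=key=value ...
secret_manifest() {
    name=$1
    shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for pair in "$@"; do
        key=${pair%%=*}
        value=${pair#*=}          # keeps any '=' inside the value itself
        printf '  %s: %s\n' "$key" "$(b64_value "$value")"
    done
}

# Read a manifest (as produced above, or the 'kubectl get secret -o yaml'
# output, which uses the same two-space indentation) on stdin and decode
# the value stored under key $1.
secret_get() {
    b64_decode "$(sed -n "s/^  $1: //p" | head -n 1)"
}

# Demo: reproduce dev-db-secret and recover both fields from the manifest.
manifest=$(secret_manifest dev-db-secret username=admin password=password)
printf '%s\n' "$manifest"
printf 'username=%s\n' "$(printf '%s\n' "$manifest" | secret_get username)"
printf 'password=%s\n' "$(printf '%s\n' "$manifest" | secret_get password)"
```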

Using Secret as Environment Variable

busybox-secret.yml: the secret keys are injected into the container as environment variables

apiVersion: v1
kind: Pod
metadata:
  name: busybox
  labels:
    name: busybox
spec:
  restartPolicy: OnFailure
  containers:
  - name: busybox
    image: busybox
    command: [ "/bin/sh", "-c", "env" ]
    env:
    - name: DBUSERNAME
      valueFrom:
        secretKeyRef:
          name: dev-db-secret
          key: username
    - name: DBPASSWORD
      valueFrom:
        secretKeyRef:
          name: dev-db-secret
          key: password

Use the kubectl logs busybox command to check the pod’s logs. Output:

DBUSERNAME=admin
DBPASSWORD=password
...

Add Secret data to a Volume

busybox-secret.yaml: the secret is added to a volume with the keys exposed at paths db/dbusername and db/dbpassword. The volume is mounted at /etc/secret.

apiVersion: v1
kind: Pod
metadata:
  name: secret-volume-test
spec:
  containers:
  - name: test-container
    image: k8s.gcr.io/busybox
    command: [ "/bin/sh", "-c", "cat /etc/secret/db/dbusername;" ]
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/secret
  volumes:
  - name: secret-volume
    secret:
      secretName: dev-db-secret
      items:
      - key: username
        path: db/dbusername
      - key: password
        path: db/dbpassword
  restartPolicy: Never

Use kubectl logs secret-volume-test to get the container output. The output is:

admin
