
Kubernetes Secret

A Kubernetes Secret is an object used to store and manage sensitive information, such as passwords, API keys, and tokens.^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md] Unlike a ConfigMap, which stores non-sensitive configuration data in plaintext, a Secret provides a mechanism to handle sensitive data within a Kubernetes cluster^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md]. Kubernetes itself uses this mechanism to manage Access Tokens and restrict API access permissions^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].

Types of Secrets

Kubernetes supports several types of Secrets to handle different use cases^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md]:

  • Service Account: Automatically created and mounted into Pods so they can access the Kubernetes API. Inside the container these can be found under the /run/secrets/kubernetes.io/serviceaccount directory^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].
  • Opaque: The default type used for storing arbitrary user data, such as passwords or keys, encoded in base64^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].
  • docker-registry: Used to store credentials for accessing private container registries, effectively storing docker login details so the cluster can automatically authenticate^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].

Usage Patterns

Applications can consume Secrets through several methods^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md]:

  1. Environment Variables: Injecting Secret data as environment variables into a Pod container.
  2. Volume Mounts: Mounting the Secret as a file at a specific path within the container's filesystem. When mounted, Kubernetes automatically decodes the data and presents it as files^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].
  3. Image Pull Secret: Associating a docker-registry Secret with a Pod to allow Kubernetes to pull images from a private registry^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].

Creation and Encoding

Secret data must be encoded in base64 before it is stored in a YAML manifest^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md]. For example, a username my-account is encoded as bXktYWNjb3VudA==^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].

A Secret can be created using a manifest file or directly via kubectl^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md]:

  • Manifest: Define kind: Secret with data fields containing the base64-encoded values^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].
  • kubectl: Use the create secret generic command with literals or files (e.g., kubectl create secret generic test-secret --from-literal='username=my-account')^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].

When a Secret is mounted as a volume, Kubernetes decodes the base64 data back to its original plaintext value inside the container^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].

Security Considerations

While Secrets are designed to protect sensitive data, the native Kubernetes implementation has specific limitations and security implications^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].

Base64 Encoding is not Encryption

Secret values are stored base64-encoded, which is obfuscation rather than encryption: any user with permission to read the Secret can decode the values back to plaintext^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md]. Consequently, native Secrets alone may be insufficient for large enterprises or high-security environments unless additional controls are in place^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].
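As an added example (not code from the cited README), the POSIX shell helpers below build an Opaque Secret manifest from plaintext key=value pairs, the same shape that the Creation and Encoding section's kubectl create secret generic command produces, and then reverse the encoding to show why the base64 in the data field is obfuscation rather than encryption. The function names secret_manifest and secret_decode are my own.

```shell
#!/bin/sh
# Build a Secret manifest from plaintext key=value arguments, base64-encoding
# each value the way the `data` field requires (hypothetical helper).
secret_manifest() {
  name="$1"; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key="${kv%%=*}"      # text before the first '='
    value="${kv#*=}"     # everything after it (may itself contain '=')
    # Strip line wrapping so one value never spans two manifest lines.
    encoded=$(printf '%s' "$value" | base64 | tr -d '\n')
    printf '  %s: %s\n' "$key" "$encoded"
  done
}

# Recover one plaintext value from a manifest. This is all that anyone with
# permission to read the Secret object needs to do: there is no key, so the
# encoding offers no confidentiality on its own.
secret_decode() {
  manifest="$1"; key="$2"
  printf '%s\n' "$manifest" \
    | awk -v k="$key:" '/^data:/ {d=1; next} d && $1 == k {print $2}' \
    | base64 -d
}

# Constructed sample: the username from the page plus an invented password.
manifest=$(secret_manifest test-secret 'username=my-account' 'password=s3cr3t!')
printf '%s\n' "$manifest"
printf 'decoded username: %s\n' "$(secret_decode "$manifest" username)"
```

Comparing the output with `kubectl create secret generic test-secret --from-literal='username=my-account' --dry-run=client -o yaml` shows the same encoded username; the etcd encryption and RBAC measures listed below are what add confidentiality on top of this encoding.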

Best Practices and Hardening

To mitigate the risks associated with plaintext storage in etcd, several measures are recommended^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md]:

  • etcd Encryption: Encrypting data at rest in etcd.
  • RBAC: Implementing strict Role-Based Access Control to limit who can read or write Secrets.
  • Node Security: Managing permissions and security on the Nodes where Pods run.

For enhanced security, external cloud solutions such as AWS Key Management Service (KMS) or Google Cloud KMS can be integrated to manage keys and secrets more securely^[400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md].

Sources

  • 400-devops__06-Kubernetes__k8s-ithelp__Day19__README.md