قالب وردپرس درنا توس
Home / Tips and Tricks / Managing secrets in Kubernetes – CloudSavvy IT

Managing secrets in Kubernetes – CloudSavvy IT



Image with the Kubernetes logo

Kubernetes Secrets allows you to securely store confidential information. Using a secret eliminates the need to handle sensitive data in manifest definitions or regular container images.

Secrets is a premium resource type that exists independently of a pod. You reference Pods to your secrets. Its architecture allows you to limit access to secrets to only those pods that really need the data.

You generally use Secrets for all the sensitive constants your pods need. They are ideal for storing authentication keys, database credentials and API tokens.

Creating a secret

Secrets are created in the same way as any other Kubernetes API resource. You can use Kubectl commands or a YAML manifest that you then apply to your cluster. In this tutorial, we provide examples of YAML files.

Here̵

7;s how to define a user-created secret:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: demo-secret
data:
  SECRET_USERNAME: dXNlcm5hbWUK
  SECRET_PASSWORD: cGFzc3dvcmQK

Secrets consist of one kind and a simple object of it dataThe sample secret defines two separate data fields, SECRET_USERNAME and SECRET_PASSWORDValues ​​must be Base64 encoded – the values ​​shown above were original username and password

When working with a Helm template, you can define your secret values ​​in a values.yaml File. Lead them through b64enc in your manifest to have Helm encode them as Base64.

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: demo-secret
data:
  SECRET_PASSWORD: {{ .Values.SecretPassword | b64enc }}

If you’d rather not encode your values ​​with Base64, you can use the stringData field instead. Like it data stringData is a map of key-value pairs, but the values ​​are processed literally, without any coding.

Secret types

The Opaque The secret type should be used for any data that you define yourself. Kubernetes defines a few other built-in secret types intended for specific use cases.

Available types include service-account-token (the Kubernetes service token), dockerconfigjson (a serialized Docker config.json file, to specify Docker credentials) and ssh-auth (provide SSH credentials). In addition to these types, there are solutions for HTTP basic authentication and TLS certificate information.

Each secret type can define its own extra fields and validation restrictions. Typically, you will need to set up additional annotations for your secret to provide the information needed for the secret type.

You can create your own secret type designations by adding your own string to it type field. The resulting secret will be functionally equivalent to the Opaque type.

Providing secrets to pods

After you create a secret, you must make it available to your pods. You can inject secret data as environment variables or as a file mounted on a volume.

Here’s a pod manifest that pulls the data from a secret to environment variables:

apiVersion: v1
kind: Pod
metadata:
  name: pod-with-secret
spec:
  containers:
    - name: demo-container
      image: my-image:latest
      envFrom:
        - secretRef:
            name: demo-secret

By using envFrom, all key / value pairs defined in the secrets data is converted to environment variables of the container. With the sample secret from earlier, your container SECRET_USERNAME and SECRET_PASSWORD environment variables injected. Values ​​are automatically decoded with Base64.

Sometimes you want to work with files instead of environment variables. Here’s how to mount a secret in a Kubernetes volume.

apiVersion: v1
kind: Pod
metadata:
  name: pod-with-secret
spec:
  containers:
    - name: demo-container
      image: my-image:latest
      volumeMounts:
        - name: secret-volume
          mountPath: /secrets
  volumes:
    - name: secret-volume
      secret:
        secretName: demo-secret

Gaining access to /secrets directory in the container to view the secret data. Each data key has its own file. The content of the file is the Base64-decoded value of that key. Would write our sample secret /secrets/SECRET_USERNAME and /secrets/SECRET_PASSWORD files.

The approach works by creating a Kubernetes volume using the secret source. This source populates the volume with the data of a named secret. The volume is then mounted in the container on the path defined under volumeMounts

Security considerations

Keeping data secret does not automatically protect it. The Base64 encoding is superficial, but make no mistake: this is it coding and not encryptionAnything with access to your cluster, be it a human user or an application with appropriate permission, can retrieve plain text secret values.

The point of secrets is to reduce the risk of accidental data exposure when creating and viewing pods. Secrets are only given to pods – and nodes – that actually need them. Node will destroy their local copies of secrets when the pod they used is terminated.

The Kubernetes control plane stores secret values ​​in its etcd instance. This is a key-value store that supports the Kubernetes cluster data. To maximize security, you must configure encryption at rest for your etcd store. This will encrypt your secrets within etcd.

You also need to assess how your application layer handles secrets. Even with encryption enabled at rest, your containers can inadvertently leak secrets by sending them to job logs or to external services. Using Kubernetes secrets does not require careful handling of sensitive data in your container.

Resume

Kubernetes secrets allow you to store and access sensitive data within your Kubernetes cluster. Using secrets gives you more control over information exposure. It also makes it clear that you are dealing with potentially sensitive values. This can serve as a warning to users and administrators in a cluster.

Pods use secrets as environment variables or as volume mounted files. Kubernetes provides the injection of secrets into containers. Your workloads can access the data using their existing configuration mechanisms. Secrets are not fully protected by default, but you can increase their protection by activating cluster-level encryption.


Source link