Kubernetes Beginner’s Guide Part 7: Managing Secrets

Kubernetes is a powerful platform for deploying and managing containerized applications. One of the critical aspects of managing applications is handling sensitive information, such as passwords, tokens, and keys, securely. Kubernetes offers a resource called “Secrets” to manage such sensitive information. In this blog post, we’ll dive into a hands-on exercise to understand how to create, use, and manage Secrets in Kubernetes.

But, Why Though?

Proper secrets management is crucial for maintaining the security and integrity of your applications and infrastructure. Storing secrets directly in code is a risky practice that can lead to accidental exposure of sensitive information, such as passwords, API keys, and tokens, especially when code is shared or stored in version control systems. This can result in unauthorized access, data breaches, and potentially severe consequences for your organization’s reputation and finances. By using a dedicated secrets management solution, you can centralize and secure the storage of secrets, enforce access controls, and audit usage. This not only enhances security but also simplifies the process of rotating and managing secrets, reducing the risk of human error and ensuring compliance with security policies and regulations. Thankfully, Kubernetes has a built-in secrets management system that we can leverage for this.

Creating a Secret

A Secret is a resource in Kubernetes, much like Pods, Services, Deployments and ReplicaSets. So we’ll follow the same patterns we’ve used to stand up the other resources throughout this series. Start by creating a new YAML file named mysecret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: dXNlcm5hbWU=  # Base64 encoded "username"
  password: cGFzc3dvcmQ=  # Base64 encoded "password"

Note: the data values must be Base64 encoded. If you are on macOS or Linux, you can encode a string with echo -n 'string' | base64 on the command line. If you’re on Windows, you can use Base64 Encode and Decode – Online or a similar utility.

Next, apply the secret to your Kubernetes cluster so that it can be used by your resources:

kubectl apply -f mysecret.yaml
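As an added example (not part of the original post), the POSIX shell functions below generate the mysecret.yaml manifest from plaintext values so the Base64 step is not done by hand, and decode a value back to plaintext to make a point worth remembering: Base64 is an encoding, not encryption, so anyone who can read the Secret object can read the values. The function names are mine, and the script assumes a POSIX sh with the base64 utility (GNU coreutils or macOS).

```shell
#!/bin/sh
# Added example (not from the original post): render mysecret.yaml from
# plaintext values and show that the Base64 step is trivially reversible.
# Assumes a POSIX shell with the base64 utility available on PATH.

# Encode one value the way the Secret's data: field expects.
# printf (not echo) avoids a trailing newline ending up inside the secret;
# tr strips the line wrapping GNU base64 adds to long output.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a data: value back to plaintext. Anyone who can read the Secret
# object (kubectl get secret mysecret -o yaml) can do exactly this, so the
# encoding protects nothing by itself. Older macOS spells the flag -D.
decode_secret_value() {
    printf '%s' "$1" | base64 -d
}

# Emit an Opaque Secret manifest.
# Usage: render_secret_manifest NAME key=value [key=value ...]
render_secret_manifest() {
    name="$1"; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for pair in "$@"; do
        key="${pair%%=*}"
        value="${pair#*=}"
        printf '  %s: %s\n' "$key" "$(encode_secret_value "$value")"
    done
}

# Count the entries under data: in a rendered manifest (a sanity check on output).
count_secret_keys() {
    printf '%s\n' "$1" | awk '/^data:/ { in_data = 1; next }
        in_data && /^  [A-Za-z0-9._-]+: / { n++ }
        END { print n + 0 }'
}

# Example run with the post's constructed values; the output matches mysecret.yaml.
render_secret_manifest mysecret username=username password=password
```

If you would rather not script it, kubectl create secret generic mysecret --from-literal=username=username --from-literal=password=password --dry-run=client -o yaml produces the same kind of manifest without a manual encoding step.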

Using the Secret in a Pod

Now that we have the secret set up in our cluster, let’s try using it in one of our pods. Stand up a new pod using the following configuration, saved as mypod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image: busybox
    # $USERNAME and $PASSWORD are expanded by the container's sh, so they must not
    # sit inside single quotes in the script that sh runs.
    command: ['sh', '-c', 'echo "Username: $USERNAME, Password: $PASSWORD" && sleep 3600']
    env:
      - name: USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password

In the example above, we’re setting up two environment variables, USERNAME and PASSWORD, and having Kubernetes populate them from the username and password keys of the mysecret Secret we created earlier. Our pod simply echoes those values to its terminal.

Apply the pod configuration to your cluster:

kubectl apply -f mypod.yaml

Verify that the pod was able to get those secrets by inspecting the logs:

kubectl logs mypod

You should see output similar to Username: username, Password: password.
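The point of the Pod manifest above is that the values reach the container through valueFrom.secretKeyRef rather than being typed into the manifest. As an added example (not part of the original post), the shell script below lints a Pod manifest for env entries whose names look secret-bearing but are set with a literal value:. It is a line-oriented awk scan tuned to the indentation style used in this series, not a YAML parser, and both sample manifests are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): flag env entries in a Pod
# manifest that carry a literal `value:` for a secret-looking name instead of
# a `valueFrom.secretKeyRef`. Heuristic, line-oriented, not a YAML parser.

WORKDIR="$(mktemp -d)"
BAD_MANIFEST="$WORKDIR/bad-pod.yaml"
GOOD_MANIFEST="$WORKDIR/good-pod.yaml"

# Constructed manifest: PASSWORD is hard-coded, USERNAME comes from the Secret.
cat > "$BAD_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: badpod
spec:
  containers:
  - name: mycontainer
    image: busybox
    env:
      - name: USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: PASSWORD
        value: "plaintext-password"   # constructed; this is what the lint should catch
      - name: LOG_LEVEL
        value: debug
  - name: sidecar
    image: busybox
EOF

# Constructed manifest mirroring the post's mypod: both values come from mysecret.
cat > "$GOOD_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image: busybox
    env:
      - name: USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
EOF

# Print "NAME<TAB>literal|secretKeyRef|other" for every env entry in FILE.
classify_env_entries() {
    awk '
        function indent(s) { match(s, /^ */); return RLENGTH }
        function flush() { if (name != "") print name "\t" kind; name = "" }
        # env: opens a block; its items sit at the same indent (as "- name:") or deeper
        /^ *env:/ { in_env = 1; env_indent = indent($0); next }
        # a non-blank line dedented out of the block closes it
        in_env && NF > 0 && (indent($0) < env_indent || (indent($0) == env_indent && $0 !~ /^ *- /)) { flush(); in_env = 0 }
        in_env && /^ *- name: / { flush(); name = $3; kind = "other"; next }
        in_env && /^ *value:/ { kind = "literal" }
        in_env && /^ *secretKeyRef:/ { kind = "secretKeyRef" }
        END { flush() }
    ' "$1"
}

# Names containing common secret words that are set from a literal value.
flag_literal_secrets() {
    classify_env_entries "$1" |
        awk -F'\t' 'toupper($1) ~ /PASS|TOKEN|SECRET|KEY|CRED/ && $2 == "literal" { print $1 }'
}

echo "Flagged in $BAD_MANIFEST:"
flag_literal_secrets "$BAD_MANIFEST"
echo "Flagged in $GOOD_MANIFEST:"
flag_literal_secrets "$GOOD_MANIFEST"
```

Run it over your own manifests before they are committed; a hit means the value would land in version control in plaintext, which is exactly the exposure the first section warns about.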

Updating Secrets

If you need to update the secret, you can edit the mysecret.yaml file and reapply it. Update the file with new values for the username and password (remember to Base64 encode them).

Reapply the secret:

kubectl apply -f mysecret.yaml

Delete the existing Pod and create it again so that the new one picks up the updated secret (environment variables are read only when a container starts, and a bare Pod is not recreated on its own):

kubectl delete pod mypod
kubectl apply -f mypod.yaml

Verify that the updated values show up when you reinspect the logs:

kubectl logs mypod

Closing Thoughts

You can clean up the resources that you created for this exercise, like so:

kubectl delete secret mysecret
kubectl delete pod mypod

In this installment, we explored how to create, use, and update Kubernetes Secrets to manage sensitive information securely. Secrets are a vital tool in Kubernetes for maintaining the confidentiality of your application’s sensitive data.
