Securing Sensitive Data with Kubernetes Secrets

Reetesh Kumar
5 min readDec 7, 2023

--

Kubernetes Secrets

Introduction

In the world of cloud-native applications, Kubernetes has emerged as the de facto standard for container orchestration. As applications become more complex and distributed, the need for secure data management becomes paramount. This is where Kubernetes secrets come into play. In this blog post, we’ll explore what Kubernetes Secrets are, why they are important, and how to effectively use them in your applications.

Understanding Kubernetes Secrets

Kubernetes secrets are objects that store sensitive data, such as API keys, passwords, and certificates(ex: TLS certificates). They are designed to be securely stored and accessed by applications running on Kubernetes clusters. Secrets are stored in a key-value format, and their contents are encrypted at rest and in transit. This ensures that sensitive data is protected from unauthorized access.

Key Benefits of Using Kubernetes Secrets:

Secure Data Storage: Secrets ensure that sensitive data is never exposed in plain text, preventing accidental leaks or malicious access.

Centralized Management: Secrets can be managed centrally from the Kubernetes API, providing a single point of control for sensitive data access.

Versioning and Auditing: Secrets support versioning and auditing, allowing for consistent access control and tracking changes made to sensitive data.

Creating and Managing Secrets

1. Create Secrets

There are several ways to create secrets in Kubernetes, and here are some common methods:

a. Creating Kubernetes Secrets Using kubectl

There are two ways of creating Secrets using Kubectl, and they are:

  • Providing the secret data through a file using the — from-file=<filename> tag to Kubectl

kubectl create secret generic my-secret --from-file=./credentials.txt
  • Providing the literal secret data using the — from-literal=<key>=<value> tag to Kubectl
kubectl create secret generic my-secret --from-literal=username=myuser --from-literal=password=mypassword

b. YAML Manifests: Create a YAML manifest file(secret.yaml) to define the secret and then apply it using kubectl apply. Here's an example manifest for a generic secret:

apiVersion: v1
kind: Secret
metadata:
name: my-secret
data:
username: bXl1c2Vy
password: bXlwYXNzd29yZA==

Encode the sensitive information in base64 format before adding it to the manifest.

echo -n 'myuser'     | base64
echo -n 'mypassword' | base64

Apply the manifest:


kubectl apply -f secret.yaml

2. Using Kubernetes Secrets in Applications

To utilize Kubernetes Secrets effectively, applications need to access the encrypted data stored within them. There are multiple approaches to accessing Secret data:

a. Volume Mounts: A volume mount exposes the encrypted Secret data as a file or directory within the container’s filesystem. Applications can then read the decrypted data from the mounted file.

apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mycontainer
image: myimage
volumeMounts:
- name: secret-volume
mountPath: /etc/secrets
volumes:
- name: secret-volume
secret:
secretName: mysecrets

b. Environment Variables: An environment variable mount injects the decrypted Secret data into the container’s environment as an environment variable. Applications can access the decrypted data directly through the environment variable.

apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mycontainer
image: myimage
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: mysecrets
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: mysecrets
key: password

c. Using Kubernetes Service Account: We can associate a Kubernetes service account with the pod, and the associated service account can be granted permission to access specific secrets. The microservice running in the pod can then access the secrets without explicitly referencing them.

apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
serviceAccountName: myserviceaccount
containers:
- name: mycontainer
image: myimage

d. Init Containers: We can use an init container to populate the necessary secrets before the main container starts. The init container can be responsible for fetching and storing secrets, and then the main container can access them.

apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: init-container
image: init-image
volumeMounts:
- name: secret-volume
mountPath: /etc/secrets
- name: mycontainer
image: myimage
volumeMounts:
- name: secret-volume
mountPath: /etc/secrets
volumes:
- name: secret-volume
emptyDir: {}

Choose the method that best suits your application’s architecture and requirements. The key is to keep sensitive information secure while allowing your applications to access the necessary credentials for proper functioning.

3. Updating Kubernetes Secrets in Applications

There are two primary methods for editing and updating Secrets in Kubernetes: using the kubectl command-line tool or managing Secrets through a configuration file.

Method 1: Using kubectl

a. Edit Secret using kubectl edit: This method directly opens the Secret in an editor, allowing you to modify its contents. To do this, execute the following command:

kubectl edit secret <secret-name>

b. Replace Secret using kubectl replace: This method replaces the entire contents of the Secret with new data. To do this, execute the following command:

kubectl replace secret <secret-name> <manifest-filename>

Replace <manifest-filename> with the path to the YAML or JSON manifest file containing the updated Secret data.

Method 2: Managing Secrets through a Configuration File

a. Create a Secret manifest file: Create a YAML or JSON manifest file that defines the updated Secret data. The format of the manifest file depends on the type of Secret (e.g., Opaque, DockerConfig, etc.).

b. Apply the manifest file: Apply the manifest file to the Kubernetes cluster using the kubectl apply command:

kubectl apply -f <manifest-filename>

This will update the existing Secret or create a new one if it doesn’t exist.

4. Renaming Secrets

Renaming Secrets directly is not supported in Kubernetes. To rename a Secret, you’ll need to create a new Secret with the desired name and then delete the old one.

kubectl create secret <type> <new-secret-name> <manifest-filename>
kubectl delete secret <old-secret-name>

5. Listing Secrets

There are two primary methods for retrieving secrets or listing secrets in Kubernetes: using the kubectl command-line tool or using the Kubernetes API server.

Method 1: Using kubectl

a. Listing Secrets: To list all Secrets in the current namespace, use the following command:

kubectl get secrets

This command will display a list of all existing Secrets in the current namespace, along with their names, types, and creation timestamps.

b. Retrieving Secret Data: To retrieve the contents of a specific Secret, use the following command:

kubectl get secret <secret-name> -o jsonpath='{.data.<key>}'

Replace <secret-name> with the name of the Secret you want to retrieve and <key> with the name of the key whose value you want to extract. This command will output the base64-encoded value of the specified key.

Method 2: Using the Kubernetes API server

a. Listing Secrets: To list all Secrets in the cluster, send a GET request to the /api/v1/secrets endpoint of the Kubernetes API server.

curl -X GET http://<API-server-address>/api/v1/secrets

b. Retrieving Secret Data: To retrieve the contents of a specific Secret, send a GET request to the /api/v1/secrets/<secret-name>/data/<key> endpoint of the Kubernetes API server.

curl -X GET http://<API-server-address>/api/v1/secrets/<secret-name>/data/<key>content_copy

Replace <API-server-address> with the address of the Kubernetes API server, <secret-name> with the name of the Secret you want to retrieve, and <key> with the name of the key whose value you want to extract. This request will output the base64-encoded value of the specified key.

Conclusion

Kubernetes Secrets provides a secure and efficient way to manage sensitive information in containerized applications. By understanding the key features and practical usage, you can enhance the security of your applications and ensure the confidentiality of critical data. Whether you’re deploying microservices or monolithic applications, integrating Kubernetes Secrets into your workflow is a crucial step toward building a robust and secure containerized infrastructure.

Happy Learning !!!

--

--

Reetesh Kumar
Reetesh Kumar

Written by Reetesh Kumar

Software developer. Writing about Java, Spring, Cloud and new technologies. LinkedIn: www.linkedin.com/in/reeteshkumar1

No responses yet