prepare for cks exam with me 12: Secret in Kubernetes
1. Purpose
In this post, I continue the series on preparing for the CKS (Certified Kubernetes Security Specialist) exam. These are my own notes on the exam, and you can refer to these articles when preparing your own.
List of the series of posts:
- prepare for cks exam with me 1: Linux user and group management
- prepare for cks exam with me 2: Linux ssh hardening
- prepare for cks exam with me 3: Linux remove obsolete packages and services
- prepare for cks exam with me 4: Linux kernel hardening
- prepare for cks exam with me 5: Linux UFW (Uncomplicated Firewall)
- prepare for cks exam with me 6: Seccomp in Linux, Docker and Kubernetes
- prepare for cks exam with me 7: AppArmor in Linux, Docker and Kubernetes
- prepare for cks exam with me 8: Security context in Kubernetes
- prepare for cks exam with me 9: Admission controllers in Kubernetes
- prepare for cks exam with me 10: Pod security policy in Kubernetes
- prepare for cks exam with me 11: Open Policy Agent in Kubernetes
- prepare for cks exam with me 12: Secrets in Kubernetes
- prepare for cks exam with me 13: Container runtimes (gVisor/Kata Containers) in Kubernetes
- prepare for cks exam with me 14: Container image security in Docker and Kubernetes
- prepare for cks exam with me 15: How to print docker images of all pods in Kubernetes
2. Environment
- CKS
- Ubuntu System
3. Secret in Kubernetes
3.1 What is a Secret?
Kubernetes Secrets are a way to store and distribute sensitive information – think passwords, or an SSL certificate – that is used by applications in your Kubernetes cluster. Importantly, the declarative nature of Kubernetes definitions allows third-party solutions to be integrated with Secret management.
3.2 How to create a secret
We can create a Secret in two ways: imperatively with kubectl commands, or declaratively with a YAML manifest as the template.
3.2.1 Imperative commands to create secret in kubernetes
Create secret from key-value pairs:
$ kubectl create secret generic <secret-name> --from-literal=<key>=<value> --from-literal=<key>=<value> --from-literal=<key>=<value>
For example:
$ kubectl create secret generic db-secret --from-literal=DB_Host=localhost --from-literal=DB_Username=root --from-literal=DB_Password=123qwe
Kubernetes stores the username and password base64-encoded automatically. Note that this is encoding, not encryption: anyone who can read the Secret object can decode the values.
In addition to literals, we can also create a Secret from files:
$ kubectl create secret generic <secret-name> --from-file=<pathToFile>
For example:
Suppose we have a file named DB_Password with the content:
123qwe
Then we can create the secret as:
$ kubectl create secret generic my-secret --from-file=DB_Password
We can inspect the secret:
$ kubectl get secret my-secret -o yaml
apiVersion: v1
data:
  DB_Password: MTIzcXdlCg==
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque
You can see that the content of the file is stored base64-encoded under data in the Secret, with the file name as the key.
3.2.2 Declarative way to create secret in kubernetes
If you want to create a Secret in the declarative way, we can write a YAML file as follows:
apiVersion: v1
kind: Secret
metadata:
  name: secret-sample
data:
  userName: admin
  password: 123qwe
We should base64-encode the userName and password in the file manually:
$ echo "admin"|base64
YWRtaW4K
$ echo "123qwe"|base64
MTIzcXdlCg==
Note that echo appends a newline, so these encoded values include a trailing newline after the password; use echo -n or printf if the value must be exact.
Then update the YAML:
apiVersion: v1
kind: Secret
metadata:
  name: secret-sample
data:
  userName: YWRtaW4K
  password: MTIzcXdlCg==
3.3 How to inspect the secret
We can inspect the Secret as follows:
$ kubectl get secret secret-sample -o yaml
We can decode an encoded value as follows:
$ echo YWRtaW4K|base64 --decode
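To tie sections 3.2.2 and 3.3 together, here is an added example that is not code from the original post: it generates the declarative Secret manifest from key=value pairs and decodes values the way kubectl shows them, and it makes the trailing-newline pitfall of echo-based encoding visible. It assumes POSIX sh with base64 and tr (coreutils or busybox); the function names are my own and nothing is applied to a cluster.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the Secret manifest
# of section 3.2.2 with correctly encoded values and decodes them as in 3.3.
# Assumes POSIX sh plus base64 and tr (coreutils or busybox); the function
# names are invented here and the manifest is only printed, never applied.

# Encode exactly the bytes of $1: printf adds no newline, unlike echo, and
# tr strips the line wrapping GNU base64 inserts into long values.
encode_secret_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode one value from the data: block, as `base64 --decode` does in 3.3.
decode_secret_value() {
  printf '%s' "$1" | base64 -d
}

# Byte count of the decoded value; a hidden trailing newline shows up here.
decoded_length() {
  decode_secret_value "$1" | wc -c | tr -d ' '
}

# Print a Secret manifest: $1 is the Secret name, the rest are key=value pairs.
make_secret_manifest() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for pair in "$@"; do
    key=${pair%%=*}
    value=${pair#*=}
    printf '  %s: %s\n' "$key" "$(encode_secret_value "$value")"
  done
}

# Demo: the post's `echo "123qwe"|base64` output decodes to 7 bytes (password
# plus "\n"), while the printf-based encoding decodes to the 6 real bytes.
make_secret_manifest secret-sample userName=admin password=123qwe
echo "MTIzcXdlCg== decodes to $(decoded_length MTIzcXdlCg==) bytes"
echo "$(encode_secret_value 123qwe) decodes to $(decoded_length "$(encode_secret_value 123qwe)") bytes"
```

A password that silently carries a trailing newline is a common reason a pod fails to authenticate even though the Secret "looks right" in kubectl output.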
3.4 How to use the secret in pods?
We can use the Secret as environment variables in a pod:
apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "env" ]
      envFrom:
        - secretRef:
            name: mysecret
  restartPolicy: Never
In the above YAML, we create a pod that exposes every key of the Secret mysecret as an environment variable in the container.
We can also inject the Secret as files in the pod:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
          readOnly: true
  volumes:
    - name: foo
      secret:
        secretName: mysecret
In the above YAML, we create a pod that mounts the Secret mysecret read-only at /etc/foo, so each key of the Secret becomes a file under that directory.
4. Summary
In this post, I wrote some examples of how to create, inspect and use Secrets in Kubernetes.