prepare for cks exam with me 12: Secret in Kubernetes

1. Purpose

In this post, I will continue writing about preparing for the CKS (Certified Kubernetes Security Specialist) exam. These are my own notes on the exam topics, and you can refer to these articles to prepare on your own.

List of the series of posts:

- prepare for cks exam with me 1: Linux user and group management

- prepare for cks exam with me 2: Linux ssh hardening

- prepare for cks exam with me 3: Linux remove obsolete packages and services

- prepare for cks exam with me 4: Linux kernel hardening

- prepare for cks exam with me 5: Linux UFW(Uncomplicated firewall)

- prepare for cks exam with me 6: Seccomp in Linux, Docker and Kubernetes

- prepare for cks exam with me 7: Apparmor in Linux, Docker and Kubernetes

- prepare for cks exam with me 8: Security context in Kubernetes

- prepare for cks exam with me 9: Admission controllers in Kubernetes

- prepare for cks exam with me 10: Pod security policy in Kubernetes

- prepare for cks exam with me 11: Open policy agent in Kubernetes

- prepare for cks exam with me 12: Secrets in Kubernetes

- prepare for cks exam with me 13: Container runtimes(gvisor/kata containers) in Kubernetes

- prepare for cks exam with me 14: Container Image security in Docker and Kubernetes

- prepare for cks exam with me 15: How to print docker images of all pods in kubernetes

2. Environment

  • CKS
  • Ubuntu System

3. Secret in Kubernetes

3.1 What is a Secret?

Kubernetes Secrets are API objects for storing and distributing sensitive data, such as passwords, API tokens and TLS certificates, to the applications running in your cluster. Keeping credentials in a Secret instead of in the Pod spec or the container image means the workload definition can be shared without leaking them, and the declarative nature of Kubernetes lets third-party secret managers integrate with Secret handling.

One caveat before going further: the values in a Secret are base64-encoded, not encrypted. Anyone who can read the object through the API (RBAC get or list on secrets in that namespace), read the etcd database, or exec into a Pod that consumes it can recover the plaintext. Encryption of Secrets at rest in etcd (an EncryptionConfiguration for the API server) and tight RBAC on the secrets resource are the controls that actually protect them, and both are CKS topics.

3.2 How to create a secret

We can create a Secret in two ways: imperatively, with kubectl commands, or declaratively, with a YAML manifest.

3.2.1 Imperative commands to create secret in kubernetes

Create secret from key-value pairs:

$ kubectl create secret generic <secret-name> --from-literal=<key>=<value> --from-literal=<key>=<value> --from-literal=<key>=<value>

For example:

$ kubectl create secret generic db-secret --from-literal=DB_Host=localhost --from-literal=DB_Username=root --from-literal=DB_Password=123qwe

kubectl base64-encodes the values for you when the object is created. Remember that this encoding is not encryption; it only keeps arbitrary (including binary) data representable in the YAML/JSON form of the object.

In addition to literals, we can also create a Secret from files; the file name becomes the key and the file content becomes the value:

$ kubectl create secret generic <secret-name> --from-file=<pathToFile>

For example:

Suppose we have a file named DB_Password containing:

123qwe

Then we can create the secret as:

$ kubectl create secret generic my-secret --from-file=DB_Password

We can inspect the secret:

➜  ~ kubectl get secret my-secret -o yaml
apiVersion: v1
data:
  DB_Password: MTIzcXdlCg==
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque

You can see that the content of the file is stored base64-encoded under data, with the file name as the key. Note the trailing Cg== in the value: the file ends with a newline, and that newline is now part of the secret value the application will read.

3.2.2 Declarative way to create secret in kubernetes

If you want to create a Secret declaratively, start with a YAML manifest like the following. As written it is not yet valid: the values under data must be base64-encoded, and the API server rejects plain strings there with an "illegal base64 data" error. (If you would rather not encode by hand, put the plain values under stringData instead of data and the API server encodes them for you.)

apiVersion: v1
kind: Secret
metadata:
  name: secret-sample
data:
  userName: admin
  password: 123qwe

We must base64-encode userName and password ourselves before applying the file:

$ echo "admin"|base64
YWRtaW4K

$ echo "123qwe"|base64
MTIzcXdlCg==

Note that echo appends a newline, so these strings decode to "admin" and "123qwe" each followed by a line feed (the trailing K and Cg== carry that extra byte). For a real credential use echo -n or printf '%s' so the newline does not end up in the value. The manifest below keeps the plain echo output so that it matches the file-based example above.

Then update the yaml:

apiVersion: v1
kind: Secret
metadata:
  name: secret-sample
data:
  userName: YWRtaW4K
  password: MTIzcXdlCg==

3.3 How to inspect the secret

We can read the object back as follows (secret-sample is the name used in the manifest above):

$ kubectl get secret secret-sample -o yaml

The values come back base64-encoded; decode one as follows:

$ echo YWRtaW4K|base64 --decode

Anything that can run this kubectl get can read every value in the Secret, so treat get, list and watch on the secrets resource as privileged rights when writing Roles and ClusterRoles.
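The manual encoding in 3.2.2 and the decoding in 3.3 are both easy to get subtly wrong, so here is an added shell example (my own code, not from the original post or from Kubernetes) that does both offline with coreutils and awk, no cluster or kubectl needed. The function names b64enc, b64dec, decoded_len, render_secret and decode_secret_data are my own; the Secret name and key/value pairs are the ones used in this post, and the manifest layout assumed by decode_secret_data is the two-space-indented data: map that kubectl get secret -o yaml prints.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: build a Secret manifest offline
# with correctly base64-encoded values, and decode the data: map of a manifest
# back to plaintext. Needs only coreutils (base64, wc, tr) and awk; no cluster.
# All function names below are my own, not kubectl or Kubernetes API names.
set -eu

# Base64-encode one value for the data: map. printf '%s' avoids the trailing
# newline that `echo` appends (and that would end up inside the stored value).
# tr strips the line wrapping GNU base64 inserts after 76 characters.
b64enc() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode one base64 value exactly as stored, newline pitfall included.
b64dec() {
  printf '%s' "$1" | base64 --decode
}

# Byte length of the decoded value: a quick check for a stray newline.
# YWRtaW4K (from `echo admin`) decodes to 6 bytes, YWRtaW4= to 5.
decoded_len() {
  b64dec "$1" | wc -c | tr -d ' '
}

# render_secret NAME KEY=VALUE [KEY=VALUE ...]  -> Secret manifest on stdout
render_secret() {
  name="$1"; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64enc "${kv#*=}")"
  done
}

# decode_secret_data < manifest  -> one KEY=VALUE line per data: entry.
# Only the two-space-indented entries directly under data: are read, which is
# the shape of `kubectl get secret <name> -o yaml` output.
decode_secret_data() {
  awk '
    /^data:/  { indata = 1; next }
    /^[^ ]/   { indata = 0 }
    indata && /^  [^ ]+: / { sub(/^  /, ""); print }
  ' | while IFS=': ' read -r key val; do
    printf '%s=%s\n' "$key" "$(b64dec "$val")"
  done
}

# Demo: the manifest from section 3.2.2, then a round trip back to plaintext.
render_secret secret-sample userName=admin password=123qwe
echo '---'
render_secret secret-sample userName=admin password=123qwe | decode_secret_data
```

Against a real cluster the same helpers plug into kubectl: render_secret secret-sample userName=admin password=123qwe | kubectl apply -f - creates the object, and kubectl get secret secret-sample -o yaml | decode_secret_data prints every key in plaintext, which is also a handy way to spot values that carry an unintended trailing newline (compare decoded_len on the raw value with the length you expect).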

3.4 How to use the secret in pods?

We can use the secret as environment variables in pod:

apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: [ "/bin/sh", "-c", "env" ]
      envFrom:
      - secretRef:
          name: mysecret
  restartPolicy: Never

In the above YAML, the Pod consumes the Secret mysecret through envFrom: every key in the Secret becomes an environment variable of the same name, so the keys must be valid environment variable names. Environment variables are the more exposed option: they are inherited by every child process the container starts, tend to show up in crash dumps and debug output, and are not refreshed when the Secret changes until the container restarts.

And we can also inject the secret as file in the pod:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

In the above YAML, the Secret mysecret is mounted as a volume at /etc/foo: each key becomes a file under that directory (for example /etc/foo/DB_Password) whose content is the decoded value. The mount is readOnly, the files are backed by a tmpfs on the node rather than written to disk, and the kubelet updates them when the Secret changes, which is why a file mount is usually preferred over environment variables.

4. Summary

In this post, I wrote some examples of creating, inspecting and consuming Secrets in Kubernetes.