Skip to content

Latest commit

 

History

History
121 lines (95 loc) · 2.88 KB

README.md

File metadata and controls

121 lines (95 loc) · 2.88 KB

Secret

You don’t want sensitive information such as a database password or an API key kept around in clear text. Secrets provide you with a mechanism to use such information in a safe and reliable way with the following properties:

  • Secrets are namespaced objects, that is, exist in the context of a namespace
  • You can access them via a volume or an environment variable from a container running in a pod
  • The secret data on nodes is stored in tmpfs volumes
  • A per-secret size limit of 1MB exists
  • The API server stores secrets as plaintext in etcd

Let’s create a file apikey that holds a (made-up) API key:

$ echo -n "A19fh68B001j" > ./apikey.txt

This file can be used to create a Kubernetes Secret

$ kubectl create secret generic apikey --from-file=./apikey.txt
secret/apikey created

Inspect the secret

$ kubectl describe secrets/apikey
Name:         apikey
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
apikey.txt:  12 bytes

Now let’s use the secret in a pod via a volume:

$ kubectl apply -f pod-secretvolume.yaml
pod/pod-secretvolume created

This pod declaration contains the following snippet, which takes a secret by name and injects it as a volume within the pod's container.

...
  containers:
  - name: shell
    image: centos:7
    command:
      - "bin/bash"
      - "-c"
      - "sleep 10000"
    volumeMounts:
      - name: apikeyvol
        mountPath: "/tmp/apikey"
        readOnly: true
  volumes:
  - name: apikeyvol
    secret:
      secretName: apikey
...

If we now exec into the container we see the secret mounted at /tmp/apikey:

$ kubectl exec -it pod-secretvolume -c shell -- bash
[root@pod-secretvolume /]# mount | grep apikey
tmpfs on /tmp/apikey type tmpfs (ro,relatime)
[root@pod-secretvolume /]# cat /tmp/apikey/apikey.txt
A19fh68B001j
[root@pod-secretvolume /]# exit

The next example shows how to inject a secret as a container environment variable.

$ kubectl apply -f pod-secretenv.yaml 
pod/pod-secretenv created

This pod declaration contains the following snippet, which take a secret by name and inject its value within the container into the Pod.

...
  containers:
  - name: shell
    image: centos:7
    env:
      - name: SECRET_APIKEY
        valueFrom:
          secretKeyRef:
            name: apikey
            key: apikey.txt
...

Now if we now exec into the container you can see your secret injected as an environment variable:

$ kubectl exec -it pod-secretenv -c shell -- bash
[root@pod-secretvolume /]# env | grep APIKEY
SECRET_APIKEY=A19fh68B001j
[root@pod-secretvolume /]# exit

You can remove the pods and the secret with:

$  kubectl delete pod/pod-secretenv pod/pod-secretvolume secret/apikey 
pod "pod-secretenv" deleted
pod "pod-secretvolume" deleted
secret "apikey" deleted