Difficulty: intermediate
Estimated Time: 15-20 minutes

BoxBoat Logo

Secrets are a way to deploy sensitive information to Kubernetes Pods. They are similar to ConfigMaps, but are designed for sensitive information you don't want leaking out. They can optionally be encrypted at rest.

Secrets allow you to independently store sensitive data that your application needs in a Kubernetes object. Secrets are decoupled from Pods and Deployments. In addition, Secrets can be consumed by multiple Pods and Deployments, which can be extremely useful. As an example, if you have multiple micro-servies that need access to the same configuration parameter, all it takes is a single Secret. This used to be accomplished with a Config-Server micro-service, or supplying each micro-service with the same environment variable, which made updates difficult.

Kubernetes Secrets can store simple values like usernames and passwords. They can also store credentials to access a Docker registry, OAuth tokens, and SSH keys. In general, if there is some type of secret value you need to provide, regardless of the content, you can store it as a literal value and make sure your application can consume it without using a built-in construct.

We will go through the process of creating Secrets from literal values and files. We'll supply these values to Pods as environment variables and directories.

Secrets are powerful Kubernetes objects that let you deploy sensitive data to Pods. There are several other use-cases that can be solved with Kubernetes Secrets.

You can encrypt secrets at rest in Etcd, you can also deploy your secrets as hidden files. In addition, you can provide Docker Registry credentials to all pods deployed by a Service Account, deploy SSH keys to applications, etc.

Congratulations, you have completed the Secrets lab! Next up, we'll tackle Kubernetes Persistent Volumes.


Step 1 of 4

Create Secrets from Files

Secrets enable us to provide sensitive information to running Pods. The easiest way to create them is via the command line.

We have 2 files in /resources that contain sensitive data:

cat ./resources/username

cat ./resources/password

These files are populated by running the following:

echo -n 'admin' > ./username

echo -n 'password' > ./password

Once you have these files, you can create a Kubernetes secret with the following:

kubectl create secret generic login-credentials --from-file=./resources/username --from-file=./resources/password

Now, we can view the secret with kubectl:

kubectl get secrets

NAME                  TYPE                                  DATA      AGE
login-credentials     Opaque                                2         51s

We can get even more information with:

kubectl describe secret login-credentials

Note that Kubernetes will not give us the values of the secrets, these are only provided to Pods at runtime in the form of directories and environment variables.

The actual data is stored in Etcd, by default in Base 64 encoded form. This data can be encrypted at rest, but that is beyond the scope of this lab. For more information, please see the Kubernetes documentation.

In addition, your apps need access to secrets. This means that there is no 100% secure way to distribute secrets to your application.