What is the Kubernetes Secret Object

The purpose of a Secret is to store environment variables with an encoding unlike a ConfigMap.

How do we create a Secret?

Imperatively

kubectl create secret generic <secret-name> --from-literal=key=value

Declaratively

kubectl create -f name-of-secret-definition-file.yaml
apiVersion: v1
kind: Secret
metadata:
  name: name-of-secret
data:
  ENV_VAR_1: <a-value-encrypted-using-base64>
  ENV_VAR_2: <a-value-encrypted-using-base64>

We can encrypt a value using base64 by running this command.

echo 'Ali' | base64
=> QWxpCg==

How do we view a secret?

kubectl get secrets
kubectl get secrets <secret-name>

kubectl describe secrets
kubectl describe secrets <secret-name>

To decode the encrypted value, we simply run this command.

echo 'QWxpCg==' | base64 --decode
=> Ali

How do we make use of a Secret in a Pod?

Using envFrom

spec:
  containers:
    - name: name-of-container
       envFrom:
         - secretRef:
              name: name-of-secret

Using valueFrom

spec:
  containers:
    - name: name-of-container
       env:
         - name: name-of-env
            valueFrom:
              secretKeyRef:
                name: name-of-secret
                key: NAME_OF_ENV_VAR

One key thing to note is that a Secret isn't actually encrypted in a special way. Whoever with access to the Secret can just decode the values using base64 as shown above. I find the existence of Secrets rather baffling.

This article sheds more light about using Secrets. itnext.io/can-kubernetes-keep-a-secret-it-a..

No Comments Yet