12-k8s-lab-secrets.md

Secrets

References:
Secrets
Good practices for Kubernetes Secrets
Kubernetes API: Secret

Agenda

  • Secrets overview.
  • Create a Secret.
  • Verify and decode the Secret.
  • Cleanup.

Start a Kubernetes cluster using minikube start.

Background
A Secret object stores sensitive data such as credentials used by Pods to access services. For example, you might need a Secret to store the username and password needed to access a database.
Secrets can be mounted as data volumes or exposed as environment variables to be used by a container in a Pod.

Create Secret using source files

kubectl create secret generic SECRET_NAME --from-file=FILE_NAME
The default key name is the file name. You can optionally set the key name using --from-file=[key=]source.
For example:
kubectl create secret generic SECRET_NAME --from-file=KEY=FILE_NAME

Create Secret using config file
This example stores two strings, admin and mypassword, in a Secret using the data field. Values in the data field must be base64-encoded, so convert the strings first.

~/learnk8s> echo -n 'admin' | base64
YWRtaW4=
~/learnk8s> echo -n 'mypassword' | base64
bXlwYXNzd29yZA==

Create the manifest. Save the following YAML file in your directory.
File: 6-k8s-secret.yaml

Secret manifest

Create the Secret using kubectl apply.

~/learnk8s> kubectl apply -f yaml/6-k8s-secret.yaml 
secret/mysecret created

Secret verification and decoding

~/learnk8s> kubectl get secrets
NAME       TYPE     DATA   AGE
mysecret   Opaque   2      3m49s
~/learnk8s> kubectl describe secret mysecret
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  10 bytes
username:  5 bytes

The commands kubectl get and kubectl describe avoid showing the contents of a Secret by default. This is to protect the Secret from being exposed accidentally, or from being stored in a terminal log.

To decode the password field stored in the secret, run the following command.

~/learnk8s> kubectl get secret mysecret -o jsonpath='{.data.password}' | base64 --decode
mypassword
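
The encode, manifest and decode steps of this lab as one script, added here as an example and not part of the original lab files. The manifest layout is an assumption reconstructed from the kubectl output above (name mysecret, type Opaque, keys username and password), and the function names b64, render_secret and decode_field are hypothetical.

```shell
#!/bin/sh
# Added example: builds the manifest this lab describes and decodes it again.
# Function names are hypothetical; the manifest layout is assumed from the
# kubectl describe output (name mysecret, type Opaque, two data keys).

# Base64-encode a value exactly as given. printf '%s' adds no trailing newline,
# matching `echo -n`; a plain `echo admin | base64` would yield YWRtaW4K and
# store "admin\n" as the credential.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Print an Opaque Secret manifest that uses the data field (base64 values).
render_secret() {
    name=$1 user=$2 pass=$3
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  username: $(b64 "$user")
  password: $(b64 "$pass")
EOF
}

# Read a manifest on stdin and decode one key from its data section.
# No key is needed to reverse it: base64 is an encoding, not encryption.
decode_field() {
    key=$1
    awk -v k="$key:" '$1 == k { print $2 }' | base64 --decode
}

# Constructed sample values: the two strings used in this lab.
manifest=$(render_secret mysecret admin mypassword)
printf '%s\n' "$manifest"
printf 'decoded password: %s\n' "$(printf '%s\n' "$manifest" | decode_field password)"
```

Because anyone who can read the manifest can decode it the same way, keep a file like this out of version control and shared logs.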

Cleanup
To delete a Secret, run the following command:

~/learnk8s> kubectl delete secret mysecret
secret "mysecret" deleted