Managing Secrets for Sensitive Data

Introduction

This tutorial shows you how to manage sensitive data using Secrets in Kubernetes. Secrets offer a secure method to handle sensitive information such as passwords, tokens, or keys, ensuring they aren't exposed in your application code.

By the end of this tutorial, you'll learn:

  • What Kubernetes Secrets are and why they're essential.
  • How to create and use Secrets in Kubernetes.
  • Best practices for managing sensitive data with Kubernetes Secrets.

Prerequisites:

Before starting this tutorial, you should have:

  • Basic knowledge of Kubernetes
  • Access to a Kubernetes cluster for practical exercises

Step-by-Step Guide

Kubernetes Secrets are objects that contain small amounts of sensitive data such as passwords, OAuth tokens, and SSH keys. They let you store non-public information in the cluster and manage it separately from the Pods that use it.

Creating a Secret:

You can create a Secret using the kubectl create secret command. For example, to create a Secret named my-secret with the key my-key and value my-value, use the following command:

kubectl create secret generic my-secret --from-literal=my-key=my-value

Using a Secret:

A Pod can use a Secret either as files in a volume mounted into one or more of its containers, or through the kubelet, which uses Secrets when pulling images for the Pod. The following manifest shows the volume approach:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: my-container
    image: my-image
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
  volumes:
  - name: foo
    secret:
      secretName: my-secret

In the above example, the Secret my-secret backs the volume foo, which is mounted at /etc/foo in my-container, so the Pod my-pod has access to this Secret.

Code Examples

Example 1:

Create a Secret:

kubectl create secret generic my-secret --from-literal=username=my-username --from-literal=password=my-password

This command creates a Secret named my-secret with two keys, username and password.

Example 2:

Use the secret in a Pod:

apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: test-container
    image: test-image
    volumeMounts:
    - name: my-volume
      mountPath: "/etc/secrets"
  volumes:
  - name: my-volume
    secret:
      secretName: my-secret

In this example, the Secret my-secret backs the volume my-volume, which is mounted at /etc/secrets. The test-container in the secret-pod Pod can use this Secret.

Summary

In this tutorial, we've learned how to use Kubernetes Secrets to manage sensitive data. We've learned how to create a secret and use it in a Pod. To explore further, you can look at how to use Secrets for environment variables and how to use Secrets with a service account.

Practice Exercises

Exercise 1: Create a secret named test-secret with the key api-key and value 123456.

Solution:

kubectl create secret generic test-secret --from-literal=api-key=123456

Exercise 2: Create a Pod that uses the test-secret in a volume.

Solution:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test-container
    image: test-image
    volumeMounts:
    - name: test-volume
      mountPath: "/etc/secrets"
  volumes:
  - name: test-volume
    secret:
      secretName: test-secret

Exercise 3: Extend the Pod created in Exercise 2 to read the api-key from the secret and print it out.

Solution:

This exercise depends on your application in the test-image having the ability to read a file and print its contents. Here's an example if you're using a bash script:

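#!/bin/bash
# The api-key key of test-secret is a file under the volume's mount path.
api_key=$(cat /etc/secrets/api-key)
# Print the value, as the exercise asks.
echo "API Key: $api_key"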

This script reads the api-key from the mounted secret and prints it.
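
The following is an added example, not part of the original tutorial: a variant of the script above that a container entrypoint could use to load a key from the mounted Secret volume, failing when the file is missing or empty and logging a short fingerprint instead of the value. The names SECRETS_DIR, read_secret and secret_fingerprint are assumptions, as is the availability of sha256sum in the image; the mount path /etc/secrets and the key api-key come from the exercises.

```shell
#!/bin/bash
# Added example: load a key from a mounted Secret volume without echoing it.
# SECRETS_DIR, read_secret and secret_fingerprint are hypothetical names.
SECRETS_DIR="${SECRETS_DIR:-/etc/secrets}"   # mountPath from the Pod spec

# read_secret KEY: write the value of KEY to stdout, or return non-zero.
read_secret() {
  key="$1"
  # Secret keys consist of alphanumerics, '-', '_' and '.'. Rejecting
  # anything else also blocks path traversal such as "../other".
  case "$key" in
    ''|.|..|*[!A-Za-z0-9._-]*) echo "invalid key name" >&2; return 2 ;;
  esac
  file="$SECRETS_DIR/$key"
  # Each key is a regular file (via symlink) under the mount path.
  { [ -f "$file" ] && [ -r "$file" ]; } || {
    echo "secret key $key is not mounted" >&2; return 3; }
  [ -s "$file" ] || { echo "secret key $key is empty" >&2; return 4; }
  # Command substitution strips any trailing newline from the file.
  value=$(cat "$file")
  printf '%s' "$value"
}

# secret_fingerprint KEY: first 12 hex digits of the value's SHA-256,
# enough to confirm which version is mounted without logging the value.
secret_fingerprint() {
  value=$(read_secret "$1") || return $?
  printf '%s' "$value" | sha256sum | cut -c1-12
}

# Usage in an entrypoint:
#   API_KEY=$(read_secret api-key) || exit 1
#   echo "api-key loaded, fingerprint $(secret_fingerprint api-key)"
```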
