This tutorial aims to guide you on how to manage sensitive data using Secrets in Kubernetes. Secrets offer a secure method to handle sensitive information such as passwords, tokens, or keys, ensuring they aren't exposed in your application code.
By the end of this tutorial, you'll learn:
Prerequisites:
Before starting this tutorial, you should have:
Kubernetes Secrets are objects that contain small amounts of sensitive data such as passwords, OAuth tokens, and SSH keys. They store non-public information separately from your application code, so you can manage sensitive data on its own.
Creating a Secret:
You can create a secret using the kubectl create secret command. For example, to create a secret named my-secret with the key my-key and value my-value, use the following command:
kubectl create secret generic my-secret --from-literal=my-key=my-value
Using a Secret:
A Pod can use secrets either as files in a volume mounted on one or more of its containers, or through the kubelet when it pulls images for the Pod.
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: my-container
    image: my-image
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
  volumes:
  - name: foo
    secret:
      secretName: my-secret
In the above example, the secret my-secret is mounted on a volume foo and the Pod my-pod has access to this secret.
Example 1:
Create a Secret:
kubectl create secret generic my-secret --from-literal=username=my-username --from-literal=password=my-password
This command creates a secret named my-secret with two keys, username and password.
Example 2:
Use the secret in a Pod:
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: test-container
    image: test-image
    volumeMounts:
    - name: my-volume
      mountPath: "/etc/secrets"
  volumes:
  - name: my-volume
    secret:
      secretName: my-secret
In this example, the secret my-secret is mounted on a volume my-volume. The test-container in the secret-pod Pod can use this secret: each key in the secret (username and password) appears as a file under /etc/secrets.
In this tutorial, we've learned how to use Kubernetes Secrets to manage sensitive data. We've learned how to create a secret and use it in a Pod. To explore further, you can look at how to use Secrets for environment variables and how to use Secrets with a service account.
Exercise 1: Create a secret named test-secret with the key api-key and value 123456.
Solution:
kubectl create secret generic test-secret --from-literal=api-key=123456
Exercise 2: Create a Pod that uses the test-secret in a volume.
Solution:
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test-container
    image: test-image
    volumeMounts:
    - name: test-volume
      mountPath: "/etc/secrets"
  volumes:
  - name: test-volume
    secret:
      secretName: test-secret
Exercise 3: Extend the Pod created in Exercise 2 to read the api-key from the secret and print it out.
Solution:
This exercise depends on your application in the test-image having the ability to read a file and print its contents. Here's an example if you're using a bash script:
#!/bin/bash
# Read the api-key file from the secret volume mounted at /etc/secrets.
api_key=$(cat /etc/secrets/api-key)
echo "API Key: $api_key"
This script reads the api-key from the mounted secret and prints it.
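A more defensive variant of the Exercise 3 script, as an added example that is not part of the original tutorial: it validates the key name, fails clearly when the key is missing or empty, and logs only the key name and length instead of the value. The function names read_secret and describe_secret, the SECRET_DIR variable, and the temporary directory standing in for the /etc/secrets mount are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not from the original tutorial. Reads one key from a mounted
# Secret volume and reports on it without writing the value to the logs.

SECRET_DIR="${SECRET_DIR:-/etc/secrets}"   # mountPath used in the Pod manifest

# read_secret KEY -> value on stdout; non-zero status if it cannot be used.
read_secret() {
    local key="$1" file value
    # Each Secret key appears as one file in the mount. Refuse names that
    # would resolve outside the mount directory.
    case "$key" in
        ''|.|..|*/*) echo "read_secret: invalid key name" >&2; return 2 ;;
    esac
    file="$SECRET_DIR/$key"
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "read_secret: key '$key' not found in $SECRET_DIR" >&2
        return 1
    fi
    # Command substitution drops a trailing newline that may have been
    # stored with the value (for example when created with --from-file).
    value="$(cat -- "$file")" || return 1
    if [ -z "$value" ]; then
        echo "read_secret: key '$key' is empty" >&2
        return 1
    fi
    printf '%s' "$value"
}

# describe_secret KEY -> log-safe summary: key name and length, never the value.
describe_secret() {
    local value
    value="$(read_secret "$1")" || return $?
    printf '%s: loaded (%d characters)\n' "$1" "${#value}"
}

# Constructed sample data standing in for the kubelet-populated mount.
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
printf '123456\n' > "$demo_dir/api-key"
SECRET_DIR="$demo_dir"
describe_secret api-key
```

In a real Pod, drop the sample-data lines at the end and leave SECRET_DIR at its default so the functions read from the mounted volume.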