Overview #
Secrets are used to store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys. Note that the values in a Secret are only base64-encoded, not encrypted: anyone who can read the Secret object (for example with `kubectl get secret -o yaml`) or the underlying etcd store can recover them, so restrict RBAC access to Secrets and consider enabling encryption at rest for the cluster.
Opaque Secret #
Base64 Encoding #
# Encode the username (base64 is a reversible encoding, not encryption)
echo -n 'my-username' | base64
# Shell output:
bXktdXNlcm5hbWU=
# Encode the password
echo -n 'my-password' | base64
# Shell output:
bXktcGFzc3dvcmQ=
Secret Configuration #
# Create the secret configuration
vi opaque-secret-example.yaml
---
# Opaque (generic) secret holding a username and password.
apiVersion: v1
kind: Secret
metadata:
  name: opaque-secret-example
  labels:
    app: secret-example
type: Opaque
# Values under `data` are base64-encoded, not encrypted: anyone who can read
# this object (e.g. `kubectl get secret opaque-secret-example -o yaml`) can
# decode them with `base64 -d`.
data:
  username: 'bXktdXNlcm5hbWU='  # base64 of "my-username"
  password: 'bXktcGFzc3dvcmQ='  # base64 of "my-password"
# Deploy the secret configuration
kubectl create -f opaque-secret-example.yaml
List Secrets & Details #
# List secrets
kubectl get secrets
# Shell output:
NAME TYPE DATA AGE
opaque-secret-example Opaque 2 64s
# Show secret details (describe prints only the size of each value; `kubectl get secret opaque-secret-example -o yaml` prints the base64-encoded values themselves)
kubectl describe secret opaque-secret-example
# Shell output
Name: opaque-secret-example
Namespace: default
Labels: app=secret-example
Annotations: <none>
Type: Opaque
Data
====
password: 11 bytes
username: 11 bytes
Pod: Secret as Environment Variable #
Pod Configuration #
# Create the pod configuration
vi opaque-secret-example-pod.yaml
---
# Pod that receives both keys of the Secret as environment variables.
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
  labels:
    app: secret-example
spec:
  containers:
    - name: example-container
      image: nginx
      # Injecting a Secret as environment variables exposes it to every
      # process in the container and to anyone allowed to `kubectl exec`
      # (see `printenv` below). Env values are read once at pod start and
      # are not refreshed when the Secret changes; prefer a volume mount
      # where the application supports it.
      env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: opaque-secret-example
              key: username
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: opaque-secret-example
              key: password
# Deploy the pod
kubectl create -f opaque-secret-example-pod.yaml
Verify the Environment Variables #
# List pods
kubectl get pods
# Shell output
NAME READY STATUS RESTARTS AGE
example-pod 1/1 Running 0 8s
# List environment variables (anyone allowed to `kubectl exec` into the pod, and any process inside the container, can read the secret values this way)
kubectl exec example-pod -c example-container -- printenv
# Shell output:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=example-pod
NGINX_VERSION=1.25.5
NJS_VERSION=0.8.4
NJS_RELEASE=3~bookworm
PKG_RELEASE=1~bookworm
USERNAME=my-username # Secret
PASSWORD=my-password # Secret
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.233.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.233.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.233.0.1
KUBERNETES_SERVICE_HOST=10.233.0.1
HOME=/root
# List environment variables: Username and Password variables only
kubectl exec example-pod -c example-container -- sh -c 'echo USERNAME=$USERNAME PASSWORD=$PASSWORD'
# Shell output:
USERNAME=my-username PASSWORD=my-password
Delete the Pod #
# Delete the pod
kubectl delete pod example-pod
Pod: Secret as a Volume #
Pod Configuration #
# Create the pod configuration
vi opaque-secret-example-pod.yaml
---
# Pod that mounts the Secret as files under /etc/secret.
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
  labels:
    app: secret-example
spec:
  containers:
    - name: example-container
      image: nginx
      volumeMounts:
        - name: secret-volume
          # Each key of the Secret appears as a file: /etc/secret/username
          # and /etc/secret/password. Mounted read-only so the container
          # cannot modify the projected files.
          mountPath: /etc/secret
          readOnly: true
  volumes:
    - name: secret-volume
      secret:
        secretName: opaque-secret-example
# Deploy the pod
kubectl create -f opaque-secret-example-pod.yaml
Verify the Secrets in the Volume #
# List pods
kubectl get pods
# Shell output:
NAME READY STATUS RESTARTS AGE
example-pod 1/1 Running 0 5s
# Exec the container shell
kubectl exec -it example-pod -c example-container -- /bin/bash
# Cat the password secret
cat /etc/secret/password
# Shell output:
my-password
# Cat the username secret
cat /etc/secret/username
# Shell output:
my-username
Delete the Pod #
# Delete the pod
kubectl delete pod example-pod
Delete the Secret #
# Delete the secret
kubectl delete secret opaque-secret-example
# Verify / list secrets
kubectl get secrets
SSH Key Secret #
Generate SSH Key #
Create a dedicated SSH key for the Kubernetes secret (do not reuse a personal key: the private key will be stored in the cluster and is readable by anyone who can read the secret):
# Generate an Ed25519 key (Ed25519 keys have a fixed 256-bit size; there is no key length to choose)
ssh-keygen -t ed25519 -C "your_email@example.com"
Secret Configuration #
# Create SSH key example
kubectl create secret generic ssh-key-secret-example --from-file=ssh-privatekey=/home/debian/.ssh/id_ed25519 --type=kubernetes.io/ssh-auth
- `ssh-key-secret-example`: name of the secret.
- `--from-file=ssh-privatekey=/home/debian/.ssh/id_ed25519`: reads the private key file into the key `ssh-privatekey`, the key name the `kubernetes.io/ssh-auth` type requires.
- `--type=kubernetes.io/ssh-auth`: marks the secret as an SSH credential (the key data is still only base64-encoded, not encrypted).
List the Secret & Details #
# List secrets
kubectl get secrets
# Shell output:
NAME TYPE DATA AGE
ssh-key-secret-example kubernetes.io/ssh-auth 1 3s
# List secret details
kubectl describe secret ssh-key-secret-example
# Shell output:
Name: ssh-key-secret-example
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/ssh-auth
Data
====
ssh-privatekey: 419 bytes
Pod: SSH Key Secret #
The following Pod starts an Alpine container and mounts the SSH private key from the secret into the "/root/.ssh" directory:
# Create the pod configuration
vi ssh-key-secret-pod.yaml
---
# Pod that mounts the SSH private key secret at /root/.ssh.
apiVersion: v1
kind: Pod
metadata:
  name: ssh-pod-example
spec:
  containers:
    - name: alpine-container
      image: alpine
      # The volume below is mounted at /root/.ssh, so the directory already
      # exists when the command runs and `mkdir -p` is a no-op; the pod
      # exits after one hour.
      command:
        - sh
        - '-c'
        - 'mkdir -p /root/.ssh && sleep 3600'
      volumeMounts:
        - name: ssh-key
          # The key is projected as /root/.ssh/ssh-privatekey (the Secret's
          # key name). ssh does not look for that file name by default, so
          # pass it with `ssh -i`, or remap it via `items:`/`path:` on the
          # volume.
          mountPath: /root/.ssh
          readOnly: true
  volumes:
    - name: ssh-key
      secret:
        secretName: ssh-key-secret-example
        # Octal 0400 (owner read-only), which the ssh client requires for a
        # private key. Kubernetes' YAML parser reads the leading-zero
        # literal as octal (decimal 256); in JSON, write 256 instead.
        defaultMode: 0400
# Deploy the pod
kubectl create -f ssh-key-secret-pod.yaml
Verify the SSH Key inside the Container #
# List pods
kubectl get pods
# Shell output:
NAME READY STATUS RESTARTS AGE
ssh-pod-example 1/1 Running 0 6s
# Exec the container shell
kubectl exec -it ssh-pod-example -c alpine-container -- /bin/ash
# Cat the SSH private key (the file is named after the Secret's key, ssh-privatekey, so ssh will not use it automatically — pass it with `ssh -i /root/.ssh/ssh-privatekey`)
cat /root/.ssh/ssh-privatekey
Delete the Resources #
# Delete the pod
kubectl delete pod ssh-pod-example
# Delete the secret
kubectl delete secret ssh-key-secret-example