Kubernetes - Secrets
Kubernetes Secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys. Storing confidential information in a Secret is safer and more flexible than putting it verbatim in a Pod definition or in a container image.
Secrets work like ConfigMaps but are intended for sensitive data (passwords, auth tokens, ssh keys).
1. Secrets store confidential data
2. By default the data is only base64-encoded (base64 is an encoding, not encryption; anyone who can read the object can decode it)
3. Secrets are mapped into the Pod, where the data is decoded, so the container sees the plaintext
4. The data is stored as key-value pairs
5. A Secret can be created from files (--from-file) or from literals (--from-literal)
6. The data should not be more than 1 MB
7. You can load the data from text files
8. Secret data is stored in the etcd database
LAB
1. Creating Secret using kubectl & Consuming it from "volumes" inside Pod
1a. Creating secret using "Kubectl":
------------------------------------
echo -n 'admin' > username.txt
echo -n 'pa$$w00rd' > password.txt
kubectl create secret generic nginx-secret-vol --from-file=username.txt --from-file=password.txt
# rm -f username.txt password.txt
kubectl get secrets
kubectl describe secrets nginx-secret-vol
1b. Consuming "nginx-secret-vol" from "volumes" inside Pod
--------------------------------------------------------
#nginx-pod-secret-vol.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-secret-vol
spec:
  containers:
  - name: nginx-container
    image: nginx
    volumeMounts:
    - name: test-vol
      mountPath: "/etc/confidential"
      readOnly: true
  volumes:
  - name: test-vol
    secret:
      secretName: nginx-secret-vol
==========================================================
1c. Create | Display | Validate:
--------------------------------
# Create
kubectl create -f nginx-pod-secret-vol.yaml
# Display
kubectl get po
kubectl get secrets
kubectl describe pod nginx-pod-secret-vol
# Validate from "inside" the pod
kubectl exec -it nginx-pod-secret-vol -- /bin/sh
cd /etc/confidential
ls
cat username.txt
cat password.txt
exit
(OR)
# Validate from "outside" the pod
kubectl exec nginx-pod-secret-vol -- ls /etc/confidential
kubectl exec nginx-pod-secret-vol -- cat /etc/confidential/username.txt
kubectl exec nginx-pod-secret-vol -- cat /etc/confidential/password.txt
*************************************************************************************************************************************************
2. Creating Secret "manually" using YAML file & Consuming it from "environment variables" inside Pod
2a. Creating Secret using YAML file:
-------------------------------------
# Encoding secret
echo -n 'admin' | base64
echo -n 'pa$$w00rd' | base64
# YAML file
# redis-secret-env.yaml
apiVersion: v1
kind: Secret
metadata:
  name: redis-secret-env
type: Opaque
data:
  username: YWRtaW4=
  password: cGEkJHcwMHJk
kubectl create -f redis-secret-env.yaml
kubectl get secret
kubectl describe secret redis-secret-env
===============================================================================
2b. Consuming "redis-secret-env" secret from "environment variables" inside Pod
-------------------------------------------------------------------------------
# redis-pod-secret-env.yaml
apiVersion: v1
kind: Pod
metadata:
  name: redis-pod-secret-env
spec:
  containers:
  - name: redis-container
    image: redis
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: redis-secret-env
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: redis-secret-env
          key: password
  restartPolicy: Never
===============================================================================
2c. Create | Display | Validate:
--------------------------------
# Create
kubectl create -f redis-pod-secret-env.yaml
# Display
kubectl get pods
kubectl get secrets
kubectl describe pod redis-pod-secret-env
# Validate from "inside" the pod
kubectl exec -it redis-pod-secret-env -- /bin/sh
env | grep SECRET
exit
(OR)
# Validate from "outside" the pod
kubectl exec redis-pod-secret-env -- env | grep SECRET
***************************************************************************
# Decode the secrets
kubectl get secret redis-secret-env -o yaml
echo 'cGEkJHcwMHJk' | base64 --decode
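The two commands above decode one key by hand. As an added example (not part of the lab), the script below generalizes that: it takes the YAML that "kubectl get secret NAME -o yaml" prints and decodes every entry under "data:", which is exactly what any user or ServiceAccount with read access to the Secret object can do. The sample dump is constructed to match redis-secret-env (server-side fields such as uid and resourceVersion are left out); decode_secret_data and SAMPLE_SECRET_YAML are this example's own names.

```shell
#!/bin/sh
# Added example (not from the lab): decode every key of a Secret from a
# "kubectl get secret NAME -o yaml" dump. Names below are this example's own.
set -eu

# decode_secret_data: reads a Secret manifest on stdin and prints
# "key=plaintext" for each entry under the top-level "data:" block.
decode_secret_data() {
    awk '
        /^data:/           { in_data = 1; next }   # top-level data: block starts
        in_data && /^[^ ]/ { in_data = 0 }         # next top-level key ends it
        in_data && /^  [^ ]/ {                     # "  key: base64value"
            sub(/^  /, ""); split($0, kv, ": ")
            print kv[1], kv[2]
        }
    ' | while read -r key b64; do
        printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
    done
}

# Constructed sample of what "kubectl get secret redis-secret-env -o yaml"
# returns for the Secret created in step 2a (server-side metadata omitted).
SAMPLE_SECRET_YAML='apiVersion: v1
data:
  password: cGEkJHcwMHJk
  username: YWRtaW4=
kind: Secret
metadata:
  name: redis-secret-env
  namespace: default
type: Opaque'

# Prints:
#   password=pa$$w00rd
#   username=admin
printf '%s\n' "$SAMPLE_SECRET_YAML" | decode_secret_data
```

Against a live cluster the same function works on real output: `kubectl get secret redis-secret-env -o yaml | decode_secret_data`. The awk only looks at the top-level "data:" block, so the JSON that kubectl stores under metadata annotations is not mistaken for secret data.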
*************************************************************************************************************************************************
3. Cleanup
# Delete secrets
kubectl delete secrets nginx-secret-vol redis-secret-env
# Delete pods
kubectl delete pods nginx-pod-secret-vol redis-pod-secret-env
# Validate
kubectl get pods
kubectl get secrets
References
https://kubernetes.io/docs/concepts/configuration/secret/