Kubernetes Secrets Encryption Tutorial with Examples


It is a bad practice to store valuable sensitive data such as usernames, passwords and API keys in plain text inside containers. We have to protect this data, and at the same time applications need it at run time. Using Kubernetes Secrets we can keep this sensitive data out of the container image and manage it separately. The secrets end up as environment variables within the pod. In this blog post I will explain Kubernetes Secrets in detail, with examples. Secrets are created outside the pods and containers. All secrets are stored in the etcd database. By default the secret data is base64-encoded; base64 is a reversible encoding, not encryption.

Creating a Kubernetes Secret

We can create Kubernetes secrets in three ways:

  • using local files with the kubectl tool
  • using literal values with the kubectl tool
  • using a manifest file

Create Secret Using Local Files with Kubectl tool

Let's imagine that we have to create a secret for a database login username and password.

echo -n 'admin' > ./username.txt

echo -n '1f2d1e2e67df' > ./password.txt

Using the above commands we created two files for the username and password. The username and password are stored in plain text in those files. Always use echo -n when creating files to import with kubectl, so that no trailing newline becomes part of the secret value.

Let's create a secret from the above two files. To create a secret from files, the syntax is:

kubectl create secret generic <secret name> --from-file=<filepath1> --from-file=<file path2>

kubectl create secret generic mysecret --from-file=./username.txt --from-file=./password.txt

You will get output like: secret/mysecret created

List the secrets:

Using the kubectl get command we can list the secrets.

master $ kubectl get secrets

NAME                  TYPE                                  DATA   AGE
mysecret              Opaque                                2      17s

Know more about the secret

Using the kubectl describe command we can get more information about a secret.

master $ kubectl describe secrets mysecret

Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
username.txt:  5 bytes
password.txt:  12 bytes

Retrieve the secret data in base64

By default secrets are encoded in base64. We can retrieve our secret data in base64 by running the command below.

master $ kubectl get secret mysecret -o yaml

apiVersion: v1
data:
  password.txt: MWYyZDFlMmU2N2Rm
  username.txt: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2019-09-08T14:46:03Z"
  name: mysecret
  namespace: default
  resourceVersion: "931"
  selfLink: /api/v1/namespaces/default/secrets/mysecret
  uid: 618520d3-d247-11e9-b96c-0242ac110040
type: Opaque

In the above command output you can see 'YWRtaW4=' and 'MWYyZDFlMmU2N2Rm'. These are the base64-encoded values of the username and password. We can decode them and get the plain text back with the base64 --decode command.

master $ echo "YWRtaW4=" | base64 --decode

admin

By default, data in Kubernetes Secrets is stored in base64 encoding.

Create Secret Using literal values with kubectl tool

Using the kubectl command itself we can create secrets from key-value pairs. To create a secret from literal values, the syntax is:

kubectl create secret generic <secret name> --from-literal=<key1>=<value1> --from-literal=<key2>=<value2>

kubectl create secret generic myliteralsecret --from-literal=username=admin --from-literal=password=1f2d1e2e67df

secret/myliteralsecret created
master $ kubectl get secret myliteralsecret -o yaml

apiVersion: v1
data:
  password: MWYyZDFlMmU2N2Rm
  username: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2019-09-08T16:14:45Z"
  name: myliteralsecret
  namespace: default
  resourceVersion: "3761"
  selfLink: /api/v1/namespaces/default/secrets/myliteralsecret
  uid: c5b35717-d253-11e9-8d5e-0242ac110007
type: Opaque

In the data section you can see the base64 values of the username and password.

Create secret using a manifest file:

So far we have seen how to create secrets from the kubectl command-line tool. We can also create a secret from a manifest file.

cat abcd.yml

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

Using the kubectl apply command we can create the Kubernetes Secret object.

master $ kubectl apply -f abcd.yml

secret/mysecret created
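The following Python script is an added example, not code from the original post or from the Kubernetes project. It ties together the base64 section above and this manifest section: it produces the same data: values as abcd.yml from plain text, decodes the data: block that kubectl get secret -o yaml returns, and checks for the trailing-newline mistake that the echo -n advice guards against. The sample values are constructed to match the ones used in this tutorial; the function names are my own.

```python
import base64

# Constructed sample values, chosen to match the tutorial above.
SAMPLE_VALUES = {"username": "admin", "password": "1f2d1e2e67df"}


def encode_value(plain: str) -> str:
    """Base64-encode a value the way the data: field of a Secret expects.

    Nothing is appended to the input, which is exactly why the tutorial
    uses echo -n: 'admin' and 'admin\\n' encode to different strings.
    """
    return base64.b64encode(plain.encode("utf-8")).decode("ascii")


def decode_value(encoded: str) -> str:
    """Reverse of encode_value. Anyone who can read the Secret object can
    do this, which is why base64 is an encoding and not encryption."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def build_secret_manifest(name: str, values: dict) -> str:
    """Render an Opaque Secret manifest equivalent to abcd.yml above.

    Keys are emitted in sorted order, matching kubectl get -o yaml output.
    """
    lines = [
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        "type: Opaque",
        "data:",
    ]
    for key in sorted(values):
        lines.append(f"  {key}: {encode_value(values[key])}")
    return "\n".join(lines) + "\n"


def decode_secret_data(data: dict) -> dict:
    """Decode the data: section of a Secret as returned by kubectl get -o yaml."""
    return {key: decode_value(val) for key, val in data.items()}


def keys_with_trailing_newline(data: dict) -> list:
    """Flag values that end in a newline: the classic 'echo without -n' mistake,
    which makes a password compare unequal at login time."""
    decoded = decode_secret_data(data)
    return sorted(key for key, val in decoded.items() if val.endswith("\n"))


if __name__ == "__main__":
    # Build the manifest from plain text; compare with abcd.yml above.
    print(build_secret_manifest("mysecret", SAMPLE_VALUES))

    # Decode the data: block shown by 'kubectl get secret mysecret -o yaml'.
    from_cluster = {"password.txt": "MWYyZDFlMmU2N2Rm", "username.txt": "YWRtaW4="}
    print(decode_secret_data(from_cluster))

    # A value created with plain 'echo' carries a trailing newline.
    broken = {"username": encode_value("admin\n"), "password": encode_value("1f2d1e2e67df")}
    print("keys with trailing newline:", keys_with_trailing_newline(broken))
```

Run it with python3 and compare the printed manifest with abcd.yml; the decoded dictionary shows that the data: values are recoverable by anyone with read access to the Secret, so access to Secret objects should be restricted by RBAC rather than relying on the encoding.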
