4.8 KiB
| title | content_template | weight |
|---|---|---|
| Distribute Credentials Securely Using Secrets | templates/task | 50 |
{{% capture overview %}} This page shows how to securely inject sensitive data, such as passwords and encryption keys, into Pods. {{% /capture %}}
{{% capture prerequisites %}}
{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
{{% /capture %}}
{{% capture steps %}}
Convert your secret data to a base-64 representation
Suppose you want to have two pieces of secret data: a username my-app and a password
39528$vdg7Jb. First, use Base64 encoding to
convert your username and password to a base-64 representation. Here's a Linux
example:
echo -n 'my-app' | base64
echo -n '39528$vdg7Jb' | base64
The output shows that the base-64 representation of your username is bXktYXBw,
and the base-64 representation of your password is Mzk1MjgkdmRnN0pi.
Create a Secret
Here is a configuration file you can use to create a Secret that holds your username and password:
{{< codenew file="pods/inject/secret.yaml" >}}
-
Create the Secret
kubectl create -f https://k8s.io/examples/pods/inject/secret.yaml -
View information about the Secret:
kubectl get secret test-secretOutput:
NAME TYPE DATA AGE test-secret Opaque 2 1m -
View more detailed information about the Secret:
kubectl describe secret test-secretOutput:
Name: test-secret Namespace: default Labels: <none> Annotations: <none> Type: Opaque Data ==== password: 13 bytes username: 7 bytes
{{< note >}}
If you want to skip the Base64 encoding step, you can create a Secret
by using the kubectl create secret command:
{{< /note >}}
kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb'
Create a Pod that has access to the secret data through a Volume
Here is a configuration file you can use to create a Pod:
{{< codenew file="pods/inject/secret-pod.yaml" >}}
-
Create the Pod:
kubectl create -f https://k8s.io/examples/pods/inject/secret-pod.yaml -
Verify that your Pod is running:
kubectl get pod secret-test-podOutput:
NAME READY STATUS RESTARTS AGE secret-test-pod 1/1 Running 0 42m -
Get a shell into the Container that is running in your Pod:
kubectl exec -it secret-test-pod -- /bin/bash -
The secret data is exposed to the Container through a Volume mounted under
/etc/secret-volume. In your shell, go to the directory where the secret data is exposed:root@secret-test-pod:/# cd /etc/secret-volume -
In your shell, list the files in the
/etc/secret-volumedirectory:root@secret-test-pod:/etc/secret-volume# lsThe output shows two files, one for each piece of secret data:
password username -
In your shell, display the contents of the
usernameandpasswordfiles:root@secret-test-pod:/etc/secret-volume# cat username; echo; cat password; echoThe output is your username and password:
my-app 39528$vdg7Jb
Create a Pod that has access to the secret data through environment variables
Here is a configuration file you can use to create a Pod:
{{< codenew file="pods/inject/secret-envars-pod.yaml" >}}
-
Create the Pod:
kubectl create -f https://k8s.io/examples/pods/inject/secret-envars-pod.yaml -
Verify that your Pod is running:
kubectl get pod secret-envars-test-podOutput:
NAME READY STATUS RESTARTS AGE secret-envars-test-pod 1/1 Running 0 4m -
Get a shell into the Container that is running in your Pod:
kubectl exec -it secret-envars-test-pod -- /bin/bash -
In your shell, display the environment variables:
root@secret-envars-test-pod:/# printenvThe output includes your username and password:
... SECRET_USERNAME=my-app ... SECRET_PASSWORD=39528$vdg7Jb
{{% /capture %}}
{{% capture whatsnext %}}
Reference
- [Secret](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#secret-v1-core)
- [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)
- [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)
{{% /capture %}}