Certified Kubernetes Administrator (CKA) — Tips and Tricks — Part 6
How to store sensitive information in the cluster with Kubernetes secrets ㊙️
I wish you all a Very Happy New Year! Let your certification dreams come true this year 🏄
Kubernetes secrets are one of the high-value questions in the CKA exam. I don't think there is another exam question where the concept is this simple but the marks are this high. One cannot afford to get this question wrong. Let's quickly look at the basics of Kubernetes secrets and the various ways you may face an exam question about them.
What are Kubernetes secrets?
If you have a small amount of sensitive data that should not be exposed in a pod specification or a ConfigMap, Kubernetes secrets are the way to store it in the cluster. Let's quickly go over some facts about Kubernetes secrets.
- Kubernetes secrets are namespaced objects and live in the context of a namespace.
- Having a separate Kubernetes resource type for secrets enables precise RBAC control.
- Secrets can be made available to a pod via environment variables or a volume.
- The size of the data in a secret is limited to 1MB.
- Securing etcd access is critical, because secrets are stored in etcd merely Base64-encoded, which is equivalent to storing them in plaintext.
- If you are running serious production workloads, try sealed secrets or a vault solution, which are more production-hardened. We will not look into these, as they are out of scope for the exam.
Of all the above facts, the one below is the most critical for the exam:
Secrets can be made available to a pod via environment variables or a volume.
Let's understand this with a quick picture.
How should I create a secret?
kubectl create secret [TYPE] [NAME] [DATA]
[TYPE]
- generic: creates a secret from a local file, directory, or literal value.
- docker-registry: creates a dockercfg secret for authenticating against Docker registries.
- tls: used when you have a TLS public/private key pair to store.
[NAME]: the name of the secret; this is what you refer to inside a pod.
[DATA]
- --from-file: used when you load the data from a file (the value of the secret is the entire content of the file).
- --from-env-file: used when you want to load multiple key-value pairs from a file.
- --from-literal: used when you supply the secret data as a key=value pair.
Creating a secret with the full content of a file
echo -n "mysecret" > ./secret.txt
kubectl create secret generic mysecret --from-file=./secret.txt
kubectl describe secrets mysecret
Creating a secret from a file with key-value pairs
Create secret2.txt (with vi, for example) and add your key=value pairs, one per line.
kubectl create secret generic newsecret --from-env-file=./secret2.txt
kubectl describe secrets newsecret
Creating a secret from literals
kubectl create secret generic literal-token --from-literal=user=admin --from-literal=password=1234
Creating secret from YAML
There is an important fact you have to know before looking at the YAML way of creating a secret: in all of the above ways, the secret values are Base64-encoded automatically. See the attached YAML outputs.
Now let's see how the YAML way of creating a secret is different.
If you look at the YAML above, we are manually encoding the value of the secret in the YAML we create.
To encode any text, use
echo -n 'admin' | base64
Then run
kubectl apply -f secret.yaml
Exam Tips
For the exam, we should be able to do the following:
- Map the created secret to an environment variable in the pod specification.
- Map the created secret to a volume and mount it into the pod.
Environment Variable
When you write your pod specification, use "valueFrom" in the environment variable with "secretKeyRef", then give the name of the secret and the key within it.
In the example pod below, we pick up two environment variables, "SECRET_USERNAME" and "SECRET_PASSWORD", and fill them with values from the secret "mysecret" using the keys "username" and "password" respectively.
Pod Volume Mapping
First create a pod volume from the secret:
volumes → name: [Volume Name] → secret → secretName: [Secret Name]
Then mount the volume in the pod's container:
volumeMounts → name: [Volume Name] → mountPath: "[Mount Path]" → readOnly: true
The "readOnly" attribute is optional; use it if the secret file in the volume should not be modifiable.
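As an added example (not code from the original post), the shell script below renders the Secret YAML from the "Creating secret from YAML" section with Base64-encoded values, together with a Pod that consumes it both ways the exam asks for: environment variables through secretKeyRef and a read-only volume. The names mysecret, secret-demo, secret-vol and the mount path /etc/secret are constructed for this example.

```shell
# Added example, not the post's own code: render the Secret manifest from the
# "Creating secret from YAML" section and a Pod that consumes it as env vars
# (secretKeyRef) and as a read-only volume. Constructed names: secret
# "mysecret", pod "secret-demo", volume "secret-vol", mount path /etc/secret.
# base64 with no trailing newline (echo without -n would bake one into the value).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }
# Secret manifest; values under "data:" must already be base64-encoded.
render_secret_yaml() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: $(b64 "$1")
  password: $(b64 "$2")
EOF
}
# Pod: SECRET_USERNAME/SECRET_PASSWORD via secretKeyRef, whole secret mounted read-only.
render_pod_yaml() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  containers:
  - name: app
    image: busybox
    command: ["sleep", "3600"]
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef: {name: mysecret, key: username}
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef: {name: mysecret, key: password}
    volumeMounts:
    - name: secret-vol
      mountPath: /etc/secret
      readOnly: true
  volumes:
  - name: secret-vol
    secret:
      secretName: mysecret
EOF
}
# Both manifests in one stream (secret first, so the pod can reference it).
render_manifests() { render_secret_yaml admin 1234; echo '---'; render_pod_yaml; }
```

Pipe the output of render_manifests into `kubectl apply -f -`; inside the running pod each key of the secret appears as a file under /etc/secret.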
A final important note: if you cannot memorize any of the above commands, no worries. The Kubernetes documentation page for secrets is there to the rescue during the exam.
That is all you need to know about secrets; we are done 🚀. Also, visit the other tips and tricks for the Certified Kubernetes Administrator (CKA).
We will look into other tips and tricks in an upcoming article. May you pass with flying colors 🏄