In Kubernetes, sensitive data such as passwords, API keys, and certificates should not be stored in plain text inside ConfigMaps or environment variables. The kubectl create secret command provides a secure way to store and manage this sensitive information.
Using Kubernetes Secrets, you can safeguard confidential data while ensuring easy access to applications running in the cluster.
Types of Secrets in Kubernetes
Kubernetes supports multiple types of secrets, including:
- Opaque Secrets (default): Used for generic key-value pairs.
- TLS Secrets: Store TLS certificates and keys.
- Docker Registry Secrets: Store credentials for private Docker registries.
- Basic Authentication Secrets: Store username-password combinations.
- SSH Authentication Secrets: Store SSH credentials.
- Service Account Tokens: Store access tokens for service accounts.
Creating a Secret with kubectl create secret
1. Creating an Opaque Secret
You can create an opaque secret using the following command:
kubectl create secret generic my-secret --from-literal=username=admin --from-literal=password=securepassThis command stores username=admin and password=securepass securely in Kubernetes.
2. Creating a Secret from a File
If you have a file containing sensitive data, such as an API key, you can create a secret from it:
kubectl create secret generic api-secret --from-file=./api-key.txt3. Creating a Secret for TLS Certificates
To store a TLS certificate and private key as a Kubernetes secret:
kubectl create secret tls tls-secret --cert=cert.pem --key=key.pem4. Creating a Secret for Docker Registry Authentication
If your Kubernetes cluster needs to pull images from a private Docker registry, create a Docker registry secret:
kubectl create secret docker-registry my-docker-secret \
--docker-username=myusername \
--docker-password=mypassword \
--docker-email=myemail@example.com5. Creating a Secret from Environment Variables
You can create a secret from an environment variable file:
kubectl create secret generic env-secret --from-env-file=./secrets.envViewing and Managing Secrets
Listing All Secrets
To list all secrets in a namespace, use:
kubectl get secretsDescribing a Secret
To view the details of a specific secret:
kubectl describe secret my-secretDecoding Secret Data
Since secrets are stored in Base64 encoding, you can decode them as follows:
kubectl get secret my-secret -o jsonpath="{.data.username}" | base64 --decodeBest Practices for Using Secrets in Kubernetes
- Use RBAC (Role-Based Access Control): Restrict access to secrets by defining appropriate RBAC policies.
- Enable Encryption: Ensure Kubernetes secrets are encrypted at rest.
- Avoid Checking Secrets into Version Control: Never store secrets in Git repositories.
- Use External Secret Management Tools: Consider tools like HashiCorp Vault or AWS Secrets Manager for additional security.
- Rotate Secrets Regularly: Update and rotate secrets periodically to reduce security risks.
FAQs on kubectl create secret
1. What is the default type of secret in Kubernetes?
The default type is Opaque, which stores arbitrary key-value pairs.
2. How can I edit an existing secret?
You need to delete and recreate the secret, or use:kubectl edit secret my-secret
3. Are Kubernetes secrets encrypted by default?
By default, Kubernetes stores secrets in etcd, which is base64-encoded but not encrypted. You should enable encryption for better security.
4. Can I use secrets with environment variables in Pods?
Yes, you can mount secrets as environment variables in your pod definition.
5. How do I delete a secret in Kubernetes?
Use the following command:kubectl delete secret my-secret
By mastering kubectl create secret, you can securely manage sensitive data in your Kubernetes environment. Following best practices ensures your clusters remain protected against unauthorized access.