DEV Community

Cover image for Kubernetes Secrets | Secure Data Management
Labby for LabEx

Posted on

Kubernetes Secrets | Secure Data Management

Introduction

This article covers the following tech skills:

Skills Graph

In this lab, you will learn how to use Kubernetes Secrets to securely manage sensitive information such as passwords, API keys, and other confidential data. You will create a secret, use it in your application, and verify that the application is properly configured. Each step builds upon the previous one, so make sure you follow along carefully.

Create A Secret

In this step, you will create a Kubernetes Secret that contains a database password.

Create a file named my-secret.yaml with the following contents:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: dXNlcm5hbWU6cGFzc3dvcmQ=
Enter fullscreen mode Exit fullscreen mode

In this file, we specify the name of the Secret (my-secret), the type of data it contains (Opaque), and the actual data in Base64-encoded format.

Apply the Secret to your cluster by running the following command:

kubectl apply -f my-secret.yaml
Enter fullscreen mode Exit fullscreen mode

Verify that the Secret was created by running the following command:

kubectl get secrets
Enter fullscreen mode Exit fullscreen mode

You should see the my-secret Secret listed.
lab-configuring-apps-with-secrets-1

Use The Secret In Your Application

In this step, you will modify your application to use the my-secret Secret to retrieve the database password.

Create a file named my-app.yaml with the following contents:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: nginx:latest
          env:
            - name: DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: my-secret
                  key: password
Enter fullscreen mode Exit fullscreen mode

In this file, we specify the name of the Deployment (my-app), the image to use (my-image), and the environment variable to set (DATABASE_PASSWORD). We also use a secretKeyRef to retrieve the password key from the my-secret Secret.

Apply the Deployment to your cluster by running the following command:

kubectl apply -f my-app.yaml
Enter fullscreen mode Exit fullscreen mode

Verify that the Deployment was created by running the following command:

kubectl get deployments
Enter fullscreen mode Exit fullscreen mode

You should see the my-app Deployment listed.
lab-configuring-apps-with-secrets-2

Verify The Configuration

In this step, you will verify that your application is properly configured with the database password from the my-secret Secret.

Find the name of the pod running your application by running the following command:

kubectl get pods -l app=my-app
Enter fullscreen mode Exit fullscreen mode

You should see a single pod running your application. Note the name of the pod.

Next, run the following command to open a shell session in the container running your application:

kubectl exec -it sh < pod-name > --
Enter fullscreen mode Exit fullscreen mode

Replace <pod-name> with the name of the pod that you noted earlier.

Once you are in the shell session, run the following command to print the value of the DATABASE_PASSWORD environment variable:

echo $DATABASE_PASSWORD
Enter fullscreen mode Exit fullscreen mode

You should see the database password that was retrieved from the my-secret Secret.
lab-configuring-apps-with-secrets-3

Mount The Secret As A Volume In A Pod

Now that we have created the secret, we can mount it as a volume in a pod. We will create a simple pod that reads the secret value from the mounted volume and outputs it to the console.

Create a file named pod.yaml with the following contents:

apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
    - name: secret-container
      image: nginx
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/secret-volume
  volumes:
    - name: secret-volume
      secret:
        secretName: my-secret
Enter fullscreen mode Exit fullscreen mode

Apply the pod configuration:

kubectl apply -f pod.yaml
Enter fullscreen mode Exit fullscreen mode

Verify The Secret As A Volume In A Pod

In this step, you will verify that your application is properly configured with the database password from the my-secret Secret.

First, run the following command to open a shell session in the container running your application:

kubectl exec -it secret-pod -- sh
Enter fullscreen mode Exit fullscreen mode

Once you are in the shell session, run the following command to print the value:

cat /etc/secret-volume/password
Enter fullscreen mode Exit fullscreen mode

The output should be the value of the secret.
lab-configuring-apps-with-secrets-5

Summary

In this lab, we learned how to use Kubernetes secrets to store sensitive information and how to use them in a pod. Secrets provide a secure way to manage sensitive information and should be used whenever possible to avoid exposing secrets in plaintext.

MindMap


🚀 Practice Now: Configuring Apps with Secrets


Want to Learn More?

Top comments (0)