diff --git a/content/en/docs/concepts/configuration/secret.md b/content/en/docs/concepts/configuration/secret.md index 471f5e6c0f..61995234e3 100644 --- a/content/en/docs/concepts/configuration/secret.md +++ b/content/en/docs/concepts/configuration/secret.md @@ -10,11 +10,10 @@ feature: weight: 50 --- - {{% capture overview %}} -Kubernetes `secret` objects let you store and manage sensitive information, such -as passwords, OAuth tokens, and ssh keys. Putting this information in a `secret` +Kubernetes Secrets let you store and manage sensitive information, such +as passwords, OAuth tokens, and ssh keys. Storing confidential information in a Secret is safer and more flexible than putting it verbatim in a {{< glossary_tooltip term_id="pod" >}} definition or in a {{< glossary_tooltip text="container image" term_id="image" >}}. See [Secrets design document](https://git.k8s.io/community/contributors/design-proposals/auth/secrets.md) for more information. @@ -25,78 +24,94 @@ is safer and more flexible than putting it verbatim in a ## Overview of Secrets A Secret is an object that contains a small amount of sensitive data such as -a password, a token, or a key. Such information might otherwise be put in a -Pod specification or in an image; putting it in a Secret object allows for -more control over how it is used, and reduces the risk of accidental exposure. +a password, a token, or a key. Such information might otherwise be put in a +Pod specification or in an image. Users can create secrets and the system +also creates some secrets. -Users can create secrets, and the system also creates some secrets. +To use a secret, a Pod needs to reference the secret. +A secret can be used with a Pod in two ways: -To use a secret, a pod needs to reference the secret. -A secret can be used with a pod in two ways: as files in a +- As files in a {{< glossary_tooltip text="volume" term_id="volume" >}} mounted on one or more of -its containers, or used by kubelet when pulling images for the pod. +its containers. +- By the kubelet when pulling images for the Pod. ### Built-in Secrets -#### Service Accounts Automatically Create and Attach Secrets with API Credentials +#### Service accounts automatically create and attach Secrets with API credentials Kubernetes automatically creates secrets which contain credentials for -accessing the API and it automatically modifies your pods to use this type of +accessing the API and automatically modifies your Pods to use this type of secret. The automatic creation and use of API credentials can be disabled or overridden -if desired. However, if all you need to do is securely access the apiserver, +if desired. However, if all you need to do is securely access the API server, this is the recommended workflow. -See the [Service Account](/docs/tasks/configure-pod-container/configure-service-account/) documentation for more -information on how Service Accounts work. +See the [ServiceAccount](/docs/tasks/configure-pod-container/configure-service-account/) +documentation for more information on how service accounts work. ### Creating your own Secrets -#### Creating a Secret Using kubectl create secret +#### Creating a Secret Using `kubectl` -Say that some pods need to access a database. The -username and password that the pods should use is in the files -`./username.txt` and `./password.txt` on your local machine. +Secrets can contain user credentials required by Pods to access a database. +For example, a database connection string +consists of a username and password. You can store the username in a file `./username.txt` +and the password in a file `./password.txt` on your local machine. ```shell -# Create files needed for rest of example. +# Create files needed for the rest of the example. echo -n 'admin' > ./username.txt echo -n '1f2d1e2e67df' > ./password.txt ``` -The `kubectl create secret` command -packages these files into a Secret and creates -the object on the Apiserver. +The `kubectl create secret` command packages these files into a Secret and creates +the object on the API server. ```shell kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt ``` + +The output is similar to: + ``` secret "db-user-pass" created ``` -{{< note >}} -Special characters such as `$`, `\`, `*`, and `!` will be interpreted by your [shell](https://en.wikipedia.org/wiki/Shell_\(computing\)) and require escaping. In most common shells, the easiest way to escape the password is to surround it with single quotes (`'`). For example, if your actual password is `S!B\*d$zDsb`, you should execute the command this way: -``` +{{< note >}} +Special characters such as `$`, `\`, `*`, and `!` will be interpreted by your [shell](https://en.wikipedia.org/wiki/Shell_(computing)) and require escaping. +In most shells, the easiest way to escape the password is to surround it with single quotes (`'`). +For example, if your actual password is `S!B\*d$zDsb`, you should execute the command this way: + +```shell kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password='S!B\*d$zDsb' ``` - You do not need to escape special characters in passwords from files (`--from-file`). +You do not need to escape special characters in passwords from files (`--from-file`). {{< /note >}} -You can check that the secret was created like this: +You can check that the secret was created: ```shell kubectl get secrets ``` + +The output is similar to: + ``` NAME TYPE DATA AGE db-user-pass Opaque 2 51s ``` + +You can view a description of the secret: + ```shell kubectl describe secrets/db-user-pass ``` + +The output is similar to: + ``` Name: db-user-pass Namespace: default @@ -112,30 +127,43 @@ username.txt: 5 bytes ``` {{< note >}} -`kubectl get` and `kubectl describe` avoid showing the contents of a secret by -default. -This is to protect the secret from being exposed accidentally to an onlooker, +The commands `kubectl get` and `kubectl describe` avoid showing the contents of a secret by +default. This is to protect the secret from being exposed accidentally to an onlooker, or from being stored in a terminal log. {{< /note >}} -See [decoding a secret](#decoding-a-secret) for how to see the contents of a secret. +See [decoding a secret](#decoding-a-secret) to learn how to view the contents of a secret. -#### Creating a Secret Manually +#### Creating a Secret manually -You can also create a Secret in a file first, in json or yaml format, +You can also create a Secret in a file first, in JSON or YAML format, and then create that object. The -[Secret](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#secret-v1-core) contains two maps: -data and stringData. The data field is used to store arbitrary data, encoded using -base64. The stringData field is provided for convenience, and allows you to provide +[Secret](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#secret-v1-core) +contains two maps: +`data` and `stringData`. The `data` field is used to store arbitrary data, encoded using +base64. The `stringData` field is provided for convenience, and allows you to provide secret data as unencoded strings. -For example, to store two strings in a Secret using the data field, convert -them to base64 as follows: +For example, to store two strings in a Secret using the `data` field, convert +the strings to base64 as follows: ```shell echo -n 'admin' | base64 +``` + +The output is similar to: + +``` YWRtaW4= +``` + +```shell echo -n '1f2d1e2e67df' | base64 +``` + +The output is similar to: + +``` MWYyZDFlMmU2N2Rm ``` @@ -157,11 +185,14 @@ Now create the Secret using [`kubectl apply`](/docs/reference/generated/kubectl/ ```shell kubectl apply -f ./secret.yaml ``` + +The output is similar to: + ``` secret "mysecret" created ``` -For certain scenarios, you may wish to use the stringData field instead. This +For certain scenarios, you may wish to use the `stringData` field instead. This field allows you to put a non-base64 encoded string directly into the Secret, and the string will be encoded for you when the Secret is created or updated. @@ -169,7 +200,7 @@ A practical example of this might be where you are deploying an application that uses a Secret to store a configuration file, and you want to populate parts of that configuration file during your deployment process. -If your application uses the following configuration file: +For example, if your application uses the following configuration file: ```yaml apiUrl: "https://my.api.com/api/v1" @@ -177,7 +208,7 @@ username: "user" password: "password" ``` -You could store this in a Secret using the following: +You could store this in a Secret using the following definition: ```yaml apiVersion: v1 @@ -195,14 +226,14 @@ stringData: Your deployment tool could then replace the `{{username}}` and `{{password}}` template variables before running `kubectl apply`. -stringData is a write-only convenience field. It is never output when +The `stringData` field is a write-only convenience field. It is never output when retrieving Secrets. For example, if you run the following command: ```shell kubectl get secret mysecret -o yaml ``` -The output will be similar to: +The output is similar to: ```yaml apiVersion: v1 @@ -218,8 +249,8 @@ data: config.yaml: YXBpVXJsOiAiaHR0cHM6Ly9teS5hcGkuY29tL2FwaS92MSIKdXNlcm5hbWU6IHt7dXNlcm5hbWV9fQpwYXNzd29yZDoge3twYXNzd29yZH19 ``` -If a field is specified in both data and stringData, the value from stringData -is used. For example, the following Secret definition: +If a field, such as `username`, is specified in both `data` and `stringData`, +the value from `stringData` is used. For example, the following Secret definition: ```yaml apiVersion: v1 @@ -233,7 +264,7 @@ stringData: username: administrator ``` -Results in the following secret: +Results in the following Secret: ```yaml apiVersion: v1 @@ -251,26 +282,31 @@ data: Where `YWRtaW5pc3RyYXRvcg==` decodes to `administrator`. -The keys of data and stringData must consist of alphanumeric characters, +The keys of `data` and `stringData` must consist of alphanumeric characters, '-', '_' or '.'. -**Encoding Note:** The serialized JSON and YAML values of secret data are -encoded as base64 strings. Newlines are not valid within these strings and must -be omitted. When using the `base64` utility on Darwin/macOS users should avoid -using the `-b` option to split long lines. Conversely Linux users *should* add +{{< note >}} +The serialized JSON and YAML values of secret data are +encoded as base64 strings. Newlines are not valid within these strings and must +be omitted. When using the `base64` utility on Darwin/macOS, users should avoid +using the `-b` option to split long lines. Conversely, Linux users *should* add the option `-w 0` to `base64` commands or the pipeline `base64 | tr -d '\n'` if -`-w` option is not available. +the `-w` option is not available. +{{< /note >}} -#### Creating a Secret from Generator -Kubectl supports [managing objects using Kustomize](/docs/tasks/manage-kubernetes-objects/kustomization/) -since 1.14. With this new feature, -you can also create a Secret from generators and then apply it to create the object on -the Apiserver. The generators -should be specified in a `kustomization.yaml` inside a directory. +#### Creating a Secret from a generator + +Since Kubernetes v1.14, `kubectl` supports [managing objects using Kustomize](/docs/tasks/manage-kubernetes-objects/kustomization/). Kustomize provides resource Generators to +create Secrets and ConfigMaps. The Kustomize generators should be specified in a +`kustomization.yaml` file inside a directory. After generating the Secret, +you can create the Secret on the API server with `kubectl apply`. + +#### Generating a Secret from files + +You can generate a Secret by defining a `secretGenerator` from the +files ./username.txt and ./password.txt: -For example, to generate a Secret from files `./username.txt` and `./password.txt` ```shell -# Create a kustomization.yaml file with SecretGenerator cat <./kustomization.yaml secretGenerator: - name: db-user-pass @@ -279,20 +315,39 @@ secretGenerator: - password.txt EOF ``` -Apply the kustomization directory to create the Secret object. + +Apply the directory, containing the `kustomization.yaml`, to create the Secret. + ```shell -$ kubectl apply -k . +kubectl apply -k . +``` + +The output is similar to: + +``` secret/db-user-pass-96mffmfh4k created ``` -You can check that the secret was created like this: +You can check that the secret was created: ```shell -$ kubectl get secrets +kubectl get secrets +``` + +The output is similar to: + +``` NAME TYPE DATA AGE db-user-pass-96mffmfh4k Opaque 2 51s +``` -$ kubectl describe secrets/db-user-pass-96mffmfh4k +```shell +kubectl describe secrets/db-user-pass-96mffmfh4k +``` + +The output is similar to: + +``` Name: db-user-pass Namespace: default Labels: @@ -306,11 +361,13 @@ password.txt: 12 bytes username.txt: 5 bytes ``` -For example, to generate a Secret from literals `username=admin` and `password=secret`, -you can specify the secret generator in `kustomization.yaml` as +#### Generating a Secret from string literals + +You can create a Secret by defining a `secretGenerator` +from literals `username=admin` and `password=secret`: + ```shell -# Create a kustomization.yaml file with SecretGenerator -$ cat <./kustomization.yaml +cat <./kustomization.yaml secretGenerator: - name: db-user-pass literals: @@ -318,24 +375,38 @@ secretGenerator: - password=secret EOF ``` -Apply the kustomization directory to create the Secret object. + +Apply the directory, containing the `kustomization.yaml`, to create the Secret. + ```shell -$ kubectl apply -k . +kubectl apply -k . +``` + +The output is similar to: + +``` secret/db-user-pass-dddghtt9b5 created ``` + {{< note >}} -The generated Secrets name has a suffix appended by hashing the contents. This ensures that a new -Secret is generated each time the contents is modified. +When a Secret is generated, the Secret name is created by hashing +the Secret data and appending this value to the name. This ensures that +a new Secret is generated each time the data is modified. {{< /note >}} #### Decoding a Secret -Secrets can be retrieved via the `kubectl get secret` command. For example, to retrieve the secret created in the previous section: +Secrets can be retrieved by running `kubectl get secret`. +For example, you can view the Secret created in the previous section by +running the following command: ```shell kubectl get secret mysecret -o yaml ``` -``` + +The output is similar to: + +```yaml apiVersion: v1 kind: Secret metadata: @@ -350,26 +421,29 @@ data: password: MWYyZDFlMmU2N2Rm ``` -Decode the password field: +Decode the `password` field: ```shell echo 'MWYyZDFlMmU2N2Rm' | base64 --decode ``` + +The output is similar to: + ``` 1f2d1e2e67df ``` #### Editing a Secret -An existing secret may be edited with the following command: +An existing Secret may be edited with the following command: ```shell kubectl edit secrets mysecret ``` -This will open the default configured editor and allow for updating the base64 encoded secret values in the `data` field: +This will open the default configured editor and allow for updating the base64 encoded Secret values in the `data` field: -``` +```yaml # Please edit the object below. Lines beginning with a '#' will be ignored, # and an empty file will abort the edit. If an error occurs while saving this file will be # reopened with the relevant failures. @@ -392,23 +466,23 @@ type: Opaque ## Using Secrets -Secrets can be mounted as data volumes or be exposed as +Secrets can be mounted as data volumes or exposed as {{< glossary_tooltip text="environment variables" term_id="container-env-variables" >}} -to be used by a container in a pod. They can also be used by other parts of the -system, without being directly exposed to the pod. For example, they can hold +to be used by a container in a Pod. Secrets can also be used by other parts of the +system, without being directly exposed to the Pod. For example, Secrets can hold credentials that other parts of the system should use to interact with external systems on your behalf. -### Using Secrets as Files from a Pod +### Using Secrets as files from a Pod To consume a Secret in a volume in a Pod: -1. Create a secret or use an existing one. Multiple pods can reference the same secret. -1. Modify your Pod definition to add a volume under `.spec.volumes[]`. Name the volume anything, and have a `.spec.volumes[].secret.secretName` field equal to the name of the secret object. -1. Add a `.spec.containers[].volumeMounts[]` to each container that needs the secret. Specify `.spec.containers[].volumeMounts[].readOnly = true` and `.spec.containers[].volumeMounts[].mountPath` to an unused directory name where you would like the secrets to appear. -1. Modify your image and/or command line so that the program looks for files in that directory. Each key in the secret `data` map becomes the filename under `mountPath`. +1. Create a secret or use an existing one. Multiple Pods can reference the same secret. +1. Modify your Pod definition to add a volume under `.spec.volumes[]`. Name the volume anything, and have a `.spec.volumes[].secret.secretName` field equal to the name of the Secret object. +1. Add a `.spec.containers[].volumeMounts[]` to each container that needs the secret. Specify `.spec.containers[].volumeMounts[].readOnly = true` and `.spec.containers[].volumeMounts[].mountPath` to an unused directory name where you would like the secrets to appear. +1. Modify your image or command line so that the program looks for files in that directory. Each key in the secret `data` map becomes the filename under `mountPath`. -This is an example of a pod that mounts a secret in a volume: +This is an example of a Pod that mounts a Secret in a volume: ```yaml apiVersion: v1 @@ -429,17 +503,17 @@ spec: secretName: mysecret ``` -Each secret you want to use needs to be referred to in `.spec.volumes`. +Each Secret you want to use needs to be referred to in `.spec.volumes`. -If there are multiple containers in the pod, then each container needs its -own `volumeMounts` block, but only one `.spec.volumes` is needed per secret. +If there are multiple containers in the Pod, then each container needs its +own `volumeMounts` block, but only one `.spec.volumes` is needed per Secret. You can package many files into one secret, or use many secrets, whichever is convenient. -**Projection of secret keys to specific paths** +#### Projection of Secret keys to specific paths -We can also control the paths within the volume where Secret keys are projected. -You can use `.spec.volumes[].secret.items` field to change target path of each key: +You can also control the paths within the volume where Secret keys are projected. +You can use the `.spec.volumes[].secret.items` field to change the target path of each key: ```yaml apiVersion: v1 @@ -466,17 +540,17 @@ spec: What will happen: * `username` secret is stored under `/etc/foo/my-group/my-username` file instead of `/etc/foo/username`. -* `password` secret is not projected +* `password` secret is not projected. If `.spec.volumes[].secret.items` is used, only keys specified in `items` are projected. To consume all keys from the secret, all of them must be listed in the `items` field. All listed keys must exist in the corresponding secret. Otherwise, the volume is not created. -**Secret files permissions** +#### Secret files permissions -You can also specify the permission mode bits files part of a secret will have. -If you don't specify any, `0644` is used by default. You can specify a default -mode for the whole secret volume and override per key if needed. +You can set the file access permission bits for a single Secret key. +If you don't specify any permissions, `0644` is used by default. +You can also set a default mode for the entire Secret volume and override per key if needed. For example, you can specify a default mode like this: @@ -503,11 +577,11 @@ Then, the secret will be mounted on `/etc/foo` and all the files created by the secret volume mount will have permission `0400`. Note that the JSON spec doesn't support octal notation, so use the value 256 for -0400 permissions. If you use yaml instead of json for the pod, you can use octal +0400 permissions. If you use YAML instead of JSON for the Pod, you can use octal notation to specify permissions in a more natural way. You can also use mapping, as in the previous example, and specify different -permission for different files like this: +permissions for different files like this: ```yaml apiVersion: v1 @@ -538,16 +612,18 @@ in decimal notation. Note that this permission value might be displayed in decimal notation if you read it later. -**Consuming Secret Values from Volumes** +#### Consuming Secret values from volumes Inside the container that mounts a secret volume, the secret keys appear as -files and the secret values are base-64 decoded and stored inside these files. -This is the result of commands -executed inside the container from the example above: +files and the secret values are base64 decoded and stored inside these files. +This is the result of commands executed inside the container from the example above: ```shell ls /etc/foo/ ``` + +The output is similar to: + ``` username password @@ -556,14 +632,19 @@ password ```shell cat /etc/foo/username ``` + +The output is similar to: + ``` admin ``` - ```shell cat /etc/foo/password ``` + +The output is similar to: + ``` 1f2d1e2e67df ``` @@ -571,19 +652,19 @@ cat /etc/foo/password The program in a container is responsible for reading the secrets from the files. -**Mounted Secrets are updated automatically** +#### Mounted Secrets are updated automatically -When a secret being already consumed in a volume is updated, projected keys are eventually updated as well. -Kubelet is checking whether the mounted secret is fresh on every periodic sync. -However, it is using its local cache for getting the current value of the Secret. -The type of the cache is configurable using the (`ConfigMapAndSecretChangeDetectionStrategy` field in -[KubeletConfiguration struct](https://github.com/kubernetes/kubernetes/blob/{{< param "docsbranch" >}}/staging/src/k8s.io/kubelet/config/v1beta1/types.go)). -It can be either propagated via watch (default), ttl-based, or simply redirecting -all requests to directly kube-apiserver. +When a secret currently consumed in a volume is updated, projected keys are eventually updated as well. +The kubelet checks whether the mounted secret is fresh on every periodic sync. +However, the kubelet uses its local cache for getting the current value of the Secret. +The type of the cache is configurable using the `ConfigMapAndSecretChangeDetectionStrategy` field in +the [KubeletConfiguration struct](https://github.com/kubernetes/kubernetes/blob/{{< param "docsbranch" >}}/staging/src/k8s.io/kubelet/config/v1beta1/types.go). +A Secret can be either propagated by watch (default), ttl-based, or simply redirecting +all requests directly to the API server. As a result, the total delay from the moment when the Secret is updated to the moment -when new keys are projected to the Pod can be as long as kubelet sync period + cache -propagation delay, where cache propagation delay depends on the chosen cache type -(it equals to watch propagation delay, ttl of cache, or zero corespondingly). +when new keys are projected to the Pod can be as long as the kubelet sync period + cache +propagation delay, where the cache propagation delay depends on the chosen cache type +(it equals to watch propagation delay, ttl of cache, or zero correspondingly). {{< note >}} A container using a Secret as a @@ -591,16 +672,16 @@ A container using a Secret as a Secret updates. {{< /note >}} -### Using Secrets as Environment Variables +### Using Secrets as environment variables To use a secret in an {{< glossary_tooltip text="environment variable" term_id="container-env-variables" >}} -in a pod: +in a Pod: -1. Create a secret or use an existing one. Multiple pods can reference the same secret. -1. Modify your Pod definition in each container that you wish to consume the value of a secret key to add an environment variable for each secret key you wish to consume. The environment variable that consumes the secret key should populate the secret's name and key in `env[].valueFrom.secretKeyRef`. -1. Modify your image and/or command line so that the program looks for values in the specified environment variables +1. Create a secret or use an existing one. Multiple Pods can reference the same secret. +1. Modify your Pod definition in each container that you wish to consume the value of a secret key to add an environment variable for each secret key you wish to consume. The environment variable that consumes the secret key should populate the secret's name and key in `env[].valueFrom.secretKeyRef`. +1. Modify your image and/or command line so that the program looks for values in the specified environment variables. -This is an example of a pod that uses secrets from environment variables: +This is an example of a Pod that uses secrets from environment variables: ```yaml apiVersion: v1 @@ -625,46 +706,55 @@ spec: restartPolicy: Never ``` -**Consuming Secret Values from Environment Variables** +#### Consuming Secret Values from environment variables Inside a container that consumes a secret in an environment variables, the secret keys appear as -normal environment variables containing the base-64 decoded values of the secret data. +normal environment variables containing the base64 decoded values of the secret data. This is the result of commands executed inside the container from the example above: ```shell echo $SECRET_USERNAME ``` + +The output is similar to: + ``` admin ``` + ```shell echo $SECRET_PASSWORD ``` + +The output is similar to: + ``` 1f2d1e2e67df ``` ### Using imagePullSecrets -An imagePullSecret is a way to pass a secret that contains a Docker (or other) image registry -password to the Kubelet so it can pull a private image on behalf of your Pod. +The `imagePullSecrets` field is a list of references to secrets in the same namespace. +You can use an `imagePullSecrets` to pass a secret that contains a Docker (or other) image registry +password to the kubelet. The kubelet uses this information to pull a private image on behalf of your Pod. +See the [PodSpec API](/docs/reference/generated/kubernetes-api/{{< latest-version >}}/#podspec-v1-core) for more information about the `imagePullSecrets` field. -**Manually specifying an imagePullSecret** +#### Manually specifying an imagePullSecret -Use of imagePullSecrets is described in the [images documentation](/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) +You can learn how to specify `ImagePullSecrets` from the [container images documentation](/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod). -### Arranging for imagePullSecrets to be Automatically Attached +### Arranging for imagePullSecrets to be automatically attached -You can manually create an imagePullSecret, and reference it from -a serviceAccount. Any pods created with that serviceAccount -or that default to use that serviceAccount, will get their imagePullSecret +You can manually create `imagePullSecrets`, and reference it from +a ServiceAccount. Any Pods created with that ServiceAccount +or created with that ServiceAccount by default, will get their `imagePullSecrets` field set to that of the service account. See [Add ImagePullSecrets to a service account](/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account) for a detailed explanation of that process. -### Automatic Mounting of Manually Created Secrets +### Automatic mounting of manually created Secrets -Manually created secrets (e.g. one containing a token for accessing a github account) +Manually created secrets (for example, one containing a token for accessing a GitHub account) can be automatically attached to pods based on their service account. See [Injecting Information into Pods Using a PodPreset](/docs/tasks/inject-data-application/podpreset/) for a detailed explanation of that process. @@ -673,76 +763,83 @@ See [Injecting Information into Pods Using a PodPreset](/docs/tasks/inject-data- ### Restrictions Secret volume sources are validated to ensure that the specified object -reference actually points to an object of type `Secret`. Therefore, a secret -needs to be created before any pods that depend on it. +reference actually points to an object of type Secret. Therefore, a secret +needs to be created before any Pods that depend on it. -Secret API objects reside in a {{< glossary_tooltip text="namespace" term_id="namespace" >}}. -They can only be referenced by pods in that same namespace. +Secret resources reside in a {{< glossary_tooltip text="namespace" term_id="namespace" >}}. +Secrets can only be referenced by Pods in that same namespace. -Individual secrets are limited to 1MiB in size. This is to discourage creation -of very large secrets which would exhaust apiserver and kubelet memory. -However, creation of many smaller secrets could also exhaust memory. More +Individual secrets are limited to 1MiB in size. This is to discourage creation +of very large secrets which would exhaust the API server and kubelet memory. +However, creation of many smaller secrets could also exhaust memory. More comprehensive limits on memory usage due to secrets is a planned feature. -Kubelet only supports use of secrets for Pods it gets from the API server. -This includes any pods created using kubectl, or indirectly via a replication -controller. It does not include pods created via the kubelets +The kubelet only supports the use of secrets for Pods where the secrets +are obtained from the API server. +This includes any Pods created using `kubectl`, or indirectly via a replication +controller. It does not include Pods created as a result of the kubelet `--manifest-url` flag, its `--config` flag, or its REST API (these are -not common ways to create pods.) +not common ways to create Pods.) -Secrets must be created before they are consumed in pods as environment -variables unless they are marked as optional. References to Secrets that do -not exist will prevent the pod from starting. +Secrets must be created before they are consumed in Pods as environment +variables unless they are marked as optional. References to secrets that do +not exist will prevent the Pod from starting. -References via `secretKeyRef` to keys that do not exist in a named Secret -will prevent the pod from starting. +References (`secretKeyRef` field) to keys that do not exist in a named Secret +will prevent the Pod from starting. -Secrets used to populate environment variables via `envFrom` that have keys +Secrets used to populate environment variables by the `envFrom` field that have keys that are considered invalid environment variable names will have those keys -skipped. The pod will be allowed to start. There will be an event whose +skipped. The Pod will be allowed to start. There will be an event whose reason is `InvalidVariableNames` and the message will contain the list of invalid keys that were skipped. The example shows a pod which refers to the -default/mysecret that contains 2 invalid keys, 1badkey and 2alsobad. +default/mysecret that contains 2 invalid keys: `1badkey` and `2alsobad`. ```shell kubectl get events ``` + +The output is similar to: + ``` LASTSEEN FIRSTSEEN COUNT NAME KIND SUBOBJECT TYPE REASON 0s 0s 1 dapi-test-pod Pod Warning InvalidEnvironmentVariableNames kubelet, 127.0.0.1 Keys [1badkey, 2alsobad] from the EnvFrom secret default/mysecret were skipped since they are considered invalid environment variable names. ``` -### Secret and Pod Lifetime interaction +### Secret and Pod lifetime interaction -When a pod is created via the API, there is no check whether a referenced -secret exists. Once a pod is scheduled, the kubelet will try to fetch the -secret value. If the secret cannot be fetched because it does not exist or -because of a temporary lack of connection to the API server, kubelet will -periodically retry. It will report an event about the pod explaining the -reason it is not started yet. Once the secret is fetched, the kubelet will -create and mount a volume containing it. None of the pod's containers will -start until all the pod's volumes are mounted. +When a Pod is created by calling the Kubernetes API, there is no check if a referenced +secret exists. Once a Pod is scheduled, the kubelet will try to fetch the +secret value. If the secret cannot be fetched because it does not exist or +because of a temporary lack of connection to the API server, the kubelet will +periodically retry. It will report an event about the Pod explaining the +reason it is not started yet. Once the secret is fetched, the kubelet will +create and mount a volume containing it. None of the Pod's containers will +start until all the Pod's volumes are mounted. ## Use cases ### Use-Case: Pod with ssh keys -Create a kustomization.yaml with SecretGenerator containing some ssh keys: +Create a secret containing some ssh keys: ```shell kubectl create secret generic ssh-key-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub ``` +The output is similar to: + ``` secret "ssh-key-secret" created ``` +You can also create a `kustomization.yaml` with a `secretGenerator` field containing ssh keys. + {{< caution >}} -Think carefully before sending your own ssh keys: other users of the cluster may have access to the secret. Use a service account which you want to be accessible to all the users with whom you share the Kubernetes cluster, and can revoke if they are compromised. +Think carefully before sending your own ssh keys: other users of the cluster may have access to the secret. Use a service account which you want to be accessible to all the users with whom you share the Kubernetes cluster, and can revoke this account if the users are compromised. {{< /caution >}} - -Now we can create a pod which references the secret with the ssh key and +Now you can create a Pod which references the secret with the ssh key and consumes it in a volume: ```yaml @@ -768,7 +865,7 @@ spec: When the container's command runs, the pieces of the key will be available in: -```shell +``` /etc/secret-volume/ssh-publickey /etc/secret-volume/ssh-privatekey ``` @@ -777,15 +874,19 @@ The container is then free to use the secret data to establish an ssh connection ### Use-Case: Pods with prod / test credentials -This example illustrates a pod which consumes a secret containing prod -credentials and another pod which consumes a secret with test environment +This example illustrates a Pod which consumes a secret containing production +credentials and another Pod which consumes a secret with test environment credentials. -Make the kustomization.yaml with SecretGenerator +You can create a `kustomization.yaml` with a `secretGenerator` field or run +`kubectl create secret`. ```shell kubectl create secret generic prod-db-secret --from-literal=username=produser --from-literal=password=Y4nys7f11 ``` + +The output is similar to: + ``` secret "prod-db-secret" created ``` @@ -793,23 +894,29 @@ secret "prod-db-secret" created ```shell kubectl create secret generic test-db-secret --from-literal=username=testuser --from-literal=password=iluvtests ``` + +The output is similar to: + ``` secret "test-db-secret" created ``` -{{< note >}} -Special characters such as `$`, `\`, `*`, and `!` will be interpreted by your [shell](https://en.wikipedia.org/wiki/Shell_\(computing\)) and require escaping. In most common shells, the easiest way to escape the password is to surround it with single quotes (`'`). For example, if your actual password is `S!B\*d$zDsb`, you should execute the command this way: -``` +{{< note >}} +Special characters such as `$`, `\`, `*`, and `!` will be interpreted by your [shell](https://en.wikipedia.org/wiki/Shell_(computing)) and require escaping. +In most shells, the easiest way to escape the password is to surround it with single quotes (`'`). +For example, if your actual password is `S!B\*d$zDsb`, you should execute the command this way: + +```shell kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password='S!B\*d$zDsb' ``` You do not need to escape special characters in passwords from files (`--from-file`). {{< /note >}} -Now make the pods: +Now make the Pods: ```shell -$ cat < pod.yaml +cat < pod.yaml apiVersion: v1 kind: List items: @@ -852,15 +959,16 @@ items: EOF ``` -Add the pods to the same kustomization.yaml +Add the pods to the same kustomization.yaml: + ```shell -$ cat <> kustomization.yaml +cat <> kustomization.yaml resources: - pod.yaml EOF ``` -Apply all those objects on the Apiserver by +Apply all those objects on the API server by running: ```shell kubectl apply -k . @@ -868,17 +976,20 @@ kubectl apply -k . Both containers will have the following files present on their filesystems with the values for each container's environment: -```shell +``` /etc/secret-volume/username /etc/secret-volume/password ``` -Note how the specs for the two pods differ only in one field; this facilitates -creating pods with different capabilities from a common pod config template. +Note how the specs for the two Pods differ only in one field; this facilitates +creating Pods with different capabilities from a common Pod template. -You could further simplify the base pod specification by using two Service Accounts: -one called, say, `prod-user` with the `prod-db-secret`, and one called, say, -`test-user` with the `test-db-secret`. Then, the pod spec can be shortened to, for example: +You could further simplify the base Pod specification by using two service accounts: + +1. `prod-user` with the `prod-db-secret` +1. `test-user` with the `test-db-secret` + +The Pod specification is shortened to: ```yaml apiVersion: v1 @@ -894,10 +1005,11 @@ spec: image: myClientImage ``` -### Use-case: Dotfiles in secret volume +### Use-case: dotfiles in a secret volume -In order to make piece of data 'hidden' (i.e., in a file whose name begins with a dot character), simply -make that key begin with a dot. For example, when the following secret is mounted into a volume: +You can make your data "hidden" by defining a key that begins with a dot. +This key represents a dotfile or "hidden" file. For example, when the following secret +is mounted into a volume, `secret-volume`: ```yaml apiVersion: v1 @@ -929,8 +1041,7 @@ spec: mountPath: "/etc/secret-volume" ``` - -The `secret-volume` will contain a single file, called `.secret-file`, and +The volume will contain a single file, called `.secret-file`, and the `dotfile-test-container` will have this file present at the path `/etc/secret-volume/.secret-file`. @@ -939,17 +1050,17 @@ Files beginning with dot characters are hidden from the output of `ls -l`; you must use `ls -la` to see them when listing directory contents. {{< /note >}} -### Use-case: Secret visible to one container in a pod +### Use-case: Secret visible to one container in a Pod Consider a program that needs to handle HTTP requests, do some complex business -logic, and then sign some messages with an HMAC. Because it has complex +logic, and then sign some messages with an HMAC. Because it has complex application logic, there might be an unnoticed remote file reading exploit in the server, which could expose the private key to an attacker. This could be divided into two processes in two containers: a frontend container which handles user interaction and business logic, but which cannot see the private key; and a signer container that can see the private key, and responds -to simple signing requests from the frontend (e.g. over localhost networking). +to simple signing requests from the frontend (for example, over localhost networking). With this partitioned approach, an attacker now has to trick the application server into doing something rather arbitrary, which may be harder than getting @@ -959,10 +1070,10 @@ it to read a file. ## Best practices -### Clients that use the secrets API +### Clients that use the Secret API -When deploying applications that interact with the secrets API, access should be -limited using [authorization policies]( +When deploying applications that interact with the Secret API, you should +limit access using [authorization policies]( /docs/reference/access-authn-authz/authorization/) such as [RBAC]( /docs/reference/access-authn-authz/rbac/). @@ -978,7 +1089,7 @@ the clients to inspect the values of all secrets that are in that namespace. The `watch` and `list` all secrets in a cluster should be reserved for only the most privileged, system-level components. -Applications that need to access the secrets API should perform `get` requests on +Applications that need to access the Secret API should perform `get` requests on the secrets they need. This lets administrators restrict access to all secrets while [white-listing access to individual instances]( /docs/reference/access-authn-authz/rbac/#referring-to-resources) that @@ -991,33 +1102,32 @@ https://github.com/kubernetes/community/blob/master/contributors/design-proposal to let clients `watch` individual resources has also been proposed, and will likely be available in future releases of Kubernetes. -## Security Properties - +## Security properties ### Protections -Because `secret` objects can be created independently of the `pods` that use +Because secrets can be created independently of the Pods that use them, there is less risk of the secret being exposed during the workflow of -creating, viewing, and editing pods. The system can also take additional -precautions with `secret` objects, such as avoiding writing them to disk where +creating, viewing, and editing Pods. The system can also take additional +precautions with Secrets, such as avoiding writing them to disk where possible. -A secret is only sent to a node if a pod on that node requires it. -Kubelet stores the secret into a `tmpfs` so that the secret is not written -to disk storage. Once the Pod that depends on the secret is deleted, kubelet +A secret is only sent to a node if a Pod on that node requires it. +The kubelet stores the secret into a `tmpfs` so that the secret is not written +to disk storage. Once the Pod that depends on the secret is deleted, the kubelet will delete its local copy of the secret data as well. -There may be secrets for several pods on the same node. However, only the -secrets that a pod requests are potentially visible within its containers. +There may be secrets for several Pods on the same node. However, only the +secrets that a Pod requests are potentially visible within its containers. Therefore, one Pod does not have access to the secrets of another Pod. -There may be several containers in a pod. However, each container in a pod has +There may be several containers in a Pod. However, each container in a Pod has to request the secret volume in its `volumeMounts` for it to be visible within -the container. This can be used to construct useful [security partitions at the +the container. This can be used to construct useful [security partitions at the Pod level](#use-case-secret-visible-to-one-container-in-a-pod). -On most Kubernetes-project-maintained distributions, communication between user -to the apiserver, and from apiserver to the kubelets, is protected by SSL/TLS. +On most Kubernetes distributions, communication between users +and the API server, and from the API server to the kubelets, is protected by SSL/TLS. Secrets are protected when transmitted over these channels. {{< feature-state for_k8s_version="v1.13" state="beta" >}} @@ -1027,11 +1137,11 @@ for secret data, so that the secrets are not stored in the clear into {{< glossa ### Risks - - In the API server secret data is stored in {{< glossary_tooltip term_id="etcd" >}}; + - In the API server, secret data is stored in {{< glossary_tooltip term_id="etcd" >}}; therefore: - - Administrators should enable encryption at rest for cluster data (requires v1.13 or later) - - Administrators should limit access to etcd to admin users - - Administrators may want to wipe/shred disks used by etcd when no longer in use + - Administrators should enable encryption at rest for cluster data (requires v1.13 or later). + - Administrators should limit access to etcd to admin users. + - Administrators may want to wipe/shred disks used by etcd when no longer in use. - If running etcd in a cluster, administrators should make sure to use SSL/TLS for etcd peer-to-peer communication. - If you configure the secret through a manifest (JSON or YAML) file which has @@ -1040,15 +1150,10 @@ for secret data, so that the secrets are not stored in the clear into {{< glossa encryption method and is considered the same as plain text. - Applications still need to protect the value of secret after reading it from the volume, such as not accidentally logging it or transmitting it to an untrusted party. - - A user who can create a pod that uses a secret can also see the value of that secret. Even - if apiserver policy does not allow that user to read the secret object, the user could - run a pod which exposes the secret. - - Currently, anyone with root on any node can read _any_ secret from the apiserver, - by impersonating the kubelet. It is a planned feature to only send secrets to + - A user who can create a Pod that uses a secret can also see the value of that secret. Even + if the API server policy does not allow that user to read the Secret, the user could + run a Pod which exposes the secret. + - Currently, anyone with root permission on any node can read _any_ secret from the API server, + by impersonating the kubelet. It is a planned feature to only send secrets to nodes that actually require them, to restrict the impact of a root exploit on a single node. - - -{{% capture whatsnext %}} - -{{% /capture %}}