kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
website/content/en/docs/tasks/inject-data-application/distribute-credentials-secu...

6.3 KiB
Raw Blame History

title content_template weight
Distribute Credentials Securely Using Secrets templates/task 50

{{% capture overview %}} This page shows how to securely inject sensitive data, such as passwords and encryption keys, into Pods. {{% /capture %}}

{{% capture prerequisites %}}

{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}

{{% /capture %}}

{{% capture steps %}}

Convert your secret data to a base-64 representation

Suppose you want to have two pieces of secret data: a username my-app and a password 39528$vdg7Jb. First, use Base64 encoding to convert your username and password to a base-64 representation. Here's a Linux example:

echo -n 'my-app' | base64
echo -n '39528$vdg7Jb' | base64

The output shows that the base-64 representation of your username is bXktYXBw, and the base-64 representation of your password is Mzk1MjgkdmRnN0pi.

{{< caution >}} Use a local tool trusted by your OS to decrease the security risks of external tools. {{< /caution >}}

Create a Secret

Here is a configuration file you can use to create a Secret that holds your username and password:

{{< codenew file="pods/inject/secret.yaml" >}}

  1. Create the Secret

    kubectl apply -f https://k8s.io/examples/pods/inject/secret.yaml

  2. View information about the Secret:

    kubectl get secret test-secret

    Output:

    NAME          TYPE      DATA      AGE
test-secret   Opaque    2         1m

  3. View more detailed information about the Secret:

    kubectl describe secret test-secret

    Output:

    Name:       test-secret
Namespace:  default
Labels:     <none>
Annotations:    <none>

Type:   Opaque

Data
====
password:   13 bytes
username:   7 bytes

{{< note >}} If you want to skip the Base64 encoding step, you can create a Secret by using the kubectl create secret command: {{< /note >}}

kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb'

Create a Pod that has access to the secret data through a Volume

Here is a configuration file you can use to create a Pod:

{{< codenew file="pods/inject/secret-pod.yaml" >}}

  1. Create the Pod:

    kubectl apply -f https://k8s.io/examples/pods/inject/secret-pod.yaml

  2. Verify that your Pod is running:

    kubectl get pod secret-test-pod

    Output:

    NAME              READY     STATUS    RESTARTS   AGE
secret-test-pod   1/1       Running   0          42m

  3. Get a shell into the Container that is running in your Pod:

    kubectl exec -it secret-test-pod -- /bin/bash

  4. The secret data is exposed to the Container through a Volume mounted under /etc/secret-volume. In your shell, go to the directory where the secret data is exposed:

    root@secret-test-pod:/# cd /etc/secret-volume

  5. In your shell, list the files in the /etc/secret-volume directory:

    root@secret-test-pod:/etc/secret-volume# ls

    The output shows two files, one for each piece of secret data:

    password username

  6. In your shell, display the contents of the username and password files:

    root@secret-test-pod:/etc/secret-volume# cat username; echo; cat password; echo

    The output is your username and password:

    my-app
39528$vdg7Jb

Define container environment variables using Secret data

Define a container environment variable with data from a single Secret

  • Define an environment variable as a key-value pair in a Secret:

    kubectl create secret generic backend-user --from-literal=backend-username='backend-admin'

  • Assign the backend-username value defined in the Secret to the SECRET_USERNAME environment variable in the Pod specification.

    {{< codenew file="pods/inject/pod-single-secret-env-variable.yaml" >}}

  • Create the Pod:

    kubectl create -f https://k8s.io/examples/pods/inject/pod-single-secret-env-variable.yaml

  • Now, the Pods output includes environment variable SECRET_USERNAME=backend-admin

Define container environment variables with data from multiple Secrets

  • As with the previous example, create the Secrets first.

      kubectl create secret generic backend-user --from-literal=backend-username='backend-admin' 

  kubectl create secret generic db-user --from-literal=db-username='db-admin'

  • Define the environment variables in the Pod specification.

    {{< codenew file="pods/inject/pod-multiple-secret-env-variable.yaml" >}}

  • Create the Pod:

    kubectl create -f https://k8s.io/examples/pods/inject/pod-multiple-secret-env-variable.yaml

  • Now, the Pods output includes BACKEND_USERNAME=backend-admin and DB_USERNAME=db-admin environment variables.

Configure all key-value pairs in a Secret as container environment variables

{{< note >}} This functionality is available in Kubernetes v1.6 and later. {{< /note >}}

  • Create a Secret containing multiple key-value pairs

    kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb'

  • Use envFrom to define all of the Secrets data as container environment variables. The key from the Secret becomes the environment variable name in the Pod.

    {{< codenew file="pods/inject/pod-secret-envFrom.yaml" >}}

  • Create the Pod:

    kubectl create -f https://k8s.io/examples/pods/inject/pod-secret-envFrom.yaml

  • Now, the Pods output includes username=my-app and password=39528$vdg7Jb environment variables.

{{% /capture %}}

{{% capture whatsnext %}}

Reference

  • [Secret](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#secret-v1-core)
  • [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)
  • [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)

{{% /capture %}}