
Kubernetes v1.12 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see latest version.


Distribute Credentials Securely Using Secrets

This page shows how to securely inject sensitive data, such as passwords and encryption keys, into Pods.

Before you begin

You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:

To check the version, enter kubectl version.

Convert your secret data to a base-64 representation

Suppose you want to have two pieces of secret data: a username my-app and a password 39528$vdg7Jb. First, use Base64 encoding to convert your username and password to a base-64 representation. Here’s a Linux example:

echo -n 'my-app' | base64
echo -n '39528$vdg7Jb' | base64

The output shows that the base-64 representation of your username is bXktYXBw, and the base-64 representation of your password is Mzk1MjgkdmRnN0pi.

Create a Secret

Here is a configuration file you can use to create a Secret that holds your username and password:

pods/inject/secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  username: bXktYXBw
  password: Mzk1MjgkdmRnN0pi

  1. Create the Secret:

    kubectl create -f https://k8s.io/docs/tasks/inject-data-application/secret.yaml

    Note: If you want to skip the Base64 encoding step, you can create a Secret by using the kubectl create secret command:

    kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb'

  2. View information about the Secret:

    kubectl get secret test-secret

    Output:

    NAME          TYPE      DATA      AGE
    test-secret   Opaque    2         1m
    
  3. View more detailed information about the Secret:

    kubectl describe secret test-secret

    Output:

    Name:       test-secret
    Namespace:  default
    Labels:     <none>
    Annotations:    <none>
    
    Type:   Opaque
    
    Data
    ====
    password:   13 bytes
    username:   7 bytes
    
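As an added example (not part of the Kubernetes docs), the following POSIX shell script ties the base-64 step and the Secret manifest together: it builds test-secret from plain literals, then decodes a key back out of the manifest, which is exactly what anyone allowed to run kubectl get secret -o yaml can do, since base-64 is an encoding, not encryption. It assumes GNU coreutils (base64 -d); the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Kubernetes docs: build the test-secret manifest
# from plain literals and decode it back, to check the round trip offline.
# Assumes GNU coreutils (base64 -d) and a POSIX sh.

# Encode one literal exactly as the docs do: no trailing newline, single-line output.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Print a Secret manifest for NAME with one data entry per key=value argument.
# Values are base-64 encoded; the plain text never appears in the output.
make_secret_manifest() {
    name=$1; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ndata:\n' "$name"
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        printf '  %s: %s\n' "$key" "$(b64 "$val")"
    done
}

# Decode one key from a manifest read on stdin. Only lines under "data:" are
# considered, so a key named "name" does not match metadata.name.
# This is all that 'kubectl get secret NAME -o yaml' access needs to recover
# the plain text: base-64 is encoding, not encryption.
decode_secret_key() {
    key=$1
    awk -v k="$key" '/^data:/ { in_data = 1; next }
                     in_data && $1 == (k ":") { print $2; exit }' | base64 -d
}

# Usage with the values from this page (constructed sample input).
manifest=$(make_secret_manifest test-secret 'username=my-app' 'password=39528$vdg7Jb')
printf '%s\n' "$manifest"
printf '%s\n' "$manifest" | decode_secret_key password; echo
```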

Create a Pod that has access to the secret data through a Volume

Here is a configuration file you can use to create a Pod:

pods/inject/secret-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-test-pod
spec:
  containers:
    - name: test-container
      image: nginx
      volumeMounts:
          # name must match the volume name below
          - name: secret-volume
            mountPath: /etc/secret-volume
  # The secret data is exposed to Containers in the Pod through a Volume.
  volumes:
    - name: secret-volume
      secret:
        secretName: test-secret

  1. Create the Pod:

    kubectl create -f https://k8s.io/docs/tasks/inject-data-application/secret-pod.yaml
  2. Verify that your Pod is running:

    kubectl get pod secret-test-pod

    Output:

    NAME              READY     STATUS    RESTARTS   AGE
    secret-test-pod   1/1       Running   0          42m
  3. Get a shell into the Container that is running in your Pod:

    kubectl exec -it secret-test-pod -- /bin/bash
  4. The secret data is exposed to the Container through a Volume mounted under /etc/secret-volume. In your shell, go to the directory where the secret data is exposed:

    root@secret-test-pod:/# cd /etc/secret-volume
  5. In your shell, list the files in the /etc/secret-volume directory:

    root@secret-test-pod:/etc/secret-volume# ls

    The output shows two files, one for each piece of secret data:

    password username
  6. In your shell, display the contents of the username and password files:

    root@secret-test-pod:/etc/secret-volume# cat username; echo; cat password; echo

    The output is your username and password:

    my-app
    39528$vdg7Jb

Create a Pod that has access to the secret data through environment variables

Here is a configuration file you can use to create a Pod:

pods/inject/secret-envars-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-envars-test-pod
spec:
  containers:
  - name: envars-test-container
    image: nginx
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: test-secret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: test-secret
          key: password

  1. Create the Pod:

    kubectl create -f https://k8s.io/docs/tasks/inject-data-application/secret-envars-pod.yaml
  2. Verify that your Pod is running:

    kubectl get pod secret-envars-test-pod

    Output:

    NAME                     READY     STATUS    RESTARTS   AGE
    secret-envars-test-pod   1/1       Running   0          4m
  3. Get a shell into the Container that is running in your Pod:

    kubectl exec -it secret-envars-test-pod -- /bin/bash
  4. In your shell, display the environment variables:

    root@secret-envars-test-pod:/# printenv

    The output includes your username and password:

    ...
    SECRET_USERNAME=my-app
    ...
    SECRET_PASSWORD=39528$vdg7Jb
