Kubernetes > Secrets
Reference:
https://kubernetes.io/docs/concepts/configuration/secret/
Secrets can be used for accessing the API server. They can be either built in or user defined.
Built in secrets are automatically created by Service Accounts to let objects such as Pods access the API server.
To view the list of secrets
[root@master cka]# kubectl get secrets
NAME TYPE DATA AGE
default-token-r4dvr kubernetes.io/service-account-token 3 2d
This secret was created by the default service account
To see this secret under the default service account configuration
[root@master cka]# kubectl get sa
NAME SECRETS AGE
default 1 2d
[root@master cka]# kubectl get sa/default -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2019-04-01T12:59:08Z"
  name: default
  namespace: default
  resourceVersion: "396"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: efca8017-547d-11e9-a3f2-5668a099244e
secrets:
- name: default-token-r4dvr
To view the token associated with this secret
[root@master cka]# kubectl describe secret/default-token-r4dvr
Name: default-token-r4dvr
Namespace: default
Labels:
Annotations: kubernetes.io/service-account.name: default
kubernetes.io/service-account.uid: efca8017-547d-11e9-a3f2-5668a099244e
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tcjRkdnIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImVmY2E4MDE3LTU0N2QtMTFlOS1hM2YyLTU2NjhhMDk5MjQ0ZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.Nw1Yt7Zai8cSQE_8ETxqQ_-q05LWFzY9GId0xjKlBcD-fhb5NjA4wwWoZgOM_W7WMYiDGklZplpN9y3UiyF9iaS7F4TwoJHGkd5y4xRX7t-Ymx8YF1V_FWJGuvDMBM1bi0qWQ7MGZMDjYAZrrS1-tOX9aeBw73lrUw4vMfOqOKKHuiXuLrSMYO3485QaFMVFz773RnhplgflzhtKI4D74EgPfcPoakILSDFpf1vOwn_iudH-Kn9mw-YaHbc6zk2ximrFlvDu4-3oNjC0JobWv4NIHfIkMMFYkOCJhl6fEU7EL7eWXQe8YEr24GO7uhXZf5V-fGaCKPowCdMRANbJAg
User defined secrets can be created using files or command line input
Using files
[root@master cka]# echo "admin" > username.txt
[root@master cka]# echo "p@sswd" > password.txt
[root@master cka]# kubectl create secret generic test-secret-1 --from-file=./username.txt --from-file=./password.txt
secret/test-secret-1 created
[root@master cka]# kubectl get secrets
NAME TYPE DATA AGE
default-token-r4dvr kubernetes.io/service-account-token 3 2d1h
test-secret-1 Opaque 2 7s
Using cli
[root@master cka]# kubectl create secret generic test-secret-2 --from-literal=username=admin --from-literal=password=p@ssword
secret/test-secret-2 created
[root@master cka]# kubectl get secrets/test-secret-2
NAME TYPE DATA AGE
test-secret-2 Opaque 2 13s
[root@master cka]#
Note: if the password (only with the --from-literal method) contains the special characters /, *, !, or $, an additional escape character has to be included before each such character, like //, /*, /!, /$ respectively.
Let’s define and create a secret using yaml
[root@master cka]# cat ex9.yml
---
apiVersion: v1
kind: Secret
metadata:
  name: secret9
  namespace: default
type: Opaque
stringData:
  username: admin
  password: p@ssword
...
[root@master cka]# kubectl create -f ex9.yml
secret/secret9 created
[root@master cka]# kubectl get secret/secret9
NAME TYPE DATA AGE
secret9 Opaque 2 20s
Above, we defined the credentials in clear text form (stringData). We can also define them in base64 form (data) as follows
root@task-pv-pod:/# echo -n "admin" | base64 #-n is used to avoid trailing newline
YWRtaW4=
[root@master cka]# echo "p@ssword" | base64
cEBzc3dvcmQK
[root@master cka]# cat ex9~.yml
---
apiVersion: v1
kind: Secret
metadata:
  name: secret9-2
  namespace: default
type: Opaque
data:
  username: YWRtaW4K
  password: cEBzc3dvcmQK
...
[root@master cka]# kubectl create -f ex9~.yml
secret/secret9-2 created
[root@master cka]# kubectl get secret/secret9-2
NAME TYPE DATA AGE
secret9-2 Opaque 2 29s
We can decode the base64 string back to clear text as follows
[root@master cka]# echo cEBzc3dvcmQK | base64 --decode
p@ssword
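The values in ex9~.yml end in K because echo without -n appended a newline before encoding, so the stored username is "admin" plus a newline; base64 is only an encoding, and anyone who can read the Secret can decode it. The following added example (not part of the original post; the function names are hypothetical) encodes without the newline and lists the data: keys whose decoded value ends in one, using the ex9~.yml values as constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Encode a value for a Secret's data: field without a trailing newline.
# printf '%s' never appends one, unlike plain echo.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Succeed (exit 0) if the base64 value decodes to bytes ending in 0x0a.
# od is used because $(...) would strip the newline we are looking for.
decodes_with_newline() {
    last=$(printf '%s' "$1" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Read a Secret manifest on stdin and print every key under data: whose
# decoded value ends in a newline. Handles the flat "key: value" layout
# used on this page, not arbitrary YAML.
audit_secret_manifest() {
    awk '
        /^data:[ \t]*$/    { in_data = 1; next }
        /^[^ \t]/          { in_data = 0 }
        in_data && NF == 2 { sub(/:$/, "", $1); print $1, $2 }
    ' | while read -r key value; do
        if decodes_with_newline "$value"; then
            echo "$key"
        fi
    done
}

# Constructed sample input: the manifest shown as ex9~.yml above.
sample_manifest() {
    cat <<'EOF'
---
apiVersion: v1
kind: Secret
metadata:
  name: secret9-2
  namespace: default
type: Opaque
data:
  username: YWRtaW4K
  password: cEBzc3dvcmQK
...
EOF
}

sample_manifest | audit_secret_manifest
```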
Clean up
[root@master cka]# kubectl delete secrets --all
secret "default-token-r4dvr" deleted
secret "secret9" deleted
secret "secret9-2" deleted
secret "test-secret-1" deleted
secret "test-secret-2" deleted
The default token secret is recreated automatically by the service account, even if it is deleted
[root@master cka]# kubectl get secrets
NAME TYPE DATA AGE
default-token-5qg8g kubernetes.io/service-account-token 3 8s