Kubernetes Secret

A Kubernetes Secret is an API object for storing sensitive data (passwords, tokens, keys, certificates) separately from application code, so that this data can be managed and access-controlled on its own. A Secret can be mounted into a pod as a volume: each key in the Secret becomes a file in the mount directory, and the file's content is the decoded (plain-text) secret value.

For example, if you have a Secret named “my-secret” with a key called “password,” you can mount it in a pod like this:

apiVersion: v1
kind: Pod
metadata:
  name: secret-volume-pod
spec:
  containers:
  - name: my-container
    image: busybox
    command: ["cat", "/etc/secret/password"]
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/secret
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: my-secret

In this setup, the file /etc/secret/password will contain the secret’s decoded data. This approach lets you securely provide secrets to your applications without embedding them in images or pod specs directly.


By default, Kubernetes stores Secrets unencrypted in etcd: the base64 encoding of the `data` field is an encoding, not encryption, and anyone who can read etcd or the API object can recover the plain text. You can configure the API server to encrypt Secrets at rest for added protection. In addition, Kubernetes uses RBAC and namespace isolation to control access, so only authorized users and pods can read or modify a Secret.
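Encryption at rest is enabled by pointing kube-apiserver at an `EncryptionConfiguration` file, in which the first listed provider is the one used for new writes and the remaining providers are only tried when reading. The following added example (not from the original post) generates such a configuration for the `secrets` resource with a fresh AES-256 key and an `identity` fallback for reading objects written before encryption was enabled, and audits a configuration for the two mistakes that silently leave Secrets in plain text: `identity` listed first, and a provider key of the wrong length. The key name `key1` and the findings wording are this example's own choices.

```python
import base64
import json
import secrets

ENCRYPTED_RESOURCES = ["secrets"]
AES_KEY_SIZES = {16, 24, 32}          # AES-128/192/256 for aescbc and aesgcm
SECRETBOX_KEY_SIZE = 32               # XSalsa20-Poly1305 key size
KEYED_PROVIDERS = {"aescbc", "aesgcm", "secretbox"}


def new_aes_key(size: int = 32) -> str:
    """Return a random AES key, base64-encoded as the config file expects."""
    if size not in AES_KEY_SIZES:
        raise ValueError(f"AES key must be one of {sorted(AES_KEY_SIZES)} bytes")
    return base64.b64encode(secrets.token_bytes(size)).decode()


def build_encryption_config(key_b64: str, key_name: str = "key1") -> dict:
    """Build an apiserver.config.k8s.io/v1 EncryptionConfiguration as a dict.

    aescbc first means new writes are encrypted; identity last lets the API
    server still read Secrets written before encryption was turned on (they
    get re-encrypted when rewritten, e.g. by `kubectl get secrets -A -o json |
    kubectl replace -f -`).
    """
    return {
        "apiVersion": "apiserver.config.k8s.io/v1",
        "kind": "EncryptionConfiguration",
        "resources": [
            {
                "resources": list(ENCRYPTED_RESOURCES),
                "providers": [
                    {"aescbc": {"keys": [{"name": key_name, "secret": key_b64}]}},
                    {"identity": {}},
                ],
            }
        ],
    }


def audit_encryption_config(config: dict) -> list[str]:
    """Return human-readable findings; an empty list means no problem found."""
    findings: list[str] = []
    for entry in config.get("resources", []):
        names = ",".join(entry.get("resources", [])) or "<none>"
        providers = entry.get("providers", [])
        if not providers:
            findings.append(f"{names}: no providers configured")
            continue
        # The first provider is the one used to encrypt new writes.
        first_name = next(iter(providers[0]))
        if first_name == "identity":
            findings.append(f"{names}: first provider is identity, new writes are stored in plain text")
        for provider in providers:
            pname, spec = next(iter(provider.items()))
            if pname not in KEYED_PROVIDERS:
                continue
            for key in spec.get("keys", []):
                try:
                    raw = base64.b64decode(key["secret"], validate=True)
                except (KeyError, ValueError):
                    findings.append(f"{names}: {pname} key {key.get('name')!r} is not valid base64")
                    continue
                ok = len(raw) == SECRETBOX_KEY_SIZE if pname == "secretbox" else len(raw) in AES_KEY_SIZES
                if not ok:
                    findings.append(f"{names}: {pname} key {key.get('name')!r} has invalid length {len(raw)}")
    return findings


if __name__ == "__main__":
    config = build_encryption_config(new_aes_key())
    # JSON is valid YAML, so this output can be passed directly via
    # --encryption-provider-config; keep the file readable only by the API server.
    print(json.dumps(config, indent=2))
    print("findings:", audit_encryption_config(config))
```

The audit function is the part worth keeping around: run it against the file actually mounted into the control plane, because the failure mode is not an error message but Secrets that look encrypted in the manifest and are plain text in etcd.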
