Kubernetes Secrets objects
Overview
Kubernetes has a native object for holding sensitive data: the Secret.
A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in a container image. Using a Secret means that you don't need to include confidential data in your application code.
Caveats
Remember back when we configured our cluster and did the encryption-at-rest step? This is why. With encryption at rest configured, the API server encrypts Secret data before writing it to etcd, so a copy of the etcd data directory or an etcd backup does not expose the values in the clear; without it, Secrets sit in etcd as plain base64. You can check which situation you are in by reading a Secret's key straight out of etcd with etcdctl: an encrypted entry begins with a k8s:enc:<provider>:v1: prefix instead of readable data. Encryption at rest does not protect Secrets anywhere else, though. A manifest committed to Git carries the values merely base64-encoded, which is encoding, not encryption, and at runtime the API server decrypts transparently, so anyone with RBAC permission to get or list Secrets, anyone who can exec into a Pod that mounts one, and anyone with root on a node where one is mounted can read the plaintext.
Examples
A basic Secret looks like this:
apiVersion: v1
kind: Secret
metadata:
  name: my-secret-data
type: Opaque
data:
  a_random_key: ZmFpbGVkIHRvIHBhcnNlIGlucHV0
This is an Opaque Secret, the type for arbitrary user-defined data. Notice that the key name is plain text while the value under data is base64-encoded. That is only so the field can carry binary safely; it is not encryption, and base64 -d recovers the plaintext (here, "failed to parse input"). If you would rather write plain strings in the manifest, put them under stringData instead; the API server encodes them into data on write.
There are a number of built-in Secret types, each tied to a use case: kubernetes.io/tls, kubernetes.io/basic-auth, kubernetes.io/ssh-auth, kubernetes.io/dockerconfigjson, kubernetes.io/service-account-token and so on. The type is more than a label: the API server validates that a typed Secret carries the keys its use case requires (a kubernetes.io/tls Secret must have tls.crt and tls.key, a kubernetes.io/basic-auth Secret must have username and password) and rejects it otherwise.
A TLS secret would look like this:
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: who-cert
data:
  tls.crt: LS0tLS1CR...
  tls.key: LS0tLS1CR...
You can find details on the different types, and on how to work with them, in the Kubernetes documentation on Secrets.
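To make the two points above concrete (the value under data is base64, not ciphertext, and typed Secrets must carry their required keys), here is a small added example in Python. It is not code from the page or from the Kubernetes project: it builds Opaque and kubernetes.io/tls manifests with the same names as the examples above, decodes one back to plaintext the way anyone with read access could, and applies the same required-key check the API server performs. The required-key table, the sample values and the placeholder PEM blobs are constructed for the example.

```python
import base64
import json

# Keys the API server requires for these built-in Secret types.
# Constructed for this example from the documented Kubernetes rules.
REQUIRED_KEYS = {
    "Opaque": set(),
    "kubernetes.io/tls": {"tls.crt", "tls.key"},
    "kubernetes.io/basic-auth": {"username", "password"},
    "kubernetes.io/ssh-auth": {"ssh-privatekey"},
    "kubernetes.io/dockerconfigjson": {".dockerconfigjson"},
}


def missing_keys(secret_type: str, values: dict) -> set:
    """Return the keys a typed Secret needs but does not have (empty set if valid)."""
    return REQUIRED_KEYS.get(secret_type, set()) - set(values)


def b64(value: bytes) -> str:
    """Standard padded base64, which is how Kubernetes stores values in .data."""
    return base64.b64encode(value).decode("ascii")


def make_secret(name: str, values: dict, secret_type: str = "Opaque",
                namespace: str = "default") -> dict:
    """Build a Secret manifest with every value base64-encoded into .data.

    Raises ValueError when the type's required keys are absent, mirroring
    the validation the API server applies on admission.
    """
    missing = missing_keys(secret_type, values)
    if missing:
        raise ValueError(f"{secret_type} Secret is missing keys: {sorted(missing)}")
    encoded = {}
    for key, value in values.items():
        raw = value if isinstance(value, bytes) else value.encode("utf-8")
        encoded[key] = b64(raw)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": secret_type,
        "data": encoded,
    }


def decode_secret(manifest: dict) -> dict:
    """Recover the plaintext of every .data entry: base64 is encoding, not encryption."""
    return {k: base64.b64decode(v) for k, v in manifest.get("data", {}).items()}


def to_json(manifest: dict) -> str:
    """Serialize for `kubectl apply -f -`; JSON is an accepted manifest format."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    # Same Opaque Secret as the page's example; the value decodes to a readable string.
    opaque = make_secret("my-secret-data", {"a_random_key": "failed to parse input"})
    print(to_json(opaque))
    print("decoded:", decode_secret(opaque))

    # Placeholder PEM text, not a real certificate or key.
    tls = make_secret(
        "who-cert",
        {"tls.crt": b"-----BEGIN CERTIFICATE-----\n...",
         "tls.key": b"-----BEGIN PRIVATE KEY-----\n..."},
        secret_type="kubernetes.io/tls",
    )
    print(to_json(tls))

    # A TLS Secret without tls.key is rejected, as the API server would reject it.
    print("missing from half a TLS secret:",
          missing_keys("kubernetes.io/tls", {"tls.crt": b"..."}))
```

Against a live cluster the same decode is one line, which is exactly the caveat: kubectl get secret my-secret-data -o jsonpath='{.data.a_random_key}' | base64 -d prints the plaintext for anyone with get on Secrets in that namespace.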
Solving the shortcomings
Easy: keep the plaintext out of Kubernetes manifests and out of Git. We'll look at different tools for this in later sections, starting with SOPS (Secrets OPerationS, originally from Mozilla), which encrypts the secret values inside the files you commit, and then HashiCorp Vault, which holds the secrets outside the cluster entirely.