The following example shows how to create a Secret whose values are base64-encoded. In this example, the values in the Secret will be a username and a password.
- Let's first encode the string values.

```
$ echo -n "camilamacedo86" | base64
$ echo -n "test-pwd" | base64
```
- Now, let's create the Secret manifest, for example in a file named secret-base64.yaml:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: user-pass-test
type: Opaque
data:
  username: Y2FtaWxhbWFjZWRvODY=
  password: dGVzdC1wd2Q=
```
- The following command will apply the Secret.

```
$ kubectl apply -f secret-base64.yaml
```
- Then, let's check it.

```
$ kubectl get secret | grep user
user-pass-test   Opaque   2   92s

$ kubectl describe secret/user-pass-test
Name:         user-pass-test
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  8 bytes
username:  14 bytes
```
NOTE: You can use the command `kubectl get secret/user-pass-test --output yaml` to print the content in YAML format, and redirect it to a file if you wish by appending `> name.yaml`.
Is it safe? Should confidential data be stored in this way?
Although Secrets are the most appropriate resource for storing passwords, you need to be aware that base64 is an encoding, not encryption: the original value can be recovered trivially, as the following example shows.

```
$ echo `echo dGVzdC1wd2Q= | base64 --decode`
test-pwd
```
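The whole procedure above, and the point that it offers no confidentiality, as an added example that is not part of the original post: a small POSIX shell script builds the same Secret manifest from plaintext values and then decodes every entry of its `data:` section again without any cluster access. The Secret name and values (user-pass-test, camilamacedo86, test-pwd) are the post's; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: build the Secret manifest from
# plaintext values, then recover the values again, to show that base64 is a
# reversible encoding rather than encryption. Names and values are the post's.

# Encode one value as the post does with "echo -n ... | base64". printf is
# used instead of "echo -n" because dash's echo does not understand -n; tr
# removes the line wrapping GNU base64 adds to long input.
encode_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a base64 value from a Secret's data section back to plaintext.
decode_value() {
    printf '%s' "$1" | base64 -d
}

# Render an Opaque Secret manifest. Arguments: name, username, password.
make_secret_manifest() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  username: $(encode_value "$2")
  password: $(encode_value "$3")
EOF
}

# Read a manifest on stdin and print every entry under data: as key=plaintext.
# Assumes the two-space layout produced above (the same layout kubectl emits
# with --output yaml); the sed range stops at the next top-level key.
decode_manifest_data() {
    sed -n '/^data:/,/^[A-Za-z]/p' | grep '^  [A-Za-z0-9_.-]*: ' | while IFS= read -r line; do
        key=${line%%:*}
        key=${key#  }
        val=${line#*: }
        printf '%s=%s\n' "$key" "$(decode_value "$val")"
    done
}

# Demonstration: the manifest kubectl would apply, then its decoded contents.
manifest=$(make_secret_manifest user-pass-test camilamacedo86 test-pwd)
printf '%s\n' "$manifest"
echo '--- decoded from the manifest alone, no cluster access needed ---'
printf '%s\n' "$manifest" | decode_manifest_data
```

Anyone who can read the manifest, a Git repository it was committed to, or the output of `kubectl get secret -o yaml` can run `decode_manifest_data` on it; that is why access to Secret objects should be restricted with RBAC and why the data should be encrypted at rest, as discussed below.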
Also, if a Secret is injected through environment variables, its values can be read from the /proc virtual filesystem by users who should perhaps not have access to them, as the following example shows.
Pod with secret via env
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
  restartPolicy: Never
```
Then, find the PID of the container process that uses the Secret.

```
$ docker ps | grep
$ docker top <CONTAINER ID>
```

With that PID, the whole environment of the process, secret values included, can be read from:

```
$ sudo cat /proc/<PID>/environ
```
Therefore, the best way to keep this data safe is to encrypt it.
How to encrypt Secret Data?
A few options that can be used to do so:
- By Using a KMS provider for data encryption
- By Encrypting Secret Data at Rest
- By Using “Sealed Secrets” for Kubernetes
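The second option, encrypting Secret data at rest, as an added example that is not part of the original post: the script generates a 32-byte AES key and renders the EncryptionConfiguration that kube-apiserver reads through its `--encryption-provider-config` flag, then checks the provider order, because the first provider listed is the one used for writes and listing `identity` first would leave new Secrets stored in plaintext. The key name, file handling and function names are assumptions for the demo; the configuration file contains the key and must be protected accordingly.

```shell
#!/bin/sh
# Added example, not from the original post: generate an EncryptionConfiguration
# for encrypting Secret data at rest with the aescbc provider and verify that
# the provider order actually results in encrypted writes. Key name and helper
# names are assumptions for the demo.

# Generate a fresh 32-byte AES key, base64-encoded as the API server expects.
new_aescbc_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Render the config. Arguments: key name, base64 key.
# The first provider is used for writes; later providers are only tried for
# reads. "identity" last keeps previously unencrypted objects readable while
# they are rewritten, and must never come first.
make_encryption_config() {
    cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: $1
              secret: $2
      - identity: {}
EOF
}

# Print the name of the first provider under providers: (config on stdin).
first_provider() {
    sed -n '/^    providers:/,$p' | sed -n '/^      - /{p;q;}' | sed 's/^      - //; s/:.*//'
}

# Return 0 if new Secrets will be written encrypted, 1 if the first provider
# is identity (plaintext writes), which is the misconfiguration to catch.
writes_are_encrypted() {
    [ "$(first_provider)" != "identity" ]
}

# Demonstration: render a config and check it.
cfg=$(make_encryption_config key1 "$(new_aescbc_key)")
printf '%s\n' "$cfg"
if printf '%s\n' "$cfg" | writes_are_encrypted; then
    echo "ok: first provider is $(printf '%s\n' "$cfg" | first_provider); new Secrets are written encrypted"
else
    echo 'misconfigured: identity is the first provider, Secrets would be stored in plaintext'
fi
```

After enabling the configuration, existing Secrets are only encrypted once they are rewritten, so a full rewrite (for example `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`) is needed, and the same script can be pointed at a production config file (`first_provider < config.yaml`) as a quick audit.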
NOTE: See the Kubernetes Secret documentation to understand how it works in more detail. Also, feel free to check related posts by searching for the Kubernetes tag on this website.