[Kubernetes] – How to create a Secret with base64-encoded values? Is it safe to store confidential info?


The following example shows how to create a Secret with base64-encoded values. In this example, the values stored in the Secret are a username and a password.

  • Let’s first encode the string values.

$ echo -n "camilamacedo86" | base64
Y2FtaWxhbWFjZWRvODY=

$ echo -n "test-pwd" | base64
dGVzdC1wd2Q=

  • Now, let’s create the Secret from the following manifest ($ vim secret-base64.yaml).

apiVersion: v1
kind: Secret
metadata:
  name: user-pass-test
type: Opaque
data:
  username: Y2FtaWxhbWFjZWRvODY=
  password: dGVzdC1wd2Q=

  • The following command will apply the Secret.

$ kubectl apply -f secret-base64.yaml

  • Then, let’s check it.

$ kubectl get secret | grep user
user-pass-test                    Opaque                                2      92s
$ kubectl describe secret/user-pass-test
Name:         user-pass-test
Namespace:    default
Labels:       
Annotations:
Type:         Opaque

  Data
  ====
password:  8 bytes
username:  14 bytes

NOTE: You can use the command kubectl get secret/user-pass-test --output yaml to print the Secret in YAML format and, if you wish, redirect it to a file by appending > name.yaml at the end.

Is it safe? Should confidential data be stored this way?

Although Secrets are the most appropriate resource for storing passwords, you need to be aware that base64 is an encoding, not encryption: the original value can be recovered trivially, as the following example shows.

$ echo dGVzdC1wd2Q= | base64 --decode
test-pwd
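The encode, create and decode steps above, as an added shell example that is not part of the original post: it builds the same Secret manifest from the plain-text values (the values match the post; the helper names make_secret_manifest, b64, unb64 and decode_data_field are my own) and then pulls a data field back out of the manifest and decodes it, which is all that anyone who can read the Secret object (for example with kubectl get secret -o yaml) needs to do to recover the password.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows that the "data"
# fields of a Secret are plain base64 and round-trip back to clear text.

# b64 STRING: encode without a trailing newline (same as `echo -n ... | base64`)
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# unb64 BASE64: decode back to the original clear text
unb64() {
  printf '%s' "$1" | base64 --decode
}

# make_secret_manifest NAME USERNAME PASSWORD: print an Opaque Secret manifest
# equivalent to the secret-base64.yaml written by hand in the post.
make_secret_manifest() {
  name=$1; user=$2; pass=$3
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  username: %s\n  password: %s\n' \
    "$name" "$(b64 "$user")" "$(b64 "$pass")"
}

# decode_data_field MANIFEST KEY: extract one data field from the manifest text
# and decode it. Read access to the Secret object is the only thing required.
decode_data_field() {
  manifest=$1; key=$2
  value=$(printf '%s\n' "$manifest" | sed -n "s/^  $key: //p")
  unb64 "$value"
}

# Constructed values, identical to the ones used in the post.
manifest=$(make_secret_manifest user-pass-test camilamacedo86 test-pwd)

echo "--- manifest (redirect to secret-base64.yaml and kubectl apply -f it) ---"
printf '%s\n' "$manifest"
echo "--- what the encoded data fields really contain ---"
echo "username: $(decode_data_field "$manifest" username)"
echo "password: $(decode_data_field "$manifest" password)"
```

The point of the round trip is that the manifest, the etcd record (unless encryption at rest is configured) and the output of kubectl get secret -o yaml all carry the same recoverable value, so base64 protects nothing; access to the Secret object itself is what has to be restricted.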

Also, if the Secret is injected through ENVIRONMENT variables, its values can be read from the virtual filesystem /proc by users who perhaps should not have access to them, as the following example shows.

Pod with secret via env

apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
  restartPolicy: Never

Then, find the PID of the pod's container that is using the Secret.

$ docker ps | grep secret-env-pod
$ docker top <CONTAINER ID>

Then see that this information can be read with:

$ sudo cat /proc/<PID>/environ

So the best approach to keep this data safe is to encrypt it.

How to encrypt Secret Data?

A few possibilities that can be used to do this follow.

NOTE: See the Kubernetes Secret documentation to better understand how it works. Also, feel free to check related posts by searching for the Kubernetes tag on this website.
