...

Hands-On with Secrets

Get introduced to Kubernetes Secrets.

We'll cover the following...

Are Kubernetes Secrets secure?
Creating Secrets
Using Secrets in Pods
Clean up

Secrets are almost identical to ConfigMaps — they hold application configuration data that Kubernetes injects into containers at runtime. However, Secrets are designed to hold sensitive data such as passwords, certificates, and OAuth tokens.

Are Kubernetes Secrets secure?

The quick answer to this question is no. But here’s the slightly longer answer…

Despite being designed for sensitive data, Kubernetes does not encrypt Secrets in the cluster store. It only obscures them as base-64 encoded values, which anyone can decode without a key. Fortunately, most service meshes encrypt network traffic, and we can configure encryption-at-rest with EncryptionConfiguration objects. However, many people use tools such as HashiCorp’s Vault for a more complete and secure secrets management solution.

We’ll focus on the basic secrets management functionality provided natively by Kubernetes as it’s still useful if augmented with third-party tools.

A typical secrets workflow looks like this:

We create the Secret and it gets persisted to the cluster store as an un-encrypted object. ...

Kubernetes Primer

Kubernetes Principles of Operation

Getting Kubernetes

Working With Pods: Theory

Working with Pods: Hands-On

Virtual Clusters with Namespaces

Kubernetes Deployments

Kubernetes Services: Theory

Kubernetes Services: Hands-On

Ingress

WebAssembly on Kubernetes

Service Discovery: Deep Dive

Kubernetes Storage

ConfigMaps

StatefulSets

API Security and RBAC

Kubernetes API

Threat Modeling Kubernetes

Real-World Kubernetes Security

Conclusion

Hands-On with Secrets

Are Kubernetes Secrets secure?