This page shows how to securely inject sensitive data, such as passwords and encryption keys, into Pods.
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:
To check the version, enter kubectl version
.
Suppose you want to have two pieces of secret data: a username my-app
and a password
39528$vdg7Jb
. First, use Base64 encoding to
convert your username and password to a base-64 representation. Here’s a Linux
example:
echo -n 'my-app' | base64
echo -n '39528$vdg7Jb' | base64
The output shows that the base-64 representation of your username is bXktYXBw
,
and the base-64 representation of your password is Mzk1MjgkdmRnN0pi
.
Here is a configuration file you can use to create a Secret that holds your username and password:
secret.yaml
|
---|
|
Create the Secret
kubectl create -f https://k8s.io/docs/tasks/inject-data-application/secret.yaml
Note: If you want to skip the Base64 encoding step, you can create a Secret
by using the kubectl create secret
command:
kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb'
View information about the Secret:
kubectl get secret test-secret
Output:
NAME TYPE DATA AGE
test-secret Opaque 2 1m
View more detailed information about the Secret:
kubectl describe secret test-secret
Output:
Name: test-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password: 13 bytes
username: 7 bytes
Here is a configuration file you can use to create a Pod:
secret-pod.yaml
|
---|
|
Create the Pod:
kubectl create -f https://k8s.io/docs/tasks/inject-data-application/secret-pod.yaml
Verify that your Pod is running:
kubectl get pod secret-test-pod
Output:
NAME READY STATUS RESTARTS AGE
secret-test-pod 1/1 Running 0 42m
Get a shell into the Container that is running in your Pod:
kubectl exec -it secret-test-pod -- /bin/bash
The secret data is exposed to the Container through a Volume mounted under
/etc/secret-volume
. In your shell, go to the directory where the secret data
is exposed:
root@secret-test-pod:/# cd /etc/secret-volume
In your shell, list the files in the /etc/secret-volume
directory:
root@secret-test-pod:/etc/secret-volume# ls
The output shows two files, one for each piece of secret data:
password username
In your shell, display the contents of the username
and password
files:
root@secret-test-pod:/etc/secret-volume# cat username; echo; cat password; echo
The output is your username and password:
my-app
39528$vdg7Jb
Here is a configuration file you can use to create a Pod:
secret-envars-pod.yaml
|
---|
|
Create the Pod:
kubectl create -f https://k8s.io/docs/tasks/inject-data-application/secret-envars-pod.yaml
Verify that your Pod is running:
kubectl get pod secret-envars-test-pod
Output:
NAME READY STATUS RESTARTS AGE
secret-envars-test-pod 1/1 Running 0 4m
Get a shell into the Container that is running in your Pod:
kubectl exec -it secret-envars-test-pod -- /bin/bash
In your shell, display the environment variables:
root@secret-envars-test-pod:/# printenv
The output includes your username and password:
...
SECRET_USERNAME=my-app
...
SECRET_PASSWORD=39528$vdg7Jb