How to explain Kubernetes Secrets in plain English

How to explain Kubernetes Secrets in plain English

What is a Kubernetes secret? How does this type of Kubernetes object increase security? How do you create a Kubernetes secret? What are some best practices? Experts break it down

251 readers like this

Kubernetes secrets best practices: 4 questions to ask

Korren also advises asking these questions to ensure the proper use of Secrets. (These may be particularly important to ask if you’re not running a commercial or managed Kubernetes platform, using a cloud provider’s Secrets management system, and/or using third-party security tools.)

1. How is the Secret kept inside of Kubernetes?

“Kubernetes uses its etcd database to store Secrets. Depending on how the system was configured, the etcd might not be encrypted, allowing the Secret to be retrieved from Kubernetes in Base64 format, which is easily reversible,” Korren says. (Duan also pointed out that Base64 is easily decoded.) “So access control to the Secret is important. For audit purposes, Kubernetes should log access to each Secret, but it doesn’t by default.”

2. How is the Secret handed over to the workload?

“The Secrets are encrypted inside the Kubernetes system, but when handed over to the workload, they could be in clear-text, especially if passed as an environment variable,” Korren says.

3. Can the Secret be exposed inadvertently?

“The workloads themselves could potentially expose passwords or keys in the log files or in debug information,” Korren says. “This is a common mistake that is also relevant outside Kubernetes.”

4. What is the operational impact of changing a Secret?

“Changing a Secret in the Secret store doesn’t automatically hand it over to the workloads. Workload pods need to be restarted to receive the new Secret.”

It’s kind of like that other kind of secret: If you go around sharing one with everyone, it’s not much of a secret, is it? Getting back to the Kubernetes context, access control is important, as is a bigger picture security strategy.

“While Kubernetes Secrets do help with protecting sensitive information, you still need to ensure you follow good security practices and be aware of who and what has access to a Secret,” Katz from Crunchy Data says.

[ Want to learn more about building cloud-native apps and containers? Get the whitepaper: Principles of container-based application design. ]


7 New CIO Rules of Road

CIOs: We welcome you to join the conversation

Related Topics

Submitted By Stephanie Overby
November 30, 2020

What is edge computing? How does it relate to cloud computing? We cut through the confusion and help you explain this term, even to non-technical audiences

Submitted By Jiani Zhang
November 30, 2020

Is your organization ready to fully embrace containers? Consider these best practices to ease the transition as you adopt containers at scale.

Submitted By Jennifer Gallego
November 30, 2020

Pandemic burnout is real. Consider these strategies to address remote work-related burdens and help working parents be the best employees — and best parents — they can be.


Email Capture

Keep up with the latest thoughts, strategies, and insights from CIOs & IT leaders.