How to explain Kubernetes Secrets in plain English

How to explain Kubernetes Secrets in plain English

What is a Kubernetes secret? How does this type of Kubernetes object increase security? How do you create a Kubernetes secret? What are some best practices? Experts break it down

130 readers like this

Kubernetes secrets best practices: 4 questions to ask

Korren also advises asking these questions to ensure the proper use of Secrets. (These may be particularly important to ask if you’re not running a commercial or managed Kubernetes platform, using a cloud provider’s Secrets management system, and/or using third-party security tools.)

1. How is the Secret kept inside of Kubernetes?

“Kubernetes uses its etcd database to store Secrets. Depending on how the system was configured, the etcd might not be encrypted, allowing the Secret to be retrieved from Kubernetes in Base64 format, which is easily reversible,” Korren says. (Duan also pointed out that Base64 is easily decoded.) “So access control to the Secret is important. For audit purposes, Kubernetes should log access to each Secret, but it doesn’t by default.”

2. How is the Secret handed over to the workload?

“The Secrets are encrypted inside the Kubernetes system, but when handed over to the workload, they could be in clear-text, especially if passed as an environment variable,” Korren says.

3. Can the Secret be exposed inadvertently?

“The workloads themselves could potentially expose passwords or keys in the log files or in debug information,” Korren says. “This is a common mistake that is also relevant outside Kubernetes.”

4. What is the operational impact of changing a Secret?

“Changing a Secret in the Secret store doesn’t automatically hand it over to the workloads. Workload pods need to be restarted to receive the new Secret.”

It’s kind of like that other kind of secret: If you go around sharing one with everyone, it’s not much of a secret, is it? Getting back to the Kubernetes context, access control is important, as is a bigger picture security strategy.

“While Kubernetes Secrets do help with protecting sensitive information, you still need to ensure you follow good security practices and be aware of who and what has access to a Secret,” Katz from Crunchy Data says.

[ Want to learn more about building cloud-native apps and containers? Get the whitepaper: Principles of container-based application design. ]


7 New CIO Rules of Road

CIOs: We welcome you to join the conversation

Related Topics

Submitted By Enterprisers Project
April 03, 2020

Kubernetes helps orchestrate and automate tasks associated with containers - an essential need as you scale. Here's a deep dive for IT leaders on what Kubernetes can do, key terms, best practices, trends for 2020, and more.

Submitted By Ginny Hamilton
April 03, 2020

Tackling a large technical migration is never easy, especially with added pressure of a newly-remote workforce. ATW Head of IT Rose Manjarres shares her team's recent win. 

Submitted By Chris Fielding
April 03, 2020

Don’t let these common misconceptions about master data management (MDM) derail your digital transformation efforts, writes Sungard AS CIO.


Email Capture

Keep up with the latest thoughts, strategies, and insights from CIOs & IT leaders.