A Secret object in Kubernetes holds sensitive data such as a client secret, password, token or key.
Secrets provide a way to store this sensitive information separately from Pod definitions and container images.
Since Secret objects can be created independently of Pods, there is less risk of this information being exposed during the workflow of creating, viewing, and editing Pods.
By default, all Secrets are stored unencrypted in the API server's underlying data store (etcd).
Anyone with API access, or with direct access to etcd, can retrieve or modify a Secret.
Additionally, anyone who is authorized to create a Pod in a namespace can use that access to read any Secret in that namespace; this includes indirect access such as the ability to create a Deployment.
Therefore, the recommended steps for using Secrets safely are:
Enable encryption at rest for Secrets.
Enable or configure RBAC rules with least-privilege access to Secrets.
Restrict Secret access to the specific containers that need it.
Consider using external secret store providers (AWS Secrets Manager, Vault, etc.).
Secrets in Kubernetes are, at their most basic form, a collection of keys and values.
The above YAML, when applied, will create a Secret object named redis-credsyaml with two secret keys: username and password.
The values of username and password are base64-encoded. Base64 is an encoding, not an encryption: anyone who can read the object can decode the values. It is used so that the data field can carry values that are not purely alphanumeric, such as binary or non-ASCII data.
To create the Secret object shown above, run: kubectl apply -f redis-cred.yaml
To use these Secrets in a Pod, you can mount them as data volumes or expose them as environment variables to a container in the Pod.
Secret volume sources are validated to ensure that the specified object reference actually points to an object of type Secret. Therefore, a Secret needs to be created before any Pods that depend on it.
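The following is an added example, not code from the original post: a small POSIX shell script that builds a Secret manifest with base64-encoded values, builds a Pod spec that consumes selected keys as environment variables, and decodes a value back to show that base64 offers no confidentiality. The Secret name redis-creds, the key names and the sample password are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a Secret manifest with
# base64-encoded values, builds a Pod spec that consumes it through env vars,
# and decodes a value back to show that base64 is reversible, not encryption.
# The Secret name "redis-creds" and the keys are assumptions for illustration.

# base64 without line wrapping; portable across GNU and BSD base64
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Usage: make_secret_manifest NAME KEY=VALUE [KEY=VALUE ...]
make_secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# Pod that receives only the named keys as env vars (least exposure: no
# whole-Secret volume mount when a single key is all the container needs).
# Usage: make_pod_manifest POD_NAME SECRET_NAME KEY [KEY ...]
make_pod_manifest() {
  pod=$1; secret=$2; shift 2
  printf 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: %s\nspec:\n  containers:\n' "$pod"
  printf '  - name: redis\n    image: redis\n    env:\n'
  for key in "$@"; do
    envname=$(printf '%s' "REDIS_$key" | tr 'a-z' 'A-Z')
    printf '    - name: %s\n      valueFrom:\n        secretKeyRef:\n          name: %s\n          key: %s\n' \
      "$envname" "$secret" "$key"
  done
}

# Decode one key's value from a manifest: anyone who can read the Secret
# object (or etcd) can do this, which is why encryption at rest and RBAC matter.
# Usage: decode_secret_value MANIFEST KEY
decode_secret_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k ":" { print $2 }' | base64 -d
}

# Apply order matters: the Secret must exist before the Pod that references it.
# make_secret_manifest redis-creds username=redis 'password=s3cr3t!' | kubectl apply -f -
# make_pod_manifest redis redis-creds username password | kubectl apply -f -
```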
The example below creates a Redis Pod that uses the Secret created above as environment variables.