Secrets

A Secret in Kubernetes is an object that contains a small amount of sensitive data such as a password, a token, or a key. With Secrets, you can avoid including sensitive or confidential data in your application code. (Yep: Secrets are similar to ConfigMaps, but are specifically intended to hold confidential data.)

Stuff you wanna know:

  1. Secrets can be created independently of the Pods that use them.
  2. Secrets are, by default, stored unencrypted in the API server’s underlying data store (etcd).
  3. Secrets can be used by a Pod as files in a volume mounted on one or more of its containers, or as a container environment variable.
  4. Secrets can be used by the kubelet when pulling images for the pod.
  5. The Kubernetes control plane can also use Secrets; for example, bootstrap token Secrets are a mechanism to help automate node registration.
  6. The name of a Secret object must be a valid DNS subdomain name.
  7. Individual Secrets are limited to 1 MiB in size.
  8. Secrets can be mounted as data volumes or exposed as environment variables to be used by a container in a Pod.
  9. Secrets can hold credentials that other parts of the system should use to interact with external systems on your behalf.
  10. A Secret needs to be created before any Pods that depend on it.
  11. When you define a container environment variable based on a Secret, you can mark it as optional. The default is for the Secret to be required.
  12. If you want to access data from a Secret in a Pod, one way to do that is to have Kubernetes make the value of that Secret be available as a file inside the filesystem of one or more of the Pod’s containers.
  13. Multiple Pods can reference the same Secret.
  14. You can create a Secret using the kubectl command, from config files, or using kustomize.
  15. Secrets can be edited using kubectl.
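
The manifest below is an added example, not from the original page, that ties together several of the points above: a Secret created on its own, a Pod that consumes it both as files in a mounted volume and as environment variables, and an environment variable marked `optional` so the Pod still starts if that second Secret is absent. The names (`db-credentials`, `optional-token`, `app`, the image) and the credential values are assumed placeholders.

```yaml
# Added example (not from the original page). Names and values are constructed.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials          # must be a valid DNS subdomain name
type: Opaque
stringData:                     # plain text here; the API server stores it base64-encoded under .data
  username: appuser
  password: example-password    # constructed placeholder, not a real credential
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: app
      image: example.com/app:1.0   # assumed image name
      env:
        # Required: the Pod will not start until db-credentials exists.
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: username
        # Optional: if the Secret or key is missing, the variable is simply unset.
        - name: FEATURE_TOKEN
          valueFrom:
            secretKeyRef:
              name: optional-token     # assumed name; may not exist
              key: token
              optional: true
      volumeMounts:
        - name: db-creds
          mountPath: /etc/db            # files appear as /etc/db/username and /etc/db/password
          readOnly: true
  volumes:
    - name: db-creds
      secret:
        secretName: db-credentials
        defaultMode: 0400               # owner-read-only files inside the container
```

Applying the file with `kubectl apply -f` creates the Secret before the Pod because it appears first in the document, which satisfies the ordering rule in item 10; the same Secret could equally be created with `kubectl create secret generic db-credentials --from-literal=username=appuser --from-literal=password=...` (item 14). Note that `stringData` and `data` are only encodings, not encryption: anyone who can `kubectl get secret -o yaml` in that namespace can read the values, so namespace RBAC on Secrets, and encryption at rest for etcd, are what actually protect them (item 2).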

More stuff: