A Secret in Kubernetes is an object that holds a small amount of sensitive data such as a password, a token, or a key. With Secrets you can keep sensitive or confidential data out of your application code and out of your Pod specs. (Yep, Secrets are similar to ConfigMaps, but they are specifically intended to hold confidential data, and tooling treats them a bit more carefully: kubectl describe, for example, shows only the key names and sizes, not the values.)
Stuff you wanna know:
- Secrets can be created independently of the Pods that use them.
- Secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). The base64 you see in a Secret manifest is an encoding, not encryption: anyone who can read etcd, an etcd backup, or who has RBAC permission to get or list Secrets through the API can read the values in the clear. Turn on encryption at rest and keep get/list/watch on Secrets to the few identities that really need it.
- Secrets can be consumed by a Pod as files in a volume mounted into one or more of its containers, or as container environment variables. Prefer the volume: environment variables tend to leak into crash dumps, child processes, and anything that logs its environment, and they are never refreshed after the container starts.
- Secrets can be used by the kubelet when pulling images for a Pod (imagePullSecrets referencing a registry-credential Secret).
- The Kubernetes control plane can also use Secrets; for example, bootstrap token Secrets are a mechanism to help automate node registration.
- The name of a Secret object must be a valid DNS subdomain name: lowercase alphanumerics, '-' and '.', starting and ending with an alphanumeric, at most 253 characters.
- Individual Secrets are limited to 1 MiB in size (the whole object). The limit is there to stop very large Secrets from exhausting API server and kubelet memory.
- Secrets can hold credentials that other parts of the system should use to interact with external systems on your behalf.
- A Secret needs to exist before any Pod that requires it can start; until it does, the kubelet keeps retrying and the container stays stuck (ContainerCreating for a missing volume Secret, CreateContainerConfigError for a missing env var Secret).
- When you define a container environment variable (or a volume) based on a Secret, you can mark it as optional. The default is for the Secret to be required, and a missing required Secret keeps the container from starting.
- If you want to access data from a Secret in a Pod, one way is to have Kubernetes expose the Secret's values as files inside the filesystem of one or more of the Pod's containers. Secret volumes are backed by tmpfs, so the values never touch the node's disk, and the files are updated when the Secret changes (after a delay of roughly the kubelet sync period plus cache propagation). Env vars and subPath mounts do not get updates, and neither do volumes from a Secret marked immutable.
- Multiple Pods can reference the same Secret.
- You can create a Secret using the kubectl command (kubectl create secret generic, docker-registry, or tls), from a manifest, or using kustomize's secretGenerator.
- Secrets can be edited using kubectl (kubectl edit secret); remember that the values under data: are base64-encoded, so encode before pasting or use stringData: instead.
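Pulling the list above together, here is an added example (mine, not something from the page or from the Kubernetes docs) of a Secret and a Pod that consumes it every way the list mentions: as a required env var, as an optional env var, as a read-only volume with tightened file modes, and as a pull secret for the kubelet. All names (db-creds, feature-flags, registry-creds, the image, the password) are made up for the example.

```yaml
# Added example, not from the original page. Names and values are constructed.
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
  namespace: default
type: Opaque
# stringData takes plain values; the API server base64-encodes them into .data on write.
# base64 is an encoding, not encryption: whoever can read the object reads the password.
stringData:
  username: app
  password: s3cr3t-pa55w0rd        # constructed sample value
immutable: true                    # no in-place edits; rotate by delete + recreate, and the kubelet stops watching it
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  imagePullSecrets:
    - name: registry-creds         # a kubernetes.io/dockerconfigjson Secret the kubelet uses when pulling the image
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000                  # Secret volume files become group-owned by 1000, so 0440 below is readable by the app
  containers:
    - name: app
      image: registry.example.com/app:1.0   # hypothetical image
      env:
        # Required reference: if db-creds or the key is missing the container never starts
        # (CreateContainerConfigError) and the kubelet keeps retrying.
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: db-creds
              key: username
        # Optional reference: the Pod starts even if the Secret or key does not exist;
        # the variable is simply left unset.
        - name: FEATURE_FLAG_TOKEN
          valueFrom:
            secretKeyRef:
              name: feature-flags
              key: token
              optional: true
      volumeMounts:
        - name: db-creds
          mountPath: /etc/db-creds
          readOnly: true
  volumes:
    - name: db-creds
      secret:
        secretName: db-creds
        defaultMode: 0440          # default is 0644; keep "other" from reading the files
        items:                     # project only the key the app needs, as /etc/db-creds/password
          - key: password
            path: password
```

The password deliberately goes in through the file and only the username through the environment: the file lives on tmpfs inside the container, while an env var is inherited by every child process and shows up in core dumps and in anything that prints its environment on error. If you drop the immutable: true line, the mounted file will be refreshed when the Secret is rotated; the env var never will be, so the Pod still needs a restart to pick up a new username.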
More stuff:
- Kubernetes documentation on Secrets — https://kubernetes.io/docs/concepts/configuration/secret/
- Encrypting Secret data — https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
- Information security for Secrets — https://kubernetes.io/docs/concepts/configuration/secret/#information-security-for-secrets
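The encryption-at-rest link above is the fix for the "stored unencrypted in etcd" point, so here is an added example (mine, not from the page or the Kubernetes docs) of the EncryptionConfiguration file the kube-apiserver reads via its --encryption-provider-config flag. The key below is the base64 of the constructed string 0123456789abcdef0123456789abcdef and exists only so the file is complete; generate a real one with head -c 32 /dev/urandom | base64 and never commit it.

```yaml
# Added example, not from the original page. Load it with:
#   kube-apiserver ... --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
# and keep the file readable by the apiserver process only; whoever reads it reads every Secret.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets                   # add other resource types (configmaps, ...) here if they hold sensitive data too
    providers:
      # Order matters. The FIRST provider encrypts every new write; all listed providers are
      # tried in order on read. Listing identity first would mean "encrypt nothing" while the
      # config still looks enabled, so the weak ordering is the one you must not copy.
      - secretbox:                # XSalsa20 + Poly1305 with a 32-byte key; aescbc/aesgcm/kms are the other options
          keys:
            - name: key1
              secret: MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=   # constructed, weak, replace with 32 random bytes
      - identity: {}              # still decrypts pre-existing plaintext Secrets until they are rewritten
```

Restarting the apiserver with this file only protects Secrets written from now on; rewrite the existing ones so they get encrypted too (kubectl get secrets --all-namespaces -o json | kubectl replace -f -). You can confirm it worked by reading one back straight from etcd with etcdctl: the stored value should start with the k8s:enc:secretbox:v1:key1: prefix rather than readable JSON. For production, a kms provider backed by a cloud or hardware KMS is preferable to a static key in a file on the control-plane node, which is where this example stops.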