Manage Secrets in Kubernetes

This is part five of a series of lab tasks from KodeKloud for Kubernetes. The master blog listing all parts can be seen here. Make sure to follow the setup instructions for minikube on your PC.

The Nautilus DevOps team is working to deploy some tools in the Kubernetes cluster. Some of the tools are licence based, so the licence information needs to be stored securely within the Kubernetes cluster. Therefore, the team wants to use Kubernetes Secrets to store those values. Below you can find more details about the requirements:

  1. We already have a secret key file official.txt under the /opt location on the jump host. Create a generic secret named official; it should contain the password/license-number present in the official.txt file.
💡
Make sure to create a file at a suitable location with your secret. With --from-file, the key inside the Secret becomes the file's basename (official.txt here), and that is also the filename you will see under the mount path later.
$ kubectl create secret generic official --from-file=/opt/official.txt
secret/official created
$ 
$ kubectl get secrets
NAME        TYPE     DATA   AGE
official    Opaque   1      8s
  2. Also create a pod named secret-nautilus.

  3. Configure the pod's spec so that the container name is secret-container-nautilus and the image is ubuntu, preferably with the latest tag (remember to mention the tag with the image). Use the sleep command for the container so that it remains in the running state. Consume the created secret and mount it under /opt/games within the container.

apiVersion: v1
kind: Pod
metadata:
  name: secret-nautilus
  labels:
    name: myapp
spec:
  volumes:
    - name: secret-volume-nautilus
      secret:
        secretName: official # Important! must match secret
  containers:
    - name: secret-container-nautilus
      image: ubuntu:latest
      command: ["/bin/bash", "-c", "sleep 10000"]
      volumeMounts:
        - name: secret-volume-nautilus
          mountPath: /opt/games
          readOnly: true
  4. To verify, you can exec into the container secret-container-nautilus to check the secret key under the mounted path /opt/games. Before hitting the Check button, please make sure the pod/pods are in the running state; validation can also take some time to complete, so be patient.
💡
Test all this locally with minikube. Please refer to the parent blog for setting up minikube.
$ kubectl apply -f manage-secrets/pod.yaml 
pod/secret-nautilus created
$ kubectl get pods 
NAME              READY   STATUS              RESTARTS   AGE
secret-nautilus   0/1     ContainerCreating   0          8s
$ kubectl get pods --watch
NAME              READY   STATUS    RESTARTS   AGE
secret-nautilus   1/1     Running   0          11s
$ kubectl exec secret-nautilus -- ls -l /opt/games
total 0
lrwxrwxrwx 1 root root 19 Jul 31 13:23 official.txt -> ..data/official.txt
$ kubectl exec secret-nautilus -- ls -l /opt/games/official.txt
lrwxrwxrwx 1 root root 19 Jul 31 13:23 /opt/games/official.txt -> ..data/official.txt
$ kubectl exec secret-nautilus -- cat /opt/games/official.txt
5ecur3!

Note that the path must be the mountPath from the pod spec (/opt/games); listing any other directory, such as /opt/apps, simply fails with "No such file or directory". The file is a symlink through the ..data directory, which is how the kubelet swaps in updated secret contents atomically. Also keep in mind that the value is stored in the API only base64-encoded, not encrypted: anyone who can run kubectl get secret official -o yaml, or read etcd directly, can recover it, so restrict RBAC on Secrets and enable encryption at rest if this were a real licence key.
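The steps above are all run with kubectl against the cluster. As an added example (not part of the KodeKloud lab or this post's original code), the following Python script reproduces offline what step 1 stores and what step 3 consumes: it builds the same Secret object that `kubectl create secret generic --from-file` would (key is the file's basename, value is the base64 of the contents), decodes it back to show that base64 is encoding rather than encryption, and statically checks a Pod manifest for the mistake that is easy to make here, a mountPath that does not match the one the task requires. The file contents and temporary path are constructed sample data, and the function names are my own.

```python
"""Added example (not from the KodeKloud lab): what a generic Secret created with
--from-file actually stores, and a static check on how a Pod consumes it."""
import base64
import json
import os
import tempfile

# The Pod manifest from this post, transcribed as a dict (same content as the YAML above).
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "secret-nautilus", "labels": {"name": "myapp"}},
    "spec": {
        "volumes": [{"name": "secret-volume-nautilus", "secret": {"secretName": "official"}}],
        "containers": [{
            "name": "secret-container-nautilus",
            "image": "ubuntu:latest",
            "command": ["/bin/bash", "-c", "sleep 10000"],
            "volumeMounts": [{"name": "secret-volume-nautilus",
                              "mountPath": "/opt/games", "readOnly": True}],
        }],
    },
}


def secret_from_bytes(name, key, data, namespace="default"):
    """Build the Secret object kubectl would create: the value is only base64-encoded."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: base64.b64encode(data).decode("ascii")},
    }


def secret_from_file(name, path, namespace="default"):
    """Equivalent of `kubectl create secret generic NAME --from-file=PATH`:
    the key is the file's basename, the value its contents."""
    with open(path, "rb") as f:
        return secret_from_bytes(name, os.path.basename(path), f.read(), namespace)


def decode_secret(secret):
    """What anyone with `get` on the Secret (or read access to etcd) can do."""
    return {k: base64.b64decode(v) for k, v in secret.get("data", {}).items()}


def check_secret_mount(pod, secret_name, mount_path):
    """Return a list of problems with how `pod` consumes `secret_name`; empty means OK."""
    problems = []
    spec = pod["spec"]
    secret_volumes = {v["name"] for v in spec.get("volumes", [])
                      if v.get("secret", {}).get("secretName") == secret_name}
    if not secret_volumes:
        return ["no volume references Secret %r" % secret_name]
    mounted = False
    for c in spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m.get("name") not in secret_volumes:
                continue
            mounted = True
            if m.get("mountPath") != mount_path:
                problems.append("%s mounts the Secret at %s, expected %s"
                                % (c["name"], m.get("mountPath"), mount_path))
            if not m.get("readOnly", False):
                # The kubelet mounts secret volumes read-only anyway; being explicit documents intent.
                problems.append("%s does not set readOnly: true on the Secret mount" % c["name"])
    if not mounted:
        problems.append("Secret volume is defined but no container mounts it")
    return problems


def with_mount_path(pod, path):
    """Deep-copy `pod` (via JSON) with the first container's first mountPath changed."""
    copy = json.loads(json.dumps(pod))
    copy["spec"]["containers"][0]["volumeMounts"][0]["mountPath"] = path
    return copy


if __name__ == "__main__":
    # Constructed sample file standing in for /opt/official.txt on the jump host.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "official.txt")
        with open(path, "wb") as f:
            f.write(b"5ecur3!\n")
        secret = secret_from_file("official", path)
    print(json.dumps(secret, indent=2))   # same shape as `kubectl get secret official -o json`
    print(decode_secret(secret))          # base64 is not encryption
    print("correct pod:", check_secret_mount(POD, "official", "/opt/games") or "ok")
    print("wrong path :", check_secret_mount(with_mount_path(POD, "/opt/apps"), "official", "/opt/games"))
```

Run it, then compare with `kubectl get secret official -o json` on minikube: the data field shows the same base64 string, and `check_secret_mount` is the kind of pre-apply check that would have flagged a pod mounting the Secret at /opt/apps instead of the required /opt/games.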

Clean up

$ kubectl delete pod secret-nautilus
pod "secret-nautilus" deleted
$ kubectl delete secret official
secret "official" deleted