Manage Secrets in Kubernetes
This is part five of a series of KodeKloud lab tasks for Kubernetes. The master post listing all parts is linked here. Make sure you have followed the minikube setup instructions for your PC first.
The Nautilus DevOps team is working to deploy some tools in the Kubernetes cluster. Some of the tools are licence-based, so the licence information needs to be stored securely within the cluster. The team therefore wants to use Kubernetes Secrets to hold it. The requirements are as follows:
- We already have a secret key file official.txt under /opt on the jump host. Create a generic secret named official; it should contain the password/license number present in the official.txt file.
$ kubectl create secret generic official --from-file=/opt/official.txt
secret/official created
$
$ kubectl get secrets
NAME TYPE DATA AGE
official Opaque 1 8s
- Also create a pod named secret-nautilus. Configure the pod's spec so that the container name is secret-container-nautilus and the image is ubuntu, preferably with the latest tag (remember to mention the tag with the image). Use the sleep command for the container so that it remains in the running state. Consume the created secret and mount it under /opt/games within the container.
apiVersion: v1
kind: Pod
metadata:
  name: secret-nautilus
  labels:
    name: myapp
spec:
  volumes:
    - name: secret-volume-nautilus
      secret:
        secretName: official # Important! must match the name of the Secret created above
  containers:
    - name: secret-container-nautilus
      image: ubuntu:latest
      command: ["/bin/bash", "-c", "sleep 10000"]
      volumeMounts:
        - name: secret-volume-nautilus
          mountPath: /opt/games
          readOnly: true
- To verify, you can exec into the container secret-container-nautilus and check the secret key under the mounted path /opt/games. Before hitting the Check button, please make sure the pod(s) are in the Running state; validation can take some time to complete, so be patient.
$ kubectl apply -f manage-secrets/pod.yaml
pod/secret-nautilus created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
secret-nautilus 0/1 ContainerCreating 0 8s
$ kubectl get pods --watch
NAME READY STATUS RESTARTS AGE
secret-nautilus 1/1 Running 0 11s
$ kubectl exec secret-nautilus -- ls -l /opt/games
total 0
lrwxrwxrwx 1 root root 19 Jul 31 13:23 official.txt -> ..data/official.txt
$ kubectl exec secret-nautilus -- ls -l /opt/games/official.txt
lrwxrwxrwx 1 root root 19 Jul 31 13:23 /opt/games/official.txt -> ..data/official.txt
$ kubectl exec secret-nautilus -- cat /opt/games/official.txt
5ecur3!
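The two steps above (creating the Secret from a file, then checking the projected file inside the pod) hide what is actually stored and why the mount shows symlinks. The script below is an added example, not part of the KodeKloud lab or this post: it renders the Secret manifest that kubectl generates for `--from-file` (the key is the file's basename, the value is base64-encoded), decodes it back to show that `data` is encoding rather than encryption, and checks a mounted file through the kubelet's `..data` symlink layout seen in the `ls -l` output. The mount directory it builds is a constructed stand-in for `/opt/games`; the timestamp directory name and the `make_fake_secret_mount` helper are assumptions that mimic the kubelet, and nothing here talks to a cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the KodeKloud lab or the original post).
# Assumptions: key name = basename of the file (kubectl's --from-file default);
# the mount layout is the kubelet's "..data" symlink scheme. Needs sh, base64,
# awk, cmp; no cluster is contacted.
set -eu

# Emit the Secret manifest equivalent to:
#   kubectl create secret generic NAME --from-file=FILE
# The value under `data` is base64, NOT encrypted: anyone with `get` on
# secrets in the namespace can recover it (and it sits in etcd in the clear
# unless encryption at rest is configured).
render_secret_manifest() {
    file=$1 name=$2
    key=$(basename "$file")
    value=$(base64 < "$file" | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
        "$name" "$key" "$value"
}

# Recover the plaintext for KEY from a manifest on stdin, which is what
# `kubectl get secret NAME -o jsonpath='{.data.KEY}' | base64 -d` does.
decode_secret_value() {
    key=$1
    awk -v k="$key:" '$1 == k { print $2 }' | base64 -d
}

# Check that MOUNT_DIR/KEY (reached through the kubelet's ..data symlink)
# matches the original file. Returns 0 on match, 1 otherwise.
verify_mounted_secret() {
    mount_dir=$1 key=$2 expected_file=$3
    mounted="$mount_dir/$key"
    [ -L "$mounted" ] || { echo "expected $mounted to be a symlink into ..data" >&2; return 1; }
    cmp -s "$mounted" "$expected_file"
}

# Constructed fixture: mimic how the kubelet projects a secret volume, i.e. a
# timestamped directory with the real files, `..data` pointing at it, and one
# top-level symlink per key (the kubelet swaps `..data` atomically on update).
make_fake_secret_mount() {
    mount_dir=$1 key=$2 src=$3
    stamp="..2024_07_31_13_23_00.000000"   # assumed timestamp format
    mkdir -p "$mount_dir/$stamp"
    cp "$src" "$mount_dir/$stamp/$key"
    ln -s "$stamp" "$mount_dir/..data"
    ln -s "..data/$key" "$mount_dir/$key"
}

main() {
    work=$(mktemp -d)
    printf '5ecur3!' > "$work/official.txt"        # stand-in for /opt/official.txt
    render_secret_manifest "$work/official.txt" official | tee "$work/secret.yaml"
    echo "decoded: $(decode_secret_value official.txt < "$work/secret.yaml")"
    mkdir "$work/games"                            # stand-in for /opt/games
    make_fake_secret_mount "$work/games" official.txt "$work/official.txt"
    ls -l "$work/games"
    verify_mounted_secret "$work/games" official.txt "$work/official.txt" && echo "mount OK"
    rm -rf "$work"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it with `bash secret-check.sh run` to see the generated manifest, the decoded value and the symlink layout. Because the stored value is only base64, restrict who can `get`/`list` Secrets via RBAC, keep `readOnly: true` on the mount as in the manifest above, and consider `defaultMode: 0400` on the `secret:` volume so the projected file is not world-readable inside the container.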
Clean up
$ kubectl delete pod secret-nautilus
pod "secret-nautilus" deleted
$ kubectl delete secret official
secret "official" deleted