This is the 7th day of my participation in Gwen Challenge

Secret

Many scenarios involve sensitive information, such as OAuth tokens, passwords of various kinds and private key files. However, K8S defines its resources declaratively, which means a resource's configuration lives in a YAML or JSON file. Putting sensitive information directly into such a file is clearly insecure, so K8S introduced the Secret resource.

Secret, like ConfigMap, is a separate K8S resource, used to store sensitive information. Think of a Secret as a more secure ConfigMap, and the way it is created and used, shown next, will feel familiar.

As with ConfigMap, you can load longer content into a Secret from files or folders, or add shorter values through a YAML file or directly on the command line.

Let’s break it down for demonstration.

Create a Secret from a file or folder with the following format:

kubectl create secret generic NAME --from-file=xxx

[root@k8s-master Secret]# ll
total 8
-rw-r--r--. 1 root root 68 May 10 16:40 secret1
-rw-r--r--. 1 root root 58 May 10 16:40 secret2
[root@k8s-master Secret]# cat secret1
d23hehuye8rq340p98du312rpur9er3eru038dfh3ry2098iuerewriu32987er98er
[root@k8s-master Secret]# cat secret2
jp3oiur98sd7re=er=23r-sdf13i4%(eiru2p398(eur1p8u+o3iru2o3

Create two Secrets, one from a single file and one from a folder (here the current directory):

[root@k8s-master Secret]# kubectl create secret generic test-secret-1 --from-file=secret1
secret/test-secret-1 created
[root@k8s-master Secret]# kubectl create secret generic test-secret-2 --from-file=.
secret/test-secret-2 created

kubectl describe does not show the Secret's contents, only the key names and sizes:

[root@k8s-master Secret]# kubectl describe secret test-secret-1
Name:         test-secret-1
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
secret1:  68 bytes

The content can be viewed by dumping the object as YAML:

[root@k8s-master Secret]# kubectl get secret test-secret-1 -o yaml
apiVersion: v1
data:
  secret1: ZDIzaGVodXllOHJxMzQwcDk4ZHUzMTJycHVyOWVyM2VydTAzOGRmaDNyeTIwOThpdWVyZXdyaXUzMjk4N2VyOThlcgo=
kind: Secret
metadata:
  creationTimestamp: "2020-05-10T08:41:18Z"
  name: test-secret-1
  namespace: default
  resourceVersion: "1416449"
  selfLink: /api/v1/namespaces/default/secrets/test-secret-1
  uid: 2e43bebe-dda8-485a-9592-b7ecb32852f6
type: Opaque

A few things to note:

In an Opaque Secret the information is stored as key-value pairs: the key is the file name and the value is the file's content. The value is not the raw content, however, but the raw data encoded in Base64. Note that encoding is not encryption; encoded data can be decoded back to the original by anyone who can read it.

We can confirm this with the base64 command, which decodes the value back to the original file content:

[root@k8s-master Secret]# echo ZDIzaGVodXllOHJxMzQwcDk4ZHUzMTJycHVyOWVyM2VydTAzOGRmaDNyeTIwOThpdWVyZXdyaXUzMjk4N2VyOThlcgo= | base64 -d -
d23hehuye8rq340p98du312rpur9er3eru038dfh3ry2098iuerewriu32987er98er
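The following script is an added example, not code from the original post or from kubectl itself. It reproduces offline what `kubectl create secret generic NAME --from-file=DIR` does with a folder (one data key per file, value Base64-encoded on a single line) and then decodes every key back out of the manifest, which is the check to run when you want to confirm that a Secret holds only Base64 and not protected data. The function names, the sample directory and the dummy file contents are constructed for this example; no cluster is needed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): emulate offline what
# `kubectl create secret generic NAME --from-file=DIR` does, one key per
# file with the value base64-encoded, then decode every key back out of the
# manifest to show that base64 is an encoding, not encryption.
# build_secret_manifest, decode_secret_data, make_sample_dir and the sample
# files are this example's own constructions, not kubectl's.
set -e

# Emit an Opaque Secret manifest whose data keys are the file names in DIR
# and whose values are the base64-encoded file contents (same layout as
# `kubectl get secret -o yaml`, minus the server-populated metadata).
build_secret_manifest() {
  name="$1"
  dir="$2"
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\ndata:\n' "$name"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    # tr -d folds the encoding onto one line, the way kubectl stores it.
    printf '  %s: %s\n' "$(basename "$f")" "$(base64 < "$f" | tr -d '\n')"
  done
}

# Read a Secret manifest on stdin and print "key=plaintext" for each entry
# under `data:`. Anyone allowed to `get` the Secret can do exactly this,
# which is why base64 must not be mistaken for protection.
decode_secret_data() {
  awk '
    /^data:/ { in_data = 1; next }      # start of the data block
    /^[^ ]/  { in_data = 0 }            # next top-level key ends it
    in_data && /^  [^ ]/ { sub(/^  /, ""); print }
  ' | while IFS=': ' read -r key value; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$value" | base64 -d)"
  done
}

# Constructed sample: two files standing in for secret1/secret2 from the post.
# Prints the directory path so callers can clean it up.
make_sample_dir() {
  dir="$(mktemp -d)"
  printf 'dummy-token-1\n' > "$dir/token"
  printf 'dummy-pass-2\n' > "$dir/password"
  printf '%s\n' "$dir"
}

demo() {
  dir="$(make_sample_dir)"
  manifest="$(build_secret_manifest test-secret-2 "$dir")"
  printf '%s\n\n# decoded:\n' "$manifest"
  printf '%s\n' "$manifest" | decode_secret_data
  rm -rf "$dir"
}

demo
```

Piping real output into the decoder works the same way: `kubectl get secret test-secret-2 -o yaml | decode_secret_data` prints every key's plaintext, which is the quickest way to demonstrate to a team why read access to Secrets (RBAC `get`/`list` on the `secrets` resource) has to be restricted.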