Config - Secrets Flashcards
Why would it not be smart to move important configuration details like passwords into a ConfigMap?
Because the data is stored in plain text format
What are Secrets used for? And why?
For storing sensitive information like passwords or keys.
Stored in an encoded format
What are the steps for working with Secrets?
- Create Secret
- Inject into Pod
How can a Secret be created?
Imperatively, without a YAML file
Declaratively, with a YAML file
How do you create a Secret imperatively?
kubectl create secret generic <secret-name> --from-literal=<key>=<value>
Key-value pairs directly on the command line
Or from a file
kubectl create secret generic <secret-name> --from-file=<path-to-file>
What does the YAML for a Secret look like?
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  DB_HOST: bxWLSD(
  DB_User: ASJDEL(
  DB_password: POMSR%
Important: Data needs to be specified in an encoded format
How do you encode text on the Linux command line?
echo -n 'mysql' | base64
echo -n 'root' | base64
How can you view the values stored in a created Secret?
kubectl get secret app-secret -o yaml
How do you decode base64 encoded values in Linux?
echo -n 'bXlzcWw=' | base64 --decode
How do you inject Secrets into pods?
In YAML
spec:
  ...
    # envFrom is a field of a container entry under spec.containers
    envFrom:
      - secretRef:
          name: app-secret
What are ways for a secret to be injected into pods?
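# All keys of the Secret as environment variables
envFrom:
  - secretRef:
      name: app-secret
---
# A single key as an environment variable
env:
  - name: DB_Password
    valueFrom:
      secretKeyRef:
        name: app-secret
        key: DB_password
---
# The Secret mounted as files in a volume
volumes:
  - name: app-secret-volume
    secret:
      secretName: app-secret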
What is important about secrets?
- secrets are not encrypted, only encoded
- secrets are not encrypted in etcd by default
- anyone able to create pods/deployments in the same namespace can access the secrets
- consider third-party secrets store providers
How do you install the etcd client in order to encrypt data at rest?
apt-get install etcd-client