Kubernetes Secrets in 5 Minutes!
- Published 11 Jun 2024
- Everything you need to know to get started using Kubernetes (k8s) secrets to pass sensitive information into your application containers!
I cover what they are, how to create them, how to consume them, and some potential "gotchas".
---
I created this quick video because I joined @eddiejaoude for a live stream ( • Deploy Docker to Kuber... ) and we needed to pass a secret token to the discord bot we were deploying!
---
Join the Community:
💬 Discord: / discord
💻 GitHub: github.com/sidpalas/devops-di...
🐥 Twitter: / sidpalas
👨💼 LinkedIn: / sid-palas
🌐 Website: devopsdirective.com
---
Timestamps:
00:00 - Intro
00:25 - What are kubernetes secrets
00:46 - Types of kubernetes secrets
01:08 - Creating secret with yaml manifest
01:37 - Base64 encoding
02:07 - Kubectl create secret
02:46 - Consuming Secrets
02:54 - Environment variable
03:36 - Mounted volume
04:21 - Potential gotchas
05:10 - Suggested follow up
---
Community size at time of posting:
- Subscribers: 9541
- Channel Views: 224142
- Category: Science & Technology
Come join the channel discord server to discuss DevOps and Cloud topics! discord.gg/z7Yr7q2DPY
best explanation ever
Clear and concise, without any useless noise ! you got my sub
🎉
Awesome video!! This is so important and so often overlooked. Thank you!
Thanks Eddie -- UA-cam tutorials too often overlook security for the sake of brevity! I cringe to think of how many MongoDB databases are deployed out there with no access controls because someone followed a tutorial without understanding the risks! 🥶
Right to the point 👉 Very clear. Thanks 😊
Thanks, Mario!
The code snippets are extremely helpful 🔥
Glad to hear it!
Loved your video man! Thank you so much!!!!
Thank you @Ali! 🙏
Nice explanation! Thank you!
You are welcome @Liam! 🎉
Great! Thanks.
You are welcome!
the best explanation
🎉🎉🎉
Awesome Bro 👌👌👌👌👌👌👌
good orator with greater knowledge
Thanks for the kind words @Keshav! 🙏
I'm pretty paranoid when it comes to secret management. When pulling repos and deploying, I use a webhook to my secret manager (key manager, vault, whatever you wanna call it), and encrypt with SOPS. We automate so we can be lazy when handling mass deployment, and sometimes it is impractical to manage secrets and their versions manually. Do you have any other ways that you go about secret encryption and storage prior to the CI portion of it all? I would just like to see what others are doing, so I could expand on future options. As I already have a system in place for such things, it wouldn't hurt to gain further insight. I look at it this way: the secret has to become a K8s resource somehow, whether it's you manually applying it, or with a pipeline of sorts... and if automating such a process, which method is more efficient and secure?
Nice video btw
That helped a lot man! Thanks, but why is base64 an option in the first place when it's not even irreversible encryption to begin with? I'm about to go and search that one up... Thank you.
This provides a good explanation of why the secrets are base64 encoded stackoverflow.com/questions/49046439/why-does-k8s-secrets-need-to-be-base64-encoded-when-configmaps-does-not
Why is a secret base64 encoded if anyone can simply decode it? Is it only because of the compatibility concerning whitespaces?
Yes, the base64 encoding is to help handle whitespace and special characters. Access to the secret data can be managed via RBAC (role based access control) to determine which users are able to get that data.
Hi my guy, nice video, anyway awesome, but a quick one: what about storing the secret info in Git?
Hello!
Can you be more specific? Are you asking about how to manage/store the configuration for these secrets because you don't want them to be included in the git repo?
@DevOpsDirective yes exactly, because if it's in the Git repo other members of the team could fork the repo and see it, then it's no longer a secret and not safe, and if it must be in the Git repo how best to do that to avoid those kinds of security challenges?
@ayencoscolfield3312 got it! I have this video about the different options for managing credentials: ua-cam.com/video/7NTFZoDpzbQ/v-deo.html
Hopefully that helps!
New subbbbb :)
🤝
@DevOpsDirective I really learned from you, thanks!
In your video it's encrypting secrets only once... But I have seen encryption done two times. Why is that?
The base64 encoding shown in the video is not the same as encryption (it does not protect the secret because anybody can decode it). Here is a good explanation of why: stackoverflow.com/questions/49046439/why-does-k8s-secrets-need-to-be-base64-encoded-when-configmaps-does-not
There are a couple of places the data can be encrypted:
1) You could encrypt before submitting the secret and then decrypt at the application layer. This would require distributing the key to your application to decrypt. (cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets)
2) You can set up the kube-apiserver with an `EncryptionConfiguration` that will encrypt and decrypt automatically when storing data (to etcd). This is what I mention at 4:39.
If you are using a managed cluster (something like GKE or EKS) #2 is likely handled for you automatically. You can make the decision as to whether or not you also want to do #1.
@DevOpsDirective thank you so much sir for the explanation.
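As an added illustration (not the author's own manifests) of the base64 question earlier in the thread and of option #2 in this reply: a Secret whose `data` field is only base64-encoded, followed by a kube-apiserver `EncryptionConfiguration` in a weak provider order and in the corrected order. The Secret name and the key value are placeholders.

```yaml
# Added example, not from the video. Names and key material are placeholders.
# 1) A Secret as submitted to the API server. The value under `data` is only
#    base64-encoded ("secret-token"); anyone allowed by RBAC to `get` this
#    Secret can decode it. Encoding is not encryption.
apiVersion: v1
kind: Secret
metadata:
  name: discord-bot-token      # hypothetical name
type: Opaque
data:
  token: c2VjcmV0LXRva2Vu      # base64 of "secret-token"
# `stringData` lets you write the plain value and have the API server
# base64-encode it for you; the stored result is identical.
---
# 2) Encryption at rest, passed to kube-apiserver with
#    --encryption-provider-config. The FIRST provider is used for writes,
#    all listed providers are tried for reads.
#    Weak ordering: `identity` first means new Secrets land in etcd as
#    plaintext; the aescbc key is only ever used to read older data.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - identity: {}
      - aescbc:
          keys:
            - name: key1
              secret: <BASE64-ENCODED-32-BYTE-KEY>   # placeholder; e.g.
                                                     # head -c 32 /dev/urandom | base64
---
# Corrected ordering: the encrypting provider first, `identity` last only so
# that objects written before encryption was enabled can still be read while
# you rewrite them (kubectl get secrets -A -o json | kubectl replace -f -).
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <BASE64-ENCODED-32-BYTE-KEY>   # same placeholder
      - identity: {}
```

Once every Secret has been rewritten under the new configuration, `identity` can be dropped from the list so plaintext reads are no longer accepted.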
Wait, it's pronounced koob cuddle? I thought it was pronounced koob control :O
Thank you very much for this tutorial
Dude, nice video, but you got a typo at 1:25. I guess you wanted to write secret.yaml instead of secret.ymal :)