Securing sensitive application data (secrets)
Sometimes our application needs to hold sensitive information, such as credentials or tokens used to log in to a database or service. Storing this sensitive information in the image itself is something to be avoided. For this, Kubernetes provides us with a solution in the form of secrets.
Secrets give us a way to store sensitive information without including plaintext versions in our resource definition files. Secrets can be mounted to the pods that need them and then accessed within the pod as files with the secret values as content. Alternatively, you can also expose the secrets via environment variables.
We can easily create a secret either with YAML or on the command line. Secrets do need to be base64 encoded, but if we use the kubectl command line, this encoding is done for us.
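The YAML route and the base64 step described above, as an added example that is not from the original text: these shell helpers (hypothetical names) build the manifest for the same secret-phrases Secret that the kubectl command on this page creates, and show that the encoded value decodes back without any key.

```shell
#!/bin/sh
# Added example: build the YAML form of a Secret offline (no cluster needed).
# Function names are hypothetical helpers, not kubectl features.

# Encode a value the way it must appear under `data:` in a Secret manifest.
# printf '%s' is deliberate: `echo` would append a newline, and that newline
# would become part of the secret the pod later reads.
encode_secret_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse the encoding. No key is involved: base64 is an encoding, not
# encryption, so a manifest holding the value is as sensitive as the value.
decode_secret_value() {
  printf '%s' "$1" | base64 --decode
}

# Emit a v1 Secret manifest holding one key/value pair.
make_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  $2: $(encode_secret_value "$3")
EOF
}

# Read a manifest on stdin and print the encoded value stored under key $1
# (assumes the key contains no regex metacharacters).
extract_encoded_value() {
  sed -n "s/^  $1: //p"
}

# Demonstration with the same name, key and value as the kubectl command.
manifest=$(make_secret_manifest secret-phrases quiet-phrase "Shh! Dont' tell")
printf '%s\n' "$manifest"
encoded=$(printf '%s\n' "$manifest" | extract_encoded_value quiet-phrase)
printf 'recovered: %s\n' "$(decode_secret_value "$encoded")"
```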
Let's start with the following Secret:
$ kubectl create secret generic secret-phrases --from-literal=quiet-phrase="Shh! Dont' tell"
We can then check for the Secret with...