Secrets in Kubernetes

By
Nash N Sulthan
Published on
07 Nov 2023
11 min read
Secrets Management

Kubernetes has emerged as the primary choice for container orchestration, offering organizations the capability to create, deploy, and expand contemporary applications with increased efficiency and flexibility.

As Kubernetes adoption continues to rise, the significance of safeguarding and regulating sensitive data within these ecosystems has grown substantially.

Among the key elements in establishing a secure Kubernetes infrastructure is the proficient handling of secrets, including API keys, passwords, and tokens.

In this article, we will take an in-depth look at secret management within Kubernetes, examining different strategies and recommended methods for maintaining the security of your confidential information and ensuring that it remains accessible solely to authorized components.

What are the secrets in Kubernetes?

In the Kubernetes context, secrets are entities designed to safeguard sensitive data, including passwords, API keys, OAuth tokens, and Secure Shell (SSH) keys.

These secrets play a pivotal role in ensuring the smooth operation of applications and services within a Kubernetes cluster, as they frequently provide access to critical resources and authentication mechanisms.

A thorough grasp of secrets and their effective management is fundamental for preserving the security and reliability of your Kubernetes environment.

Insufficient handling of secrets can result in unauthorized access, data breaches, and compromised infrastructure.

Hence, it is imperative to guarantee that secrets are securely stored, transmitted, and utilized within your cluster to maintain the highest level of security.

How can you manage secrets in Kubernetes?

There are many ways to manage secrets in Kubernetes. We will focus on some of the most important ways to manage the secrets in Kubernetes.

1. Utilizing kubectl

You have the option to create a Kubernetes Secret using the kubectl command-line tool, where you furnish the necessary data in key-value pairs. For instance:

kubectl create secret generic my-secret --from-literal=username=myuser --from-literal=password=mypassword

This command generates a Kubernetes Secret titled “my-secret,” housing a pair of key-value entries for both the username and password.

Creating a Kubernetes Secret through a Configuration File An alternative method for crafting a Kubernetes Secret involves using a YAML configuration file.

Initially, encode your sensitive information in base64 format, and subsequently, construct a YAML file structured as follows:

apiVersion: v1
kind: Secret
metadata:
  name: secretname
  namespace: beagle
type: Opaque
data:
  aws-s3-key: YOUR_KEY_NAME
  aws-s3-key-secret: YOUR_SECRET_KEY
  aws-s3-bucket: YOUR_BUCKET_NAME
  aws-s3-region: YOUR_REGION

2. Using the Kustomize tool

Kustomize is a standalone tool to tailor Kubernetes objects using a “kustomization.yaml” file, you can employ it to create a secret generator, as demonstrated below:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

generators:
- secret.yaml

secretGenerator:
- name: my-secret
  literals:
  - username=admin
  - password=secret

How can you employ secrets within pods?

Incorporating secrets into Pods can be accomplished through the following methods:

1. Mounting secrets as files in a volume for containers

You have the option to attach a secret as a volume within a container, where each key-value pair from the secret is presented as distinct files within the mounted volume.

2. Setting secrets as container environment variables

Secrets can be exposed as environment variables within containers.

This approach empowers your application to access the secret value without necessitating alterations to the code, thus enhancing security and ease of management.

3. Leveraging kubelet for image retrieval with secrets

Kubelet, acting as the Kubernetes node agent, can utilize secrets for fetching container images from private registries.

This is accomplished by specifying the secret in the Pod’s “imagePullSecrets” field, enabling Kubernetes to authenticate with the registry using the provided credentials.

How can you access secrets in containers?

After a secret is mounted as a file or exposed as an environment variable, the application within the container gains access to the secret data.

In the event an unauthorized entity gains access to the container, they may potentially view the secret data and exploit it to jeopardize other system components.

As a result, it becomes crucial to enforce measures that limit access to these secrets to authorized containers and users.

  1. This can be accomplished through various means, such as employing RBAC (Role-Based Access Control) to confine access to the secrets or implementing encryption for the secrets, both at rest and during transmission.

  2. Regularly updating and rotating secrets is a critical security practice. Although you can update a secret using “kubectl edit,” this method is not recommended because it can introduce errors and potentially lead to unintended consequences.

  3. When you modify a secret using “kubectl edit,” you are essentially editing the existing secret in place.

This means that any existing references to the secret, such as environment variables or volume mounts, will continue to use the old secret data until the application is restarted, or the pod is deleted and recreated.

What are the limitations of Kubernetes?

Kubernetes Secrets Limitations While Kubernetes Secrets provide a convenient means of managing sensitive data, they come with certain limitations:

1. Limited encryption

By default, secrets are stored unencrypted in etcd. Kubernetes does support encryption, but the encryption keys require separate management.

2. Limited rotation

Kubernetes secrets are designed to be immutable, meaning they cannot be modified or versioned once created. This makes secret rotation difficult, and they can’t be audited either.

3. Limited access control

While Kubernetes offers RBAC (Role-Based Access Control) for managing access to secrets, it is still possible for unauthorized users to access secrets if they compromise the cluster or underlying infrastructure.

For large-scale or highly regulated environments, more advanced secret management solutions might be necessary.

Kubernetes External Secrets Kubernetes External Secrets present an alternative approach to managing secrets in Kubernetes by integrating with external secret management solutions. This allows you to keep sensitive data outside of your Kubernetes cluster while still enabling seamless access for applications within the cluster.

External secrets of Kubernetes

External Secrets are custom resources that act as an intermediary between your Kubernetes cluster and external secret management systems.

Rather than storing secrets directly in Kubernetes, External Secrets retrieve and synchronize secrets from external systems, presenting them as native Kubernetes Secrets.

This ensures that your applications can access sensitive data without requiring code changes while benefiting from the security features provided by external secret management solutions.

Integration with external secret management solutions

Kubernetes External Secrets can integrate with various external secret management solutions, including HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.

To set up External Secrets with your chosen secret management system, you need to deploy the relevant External Secrets controller in your cluster and configure it to communicate with the external system.

For instance, if you want to integrate with HashiCorp Vault, you need to deploy the Kubernetes External Secrets controller for Vault and configure it with the necessary Vault authentication and connection details.

Some best practices for managing secrets in Kubernetes?

To uphold the security and integrity of your sensitive data, adhering to best practices for secret management in Kubernetes is of paramount importance.

In this section, we will delve into some of the most critical practices to safeguard your secrets and maintain a robust Kubernetes environment.

1. Role-Based Access Control (RBAC)

RBAC serves as a cornerstone for secure secrets management by granting you the ability to regulate which users and components can create, read, update, or delete secrets.

By implementing fine-grained access control, you can significantly mitigate the risk of unauthorized access and potential data breaches.

To establish RBAC for secrets management, it is advisable to craft roles and role bindings that specify the permissible actions on secrets for each user or group.

For instance, you can generate a role that permits read-only access to secrets within a designated namespace and subsequently bind it to a specific user or group:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

generators:
- secret.yaml

secretGenerator:
- name: test-secret
  literals:
  - username=admin
  - password=secret

2. Securing secrets through encryption for data at rest and in transit

Encrypting Secrets for Data Protection Securing secrets through encryption is of paramount importance to shield sensitive data from unauthorized access.

This entails safeguarding secrets both when they are stored in etcd (at rest) and when they are in transit within the cluster.

Kubernetes provides built-in encryption options, including enabling etcd encryption to safeguard secrets at rest and implementing TLS to secure communications within the cluster.

It is crucial to configure and activate these options to maintain the confidentiality of your secrets.

In addition to Kubernetes’ native encryption capabilities, you also have the option to integrate third-party encryption solutions.

Solutions like HashiCorp Vault or cloud-based key management services can be leveraged to further fortify the security of your secrets.

3. Secret rotation and expiry

rotating secrets is a fundamental security practice that mitigates the risk of unauthorized access and potential data breaches.

Strategies for secret rotation encompass both manual updates using “kubectl” and automated rotation facilitated by custom controllers or third-party secret management solutions.

Automation of secret rotation can be realized through various means, including Kubernetes operators, external secret management systems, or custom scripts that periodically refresh secrets in accordance with a predefined schedule or events.

4. Auditing and monitoring

Auditing and monitoring are indispensable components of maintaining the security and integrity of your secrets.

These practices empower you to trace and analyze secret access, usage, modifications, and promptly detect potential security incidents.

5. Implementing proactive measures by configuring alerts and notifications

These alerts can promptly inform administrators of potential security incidents or any irregular patterns of secret access, facilitating timely investigations and responses to potential threats.

Summing up

In this comprehensive blog post, we have underscored the critical significance of secrets management in Kubernetes and have explored a plethora of methods and best practices to ensure the secure handling of sensitive information within your applications.

Continuously exploring additional resources and tools can further elevate your secret management processes.

In short, the secure management of secrets within Kubernetes is not merely a best practice but an imperative necessity for preserving the confidentiality and integrity of your sensitive data.

By adhering to best practices and deploying the appropriate tools and methodologies, you can establish a resilient and secure Kubernetes environment, effectively shielding your applications and data from potential security threats.


Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days