Secrets & Encryption
Secrets
Secrets are Kubernetes objects that can be referenced from YAML configurations without exposing the secret value itself. For example, I can create a Secret in K8S that contains a password and then reference it from every YAML file that needs it, without writing the real password into each one.
Secret Types
| Type | Description |
| --- | --- |
| Opaque | The default secret type; stores arbitrary key-value pairs. |
| docker-registry | Stores credentials for accessing a Docker registry. |
| tls | Stores a certificate and its private key. |
Commands
View secrets
kubectl get secrets
View specified secret
kubectl get secret secretname
View details about specified secret
kubectl describe secret secretname
Defining Secrets
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  password: cGFzc3dvcmQ= # base64 of 'password'
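The following shell functions are an added example, not part of the original notes: they build the Opaque Secret manifest shown above from a plain value and then read the value back out of it. The point to take away is that the data: field is only base64-encoded, not encrypted, so anyone who can read the manifest (or run kubectl get secret -o yaml) can recover the value; that is what RBAC on Secrets and encryption at rest are for. The names my-secret and password are the ones used in the manifest above.

```shell
# Added example (not from the original notes): build an Opaque Secret manifest
# from a plain value, then recover the value from the manifest, to show that
# the data: field is base64, not encryption.

# Encode a value the way the data: field expects (base64, single line).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Emit a complete Opaque Secret manifest for one key/value pair.
# Usage: secret_manifest <secret-name> <key> <plain-value>
secret_manifest() {
  name=$1
  key=$2
  value=$3
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$name" "$key" "$(b64 "$value")"
}

# Recover the plain value of <key> from a manifest read on stdin.
# Reading a Secret is enough to get the value back; no key or password needed.
secret_value() {
  key=$1
  sed -n "s/^  $key: //p" | base64 -d
}

# Usage:
# secret_manifest my-secret password password            # prints the manifest
# secret_manifest my-secret password password | secret_value password   # prints: password
```

Because the decode step needs nothing but read access to the object, "get secrets" in a Role is effectively "read every password in the namespace"; grant it narrowly.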
Encryption
Encryption at rest
This involves encrypting the data stored in etcd so that if etcd is compromised, an attacker cannot easily read sensitive information such as secrets, passwords, or private keys. Encryption at rest can be configured via an EncryptionConfiguration YAML file.
Configuring encryption at rest
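As an added example (not from the original notes), the shell functions below generate an EncryptionConfiguration that encrypts Secrets in etcd with a freshly generated AES-CBC key, and check two things a practitioner cares about: that the key has a valid length, and that the first provider in the list is the encrypting one rather than identity. The file path /etc/kubernetes/enc/enc.yaml mentioned in the usage note is an assumption; the resource and provider names are the real ones accepted by the kube-apiserver.

```shell
# Added example (not part of the original notes): generate an EncryptionConfiguration
# for Secrets with a new AES-CBC key and sanity-check it.

# Random 32-byte key, base64-encoded, as the aescbc provider expects.
new_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Decoded byte length of a base64 key; aescbc accepts 16, 24 or 32 bytes.
key_bytes() {
  printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Emit the config. The first provider listed is used to encrypt new writes;
# identity listed last lets the API server still read objects written before
# encryption was enabled, until they are rewritten. Listing identity first
# would be the weak setting: everything new is still stored in plaintext.
encryption_config() {
  key=$1
  cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${key}
      - identity: {}
EOF
}

# Name of the first provider in a config read on stdin, e.g. "aescbc" or "identity".
# Use it to catch the identity-first mistake before rolling the file out.
first_provider() {
  awk '/^    providers:/ { f = 1; next }
       f && /^      - / { sub(/^      - /, ""); sub(/:.*/, ""); print; exit }'
}

# Usage:
# key=$(new_key)
# key_bytes "$key"                                    # prints: 32
# encryption_config "$key" > /etc/kubernetes/enc/enc.yaml   # path is an assumption
# encryption_config "$key" | first_provider           # prints: aescbc
```

The generated file is handed to the API server with --encryption-provider-config=/etc/kubernetes/enc/enc.yaml (path assumed as above). Secrets that already exist stay in plaintext until they are written again; kubectl get secrets --all-namespaces -o json | kubectl replace -f - rewrites them under the new key. The key file itself now protects everything in etcd, so keep it off the nodes' world-readable paths and out of version control.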
Encryption in Transit
Encryption in transit is enabled by default for most internal Kubernetes components. Kubernetes secures communication between core components with TLS (Transport Layer Security), which protects the confidentiality and integrity of data as it moves through the cluster.
What is not enabled by default?
- Pod to pod communication
- Ingress traffic
- Node to node traffic