62/100 Manage Secrets in Kubernetes
The Nautilus DevOps team is working to deploy some tools in the Kubernetes cluster. Some of the tools are licence based, so the licence information needs to be stored securely within the Kubernetes cluster. The team therefore wants to use Kubernetes secrets to store that information.
- We already have a secret key file ecommerce.txt under the /opt location on the jump host. Create a generic secret named ecommerce; it should contain the password/license-number present in the ecommerce.txt file.
- Also create a pod named secret-datacenter.
- Configure the pod's spec as follows: the container name should be secret-container-datacenter, the image should be debian with the latest tag (remember to mention the tag with the image). Use the sleep command for the container so that it remains in a running state. Consume the created secret and mount it under /opt/cluster within the container.
- To verify, you can exec into the container secret-container-datacenter to check the secret key under the mounted path /opt/cluster. Before hitting the Check button please make sure the pod/pods are in a running state; validation can also take some time to complete, so be patient.
Create the secret from the file we already have in /opt/ecommerce.txt which is present on the jump host.
thor@jumphost ~$ kubectl create secret generic ecommerce --from-file=/opt/ecommerce.txt
secret/ecommerce created
This will create a secret where:
Key = ecommerce.txt
Value = the contents of /opt/ecommerce.txt (password/license-number)
This can then be verified:
thor@jumphost ~$ kubectl get secrets
NAME TYPE DATA AGE
ecommerce Opaque 1 50s
thor@jumphost ~$ kubectl describe secret ecommerce
Name: ecommerce
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
ecommerce.txt: 7 bytes
Note that describe shows only the size of each key, never its value. The next step is to create the pod YAML file, named secret-datacenter.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: secret-datacenter
spec:
  containers:
  - name: secret-container-datacenter
    image: debian:latest            # tag stated explicitly, as the task requires
    command: ["sleep", "infinity"]  # keeps the container running with no workload
    volumeMounts:
    - name: secret-volume
      mountPath: /opt/cluster       # each key of the secret appears as a file here
  volumes:
  - name: secret-volume
    secret:
      secretName: ecommerce         # the secret created above
Next, apply the pod configuration and then check the pod status:
thor@jumphost ~$ kubectl apply -f secret-datacenter.yaml
pod/secret-datacenter created
thor@jumphost ~$ kubectl get pods
NAME READY STATUS RESTARTS AGE
secret-datacenter 1/1 Running 0 31s
Finally, verify the secret inside the container:
thor@jumphost ~$ kubectl exec -it secret-datacenter -- bash
root@secret-datacenter:/# ls /opt/cluster
ecommerce.txt
root@secret-datacenter:/# cat /opt/cluster/ecommerce.txt
5ecur3
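Two details of the procedure above are worth checking for yourself. First, `describe` reported 7 bytes while `cat` printed six characters; the seventh byte is almost certainly the trailing newline of ecommerce.txt, which `kubectl create secret --from-file` stores verbatim (the key name is the file's basename, the value is the base64 of the raw bytes). Second, a secret is only base64-encoded, not encrypted: anyone with `get` on secrets in the namespace can decode it, and the file projected into /opt/cluster is world-readable inside the container unless you set a mode. The following script is an added example, not part of the original task or of any kubectl output: it renders offline the same Secret manifest that the `kubectl create secret` step produces and a Pod manifest equivalent to the one above, with two hardening settings the task does not require (`readOnly: true` and `defaultMode: 0400`), then decodes the value back. The sample file content `5ecur3` with a trailing newline is constructed here; the helper names are mine and only coreutils are needed. Both manifests can be applied with `kubectl apply -f`.

```shell
#!/bin/sh
# Added example (not from the original task): render the Secret and Pod
# manifests offline, mirroring what `kubectl create secret generic --from-file`
# stores, and check the decoded value. The sample file is constructed here;
# on the jump host the real file is /opt/ecommerce.txt.
set -eu

WORK=$(mktemp -d)
printf '5ecur3\n' > "$WORK/ecommerce.txt"   # constructed stand-in for /opt/ecommerce.txt

# Same mapping kubectl uses: key = basename of the file,
# value = base64 of the raw file bytes (a trailing newline is kept).
secret_manifest() {  # $1 = secret name, $2 = path to the file
  key=$(basename "$2")
  val=$(base64 < "$2" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$1" "$key" "$val"
}

# Pod manifest for the task, plus two hardening settings the task does not
# require: the mount is declared read-only and the projected file is mode 0400,
# so only the container's root user (the default user in debian:latest) can read it.
pod_manifest() {  # $1 = pod name, $2 = container name, $3 = secret name, $4 = mount path
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  containers:
  - name: $2
    image: debian:latest
    command: ["sleep", "infinity"]
    volumeMounts:
    - name: secret-volume
      mountPath: $4
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: $3
      defaultMode: 0400
EOF
}

# Recover a key's plaintext from a rendered Secret manifest. On a live cluster
# `kubectl get secret NAME -o jsonpath='{.data.KEY}' | base64 -d` does the same;
# `kubectl describe secret` deliberately shows only byte counts.
secret_value() {  # $1 = manifest text, $2 = key
  printf '%s\n' "$1" | sed -n "s/^  $2: //p" | base64 -d
}

# Byte count of a decoded key, to compare with the "7 bytes" shown by describe.
secret_bytes() {  # $1 = manifest text, $2 = key
  secret_value "$1" "$2" | wc -c | tr -d ' '
}

SECRET=$(secret_manifest ecommerce "$WORK/ecommerce.txt")
printf '%s\n' "$SECRET"
echo '---'
pod_manifest secret-datacenter secret-container-datacenter ecommerce /opt/cluster
echo "# decoded: $(secret_value "$SECRET" ecommerce.txt) ($(secret_bytes "$SECRET" ecommerce.txt) bytes)"
```

Secret volumes are already mounted read-only by current kubelets, so `readOnly: true` mainly documents intent; `defaultMode: 0400` is the setting that actually changes what a non-root process in the container can read. If the licence is consumed by a process running as another user, set `fsGroup` in the pod's securityContext or use a mode such as 0440 instead, and remember that none of this protects the value from anyone who can read the Secret object through the API.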