se
Why would it not be smart to move important configuration details like passwords into a configMap?
Because the data is stored in plain text format
What are Secrets used for? And why?
For storing sensitive information like passwords or keys.
Stored in an encoded format
How are the steps for working with secrets?
- Create Secret
- Inject into Pod
How can a secret be created?
Imperatively, without yaml file
Declaratively with yaml file
How does one create imperatively a secret?
‘kubectl create secret generic < secret-name> –from-literal=< key>=< value>’
Key value pairs directly in CI
Or from a file
‘kubectl create secret generic –from-file=< path-tofile>’
How does a yaml for a secret look like?
apiVersion: v1 kind: Secret metadata: name: app-secret data: DB_HOST: bxWLSD( DB_User: ASJDEL( DB_password: POMSR%
Important: Data needs to be specified in an encoded format
How do you encode text on linux in the cl?
echo -n 'mysql' | base64
echso -n root | base 64
How can you view the for a created secret used values?
kubectl get descret app-secret -o yaml
How do you decode base64 encoded values in Linux?
echo -n ‘bXlzcWw=’ | base64 –decode
How do you inject Secrets into pods?
in Yaml
spec: ... envFrom: - secretRef: name: app-secret
What are ways for a secret to be injected into pods?
envFrom:
- secretRef:
name: app-secret
env:
- name: DB_Password
valueFrom:
secretKeyRef:
name: app-secret
key: DB_password
---
volumes:
- name: app-secret-volume
secret:
secretName: app-secretWhat is important about secrets?
- secrets are not encrypted, only encoded
- secrets are not encrypted in etcd by default
- anyone able to create pods/deployments in the same namespace can access the secrets
- consider third-party secrets store providers
How do you install the etcd client in order to encrypt data at rest
‘apt-get install etcd-client’
-
Recap Core Concepts30
-
Configuration15
-
Config - ConfigMaps11
-
Config - Secrets13
-
Config - Security in Docker6
-
Config - Security Kontext8
-
Config - Service Accounts18
-
Config - Resource Requirements19
-
Config - Taints and Tolerations13
-
Config - Node Selectors4
-
Config - Node Affinity12
-
Multi-Container Pods13
-
Observability - Readiness Probes7
-
Observability - Liveness Probes5
-
Observability - Container Logging3
-
Observability - Monitor and Debug Applications7
-
POD Design - Labels, Selectors, Annotations7
-
POD Design - Rolling Updates & Rollbacks in Deployments4
-
POD Design - Deployment Strategies8
-
POD Design - Jobs and Cron Jobs17
-
S&N - Services and Ingress17
-
S&N Network Policies13
-
State Persistence - Volumes17
-
Optional - Storage Classes, StatefulSets13
-
Security - Authentication, Authorization, Admission Control11
-
Security - KubeConfig14
-
Security - API Groups7
-
Security Authorization11
-
Security - Role Based Access Control12
-
Security - Admission Controllers14
-
Security - API Versions13
-
Security - Custom Resource Definition & Custom Controllers11
-
Helm - Introduction and Concepts16
-
Testfragen3
-
Kustomize9
