ANNOUNCEMENT: Legit Secrets Detection & Prevention 2.0! Read more about all the new capabilities --> 

Blog Contact Us Sign In
Platform
Platform - ASPM Icon
Application Security Posture Management (ASPM)
Platform - Secrets Detection & Prevention
Secrets Detection & Prevention
Platform - Continuous Compliance and SBOM Icon
Continuous Compliance and SBOM
Platform - Software Supply Chain Security SSCS Icon
Software Supply Chain Security (SSCS)
Platform - AI Security Posture Management (AI-SPM) Icon
AI Security Posture Management (AI-SPM)
Platform - AppSec Vulnerability Management Icon
AppSec Vulnerability Management
Integrations
Why Legit
Why Legit - Customers Icon
Customers
Resources
header mobile nav icon
Resources
Resources - Blog Icon
Blog
Resources - Resource Library Icon
Resource Library
Resources - Open Source with Legitify Icon
Open Source w/ Legitify
Resources - Events Icon
Events
Company
Company - Partners Icon
Partners
Company - About Legit Icon 2
About Legit
Company - Press Releases Icon 1
Press Releases
Company - In the News Icon
In the News
Company - Careers Icon
Careers
  • Blog
  • Kubernetes Secrets: How to Create and Use Them

Blog

Kubernetes Secrets: How to Create and Use Them

Legit Security
Published on
December 19, 2024

Kubernetes, also known as K8s, is a powerful platform for orchestrating containers in complex, distributed environments. Among its many features, Kubernetes has Secrets, which safeguard sensitive information like API keys, passwords, and tokens in a cluster. By separating confidential data from application code, Kubernetes Secrets reduce the risk of exposure during workflows and deployments. 

When implemented correctly, Secrets offers a secure way to manage and transmit sensitive information within the dynamic, and often complex, environment of Kubernetes clusters. 

What Are Kubernetes Secrets?

Kubernetes Secrets are objects that store and manage sensitive information such as passwords, API tokens, and certificates. Unlike embedding sensitive data directly into application code or configuration files, Secrets lets you decouple confidential information from the application logic. 

This approach reduces the risk of accidental secret exposure during workflows like deployment or debugging. By default, Kubernetes stores Secrets as base64-encoded strings without encryption, which provides minimal obfuscation. But additional security measures, like encryption at rest, are still necessary to prevent unauthorized access.

Types of Kubernetes Secrets

Kubernetes supports various Secret types to handle specific use cases, such as Opaque Secrets for arbitrary key-value pairs and TLS Secrets for certificates. Understand these types to securely manage sensitive information in your cluster.

Opaque Secrets

Opaque Secrets are the most flexible and widely used type of K8s Secrets. They let you store arbitrary user-defined key-value pairs, making them suitable for various use cases, including storing sensitive data like passwords, tokens, or application configurations. As the default Secret type, they’re ideal when no predefined type fits your needs.

ServiceAccount Token Secrets

ServiceAccount Token Secrets store authentication tokens tied to ServiceAccounts, enabling Pods to interact with the Kubernetes API securely. These tokens provide a way to scope API access for specific applications running in the cluster. 

Docker Config Secrets

Docker Config Secrets store credentials for private container registries. Kubernetes supports the legacy dockercfg format and the more modern dockerconfigjson format.

Basic Authentication Secrets

Basic Authentication Secrets store basic HTTP authentication credentials in two predefined keys: username and password. They’re useful for services requiring basic authentication. 

SSH Authentication Secrets

SSH Authentication Secrets store private SSH keys that enable secure access to remote servers or other resources. Deployment automation and remote infrastructure management commonly use these.

TLS Secrets

TLS Secrets store TLS certificates and private keys to secure HTTPS communication. They include two key fields: tls.crt for the certificate and tls.key for the private key. People use TLS Secrets to secure ingress traffic or ensure encrypted service communication.

How to Create Kubernetes Secrets

Creating Kubernetes Secrets involves multiple approaches suited to specific workflows and preferences. Here are three common methods:

1. Using kubectl


The kubectl tool provides a quick and efficient way to create K8s Secrets directly from the command line. For instance, if you need to manage sensitive application configurations stored in a file, you can use the kubectl create secret from file command to streamline the process. Alternatively, you can create an Opaque Secret to store credentials for a database, securely managing sensitive information without embedding it in your codebase.

2. Using a Configuration File


For more complex setups, a configuration file offers flexibility and reusability. This method is ideal for integrating Secrets into a version-controlled workflow or CI/CD pipeline.

3. Using Kustomize


Kustomize simplifies Secret creation during deployments by allowing dynamic generation. This is particularly helpful when managing multiple environments with slightly different configurations, as it eliminates the need for manual adjustments.

How To Manage Kubernetes Secrets

Kubernetes Secrets can be mounted into a Pod, enabling applications to access sensitive data securely. Proper management ensures your clusters remain secure and compliant with organizational and regulatory standards.

Using Secrets as Environment Variables

One of the simplest ways to use Secrets is by injecting them as environment variables into your application containers. This allows your application to access sensitive data, like API keys or credentials, without embedding them directly in your code or configuration files. This setup ensures the application dynamically fetches these values from the Secret during runtime.

Using Secrets as Files Mounted in Containers

You can also make Secrets available as files mounted into a container's filesystem. Applications that read configuration data or credentials from files find this approach particularly useful. The application can use the data from the Secret by writing it to files in the /etc/ssl directory.

Using Secrets for Pulling Images from Private Registries

Secrets can store the necessary authentication credentials when your application requires container images from private registries. Kubernetes then references these credentials in the Pod configuration to pull the images securely. This approach ensures that the kubelet uses the stored credentials to authenticate with the private registry.

4 Kubernetes Secrets Best Practices

Effective Kubernetes Secrets management requires using them effectively and following best practices to ensure their security and maintain compliance. Here are some key strategies to keep secrets safe:

1. Implement Encryption at Rest


Kubernetes stores Secrets as base64-encoded strings by default, providing minimal obfuscation but no absolute security. To protect sensitive data, enable encryption at rest for Secrets stored in etcd, securing them even in the event of a compromise in the etcd data. Kubernetes provides configuration options for encrypting Secrets at rest, which should be a standard part of your cluster setup.

2. Use Role-Based Access Control


Limit access to Secrets through Kubernetes Role-Based Access Control (RBAC). Grant permissions on a need-to-know basis to only those users or applications that require them. For example, you may need access to certain Secrets during development but should not have access to production-level Secrets.

3. Integrate Third-Party Secrets Management Solutions


Use third-party tools like Legit Security to manage sensitive data. You can securely scan for, store, and remediate secrets outside the Kubernetes cluster. Kubernetes also provides a Secrets Store CSI driver that can mount external Secrets directly into your Pods, reducing the risk of exposing data within the cluster.

4. Rotate Secrets Regularly


Set up processes to rotate secrets regularly. Regular rotation minimizes the potential impact of a leaked or compromised secret. Automation tools can rotate them without your intervention, ensuring seamless updates to applications that depend on them.

Manage Your Secrets With Legit Security 

While Kubernetes provides good tools for managing sensitive data, complementing its capabilities with a solution like Legit Secrets Scanning is critical. 

Legit delivers the industry’s most comprehensive and accurate secrets detection and prevention, including the ability to detect secrets in containers used in Kubernetes environments and any Kubernetes secrets listed in IaC files. In addition, it offers: 

  • One clear dashboard offering all secrets activity at a glance
  • Secrets detection well beyond source code, including personal GitHub repos
  • AI-powered secrets detection that delivers highly accurate results
  • A secrets CLI that provides extensive prevention capabilities 

Book a demo of Legit Security today.
Legit Security

Share this guide

Published on
December 19, 2024
Blog

Related posts

See more

A Foundation You Can Trust

Get a stronger AppSec foundation you can trust and prove it’s doing the job right.

Request a Demo