Linux Hint Posted January 5 Share Posted January 5 Kubernetes is an open-source tool that is utilized to execute and manage the containerized application inside the cluster. It performs various tasks to control, run, and secure the application’s credentials through secret and ingress. Ingress is used to manage application incoming traffic and also for SSL termination. In contrast, secrets are used to store confidential information and TLS certificates for application. This post will illustrate: What are the Kubernetes Secrets? Prerequisite: Generate Private Key and Certificate How to Create Secret TLS in Kubernetes? How to Create a Secret Through Yaml File? How to Embed Secret With Kubernetes Pod? Conclusion What are the Kubernetes Secrets? The Secrets are one of the Kubernetes resources, used to store confidential information such as user login credentials, keys, certificates, or tokens. The secrets can be created individually and connected to pods. It prevents the developer from providing confidential data in code and also provides an extra layer of security. Different kinds of secrets can be created and used. The most commonly used secrets are: Generic Secret: The generic secrets are utilized to store basic information such as passwords, tokens, API keys, OAuth keys, and so on. TLS Secret: TLS secrets are used to store private keys and certificates that are signed by the CA. To ensure the security of applications running inside Kubernetes and for securing communication within the cluster, the user usually needs to create and embed TLS secrets to the pod. Docker Registry: It is used to store the docker registry credential to easily pull the images from the registry. Prerequisite: Generate Private Key and Certificate To create the certificate and private key for security improvement, utilize OpenSSL that creates the CSR (certificate signing request) and private key. Then, use CSR to generate the self-signed or CA certificates. To utilize the OpenSSL commands on Windows, users are required to install Git. For this purpose, follow our linked “Install git on Windows” article. After installing git, follow the below instructions to generate a private key and signed certificate. Step 1: Launch Git Bash Terminal Make a search for “Git Bash” in the Start menu and launch the terminal: To check the current directory use the “pwd” command: pwd Currently, we are working in the %USERPROFILE% directory: Step 2: Create New Directory Create a new directory to save the certificates and private key: mkdir cert Navigate to the newly created directory using the “cd” command: cd cert Step 3: Generate Private Key Now, generate the private key through the given command. Here, the generated private key will be saved in “mycert.key”: openssl genpkey -algorithm RSA -out mycert.key Step 4: Generate CSR To generate the CSR (certificate service request) to get a signed certificate, use the given command: openssl req -new -key mycert.key -out mycert.csr Step 5: Generate Certificate Lastly, using the generated private key and CSR, create a certificate and save it in the “mycert.crt” file. For this purpose, execute the below command: openssl x509 -req -in mycert.csr -signkey mycert.key -out mycert.crt -days 365 After generating the TLS certificates, the user can create the secret TLS by following the below section. How to Create Secret TLS in Kubernetes? To ensure the application security and secure communication within and outside the Kubernetes cluster, the TLS (Transport Layer Security) certificates are essential that are used in data encrypting. The Kubernetes secret allows us to embed the TLS certificate with running pods through secret TLS. To create a secret TLS in Kubernetes, go through the following instructions. Step 1: Start Minikube Cluster To start the minikube cluster, first, launch the Windows PowerShell as administrator. After that, create and run the cluster using the “minikube start” command: minikube start Step 2: Get Nodes Access the Kubernetes node to check if the cluster is started or not: minikube get nodes Step 3: Create Secret TLS Create the TLS secret in Kubernetes using “kubectl create secret <secret-type> <secret-name> –cert=<path-to-tls certificate> –key=<path-to-private-key>” command. Here, the secret type can be “generic”, “tls”, or “docker-registry”. To create a TLS secret, we have set the secret type as “tls”: kubectl create secret tls demo-secret --cert=C:\Users\Dell\cert\mycert.crt --key=C:\Users\Dell\cert\mycert.key Step 4: Get Secrets For confirmation, list down the Kubernetes secret using the given command: kubectl get secret Here, you can see we have effectively created a “demo-secret” that contains “2” data values: Step 5: Describe Secret To view how data are viewed or stored in secret, describe the secret using the “kubectl describe secret <secret-name>” command: kubectl describe secret demo-secret You can see values are stored in bytes and cannot be directly viewed unlike Kubernetes ConfigMaps: How to Create a Secret TLS Through Yaml File? To create a secret TLS through a yaml file, first, create a “secret.yml” file, add the tls base64 encoded certificate in the “tls.crt” key, and add the base64 encoded key in the “tls.key”. For demonstration, follow the listed steps. Step 1: Create Yaml File Create a file named “secret.yml” and paste the given code: apiVersion: v1 data: tls.crt: "base64 encoded cert" tls.key: "base64 encoded key" kind: Secret metadata: name: mytls-secret namespace: default type: kubernetes.io/tls In the above snippet, replace the “tls.crt” and “tls.key” key values with your original certificate and key values: Step 2: Create a Secret Now, apply the secret yaml file through the “kubectl apply -f <path-to-secret.yml>” command: kubectl apply -f secret.yml The output shows that we have successfully created the “mytls-secret” using yaml file: Note: View TLS Certificate and Private Key To view the base64 encoded certificate and use it in the yaml file, run the “cat <path-to-certificate file> | base64” command in the git bash terminal: cat mycert.crt | base64 In order to view the base64 encoded key, use “cat <path-to-key file> | base64” command: cat mycert.key | base64 How to Embed Secret TLS With Kubernetes Pod? After creating the secret TSL, the user can embed it with the Kubernetes pod. To do so, use the following instructions. Step 1: Create Yaml File Make a file named “pod.yml” file and paste the below snippet into the file: apiVersion: v1 kind: Pod metadata: name: demo-pod spec: containers: - name: html-cont image: rafia098/html-img:1.0 envFrom: - secretRef: name: demo-secret In the above snippet: “kind” key specifies the Kubernetes resource that the user is creating. “name” key will set the pod name. “containers” key will store the container information. “name” key under the “containers” key will set the container name. “image” key will provide the application or container image to create and start the application inside the container. “envFrom” key will set the environment variable from other Kubernetes resources. Here, to embed the secret TLS in a pod, “secretRef” is used to provide a secret reference. To embed the above secret TLS, specify the name of the secret in the “name” key. Step 2: Create or Upgrade the Pod Next, open the folder where the “pod.yml” file is created: cd C:\Users\Dell\Documents\Kubernetes\Secret Apply the yaml file to create or reconfigure the pod using the “kubectl apply” command: kubectl apply -f pod.yml Step 3: Access Kubernetes Pods For verification, list down the Kubernetes pods: kubectl get pod Here, you can see we have created the “demo-pod” successfully: Step 4: Describe the Pod To check if the pod has embedded the secret TLS or not, describe the pod using the below command: kubectl describe pod demo-pod The below output shows that we have successfully embedded the TLS secret with pod: We have covered how to create secret TLS and embed it with the Kubernetes application running in the pod. Conclusion To create the secret TLS in Kubernetes, first, create the TLS signed certificate and private key. After that, start the Kubernetes cluster and run the “kubectl create secret <secret-type> <secret-name> –cert=<path-to-tls certificate> –key=<path-to-private-key>” command. Users can also create the secret TLS using yaml manifest. This post has illustrated how to create the secret TLS and how to embed the secret with a running application or pod. View the full article Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.