Kubernetes Secret: is it safe?

If you want to store a password in Kubernetes, the first thing to consider is a Secret. `kubectl create secret` offers three kinds:

  docker-registry Create a secret for use with a Docker registry
  generic         Create a secret from a local file, directory or literal value
  tls             Create a TLS secret

These are the three types of Secret. Let's create a generic Secret to store a password:

kubectl create secret generic secretname --from-literal="mykey=myvalue"

You can view the stored data of this Secret with the following command:

kubectl get secret secretname -o jsonpath='{.data}'

A Secret stores its data Base64-encoded and supplies it to the pod, decoded, either as environment variables or as a mounted volume.

Because of this, people often mistakenly believe that a Secret is secure. But Base64 is an encoding, not an encryption method; from a security point of view the stored value is no different from plain text, as a single command shows:

echo 'bXl2YWx1ZQ==' | base64 --decode

In fact, the security of a Secret rests on the following:

  • Only a node running a pod that needs the Secret receives that Secret
  • On the node, the Secret is kept in tmpfs (memory), never written to disk, and is deleted together with the pod

tmpfs has the following advantages:

1. Dynamic file system size. One thing to watch with /dev/shm/ is its capacity: under Linux the maximum size defaults to half of RAM, which you can see with the df -h command. It does not actually reserve that memory: if there are no files under /dev/shm/, the memory it occupies is 0 bytes; if its maximum is 1G and it holds 100M of files, the remaining 900M can still be used by other applications, but the 100M it does occupy will not be reclaimed and redistributed by the system.

2. Another major benefit of tmpfs is its speed. Because a typical tmpfs file system resides entirely in RAM, reads and writes are almost instantaneous.

3. tmpfs data does not survive a reboot, because memory is volatile by nature. Anything that must persist therefore has to be reloaded and re-bound by scripts at startup.

Here I create an Nginx deployment and mount the Secret I just created.

This pod is scheduled onto node 2.
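The Deployment described above, written out as an added example manifest (not the original post's own file): the Secret name `secretname` and key `mykey` come from the create command earlier; the mount path, label and environment variable name are assumptions for illustration.

```yaml
# Added example: an nginx Deployment consuming the Secret created above.
# "secretname" and "mykey" come from the earlier kubectl command; the
# mount path, label and env var name are assumptions for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-with-secret
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-with-secret
  template:
    metadata:
      labels:
        app: nginx-with-secret
    spec:
      containers:
        - name: nginx
          image: nginx
          # Option 1: expose the decoded value as an environment variable.
          env:
            - name: MYKEY
              valueFrom:
                secretKeyRef:
                  name: secretname
                  key: mykey
          # Option 2: mount the Secret as files. The kubelet backs this
          # volume with tmpfs, so the decoded value lives in memory only
          # and disappears when the pod is deleted.
          volumeMounts:
            - name: secret-volume
              mountPath: /etc/secret
              readOnly: true
      volumes:
        - name: secret-volume
          secret:
            secretName: secretname
```

After `kubectl apply -f` on this file, `kubectl exec <pod> -- df -h /etc/secret` shows the tmpfs mount, and `/etc/secret/mykey` contains the decoded value `myvalue`.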

A Secret cannot exceed 1MB. It is not meant for storing large data, nor is it suitable for data that is not configuration.

Because the data is stored Base64-encoded, the actual payload that fits is only about 700kb.
