From the Enterprisers Project: What Are Kubernetes Secrets?
August 21, 2019 | by
The Enterprisers Project always has terrific information that can help you and your team communicate those complex cloud computing concepts to the C-levels. This past week, they published an excellent article describing what exactly secrets are in Kubernetes, how to manage them and what security benefits they provide. From the article:
Kubernetes Secrets defined, three ways
Let’s add a few more clear-cut definitions of Secrets to your arsenal that should help you either get up to speed as necessary or explain the concept to others on the team.
1. “As applications run in Kubernetes, apps need credentials to interact with the surrounding infrastructure or another application. Those credentials are kept in Kubernetes, and your applications can use a credential by specifying the name of a Secret as opposed to having the application keep the contents of the Secret.” –Eric Han, VP of product management at Portworx. (Han was also the first Kubernetes product manager when it was still an internal system at Google.)
2. “Kubernetes Secrets provide a means to protect sensitive information in a way that limits accidental exposure and provides flexibility in how the information is utilized. Secrets are only accessible to Pods if they are explicitly part of a mounted volume or at the time when the Kubelet is pulling the image to be used for the Pod. This prevents the need to store sensitive information in a Pod image, which mitigates the risk that data is compromised and makes it easier to vary things like credentials, cryptographic keys, etc. for different pods.” –Jonathan Katz, director of customer success & communications at Crunchy Data
3. “Kubernetes Secrets are a way to store and distribute sensitive information – think passwords, or an SSL certificate – that are used by applications in your Kubernetes cluster. Importantly, the declarative nature of Kubernetes definitions allows third-party solutions to be integrated with the Secret management.” –Gary Duan, CTO at NeuVector
In this blog post I want to introduce a nice little trick to make canary deployments possible only with Kubernetes StatefulSets and Services. First, let me give a bit of background on why I went down ...