kubernetes-client / python

Overview

Managing secrets effectively in a Kubernetes environment is crucial to ensuring the security and integrity of applications. The Kubernetes Python client offers utilities for creating, accessing, and using Secrets, allowing for secure management of sensitive data such as passwords, OAuth tokens, and SSH keys.

Creating a Secret

To create a Secret in Kubernetes, a V1Secret object must be constructed and submitted to the Kubernetes API. Below is an example of how to do this with the Kubernetes Python client.

from kubernetes import client, config

# Load kubeconfig
config.load_kube_config()

# Create a Secret object
secret = client.V1Secret(
    api_version="v1",
    kind="Secret",
    metadata=client.V1ObjectMeta(name="mysecret"),
    data={
        "username": "dXNlcm5hbWU=",  # base64 encoded value
        "password": "cGFzc3dvcmQ="   # base64 encoded value
    },
    type="Opaque"  # Custom type
)

# Create the Secret in the default namespace
api_instance = client.CoreV1Api()
api_instance.create_namespaced_secret(namespace="default", body=secret)

This code snippet creates a new Secret named mysecret that contains a username and password, both of which are stored as base64 encoded strings.

Using a Secret in a Pod

Once a Secret is created, it can be utilized within a Pod in several ways. The most common methods are through environment variables or mounted as files. Below is an example of how to reference a Secret as an environment variable.

Environment Variables

To utilize the Secret as environment variables, you can define environment variable sources in your Pod specification as follows:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image: myimage
    env:
    - name: USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password

In this configuration, the USERNAME and PASSWORD environment variables in the container will be populated with the values stored in the mysecret Secret.

Mounting as Volume

Secrets can also be mounted as files in a Pod. Below is an example of how to define a Secret volume in a Pod specification:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mycontainer
    image: myimage
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/secret
  volumes:
  - name: secret-volume
    secret:
      secretName: mysecret

In this example, the Secret’s contents will be mounted to the /etc/secret directory in the container, allowing the application to read the files directly.

Projected Secrets

Kubernetes also allows the use of projected secrets, which can bring multiple secrets together into a single volume. The V1SecretProjection class is used to create and manage projected secrets programmatically.

Example of Projected Secret

from kubernetes import client, config

# Load kubeconfig
config.load_kube_config()

# Create a Pod with projected secrets
pod = client.V1Pod(
    metadata=client.V1ObjectMeta(name="mypod"),
    spec=client.V1PodSpec(
        containers=[client.V1Container(
            name="mycontainer",
            image="myimage",
            volume_mounts=[client.V1VolumeMount(
                name="projected-volume",
                mount_path="/etc/secret"
            )]
        )],
        volumes=[client.V1Volume(
            name="projected-volume",
            projected=client.V1ProjectedVolumeSource(
                sources=[
                    client.V1SecretProjection(
                        name="mysecret",
                        items=[client.V1KeyToPath(key="username", path="username.txt"),
                               client.V1KeyToPath(key="password", path="password.txt")]
                    )
                ]
            )
        )]
    )
)

# Implementation to create the pod
api_instance = client.CoreV1Api()
api_instance.create_namespaced_pod(namespace="default", body=pod)

In this code, the username and password from the mysecret Secret are projected into separate files username.txt and password.txt within the container at the path /etc/secret.

Conclusion

Managing secrets securely is a fundamental aspect of deploying applications in a Kubernetes environment. By utilizing the capabilities of the Kubernetes Python client, developers can create, access, and use Secrets effectively in production. Proper implementation of secrets ensures that sensitive information is not hard-coded into application code or configuration files, thereby enhancing overall security.

References: