What are Secrets in Kubernetes?
Secrets should be stored encrypted (at rest)
Secrets transmitted between Services/Nodes should be encrypted (in transit)
Secrets should only be decrypted in memory
Each Secret in a Secret Server/Database is an independent Object
Secret attributes — Name, ID, Hash Key value, Creation Date
IAM and RBAC — Secret access by Role (who can access, when, from where, and which Tokens are used for access)
Role based access to Secrets for -> Users, Groups, Service Accounts, IAM Roles
At runtime, inject a Secret only into the Container that has access to that Secret.
Inject the decrypted Secret inside that Container.
Write Only access to Secrets (permission granted) — an Entity can only create a new Secret or change a Secret, but cannot read that Secret.
Life Cycle of a Secret:
- Rotation
- Revocation
- Audit logging (compliance)
- The longer a Secret stays unchanged, the greater the risk of that Secret getting leaked
- Secret values should be short lived
Bad and worst ways to store Secrets:
- GitHub or GitLab
- Source Code
- Environment Variables
- Properties files
- Scripts
- Dockerfile
- Docker Images
How to Create a new Secret:
- Secret Store Name
- Secret Name
- Secret Value (K:V)
- Secret Description
- Secret Labels
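Added example (not part of the original notes) tying together creating a Secret with a name, K:V value and labels, a write-only Role that can create or change the Secret but not read it, and a Pod where only one Container receives the Secret. The namespace, names, key and images are assumptions.

```yaml
# Added example, not from the original notes; namespace, names, key and images are assumed.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials        # Secret Name
  namespace: payments         # the namespace acts as the Secret Store here
  labels:
    app: payments-api         # Secret Labels
type: Opaque
stringData:
  DB_PASSWORD: "constructed-sample-value"   # constructed K:V value; rotate per policy
---
# Write-only Role: it may create or replace the Secret, but has no get/list/watch,
# so a holder of this Role can never read the Secret back.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-writer
  namespace: payments
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["db-credentials"]
  verbs: ["update", "patch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]   # resourceNames does not apply to create; the namespace scopes it
---
# Only the api Container mounts the Secret (a read-only tmpfs volume, so it lives
# in memory, not on disk); the log-shipper sidecar gets no volume mount at all.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  volumes:
  - name: db-creds
    secret:
      secretName: db-credentials
  containers:
  - name: api
    image: registry.example/payments-api:1.0   # placeholder image
    volumeMounts:
    - name: db-creds
      mountPath: /var/run/secrets/db
      readOnly: true
  - name: log-shipper
    image: registry.example/log-shipper:1.0    # placeholder image, no Secret volume
```

Bind the Role to a ServiceAccount with a RoleBinding to grant the write-only access; mounting as a volume rather than an environment variable keeps the value out of process listings and crash dumps.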