Kubernetes Secret is not stored in encoded format in environment variables

3.2k views Asked by At

I am a beginner to Kubernetes. I have created a secret file and referred it in deployment yaml file.

app-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  username: YWRtaW4=
  password: YWRtaW4=

deploy.yaml

env:
          - name: DEPLOY_ENV
            value: ${env}
          - name: NAMESPACE_NAME
            valueFrom:
                fieldRef:
                  fieldPath : metadata.namespace
          - name: APP_USERNAME
            valueFrom:
                secretKeyRef:
                  name: app-secret
                  key: username
          - name: APP_PASSWORD
            valueFrom:
                secretKeyRef:
                  name: app-secret
                  key: password

While using the command kubectl get secret pod-54rfxd -n dev-ns -o json, it is printing the username and password in encoded format only. When i query for the environment variables list using the command kubectl exec pod-54rfxd -n dev-ns -- printenv, it was giving below result.

APP_USERNAME=admin
APP_PASSWORD=admin

Why it was not in encoded format in environment variables. Could you please let me know the reason and is it possible to have it in encoded format?

2

There are 2 answers

0
bigLucas On BEST ANSWER

You could use the stringData format:

apiVersion: v1
kind: Secret
metadata:
  name: app-secret
stringData:
  username: "YWRtaW4="
  password: "YWRtaW4="

From K8s doc: warning about stringData secret type

K8s doc

6
Harsh Manvar On

Secret get stored with the base64 encoded format when you create the secret. hile adding or injecting the secret into the pod or deployment Kubernetes by default decode the secret with base64 so due to that you are getting the plain text from OS as environment variables.

there are some other option to encrypt at rest not encode.

https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets

https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengencryptingdata.htm

is it possible to have it in encoded format?

what you can do is to save the encoded .env file into secret and mount that file into the deployment path that .env file will be accessible to the application while content inside it will be encoded.

kubectl exec pod-54rfxd -n dev-ns -- printenv

this command only you can run maybe when you have admin permission of cluster otherwise not other can access inside the pod.