What is a Kubernetes Secret?
There are many times when a Kubernetes Pod needs to use sensitive data. Think for examples of:
- SSH keys.
- Database passwords.
- OAuth tokens.
- API keys.
- Image registry keys.
Kubernetes is designed to have a declarative syntax. Object definitions are stored in YAML (or JSON) files and - typically - placed under version control. Adding confidential information to a version-controlled file (that anyone can view) is against any security best practice. For that reason, Kubernetes includes Secrets.
A Secret is just another Kubernetes object that stores restricted data so that it can be used without being revealed. Kubernetes users can create Secrets, and also the system itself establishes and uses Secrets.
You can find Secrets referenced through a file attached to the pod through a volume. The kubelet also makes use of Secrets when it needs to pull an image from an Image Registry that requires authentication (for example, a private Docker Hub account, AWS ECR, or Google GCR). Additionally, Kubernetes makes use of Secrets internally to enable Pods to access and communicate with the apiserver component. The system automatically manages API tokens through Secrets attached to the Pods.