
Kubernetes – CKA Exam – Sample questions 2


Here is the second set of sample questions for the CKA (Certified Kubernetes Administrator) exam. This set of questions relates to Kubernetes secrets. A secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Using a secret avoids putting plain-text passwords in application code. The secret can be created independently of the pods that use it and then exposed to the application pods that require it. This reduces the risk of the secret being exposed during the workflow of creating, viewing, and editing Pods.

From the exam point of view, keep in mind that Secrets are specifically intended to hold confidential data. By default, Kubernetes Secrets are stored unencrypted in the API server’s underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd.
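The same lack of encryption is visible from the API side: the values under `data:` in a Secret object are only base64-encoded, so read access to the object is read access to the plaintext. The following is an added example, not part of the original post; the manifest is a constructed sample of what `kubectl get secret secret1 -o yaml` returns for the secret used in the questions below, and the function names are hypothetical.

```shell
# Constructed sample (metadata trimmed), not captured from a real cluster.
# On a live cluster the same input comes from:
#   kubectl get secret secret1 -o yaml
sample_secret_manifest() {
cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: secret1
  namespace: default
type: Opaque
data:
  password: bXlzZWNyZXRwYXNz
EOF
}

# Read a Secret manifest on stdin and print key=value for every entry
# under the top-level "data:" map, with the value base64-decoded.
decode_secret_data() {
  awk '
    /^data:[ \t]*$/ { in_data = 1; next }   # entering the data map
    /^[^ \t]/       { in_data = 0 }         # any other top-level key ends it
    in_data && NF == 2 { sub(/:$/, "", $1); print $1, $2 }
  ' | while read -r key b64; do
    # No key material is needed: base64 is an encoding, not encryption.
    printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
  done
}

# Show the decoded contents of the sample manifest.
sample_secret_manifest | decode_secret_data
```

Running it prints the literal passed to `--from-literal`, which is why read access to Secret objects should be treated as read access to the credentials themselves.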

Here are the sample CKA exam questions related to secrets.

Create a Kubernetes secret and expose it as a file in the pod.

Name: secret1

password: mysecretpass

1. Log in to the Kubernetes cluster and create a secret.

[root@kmaster ~]# kubectl create secret generic secret1 --from-literal=password=mysecretpass
secret/secret1 created
[root@kmaster ~]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-lwj7d   kubernetes.io/service-account-token   3      83m
secret1               Opaque                                1      50s
[root@kmaster ~]#

2. Expose the secret as a plain-text file in the pod. Create a new pod configuration file like the one below.

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: pod-secrets-via-file
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - name: foo
      mountPath: "/secrets"
  volumes:
  - name: foo
    secret:
      secretName: secret1

3. Create the pod using the pod configuration file.

[root@kmaster ~]# kubectl create -f redis_file.yaml
pod/pod-secrets-via-file created
[root@kmaster ~]# kubectl get po
NAME                   READY   STATUS      RESTARTS   AGE
pod-secrets-via-file   1/1     Running     0          6s
[root@kmaster ~]#

4. Validate our work. The newly created secret should be available in the pod for use.

[root@kmaster ~]# kubectl exec -it pod-secrets-via-file -- ls /secrets
password
[root@kmaster ~]# kubectl exec -it pod-secrets-via-file -- cat /secrets/password
mysecretpass
[root@kmaster ~]#

Expose the secret to the pod using an environment variable.

1. Since we have already created the secret in step 1 above, we can refer to the same secret.

2. Create a new pod configuration file like the one below, referring to the secret as an environment variable.

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: pod-secrets-env
spec:
  containers:
  - image: redis
    name: redis
    env:
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: secret1
          key: password

3. Create the pod using the above YAML file.

[root@kmaster ~]# kubectl create -f redis_env.yaml
pod/pod-secrets-env created
[root@kmaster ~]# kubectl get pods
NAME                   READY   STATUS      RESTARTS   AGE
pod-secrets-env    1/1     Running     0          7s
[root@kmaster ~]# 

4. Verify that the secret is available as an environment variable inside the pod.

[root@kmaster ~]# kubectl exec -it pod-secrets-env -- env | grep -i password
PASSWORD=mysecretpass

[root@kmaster ~]#

We have created a secret and exposed it using two different methods. In the first method, we shared the secret through a volume, which makes it available as a file in the pod; in the second method, we exposed the secret as an environment variable.
