What Is a Kubernetes Secret?

Kubernetes secrets hold sensitive information such as passwords and tokens. A pod that needs this information references the secret in its Pod definition; secrets are the mechanism Kubernetes uses to deliver sensitive data to pods.

Kubernetes stores secret values Base64-encoded. This is obfuscation only: Base64 encoding is not encryption, and anyone who can read the Secret object can decode its values. Secrets are protected in transit to your pods by standard wire-level encryption, and protected from being read by Kubernetes RBAC. If RBAC does not restrict who can view secrets, anyone with access to the API can read them.

Protect secrets at rest with encryption, either by replacing the Kubernetes secret store with an external store such as HashiCorp Vault or by enabling encryption at rest on Kubernetes v1.13 or later.
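The two points above (Base64 is reversible by anyone who can read the object, and encryption at rest is what actually protects stored secrets) can be checked mechanically. The following is an added example, not code from this documentation or from the MapR/Kubernetes projects. The Secret manifest and the two EncryptionConfiguration documents are constructed samples written as Python dicts (the same shape the YAML would have), the credential values are placeholders, and the key material is a placeholder string rather than a real AES key.

```python
"""Added example: demonstrate that a Secret's Base64 `data` is not encryption,
and check whether an EncryptionConfiguration would actually encrypt Secrets
at rest. Manifests are constructed samples, not real cluster objects."""
import base64

# Constructed Secret manifest in the dict form of `kubectl get secret -o yaml`.
# Values are invented placeholders.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "example-db-credentials", "namespace": "mapr-system"},
    "type": "Opaque",
    "data": {
        "username": "bWFwcg==",                      # Base64 of "mapr"
        "password": "bm90LWEtcmVhbC1wYXNzd29yZA==",  # Base64 of "not-a-real-password"
    },
}

# Constructed EncryptionConfiguration (apiserver.config.k8s.io/v1). The API
# server writes with the FIRST provider listed for a resource; `identity`
# means "store in plaintext". Listing identity first therefore leaves every
# new or updated Secret unencrypted in etcd even though aescbc is configured.
WEAK_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"identity": {}},
            {"aescbc": {"keys": [{"name": "key1", "secret": "PLACEHOLDER_BASE64_KEY"}]}},
        ],
    }],
}

# Hardened form: aescbc first (used for writes), identity last so that
# Secrets written before encryption was enabled can still be read.
HARDENED_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"aescbc": {"keys": [{"name": "key1", "secret": "PLACEHOLDER_BASE64_KEY"}]}},
            {"identity": {}},
        ],
    }],
}


def decode_secret_data(manifest):
    """Return the plaintext of every entry in a Secret's `data` map.

    No key is involved: Base64 is a reversible encoding, so RBAC read access
    to the Secret object is read access to the credential."""
    return {
        key: base64.b64decode(value).decode("utf-8")
        for key, value in manifest.get("data", {}).items()
    }


def secrets_encrypted_at_rest(config):
    """True if every resource entry covering `secrets` lists a non-identity
    provider first, so new and updated Secrets are written encrypted.

    Returns False when secrets are not covered at all. Only the literal
    resource name "secrets" is matched; wildcard resource specs used by
    newer Kubernetes releases are not handled here."""
    covered = False
    for entry in config.get("resources", []):
        if "secrets" not in entry.get("resources", []):
            continue
        covered = True
        providers = entry.get("providers", [])
        if not providers or "identity" in providers[0]:
            return False
    return covered


if __name__ == "__main__":
    for key, value in decode_secret_data(SAMPLE_SECRET).items():
        print(f"{key}: {value}")
    print("weak config encrypts secrets at rest:", secrets_encrypted_at_rest(WEAK_CONFIG))
    print("hardened config encrypts secrets at rest:", secrets_encrypted_at_rest(HARDENED_CONFIG))
```

Enabling the hardened configuration only affects Secrets written afterwards; Secrets that already exist in etcd stay in plaintext until they are rewritten (the Kubernetes documentation describes reading all Secrets and replacing them in place for this purpose), which is why the `identity` provider remains at the end of the list during the transition.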

It is essential that you understand how secrets are secured in Kubernetes. Please read and understand the Kubernetes documentation on Secrets.

By default, the bootstrapping process creates system user secrets, LDAP secrets, and image pull secrets (named mapr-imagepull-secrets) in the mapr-system namespace. These secrets are critical for later steps. The various operators create or copy many other secrets in the cluster and Compute Space namespaces. Spark jobs and Drillbits require MapR tickets, deployed as secrets, to connect securely to MapR storage clusters. Some secrets can be generated by tools distributed with this release:
  • The ticketcreator.sh script can create the user's ticket secret and Spark user secrets.
  • The gen-external-secrets.sh script can create host information secrets and user, client, and server secrets for external clusters.

Templates for the various secret types are provided in the examples/secrettemplates directory.