How to handle secrets in ConfigMaps?

8/5/2019

I would like to use a Secret inside a ConfigMap. Is this possible?

Example:

An example where this might be required is if you would like to write from Fluentd to S3. In the configuration you have to add your AWS credentials.

Alternatives:

Using environment variables on the cluster itself. I do not like this idea, because the variable would still contain the secret as plain text.

Passing the password during set-up. If you are using deployment tools, it might be possible to pass the secret during the deployment of your application. This is also not a nice solution, since you are still passing the secret as plain text to the deployment tool. An advantage of this approach is that you do not accidentally check in your secret to Git.

-- User12547645
configmap
kubernetes
kubernetes-secrets

2 Answers

8/5/2019

No, it is not possible. You should always use a Secret for your sensitive data.

By default, Secrets are only the base64-encoded content of files, so you should use something like Vault to securely store your sensitive data.

-- FL3SH
Source: StackOverflow

8/5/2019

Try to avoid making use of AWS credentials in Kubernetes.

As you can see, aws_key_id and aws_sec_key are optional fields.

Make use of an AWS IAM role and assign it to the Kubernetes nodes.

And then try to run your Fluentd application without AWS credentials in its config.

Just give it a try.

Hope this helps.

Update:

This article explains different ways to use AWS IAM for Kubernetes.

Kube2iam and many other tools like this might help. Give it a try.

-- mchawre
Source: StackOverflow
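
The role-based setup described in the answer above, as an added example that is not part of the original answers: a Fluentd S3 output kept in a ConfigMap with no `aws_key_id` / `aws_sec_key`, run by a pod that gets its AWS identity from an IAM role. All names, the bucket, the region, the image and the role are placeholders, and the config mount path `/fluentd/etc` is an assumption about the Fluentd image in use.

```yaml
# Added example: every name, bucket, region, image and role below is a placeholder.
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentd-s3-config
data:
  fluent.conf: |
    <match **>
      @type s3
      # aws_key_id and aws_sec_key are intentionally left out, so no
      # credential is stored in this ConfigMap; the IAM role supplies them.
      s3_bucket example-log-bucket
      s3_region eu-west-1
      path logs/
    </match>
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd
spec:
  selector:
    matchLabels:
      app: fluentd
  template:
    metadata:
      labels:
        app: fluentd
      annotations:
        # Read by kube2iam, if it is deployed, to pick a per-pod role.
        # With a role attached to the nodes themselves, drop this annotation.
        iam.amazonaws.com/role: example-fluentd-s3-writer
    spec:
      containers:
        - name: fluentd
          image: registry.example/fluentd-s3:TAG   # placeholder; needs fluent-plugin-s3
          volumeMounts:
            - name: config
              mountPath: /fluentd/etc              # assumed config directory
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: fluentd-s3-config
```

Scope the role's policy to writing objects in the one log bucket, since any pod that can assume it (or, with a node-level role, any pod on the node) inherits that access.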