This page provides a quick introduction to what Kubernetes secrets are, and how Cloud Code helps enable the Secret Manager API to create, use, and store them.
Introduction to Kubernetes secrets
When creating Kubernetes applications, it's often necessary to pass small amounts of sensitive data such as passwords, SSH keys, or OAuth tokens. Rather than storing this information in a pod specification or container image, you can create Kubernetes secrets to hold it.
By default, Kubernetes secrets are stored unencrypted in the API server's underlying data store. Anyone with API access can retrieve or modify a secret. The Kubernetes Secrets documentation recommends taking at least the following steps to use Kubernetes secrets safely:
- Enable Encryption at Rest for Secrets.
- Enable or configure RBAC rules with least-privilege access to Secrets.
- Restrict Secret access to specific containers.
- Consider using external Secret store providers.
Secret Manager in Cloud Code
Cloud Code helps you use the Secret Manager API to create, version, and store your secrets with encryption at rest from within your IDE. You can use Secret Manager exclusively in Cloud Code, or in addition to other tools you already use for secret management.
Actions available within your IDE with Cloud Code include:
- Enable the Secret Manager API.
- Create Kubernetes secrets using the Secret Manager view or the editor view.
- Version, view, and delete secrets.
- Access secrets from your application.
- Add secrets as environment variables.
- Mount a secret as a volume.
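The RBAC and per-container restrictions from the list of recommended steps, together with a volume mount as in the last item above, as an added example that is not part of the Cloud Code documentation; the `demo` namespace, the `db-creds` secret, the `api-sa` service account and the container images are assumed:

```yaml
# Added example, not from Cloud Code: least-privilege RBAC for one secret
# and a Pod exposing that secret to a single container. All names assumed.
---
# Weak: wildcard verbs on every secret in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: secret-admin-too-broad, namespace: demo}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["*"]
---
# Corrected: read one named secret only (no list/watch, no write verbs).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: db-creds-reader, namespace: demo}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["db-creds"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: db-creds-reader, namespace: demo}
subjects:
- {kind: ServiceAccount, name: api-sa, namespace: demo}
roleRef: {kind: Role, name: db-creds-reader, apiGroup: rbac.authorization.k8s.io}
---
# The secret is mounted read-only into the `api` container only; the
# `log-shipper` sidecar has no volumeMount for it and cannot read it.
apiVersion: v1
kind: Pod
metadata: {name: api, namespace: demo}
spec:
  serviceAccountName: api-sa
  volumes:
  - name: db-creds
    secret: {secretName: db-creds}
  containers:
  - name: api
    image: example.com/api:1.0            # placeholder image
    volumeMounts:
    - {name: db-creds, mountPath: /etc/db-creds, readOnly: true}
  - name: log-shipper
    image: example.com/log-shipper:1.0    # placeholder image
```

The Role only matters for application code that reads the secret through the API; the volume mount is served by the kubelet, so restricting which container has a `volumeMounts` entry is what limits exposure inside the Pod. A volume is shown rather than an environment variable because environment variables are inherited by child processes and tend to surface in crash dumps and diagnostic output.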
Work with Kubernetes secrets in Cloud Code
For step-by-step instructions on creating, versioning, using, and deleting secrets in Cloud Code, see Manage secrets.
What's next
- Read more about Kubernetes secrets in the Kubernetes documentation.
- Familiarize yourself with good practices for Kubernetes secrets.
- Consider using a service account token or other alternatives to secrets.