
Why does k8s secrets need to be base64 encoded when configmaps does not?

When creating a configmap you simply do something like this:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap
data:
  SOME_KEY: a string value
```

But when you want to create a secret you have to echo -n "some secret string" | base64 and then put the result of that in a file looking something like this:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  SOME_KEY: c29tZSBzZWNyZXQgc3RyaW5n
```

I really wonder why there is this difference? Are kubernetes secrets simply base64 encoded strings? I would expect that secrets were stored encrypted in kubernetes.

Benjamin Hammer Nørgaard asked Mar 01 '18 09:03



2 Answers

Secrets can contain binary data (the type is map[string][]byte), and byte arrays are base64-encoded in JSON serialization.

ConfigMaps only contain string data (the type is map[string]string), so the JSON serialization just outputs the string.

In 1.10, ConfigMaps have a new binaryData field that allows storing binary data, which is base64-encoded, just like secrets. https://github.com/kubernetes/kubernetes/pull/57938

Jordan Liggitt answered Sep 23 '22 21:09


> Why does k8s secrets need to be base64 encoded

This allows you to provide binary data (certificates etc.) as secret, and also escape any tricky characters such as " ' \ etc.

> Are kubernetes secrets simply base64 encoded strings?

Yes, kubernetes secrets are not encrypted by default. You have to set up encryption at rest on your own, see https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/

Victor Wong answered Sep 21 '22 21:09
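Both answers above can be checked with Go's `encoding/json`. This is an added example, not code from the answers or from Kubernetes; the `configMap` and `secret` structs are simplified stand-ins that keep only the `data` field types named in the first answer, and the function names are hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Simplified stand-ins for the API types (assumption: only the type of the
// data field matters here, so every other field is left out).
type configMap struct {
	Data map[string]string `json:"data"`
}
type secret struct {
	Data map[string][]byte `json:"data"`
}

// marshalBoth serializes one key/value pair ConfigMap-style and Secret-style.
func marshalBoth(key string, value []byte) (string, string, error) {
	c, err := json.Marshal(configMap{Data: map[string]string{key: string(value)}})
	if err != nil {
		return "", "", err
	}
	s, err := json.Marshal(secret{Data: map[string][]byte{key: value}})
	if err != nil {
		return "", "", err
	}
	return string(c), string(s), nil
}

// reveal parses Secret-style JSON and returns the raw bytes stored under key.
// No key material is needed: json.Unmarshal undoes the base64 step itself.
func reveal(doc, key string) ([]byte, error) {
	var s secret
	if err := json.Unmarshal([]byte(doc), &s); err != nil {
		return nil, err
	}
	v, ok := s.Data[key]
	if !ok {
		return nil, fmt.Errorf("key %q not found", key)
	}
	return v, nil
}

func main() {
	cm, sec, _ := marshalBoth("SOME_KEY", []byte("some secret string"))
	fmt.Println(cm)  // value appears as a plain JSON string
	fmt.Println(sec) // same value, base64-encoded by encoding/json
	plain, _ := base64.StdEncoding.DecodeString("c29tZSBzZWNyZXQgc3RyaW5n")
	fmt.Printf("%s\n", plain) // the manifest value from the question, decoded
}
```

Anyone who can read the Secret object can recover the value this way, which is why read access to Secrets needs restricting and encryption at rest has to be configured separately.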