Kubernetes-native Encryption for AI Environment Variables

Question

Pulumi · Accepted Answer

When dealing with sensitive information, such as environment variables for AI or other applications running on Kubernetes, it's crucial to keep this data encrypted and secure. Kubernetes Secrets are designed to store and manage such sensitive information, which makes them a suitable solution for your needs.

Kubernetes Secrets can contain data like tokens, passwords, or keys, and provide a higher degree of control over how this information is used and accessed. By storing environment variables in Secrets and referencing them in your application deployment configurations, you can reduce the risk of accidental exposure.

Here's a step-by-step guide and a Pulumi program written in Python to create a Kubernetes Secret for encrypting AI environment variables:

1. **Define the Secret**: You'll start by creating a Kubernetes Secret resource.
2. **Encode Data**: The sensitive data stored in Secrets must be base64 encoded.
3. **Use the Secret in a Pod**: Reference the Secret in the Pod specification where your application runs.
4. **Apply the Program**: Deploy the Secret to your Kubernetes cluster using Pulumi.

Below is a complete Pulumi program to create a Kubernetes Secret:

```python
import pulumi
import pulumi_kubernetes as kubernetes
import base64

# Convert your sensitive data into base64 encoding
# Replace 'your-sensitive-data' with the actual data you want to encrypt
sensitive_data_plain = "your-sensitive-data"
sensitive_data_encoded = base64.b64encode(sensitive_data_plain.encode('utf-8')).decode('utf-8')

# Create a Kubernetes Secret resource named 'ai-secret'
ai_secret = kubernetes.core.v1.Secret(
    "ai-secret",
    metadata=kubernetes.meta.v1.ObjectMetaArgs(
        name="ai-secret",
    ),
    # Store the base64 encoded data in the Secret's 'data' field
    data={
        "environment_variable": sensitive_data_encoded,
    }
)

# Export the name of the secret
pulumi.export('secret_name', ai_secret.metadata['name'])

# For more documentation on `kubernetes.core.v1.Secret`, visit:
# https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/secret/
```

In this program, we create a Secret named `ai-secret` with a single environment variable encoded in base64. The Secret's metadata includes a name, which is used to reference it within the Kubernetes API. Once created, you can reference the Secret in a Pod's environment variables like so:

```python
# Assume there's an existing Deployment where you want to use the Secret
app_deployment = kubernetes.apps.v1.Deployment.get('app-deployment', 'existing-deployment-name')

# Modify the container spec to include the Secret as an environment variable
container = app_deployment.spec.template.spec.containers[0]
container.env = [kubernetes.core.v1.EnvVarArgs(
    name='SENSITIVE_ENV_VAR',
    value_from=kubernetes.core.v1.EnvVarSourceArgs(
        secret_key_ref=kubernetes.core.v1.SecretKeySelectorArgs(
            name=ai_secret.metadata['name'],
            key='environment_variable',
        ),
    ),
)]

# Apply the updated Deployment
app_deployment.spec.template.spec.containers[0] = container
app_deployment.apply()

# More documentation on referencing a Secret in a Pod:
# https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets
```

After running the Pulumi program, the Secret will be created in your Kubernetes cluster, and the data can be used securely in your AI environment without exposing the sensitive information in your source code or version control system. When you need to access the data, your application can read the environment variables that Kubernetes injects at runtime. This is a Kubernetes-native approach, leveraging built-in capabilities to provide encryption for sensitive information.