Storing AI Workload Sensitive Data with Kubernetes Secrets
Storing sensitive information such as passwords, OAuth tokens, and SSH keys within Kubernetes can be managed securely using Kubernetes Secrets. Secrets provide a mechanism to hold sensitive information, and Kubernetes ensures the data is encrypted at rest and provides controlled access via Pods.
Below I will guide you through the creation of a Kubernetes Secret using Pulumi and the Python programming language. We will define a new Secret resource, illustrating how you can encode your sensitive data.
Pulumi Program to Create Kubernetes Secret
The following Pulumi program demonstrates how to create a Kubernetes Secret. This secret will store a dummy password and an API key. In real scenarios, you would replace the dummy values with your actual sensitive data.
```python
import pulumi
import pulumi_kubernetes as k8s

# Creating a Kubernetes Secret resource
# Secrets are a way to store sensitive information like passwords, OAuth tokens, and ssh keys.
# They can be consumed by pods in a variety of ways:
# - As files in a volume mounted on one or more containers in a pod
# - By the system for performing actions on behalf of a pod
# - Via the Kubernetes API
secret = k8s.core.v1.Secret(
    "my-secret",  # The name of the secret resource
    metadata={
        "name": "my-sensitive-data"  # Name of the secret in Kubernetes
    },
    # Literal data to store in the secret.
    # This example uses a dummy password and api_key.
    # Remember: real secrets should be handled with care and not hardcoded!
    string_data={
        "password": "dummypassword",  # Your secret password
        "api_key": "dummyapikey"      # Your secret API key
    }
)

# Export the name of the secret
pulumi.export("secret_name", secret.metadata["name"])
```
Explanation
Here's a breakdown of the Pulumi program components:
- Importing Pulumi packages: `pulumi` and `pulumi_kubernetes` are imported to interact with the Pulumi framework and to manage Kubernetes resources, respectively.
- Creating a Kubernetes Secret: The `k8s.core.v1.Secret` class is used to represent a Kubernetes Secret resource. We instantiate this class, giving it a logical name `"my-secret"` for Pulumi to reference it.
- Metadata: We define metadata for the Kubernetes resource. The `name` field is the name Kubernetes will use to identify the secret.
- Data: `string_data` is the dictionary where you can put your sensitive data. In this example `'password': 'dummypassword'` and `'api_key': 'dummyapikey'` are placeholder values. `string_data` keys are the secret's keys, and their values must be provided as strings. Note that real sensitive values should not be hard-coded like this.
- Exporting the secret's name: With `pulumi.export()`, we make the name of the secret available as an output of our Pulumi program. This is helpful when you need to reference the name of your secret elsewhere.
Now, this is a basic example showcasing how to store sensitive data. In production environments, you'd ensure that the actual sensitive data is not stored in plaintext in your Pulumi code. Instead, it's a best practice to use mechanisms such as Pulumi's config secrets, environment variables, or external secret management systems like HashiCorp Vault.
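To make concrete what the `string_data` values become once the API server stores the object, here is an added, stdlib-only Python example (not Pulumi code and not part of the original page) that applies the documented Secret rules: `stringData` entries are base64-encoded into `data`, a `stringData` key overrides the same key in `data`, keys are limited to alphanumerics, `-`, `_` and `.`, and the whole object is capped at 1 MiB. Decoding the stored object back shows that base64 is only encoding, so protecting these values relies on RBAC and the cluster's encryption-at-rest configuration, not on the encoding itself. The manifest and its values are constructed for this example.

```python
import base64
import re
from typing import Dict

# Kubernetes key rule for Secret data/stringData: alphanumerics, '-', '_' and '.'.
_KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")
# Size limit the API server enforces on a single Secret object (1 MiB).
_MAX_SECRET_BYTES = 1024 * 1024


def normalize_secret(manifest: Dict) -> Dict:
    """Return a copy of a Secret manifest as the API server would persist it.

    Mirrors documented behaviour: every stringData entry is base64-encoded into
    data (overriding a same-named data key), stringData itself is dropped, and
    invalid keys or oversized content are rejected.
    """
    data = dict(manifest.get("data") or {})
    for key, value in (manifest.get("stringData") or {}).items():
        if not isinstance(value, str):
            raise ValueError(f"stringData[{key!r}] must be a string")
        data[key] = base64.b64encode(value.encode("utf-8")).decode("ascii")
    for key in data:
        if not _KEY_RE.match(key):
            raise ValueError(f"invalid Secret key {key!r}")
    total = sum(len(k) + len(v) for k, v in data.items())
    if total > _MAX_SECRET_BYTES:
        raise ValueError("Secret exceeds the 1 MiB limit")
    stored = {k: v for k, v in manifest.items() if k != "stringData"}
    stored["data"] = data
    return stored


def reveal(stored: Dict) -> Dict[str, str]:
    """Decode data back to plaintext: anyone with read access to the object sees this."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in stored["data"].items()}


# Constructed manifest matching the Pulumi program above (string_data == stringData).
# The pre-existing 'data' entry is here only to show that stringData wins on conflict.
EXAMPLE = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "my-sensitive-data"},
    "data": {"password": base64.b64encode(b"old-from-data").decode("ascii")},
    "stringData": {"password": "dummypassword", "api_key": "dummyapikey"},
}

if __name__ == "__main__":
    stored = normalize_secret(EXAMPLE)
    print(stored["data"])  # base64 values only; no stringData key remains
    print(reveal(stored))  # {'password': 'dummypassword', 'api_key': 'dummyapikey'}
```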
Remember to use `pulumi up` to deploy this code to your Kubernetes cluster, and `pulumi destroy` to tear it down when you're finished with it. To run this program, you'll need a working Pulumi setup and configured access to a Kubernetes cluster.