You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -65,8 +65,8 @@ To verify that secrets and data has been encrypted using a KMS plugin, [see the
65
65
kubectl exec --stdin --tty <etcd pod name> -n kube-system --etcdctl --cacert /etc/kubernetes/pki/etcd/ca.crt --key /etc/kubernetes/pki/etcd/server.key --cert /etc/kubernetes/pki/etcd/server.crt get /registry/secrets/default/db-user-pass -w fields
66
66
```
67
67
68
-
-`kubectl exec`: This is the kubectl command used to execute a command inside a running pod. It allows you to run commands within the container of a pod.
69
-
-`--stdin`: This flag allows you to send input (stdin) to the command you are running inside the pod.
68
+
-`kubectl exec`: This is the kubectl command used to execute a command inside a running pod. It enables you to run commands within the container of a pod.
69
+
-`--stdin`: This flag enables you to send input (stdin) to the command you are running inside the pod.
70
70
-`--tty`: This flag allocates a TTY (terminal) for the command, making it behave as though you're interacting with a terminal session.
71
71
-`<etcd pod name>`: to find the etcd pod name, run the following command:
-`-n kube-system`: Specifies the namespace where the pod is located. **kube-system** is the default namespace used by Kubernetes for system components, such as etcd and other control plane services.
78
-
-`--etcdctl`: Reads the secret from etcd. Additional fields are used for authentication prior to getting access to etcd.
78
+
-`--etcdctl`: Reads the secret from etcd. Additional fields are used for authentication before you get access to etcd.
79
79
80
80
The following fields are returned in the command output:
81
81
@@ -94,7 +94,7 @@ The following fields are returned in the command output:
94
94
"Count" : <number of key-value pairs returned>
95
95
```
96
96
97
-
After you run the command, examine the `Value` field in the output in the terminal window. This output shows the value stored in etcd secret store for this key, which is the encrypted value of the secret. The value is encrypted using a KMS plugin. The `k8s:enc:kms:v1:` prefix indicates that Kubernetes is using the KMS v1 plugin to store the secret in an encrypted format.
97
+
After you run the command, examine the `Value` field in the output in the terminal window. This output shows the value stored in the etcd secret store for this key, which is the encrypted value of the secret. The value is encrypted using a KMS plugin. The `k8s:enc:kms:v1:` prefix indicates that Kubernetes is using the KMS v1 plugin to store the secret in an encrypted format.
98
98
99
99
> [!NOTE]
100
100
> If you use the `kubectl describe secrets` command to retrieve secrets, it returns them in base64-encoded format, but unencrypted. The `kubectl describe` command retrieves the details of a Kubernetes resource via the API server, which manages encryption and decryption automatically. For sensitive data such as secrets, even if they are mounted on a pod, the API server ensures that they are decrypted when accessed. As a result, running the `kubectl describe` command does not display secrets in their encrypted form, but rather in their decrypted form if they are being used by a resource.
0 commit comments