Table: kubernetes_secret - Query Kubernetes Secrets using SQL
A Kubernetes Secret is a resource that holds sensitive data such as passwords, OAuth tokens, and SSH keys. It provides a more secure and flexible way to manage sensitive data in a Kubernetes cluster than putting this information directly into a pod specification or a Docker image. Kubernetes Secrets decouple sensitive content from the pod specification and limit the visibility of that information to the system components that require access to it.
Table Usage Guide
The kubernetes_secret table provides insights into Kubernetes Secrets within a Kubernetes cluster. As a DevOps engineer, explore secret-specific details through this table, including the type of secret, the namespace it belongs to, and associated metadata. Utilize it to uncover information about secrets, such as those that are not in use, those that are exposed, or those that are stored in a non-compliant manner.
Examples
Basic Info
Explore the age and details of various Kubernetes secrets to understand their creation and configuration for better resource management and security. This could be particularly useful in identifying outdated or potentially vulnerable secrets that may need updating or removal.
select
  name,
  namespace,
  data.key,
  data.value,
  age(current_timestamp, creation_timestamp)
from
  kubernetes_secret,
  jsonb_each(data) as data
order by
  namespace,
  name;

select
  name,
  namespace,
  data.key,
  data.value,
  (julianday('now') - julianday(creation_timestamp)) * 24 * 60 * 60
from
  kubernetes_secret,
  json_each(data) as data
order by
  namespace,
  name;
List and base64 decode secret values
Explore the decoded values of secrets in your Kubernetes environment to better understand the information they hold. This can be particularly useful for troubleshooting or auditing purposes.
select
  name,
  namespace,
  data.key,
  decode(data.value, 'base64') as decoded_data,
  age(current_timestamp, creation_timestamp)
from
  kubernetes_secret,
  jsonb_each_text(data) as data
order by
  namespace,
  name;

select
  name,
  namespace,
  data.key,
  data.value as decoded_data,
  julianday('now') - julianday(creation_timestamp)
from
  kubernetes_secret,
  json_each(data) as data
order by
  namespace,
  name;
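For audits where plaintext values should not land in query output, shell history, or exported reports, the following added example (not part of the original documentation) inventories each secret's keys and the length of the encoded value instead of the value itself, and restricts the result to secrets that are old or that come from manifest files. It uses Postgres syntax and only columns from the schema below; the 90-day threshold and the alias d are assumptions chosen for illustration.

```sql
-- Added example: review secret keys without returning secret values.
-- The 90-day age threshold is an assumed review policy, not a Steampipe default.
select
  namespace,
  name,
  type,
  source_type,
  path,
  coalesce(immutable, false) as immutable,
  d.key as data_key,
  -- Length of the base64 text only; the value itself is never selected.
  length(d.value) as encoded_length,
  age(current_timestamp, creation_timestamp) as secret_age
from
  kubernetes_secret,
  jsonb_each_text(data) as d
where
  -- Deployed secrets that have not been recreated within the assumed window.
  creation_timestamp < current_timestamp - interval '90 days'
  -- Secrets whose data is present in a manifest file on disk.
  or source_type = 'manifest'
order by
  source_type,
  namespace,
  name,
  data_key;
```

Rows with source_type set to manifest carry a non-null path, which points to the file that contains the base64-encoded value.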
List manifest resources
Explore which base64-encoded secret data is associated with each manifest resource in your Kubernetes environment. This can help you assess the elements within your system configuration and identify potential areas of concern.

select
  name,
  namespace,
  data.key,
  data.value,
  path
from
  kubernetes_secret,
  jsonb_each(data) as data
where
  path is not null
order by
  namespace,
  name;

select
  name,
  namespace,
  data.key,
  data.value,
  path
from
  kubernetes_secret,
  json_each(data) as data
where
  path is not null
order by
  namespace,
  name;
Schema for kubernetes_secret
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
annotations | jsonb | | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. |
context_name | text | | Kubectl config context name. |
creation_timestamp | timestamp with time zone | | CreationTimestamp is a timestamp representing the server time when this object was created. |
data | jsonb | | Contains the secret data. |
deletion_grace_period_seconds | bigint | | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. |
deletion_timestamp | timestamp with time zone | | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. |
end_line | bigint | | The path to the manifest file. |
finalizers | jsonb | | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. |
generate_name | text | | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. |
generation | bigint | | A sequence number representing a specific generation of the desired state. |
immutable | boolean | | If set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil. |
labels | jsonb | | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. |
name | text | | Name of the object. Name must be unique within a namespace. |
namespace | text | | Namespace defines the space within which each name must be unique. |
owner_references | jsonb | | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. |
path | text | | The path to the manifest file. |
resource_version | text | | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. |
source_type | text | | The source of the resource. Possible values are: deployed and manifest. If the resource is fetched from the spec file the value will be manifest. |
sp_connection_name | text | | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
start_line | bigint | | The path to the manifest file. |
string_data | jsonb | | Contains the configuration binary data. |
tags | jsonb | | A map of tags for the resource. This includes both labels and annotations. |
title | text | | Title of the resource. |
type | text | | Type of the secret data. |
uid | text | | UID is the unique in time and space value for this object. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- kubernetes
You can pass the configuration to the command with the --config argument:
steampipe_export_kubernetes --config '<your_config>' kubernetes_secret