The Ops Community ⚙️

Patrick Londa for Blink Ops

Originally published at blinkops.com

Getting and Deleting Orphaned Secrets with Kubectl

Keeping Kubernetes clusters clean and organized matters to DevOps teams for two reasons: unneeded objects waste compute and money, and in the case of orphaned Secrets they leave credentials sitting in the cluster that nothing needs but that anyone with read access to the namespace can still retrieve.

In this guide, we’ll focus on cleaning up your Kubernetes clusters by finding and deleting orphaned Secrets.

Secrets are API objects that hold small amounts of confidential data such as passwords, tokens, or keys. Keeping that data in a Secret separates it from container images, Pod specifications, and application code, which is a useful extra layer of Pod security. Note that a Secret's data is only base64-encoded, not encrypted, unless encryption at rest has been configured for the API server; anyone who can read the object can recover the plaintext.

Secrets become orphaned when the Deployment, Pod, or other object they were created to support is gone but the Secret itself was never deleted. Removing orphaned Secrets reduces clutter in the cluster and shrinks the set of live credentials that an attacker with read access could harvest (and that you would otherwise have to rotate).

Finding and Deleting Orphaned Secrets

Here are the steps to identify and remove orphaned Secrets:

Step 1: Find all Secrets

To start, you can generate a list of all Secrets with this command:

kubectl get secrets --all-namespaces -o json

This command returns every Secret in every namespace, but as you'll see, a Secret object carries no reference to whatever consumes it (at most an ownerReference, if a controller set one). Note also that the JSON output includes the base64-encoded data fields, so treat it as sensitive and do not paste it into tickets or logs.

You therefore need to build the list from the other direction: the resources that reference Secrets. A Secret can be referenced from several places:

  • Pod volumes (secret volumes, and secret sources inside projected volumes)
  • Container environment (env entries with valueFrom.secretKeyRef, and envFrom with secretRef)
  • The TLS section of Ingresses
  • imagePullSecrets on Pods and on ServiceAccounts
  • Custom resources handled by operators, which often read or write Secrets without any Pod referencing them directly

Step 2: Compare with a List of Used Secrets

To do the comparison for the current namespace, run the following commands. They collect the Secret names referenced by Pods and Ingresses, then diff that list against the Secrets that actually exist:

# Secret names referenced from Pod specs in the current namespace
envSecrets=$(kubectl get pods -o jsonpath='{.items[*].spec.containers[*].env[*].valueFrom.secretKeyRef.name}' | xargs -n1)
envSecrets2=$(kubectl get pods -o jsonpath='{.items[*].spec.containers[*].envFrom[*].secretRef.name}' | xargs -n1)
volumeSecrets=$(kubectl get pods -o jsonpath='{.items[*].spec.volumes[*].secret.secretName}' | xargs -n1)
pullSecrets=$(kubectl get pods -o jsonpath='{.items[*].spec.imagePullSecrets[*].name}' | xargs -n1)
# Secret names referenced from Ingress TLS sections
tlsSecrets=$(kubectl get ingress -o jsonpath='{.items[*].spec.tls[*].secretName}' | xargs -n1)

# Left side: referenced names. Right side: existing names.
# ">" lines exist but are referenced by nothing above (orphan candidates).
# "<" lines are referenced but do not exist (dangling references).
diff \
  <(printf '%s\n' $envSecrets $envSecrets2 $volumeSecrets $pullSecrets $tlsSecrets | sed '/^$/d' | sort -u) \
  <(kubectl get secrets -o jsonpath='{.items[*].metadata.name}' | xargs -n1 | sort -u)

The lines marked ">" are Secrets that exist but are referenced by none of the objects above. Treat them as candidates, not as a confirmed delete list: the commands only look at Pods and Ingresses in the current namespace, so a Secret consumed by a ServiceAccount, by an operator through a custom resource, or by tooling that stores its own state in Secrets (Helm keeps release history in Secrets of type helm.sh/release.v1, for example) will show up as unused even though deleting it would break something. Check each candidate's type, labels and ownerReferences before deleting it. Lines marked "<" are the opposite problem: a Pod or Ingress points at a Secret that does not exist, which usually means a workload that cannot start.

Step 3: Delete Orphaned Secrets

Delete each confirmed orphaned Secret with this command:

kubectl delete secret samplesecret

Example output confirming deletion:

secret "samplesecret" deleted
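The script below is an added example and not part of the original post. It applies the Step 2 comparison to the JSON that kubectl emits and goes further than the shell pipeline above: it is namespace-aware (so it works on --all-namespaces output, where two namespaces may each have a Secret of the same name), it also follows references from initContainers, ephemeralContainers, projected volumes and ServiceAccounts, it skips Secrets a controller is responsible for (anything with an ownerReference, plus the helm.sh/release.v1 and kubernetes.io/service-account-token types), and it reports dangling references separately. The Pod, Ingress, ServiceAccount and Secret objects are constructed inside the script so it runs without a cluster; in a real run they would be the items of kubectl get <kind> --all-namespaces -o json. All object names (api-0, db-creds, old-api-tls and so on) are made up.

```python
"""Orphan-Secret audit over kubectl's JSON output (added example, not from the original post).
In a real run the four lists are the `items` of `kubectl get <kind> --all-namespaces -o json`
for pods, ingresses, serviceaccounts and secrets; here they are constructed so it runs offline."""

# Secret types a controller writes and reads itself. Deleting them breaks Helm's release
# history or a ServiceAccount token, so they are never reported as orphan candidates.
CONTROLLER_OWNED_TYPES = {"helm.sh/release.v1", "kubernetes.io/service-account-token"}


def pod_secret_refs(pod):
    """Yield every Secret name a Pod spec references: all container kinds, env/envFrom,
    secret and projected volumes, and imagePullSecrets."""
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []) + spec.get("ephemeralContainers", []):
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                yield env["valueFrom"]["secretKeyRef"]["name"]
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                yield src["secretRef"]["name"]
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            yield vol["secret"]["secretName"]
        for src in vol.get("projected", {}).get("sources", []):  # projected volumes embed Secrets too
            if "secret" in src:
                yield src["secret"]["name"]
    for ips in spec.get("imagePullSecrets", []):
        yield ips["name"]


def referenced_secrets(pods, ingresses, serviceaccounts):
    """Return {(namespace, name)} referenced by Pods, Ingress TLS and ServiceAccounts.
    Secret references are namespace-local, so the namespace is part of the key."""
    refs = set()
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        refs.update((ns, name) for name in pod_secret_refs(pod))
    for ing in ingresses:
        for tls in ing.get("spec", {}).get("tls", []):
            if "secretName" in tls:
                refs.add((ing["metadata"]["namespace"], tls["secretName"]))
    for sa in serviceaccounts:
        for ref in sa.get("secrets", []) + sa.get("imagePullSecrets", []):
            refs.add((sa["metadata"]["namespace"], ref["name"]))
    return refs


def audit(pods, ingresses, serviceaccounts, secrets):
    """Return (orphan_candidates, dangling_refs) as sorted "namespace/name" lists.
    A candidate is an unreferenced Secret with neither a controller-owned type nor an
    ownerReference (its owner, or garbage collection, is responsible for those).
    A dangling ref names a Secret that does not exist, i.e. a Pod that cannot start."""
    refs = referenced_secrets(pods, ingresses, serviceaccounts)
    existing, candidates = set(), set()
    for sec in secrets:
        md = sec["metadata"]
        key = (md["namespace"], md["name"])
        existing.add(key)
        if key not in refs and sec.get("type") not in CONTROLLER_OWNED_TYPES and not md.get("ownerReferences"):
            candidates.add(key)

    def as_list(keys):
        return sorted(f"{ns}/{name}" for ns, name in keys)
    return as_list(candidates), as_list(refs - existing)


# Constructed sample objects in the shape of `kubectl get ... -o json` items (not real cluster data).
def _secret(ns, name, typ="Opaque", owner=None):
    md = {"name": name, "namespace": ns, **({"ownerReferences": [owner]} if owner else {})}
    return {"metadata": md, "type": typ}

SAMPLE_PODS = [
    {"metadata": {"name": "api-0", "namespace": "prod"}, "spec": {
        "initContainers": [{"name": "migrate", "envFrom": [{"secretRef": {"name": "db-creds"}}]}],
        "containers": [{"name": "api", "env": [{"name": "TOKEN", "valueFrom": {
            "secretKeyRef": {"name": "api-token", "key": "token"}}}]}],
        "volumes": [{"name": "cfg", "secret": {"secretName": "app-config"}},
                    {"name": "certs", "projected": {"sources": [{"secret": {"name": "mtls-client"}}]}}],
        "imagePullSecrets": [{"name": "registry-pull"}]}},
    {"metadata": {"name": "worker-0", "namespace": "staging"}, "spec": {
        "containers": [{"name": "worker", "envFrom": [{"secretRef": {"name": "missing-secret"}}]}]}},
]
SAMPLE_INGRESSES = [{"metadata": {"name": "api", "namespace": "prod"},
                     "spec": {"tls": [{"secretName": "api-tls"}]}}]
SAMPLE_SERVICEACCOUNTS = [{"metadata": {"name": "deployer", "namespace": "prod"},
                           "imagePullSecrets": [{"name": "registry-pull"}]}]
SAMPLE_SECRETS = [
    _secret("prod", "db-creds"), _secret("prod", "api-token"), _secret("prod", "app-config"),
    _secret("prod", "mtls-client"), _secret("prod", "registry-pull"), _secret("prod", "api-tls", "kubernetes.io/tls"),
    _secret("prod", "old-api-tls", "kubernetes.io/tls"),                 # unreferenced: reported
    _secret("prod", "sh.helm.release.v1.api.v3", "helm.sh/release.v1"),   # Helm history: skipped
    _secret("prod", "api-generated", owner={"apiVersion": "apps/v1", "kind": "StatefulSet",
                                             "name": "api", "uid": "0"}),  # has an owner: skipped
    _secret("staging", "db-creds"),   # same name as prod's, but nothing in staging references it
]

if __name__ == "__main__":
    cands, dangling = audit(SAMPLE_PODS, SAMPLE_INGRESSES, SAMPLE_SERVICEACCOUNTS, SAMPLE_SECRETS)
    print("orphan candidates:", cands)        # ['prod/old-api-tls', 'staging/db-creds']
    print("dangling references:", dangling)   # ['staging/missing-secret']
```

Run it with python3 as is to see the two lists on the constructed data. Against a real cluster, dump the four resource kinds with kubectl and load their items into the four lists; the candidates it prints are still only candidates, and each one should be checked the way Step 2 describes before it is handed to kubectl delete secret.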

After you've deleted the orphaned Secrets, you'll have removed unneeded objects from the cluster and reduced the number of live credentials stored in it. Doing this regularly keeps the set of Secrets in each namespace close to what is actually in use. Bear in mind that deleting the object does not invalidate the password or token it held, so if you are unsure where else a credential may have been copied, rotate it at the source as well.

Hope this guide helps you clean up your Kubernetes cluster!
