Getting and Deleting Orphaned Secrets with Kubectl
Maintaining clean and organized Kubernetes clusters matters to DevOps teams: it avoids wasting compute and money unnecessarily and, in the case of orphaned Secrets, avoids leaving exposed resources that could compromise security.
In this guide, we’ll focus on cleaning up your Kubernetes clusters by finding and deleting orphaned Secrets.
Secrets are API objects created to hold small amounts of confidential data like passwords, tokens, or keys. These objects allow the separation of private encrypted data from container images, Pod specifications, and application code, thus providing an extra useful layer of Pod security.
Secrets may get orphaned if they are left isolated from the deployment they were created to support, or if their owners have been purged. By removing orphaned Secrets, you’ll reduce clutter in the cluster and remove security vulnerabilities.
Finding and Deleting Orphaned Secrets
Here are the steps you should take to identify and remove orphaned Secrets:
Step 1: Find all Secrets
To start, you can generate a list of all Secrets with this command:
This command returns the list of Secrets across all namespaces, but as you'll see, a Secret object does not reference its owner, so the listing alone cannot tell you which Secrets are in use.
You need to list all Secrets referenced by resources. Secrets can be referenced in several places:
- Pod volumes
- Container environment variables
- The TLS section of Ingresses
- imagePullSecrets
- Custom Resource Definitions
Step 2: Compare with a List of Used Secrets
To find the orphans in the current namespace, run the following commands, which list every Secret that is in use and diff that list against the existing Secrets:
Now that you have a list of all the unused orphaned Secrets, you can start cleaning up by deleting them.
Step 3: Delete Orphaned Secrets
Delete each orphaned Secret you found with this command:
Example output confirming deletion:
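As an added, offline-runnable worked example (not the page's own commands or Blink's tooling), the following Python combines Steps 1 and 2: it takes the parsed `items` of `kubectl get secrets -A -o json`, `kubectl get pods -A -o json` and `kubectl get ingresses -A -o json`, collects every Secret referenced from Pod volumes, container environment variables, imagePullSecrets and Ingress TLS, and reports what is left. The sample objects are constructed, skipping service-account token Secrets is an assumption, and references from Custom Resource Definitions are not covered, so review the result before deleting.

```python
def referenced_secrets(pods, ingresses):
    """(namespace, name) of every Secret named in Pod volumes (plain or
    projected), container env/envFrom, imagePullSecrets and Ingress TLS."""
    used = set()
    for pod in pods:
        ns, spec = pod["metadata"]["namespace"], pod["spec"]
        for vol in spec.get("volumes", []):
            if "secret" in vol:
                used.add((ns, vol["secret"]["secretName"]))
            for src in vol.get("projected", {}).get("sources", []):
                if "secret" in src:
                    used.add((ns, src["secret"]["name"]))
        for ref in spec.get("imagePullSecrets", []):
            used.add((ns, ref["name"]))
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for env in c.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    used.add((ns, ref["name"]))
            for src in c.get("envFrom", []):
                if "secretRef" in src:
                    used.add((ns, src["secretRef"]["name"]))
    for ing in ingresses:
        for tls in ing.get("spec", {}).get("tls", []):
            if "secretName" in tls:
                used.add((ing["metadata"]["namespace"], tls["secretName"]))
    return used

def orphaned_secrets(secrets, pods, ingresses):
    """Existing Secrets minus referenced ones. Service-account token Secrets are
    skipped (assumption: they belong to ServiceAccounts, not to Pod specs)."""
    existing = {(s["metadata"]["namespace"], s["metadata"]["name"]) for s in secrets
                if s.get("type") != "kubernetes.io/service-account-token"}
    return sorted(existing - referenced_secrets(pods, ingresses))

# Constructed sample cluster state (not real kubectl output) for an offline run.
SAMPLE_SECRETS = [{"metadata": {"namespace": "app", "name": n}, "type": "Opaque"}
                  for n in ("db-creds", "tls-cert", "old-api-key", "registry")]
SAMPLE_PODS = [{"metadata": {"namespace": "app"}, "spec": {
    "imagePullSecrets": [{"name": "registry"}],
    "volumes": [{"name": "v", "secret": {"secretName": "db-creds"}}],
    "containers": [{"name": "c", "envFrom": [{"secretRef": {"name": "db-creds"}}]}]}}]
SAMPLE_INGRESSES = [{"metadata": {"namespace": "app"},
                     "spec": {"tls": [{"secretName": "tls-cert"}]}}]

if __name__ == "__main__":  # print, rather than run, the Step 3 delete commands
    for ns, name in orphaned_secrets(SAMPLE_SECRETS, SAMPLE_PODS, SAMPLE_INGRESSES):
        print(f"kubectl delete secret {name} -n {ns}")
```

On the sample data only `old-api-key` is reported; feed the script real `items` lists to audit a cluster.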
After you've deleted all the orphaned Secrets, you'll have removed unneeded resources from your cluster, freeing up storage space and making your cluster more secure. Removing orphaned resources regularly keeps your team's Kubernetes resource management in good shape.
Automatically Identify Orphaned Secrets with Blink
Finding and removing orphaned Secrets takes a few steps and you might not remember to make it a part of your routine.
With a free Blink account, you can schedule automated checks just like this one so you can maintain your Kubernetes clusters in just a couple of clicks.
Get started and create your free Blink account today.