
Getting and Deleting Orphaned Secrets with Kubectl

Orphaned Secrets can be a security liability and waste memory and storage in your cluster. In this guide, we'll show you how to locate and delete orphaned Secrets using kubectl commands.


Maintaining clean and organized Kubernetes clusters is important for DevOps teams so that they don’t waste computing or financial resources unnecessarily, or, in the case of orphaned Secrets, leave exposed resources that could compromise security.

In this guide, we’ll focus on cleaning up your Kubernetes clusters by finding and deleting orphaned Secrets.

Secrets are API objects created to hold small amounts of confidential data like passwords, tokens, or keys. These objects keep private data separate from container images, Pod specifications, and application code, thus providing an extra useful layer of Pod security.

Secrets may get orphaned if they are left isolated from the deployment they were created to support, or if their owners have been purged. By removing orphaned Secrets, you’ll reduce clutter in the cluster and remove credentials that nothing uses but that an attacker with read access could still harvest.

Finding and Deleting Orphaned Secrets

Here are the steps you should take to identify and remove orphaned Secrets:

Step 1: Find all Secrets

To start, you can generate a list of all Secrets with this command:

kubectl get secrets --all-namespaces -o json

This command will return the list of Secrets across all namespaces, but, as you’ll see, a Secret object does not record which workloads reference it, so this list alone cannot tell you which Secrets are orphaned.

You therefore need to list all Secrets referenced by other resources. Secrets can be referenced in several places:

  • Pod volumes
  • Container environment variables
  • The TLS section of Ingresses
  • imagePullSecrets
  • Custom Resource Definitions

Step 2: Compare with a List of Used Secrets

To find the unused Secrets in the current namespace, run the following commands. They collect every Secret name referenced by Pods and Ingresses, then diff that list against the Secrets that actually exist (the commands use process substitution, so run them in bash):

envSecrets=$(kubectl get pods -o jsonpath='{.items[*].spec.containers[*].env[*].valueFrom.secretKeyRef.name}' | xargs -n1)
envSecrets2=$(kubectl get pods -o jsonpath='{.items[*].spec.containers[*].envFrom[*].secretRef.name}' | xargs -n1)
volumeSecrets=$(kubectl get pods -o jsonpath='{.items[*].spec.volumes[*].secret.secretName}' | xargs -n1)
pullSecrets=$(kubectl get pods -o jsonpath='{.items[*].spec.imagePullSecrets[*].name}' | xargs -n1)
tlsSecrets=$(kubectl get ingress -o jsonpath='{.items[*].spec.tls[*].secretName}' | xargs -n1)

diff \
  <(printf '%s\n' "$envSecrets" "$envSecrets2" "$volumeSecrets" "$pullSecrets" "$tlsSecrets" | grep -v '^$' | sort -u) \
  <(kubectl get secrets -o jsonpath='{.items[*].metadata.name}' | xargs -n1 | sort -u)

Lines that diff prints with a leading “>” are Secrets that exist but are not referenced by any Pod or Ingress in the namespace: these are your orphan candidates. Review them before deleting, because Secrets referenced only by Custom Resources, by service accounts (type kubernetes.io/service-account-token), or by tooling such as Helm (type helm.sh/release.v1) will also appear in this list. Once you have confirmed which Secrets are truly unused, you can start cleaning up by deleting them.

Step 3: Delete Orphaned Secrets

Delete the found orphaned Secret with this command:

kubectl delete secret samplesecret

Example output confirming deletion:

secret "samplesecret" deleted
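The following script is an added example, not part of the original post or of Blink’s tooling. It performs the same referenced-versus-existing comparison as the diff above, but goes further than the page’s five jsonpath selectors: it also checks initContainers and ephemeralContainers, projected volumes with Secret sources, and it scopes references per namespace so that a Secret used in one namespace is not mistaken for a reference to a same-named Secret elsewhere. It also skips Secret types that are owned by the control plane or by Helm and are never referenced from a Pod spec, since deleting those breaks service accounts and releases. It assumes the JSON produced by `kubectl get pods,ingresses,secrets -o json` on stdin; the `--sample` flag and the embedded SAMPLE data are constructed for illustration. Secrets referenced only by Custom Resources are still not detected, so the output is a list of candidates to review, not a delete list.

```python
"""Find Secrets that no Pod or Ingress references (added example, not the blog's own code)."""
import json
import sys

# Secret types owned by the control plane or tooling; never referenced by
# a Pod spec, so they must not be treated as orphans.
SYSTEM_SECRET_TYPES = {
    "kubernetes.io/service-account-token",
    "helm.sh/release.v1",
    "bootstrap.kubernetes.io/token",
}


def _pod_secret_refs(pod):
    """Yield every Secret name a single Pod spec references."""
    spec = pod.get("spec", {})
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(key, []):
            for env in c.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    yield ref["name"]
            for src in c.get("envFrom", []):
                if "secretRef" in src:
                    yield src["secretRef"]["name"]
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            yield vol["secret"]["secretName"]
        # Projected volumes can bundle several Secret sources.
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                yield src["secret"]["name"]
    for ips in spec.get("imagePullSecrets", []):
        yield ips["name"]


def referenced_secrets(items):
    """Return {namespace: set of Secret names} referenced by Pods and Ingresses."""
    refs = {}
    for obj in items:
        ns = obj["metadata"].get("namespace", "default")
        kind = obj.get("kind")
        if kind == "Pod":
            names = _pod_secret_refs(obj)
        elif kind == "Ingress":
            names = (t["secretName"] for t in obj.get("spec", {}).get("tls", []) if "secretName" in t)
        else:
            continue
        refs.setdefault(ns, set()).update(names)
    return refs


def orphan_candidates(items):
    """Return sorted (namespace, name) pairs of Secrets nothing in `items` references."""
    refs = referenced_secrets(items)
    orphans = []
    for obj in items:
        if obj.get("kind") != "Secret" or obj.get("type") in SYSTEM_SECRET_TYPES:
            continue
        ns = obj["metadata"].get("namespace", "default")
        name = obj["metadata"]["name"]
        if name not in refs.get(ns, set()):
            orphans.append((ns, name))
    return sorted(orphans)


# Constructed sample in the shape of `kubectl get pods,ingresses,secrets -o json`.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop"}, "spec": {
        "imagePullSecrets": [{"name": "registry-creds"}],
        "initContainers": [{"name": "migrate", "env": [
            {"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}]}],
        "containers": [{"name": "app", "envFrom": [{"secretRef": {"name": "app-config"}}]}],
        "volumes": [{"name": "tls", "secret": {"secretName": "web-tls"}},
                    {"name": "bundle", "projected": {"sources": [{"secret": {"name": "signing-key"}}]}}]}},
    {"kind": "Ingress", "metadata": {"name": "web", "namespace": "shop"},
     "spec": {"tls": [{"hosts": ["shop.example"], "secretName": "ingress-tls"}]}},
    # Six referenced Secrets plus two stale ones in the same namespace.
    *[{"kind": "Secret", "type": "Opaque", "metadata": {"name": n, "namespace": "shop"}}
      for n in ("registry-creds", "db-creds", "app-config", "web-tls", "signing-key",
                "ingress-tls", "old-db-creds", "web-tls-2023")],
    {"kind": "Secret", "type": "helm.sh/release.v1",
     "metadata": {"name": "sh.helm.release.v1.web.v3", "namespace": "shop"}},
    # Same name as a referenced Secret, but in a namespace where nothing uses it.
    {"kind": "Secret", "type": "Opaque", "metadata": {"name": "db-creds", "namespace": "staging"}},
]}

if __name__ == "__main__":
    data = SAMPLE if "--sample" in sys.argv[1:] else json.load(sys.stdin)
    for ns, name in orphan_candidates(data["items"]):
        print(f"{ns}/{name}")
```

Run it as `kubectl get pods,ingresses,secrets --all-namespaces -o json | python3 find_orphans.py` against a live cluster, or with `--sample` to see the constructed data produce `shop/old-db-creds`, `shop/web-tls-2023` and `staging/db-creds` while the Helm release Secret and the six referenced Secrets are left alone. Each printed name still deserves a look (a Custom Resource such as a cert-manager Certificate may be its real owner) before it is handed to `kubectl delete secret`.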

After you’ve deleted all the orphaned Secrets, you’ll have removed unneeded resources from your cluster, freeing up storage space and shrinking the set of credentials an attacker could harvest. If you remove orphaned resources regularly, you’ll ensure that your team is maintaining optimal Kubernetes resource management.

Simplify Locating Orphaned Secrets with Blink

Finding and removing orphaned Secrets takes a few steps and you might not remember to make it a part of your routine.

With a free Blink account, you can schedule automated checks just like this one so you can maintain your Kubernetes clusters in just a couple clicks.

Get started and create your free Blink account today.
