Getting and Deleting Orphaned Secrets with Kubectl

Orphaned Secrets can be a security liability and waste memory and storage in your cluster. In this guide, we'll show you how to locate and delete orphaned Secrets using kubectl commands.

Patrick Londa, Author
Jun 6, 2022 • 5 min read

Maintaining clean and organized Kubernetes clusters is important for DevOps teams: it avoids wasting computing or financial resources unnecessarily and, in the case of orphaned Secrets, avoids leaving exposed resources that could compromise security.

In this guide, we’ll focus on cleaning up your Kubernetes clusters by finding and deleting orphaned Secrets.

Secrets are API objects created to hold small amounts of confidential data like passwords, tokens, or keys. These objects allow the separation of private encrypted data from container images, Pod specifications, and application code, thus providing an extra useful layer of Pod security.

Secrets may get orphaned if they are left isolated from the deployment they were created to support, or if their owners have been purged. By removing orphaned Secrets, you’ll reduce clutter in the cluster and remove security vulnerabilities.


Finding and Deleting Orphaned Secrets

Here are the steps you should take to identify and remove orphaned Secrets:

Step 1: Find all Secrets

To start, you can generate a list of all Secrets with this command:

kubectl get secrets --all-namespaces -o json

This command will return the list of Secrets across all namespaces, but as you’ll see, the Secret object does not reference its owner.

You need to list all Secrets referenced by resources. Secrets can be referenced in several places:

  • Pod volumes
  • Container environment variables
  • TLS section of Ingresses
  • ImagePullSecrets
  • Custom Resource Definitions

Step 2: Compare with a List of Used Secrets

To find unused Secrets in the current namespace, run the following commands, which collect the Secrets referenced by Pods and Ingresses and diff that list against the Secrets that actually exist:

# Secrets referenced from container environment variables (env and envFrom)
envSecrets=$(kubectl get pods -o jsonpath='{.items[*].spec.containers[*].env[*].valueFrom.secretKeyRef.name}' | xargs -n1)
envSecrets2=$(kubectl get pods -o jsonpath='{.items[*].spec.containers[*].envFrom[*].secretRef.name}' | xargs -n1)
# Secrets mounted as volumes
volumeSecrets=$(kubectl get pods -o jsonpath='{.items[*].spec.volumes[*].secret.secretName}' | xargs -n1)
# Secrets used to pull images
pullSecrets=$(kubectl get pods -o jsonpath='{.items[*].spec.imagePullSecrets[*].name}' | xargs -n1)
# Secrets referenced by the TLS section of Ingresses
tlsSecrets=$(kubectl get ingress -o jsonpath='{.items[*].spec.tls[*].secretName}' | xargs -n1)

# printf is used instead of echo so the newlines are actually emitted.
# Secrets that exist but are not referenced anywhere show up prefixed with ">".
diff \
  <(printf '%s\n' "$envSecrets" "$envSecrets2" "$volumeSecrets" "$pullSecrets" "$tlsSecrets" | grep -v '^$' | sort -u) \
  <(kubectl get secrets -o jsonpath='{.items[*].metadata.name}' | xargs -n1 | sort -u)

Secret names that exist but are not referenced by any of the resources above appear in the diff output prefixed with >. This is your candidate list of orphaned Secrets. Keep in mind that these commands only cover the current namespace and do not inspect Custom Resource Definitions, so review the list before you start deleting.
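As an added example (not code from the original post or from Blink), here is a Python version of the Step 2 comparison that works on the JSON produced by `kubectl get secrets -o json`, `kubectl get pods -o json` and `kubectl get ingress -o json`. It goes beyond the page's shell script by also checking initContainers and projected volumes, and by skipping Secrets that carry ownerReferences, which are assumed here to be cleaned up together with their owner by Kubernetes garbage collection; the Secret, Pod and Ingress objects at the bottom are constructed sample data, not output from a real cluster.

```python
import json

def secret_refs_from_pod(pod):
    """Names of Secrets one Pod references (env, envFrom, volumes, pull secrets)."""
    spec, refs = pod.get("spec", {}), set()
    # Init containers are checked too; the page's jsonpath only covers .containers
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                refs.add(env["valueFrom"]["secretKeyRef"]["name"])
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                refs.add(src["secretRef"]["name"])
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            refs.add(vol["secret"]["secretName"])
        for src in vol.get("projected", {}).get("sources", []):  # projected volumes
            if "secret" in src:
                refs.add(src["secret"]["name"])
    refs.update(ps["name"] for ps in spec.get("imagePullSecrets", []))
    return refs

def find_orphaned_secrets(secrets_json, pods_json, ingresses_json):
    """Sorted names of Secrets referenced by no Pod and no Ingress TLS block.
    Inputs are the text of `kubectl get <kind> -o json` for one namespace.
    Secrets with ownerReferences are skipped: the API server garbage-collects
    them together with their owner, so they are not treated as orphans here."""
    used = set()
    for pod in json.loads(pods_json)["items"]:
        used |= secret_refs_from_pod(pod)
    for ing in json.loads(ingresses_json)["items"]:
        used.update(t["secretName"] for t in ing.get("spec", {}).get("tls", []) if "secretName" in t)
    return sorted(s["metadata"]["name"] for s in json.loads(secrets_json)["items"]
                  if not s["metadata"].get("ownerReferences")
                  and s["metadata"]["name"] not in used)

# Constructed sample data standing in for kubectl output (not from a real cluster)
SECRETS = json.dumps({"items": [{"metadata": {"name": n}} for n in
    ["db-creds", "init-token", "tls-cert", "registry-pull", "old-api-key"]]
    + [{"metadata": {"name": "owned-by-sa", "ownerReferences": [{"kind": "ServiceAccount"}]}}]})
PODS = json.dumps({"items": [{"spec": {
    "containers": [{"env": [{"name": "PW", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "p"}}}]}],
    "initContainers": [{"envFrom": [{"secretRef": {"name": "init-token"}}]}],
    "volumes": [{"projected": {"sources": [{"secret": {"name": "tls-cert"}}]}}],
    "imagePullSecrets": [{"name": "registry-pull"}]}}]})
INGRESSES = json.dumps({"items": [{"spec": {"tls": [{"secretName": "tls-cert"}]}}]})

if __name__ == "__main__":
    print(find_orphaned_secrets(SECRETS, PODS, INGRESSES))  # ['old-api-key']
```

Only `old-api-key` is reported: every other Secret is referenced by the sample Pod or Ingress, and `owned-by-sa` is excluded because it has an owner.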

Step 3: Delete Orphaned Secrets

Delete each orphaned Secret you found with this command:

kubectl delete secret samplesecret

Example output confirming deletion:

secret "samplesecret" deleted

After you’ve deleted all the orphaned Secrets, you’ll have removed unneeded resources from your cluster, freeing up storage space and making your cluster more secure. If you remove orphaned resources regularly, you’ll ensure that your team is maintaining optimal Kubernetes resource management.

Automatically Identify Orphaned Secrets with Blink

Finding and removing orphaned Secrets takes a few steps and you might not remember to make it a part of your routine.

With Blink, you can schedule automated checks like this one so you can maintain your Kubernetes clusters in just a couple clicks:

Blink Automation: Find Orphaned Resources in Kubernetes

This automation is available in the Blink library. When it runs, it does the following steps:

  1. Finds unused Secrets on the cluster.
  2. Finds unused ConfigMaps on the cluster.
  3. Finds unused Services on the cluster.
  4. Sends a report to a Slack channel.

This simple automation is easy to customize. Run it on a schedule, add approval steps to remove resources, or send the report via email or Teams instead.

There are over 5K automations in the Blink library to choose from, or you can build your own to match your unique needs.

Get started with Blink today and see how easy automation can be.
