Creating and Managing Secrets in Kubernetes

A Kubernetes secret is an object that contains sensitive or confidential data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in a container image.

Secrets are normally created independently of the pods that use them. This means that there is less risk of the secret data being exposed when the pods are beeing created, updated, viewed or managed.

Secrets are similar to ConfigMaps but are specifically intended to hold confidential data.

Prerequisites

Before you begin, you need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster.

Use raw data

Create a Secret directly with kubectl

1
2
3
4
kubectl create secret generic db-user-pass \
  -n dev \
  --from-literal=username=app \
  --from-literal=password='S!B\*d$zDsb='

You must use single quotes '' to escape special characters such as $, \, *, =, and ! in your strings. If you don’t, your shell will interpret these characters.

Use source files

Store the credentials in files:

1
2
echo -n 'admin' > ./username.txt
echo -n 'S!B\*d$zDsb=' > ./password.txt

The -n flag ensures that the generated files do not have an extra newline character at the end of the text. This is important because when kubectl reads a file and encodes the content into a base64 string, the extra newline character gets encoded too. You do not need to escape special characters in strings that you include in a file.

Pass the file paths in the kubectl command:

1
2
3
kubectl create secret generic db-user-pass \
 --from-file=./username.txt \
 --from-file=./password.txt

The default key name is the file name. You can optionally set the key name using --from-file=[key=]source. For example:

1
2
3
kubectl create secret generic db-user-pass \
 --from-file=username=./username.txt \
 --from-file=password=./password.txt

Convert your secret data to a base-64 representation

Use a base64 encoding tool to convert your username and password to a base64 representation. Here’s an example using the commonly available base64 program:

1
2
echo -n "app" | base64
echo -n "secret" | base64

Here is a configuration file you can use to create a Secret that holds your username and password:

1
2
3
4
5
6
7
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  username: YXBw
  password: c2VjcmV0

Create the Secret with this command:

1
kubectl apply -f ./secret.yaml

Check information in the secret:

1
kubectl get secret test-secret

Getting more more detailed information about the Secret:

1
kubectl describe secret test-secret

Decode the Secret

View the contents of the Secret you created:

1
kubectl get secret db-user-pass -o jsonpath='{.data}'

The output is similar to:

1
{ "password": "UyFCXCpkJHpEc2I9", "username": "YWRtaW4=" }

Decode the password data:

1
echo 'UyFCXCpkJHpEc2I9' | base64 --decode

The output is similar to:

1
S!B\*d$zDsb=

You can combine the view and decode commands.

1
kubectl get secret db-user-pass -o jsonpath='{.data.password}' | base64 --decode

Edit a Secret

You can edit an existing Secret object unless it is immutable. To edit a Secret, run the following command:

1
kubectl edit secrets <secret-name>

This opens your default editor and allows you to update the base64 encoded Secret values in the data field,

Clean up

To delete a Secret, run the following command:

1
kubectl delete secret db-user-pass