
Base64 encoding in Secrets in Kubernetes - Commands & Configuration

Introduction
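Kubernetes Secrets store sensitive data like passwords or tokens. Values in a Secret's data field must be base64 encoded so that arbitrary bytes can be carried in YAML and JSON. Base64 is an encoding, not encryption: anyone who can read the Secret can decode its values.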
When you want to store a database password securely in Kubernetes.
When you need to pass an API key to your application without exposing it in plain text.
When configuring TLS certificates as secrets for your services.
When you want to avoid putting sensitive environment variables directly in pod specs.
When sharing credentials between multiple pods securely.
Config File - secret.yaml
secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
data:
  username: bXl1c2Vy
  password: c2VjdXJlcGFzcw==

This file creates a Secret named my-secret in the default namespace.

The data section holds key-value pairs where values are base64 encoded strings.

Here, username is encoded as bXl1c2Vy which decodes to 'myuser', and password is c2VjdXJlcGFzcw== which decodes to 'securepass'.

Commands
Encode the username 'myuser' to base64 format to store in the Secret.
Terminal
echo -n 'myuser' | base64
Expected Output
bXl1c2Vy
-n - Prevents echo from adding a newline character
Encode the password 'securepass' to base64 format for the Secret.
Terminal
echo -n 'securepass' | base64
Expected Output
c2VjdXJlcGFzcw==
-n - Prevents echo from adding a newline character
Create the Secret in Kubernetes using the base64 encoded data from the YAML file.
Terminal
kubectl apply -f secret.yaml
Expected Output
secret/my-secret created
Verify the Secret was created and view its base64 encoded data.
Terminal
kubectl get secret my-secret -o yaml
Expected Output
apiVersion: v1
data:
  password: c2VjdXJlcGFzcw==
  username: bXl1c2Vy
kind: Secret
metadata:
  creationTimestamp: "2024-06-01T12:00:00Z"
  name: my-secret
  namespace: default
  resourceVersion: "12345"
  uid: 123e4567-e89b-12d3-a456-426614174000
-o yaml - Outputs the Secret details in YAML format
Key Concept

If you remember nothing else from this pattern, remember: Kubernetes Secrets require all values in the data field to be base64 encoded strings.

Common Mistakes
Putting plain text passwords directly in the Secret YAML without base64 encoding.
Kubernetes will reject the Secret or treat the data incorrectly because it expects base64 encoded values.
Always encode your secret values using base64 before adding them to the Secret YAML.
Using echo without the -n flag when encoding, which adds a newline character.
The extra newline changes the encoded value, causing authentication failures or errors.
Use 'echo -n' to avoid adding a newline when encoding secrets.
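Added example (not from the original page): a small shell check for the two mistakes above, run over a constructed manifest before it is applied. It assumes GNU coreutils base64; the function names and the token entry are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes GNU coreutils base64.

# Encode exactly the bytes given. printf '%s' never appends a newline.
encode_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Classify one value from a Secret's data: section.
# Prints ok, invalid-base64 or trailing-newline; always returns 0.
check_value() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || { echo invalid-base64; return 0; }
    # $(...) strips trailing newlines, so inspect the last decoded byte as hex.
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    if [ "$last" = "0a" ]; then echo trailing-newline; else echo ok; fi
}

# Read a Secret manifest on stdin; print "key: status" for each data entry.
# Handles only the flat two-space layout used on this page, not general YAML.
scan_manifest() {
    awk '
        /^data:/ { in_data = 1; next }
        /^[^ ]/  { in_data = 0 }
        in_data && NF == 2 { sub(/:$/, "", $1); print $1, $2 }
    ' | while read -r key value; do
        printf '%s: %s\n' "$key" "$(check_value "$value")"
    done
}

# Constructed sample: password was encoded with plain echo (newline included),
# token (hypothetical key) was left as plain text.
sample_manifest() {
    cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  username: bXl1c2Vy
  password: c2VjdXJlcGFzcwo=
  token: p@ss!
EOF
}

sample_manifest | scan_manifest
```

A plain-text value made up only of base64 characters with a valid length still decodes, so an ok result means the value is well-formed, not that it holds the intended secret.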
Summary
Encode secret values using base64 before adding them to Kubernetes Secret YAML files.
Apply the Secret YAML with kubectl to create the secret in the cluster.
Verify the Secret data is stored base64 encoded by retrieving it with kubectl.