
Creating Secrets in Kubernetes - Step-by-Step CLI Walkthrough

Introduction
Sometimes you need to store sensitive information like passwords or keys safely in your system. Kubernetes Secrets help you keep this data secure and separate from your application code.
When you want to store a database password securely for your app to use.
When you need to keep API keys hidden from your application code.
When you want to share TLS certificates safely between pods.
When you want to avoid putting sensitive data directly in configuration files.
When you want to update sensitive data without rebuilding your app.
Config File - secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque
data:
  username: bXl1c2Vy
  password: c2VjdXJlcGFzcw==

This file creates a Secret named my-secret in the default namespace.

The type: Opaque means it holds arbitrary user-defined data.

The data section stores key-value pairs where values are base64 encoded strings. Here, username is "myuser" encoded and password is "securepass" encoded.

Commands
This command creates the Secret in Kubernetes using the configuration file. It stores the sensitive data safely in the cluster.
Terminal
kubectl apply -f secret.yaml
Expected Output
secret/my-secret created
This command retrieves the Secret details in YAML format so you can verify it was created correctly.
Terminal
kubectl get secret my-secret -o yaml
Expected Output
apiVersion: v1
data:
  password: c2VjdXJlcGFzcw==
  username: bXl1c2Vy
kind: Secret
metadata:
  creationTimestamp: "2024-06-01T12:00:00Z"
  name: my-secret
  namespace: default
  resourceVersion: "12345"
  uid: abcdef12-3456-7890-abcd-ef1234567890
type: Opaque
-o yaml - Outputs the secret details in YAML format
This command shows a summary of the Secret without revealing the actual secret data, useful for quick checks.
Terminal
kubectl describe secret my-secret
Expected Output
Name:         my-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  10 bytes
username:  6 bytes
Key Concept

If you remember nothing else from this pattern, remember: Kubernetes Secrets store sensitive data base64 encoded and separate from your app, so it stays out of your application code and configuration files.

Common Mistakes
Putting plain text passwords directly in the Secret YAML without base64 encoding.
Kubernetes requires Secret data to be base64 encoded; plain text will cause errors or be rejected.
Always encode your secret values using base64 before adding them to the Secret YAML.

Using 'kubectl get secret' without '-o yaml' and expecting to see the secret values.
By default, secret data is shown as base64 encoded or hidden; you won't see the actual values.
Use 'kubectl get secret my-secret -o yaml' and decode the base64 values to see the real data.

Committing Secret YAML files with sensitive data to public repositories.
Even though data is base64 encoded, it is not encrypted and can be easily decoded by anyone.
Keep Secret files out of public repos or use external secret management tools.
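
The three mistakes above, as an added example that is not part of the original walkthrough: encode a value without a stray newline, show that anyone who can read the manifest can decode it, and refuse to commit Secret manifests with inline data. The function names are hypothetical, and the parsing assumes simple unquoted key: value lines under data:, as in the secret.yaml on this page.

```sh
# Added example (POSIX sh; needs base64, awk, grep). Function names are hypothetical.
# write_sample_manifest reproduces the secret.yaml shown on this page.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque
data:
  username: bXl1c2Vy
  password: c2VjdXJlcGFzcw==
EOF
}

# Encode with printf, not echo: echo's trailing newline would become part of the secret.
encode_value() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Print key=plaintext for each entry under data: in a manifest.
# Base64 is reversible by anyone who can read the file.
decode_secret_data() {
  awk '/^data:/ { in_data = 1; next }
       /^[^ \t#]/ { in_data = 0 }
       in_data && NF == 2 && $1 ~ /:$/ { sub(/:$/, "", $1); print $1, $2 }' "$1" |
  while read -r key value; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$value" | base64 -d)"
  done
}

# Pre-commit style check: returns non-zero if any given file is a Secret
# manifest that carries inline values (data: or the plain-text stringData:).
check_no_inline_secrets() {
  rc=0
  for f in "$@"; do
    if grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$f" &&
       grep -Eq '^(data|stringData):' "$f"; then
      echo "refusing to commit Secret manifest with inline data: $f" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Demo on the page's manifest, written to a temporary directory.
demo_dir=$(mktemp -d)
write_sample_manifest "$demo_dir/secret.yaml"
decode_secret_data "$demo_dir/secret.yaml"
check_no_inline_secrets "$demo_dir/secret.yaml" || echo "commit blocked"
rm -rf "$demo_dir"
```

Calling check_no_inline_secrets on the staged YAML files from a Git pre-commit hook stops the commit when it returns non-zero.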
Summary
Create a Secret YAML file with base64 encoded sensitive data.
Apply the Secret to the Kubernetes cluster using 'kubectl apply -f'.
Verify the Secret exists and inspect it safely with 'kubectl get secret' and 'kubectl describe secret'.