
Secrets are not encrypted by default in Kubernetes - Commands & Configuration

Introduction
Kubernetes stores Secret objects in etcd, its backing datastore, base64-encoded but not encrypted by default. Base64 is a reversible encoding, not encryption, so anyone who can read etcd directly (or an etcd backup or snapshot), or who has RBAC permission to get Secrets through the API, can recover passwords and tokens in plaintext. This pattern applies:
When you want to store sensitive information like API keys or passwords in Kubernetes.
When you need to deliver credentials to a Pod, as environment variables or mounted files, without baking them into the image.
When you want to keep secrets out of plain-text manifests and configuration files.
When you want to understand the risks of the default Secret storage.
When you plan to enable encryption at rest to better protect your secrets.
Commands
This command creates a Secret named 'my-secret' containing a password. The API server base64-encodes the value and stores it in etcd; nothing about this step encrypts it.
Terminal
kubectl create secret generic my-secret --from-literal=password=supersecret123
Expected output
secret/my-secret created
--from-literal - Creates a Secret from a key=value pair given directly on the command line (note that the plaintext value may be recorded in your shell history)
This command prints the Secret as the API server returns it. The data field is only base64-encoded and decodes back to 'supersecret123' in one step. The API server returns this same base64 form whether or not encryption at rest is enabled; what changes with encryption at rest is how the object is written to etcd.
Terminal
kubectl get secret my-secret -o yaml
Expected output
apiVersion: v1
data:
  password: c3VwZXJzZWNyZXQxMjM=
kind: Secret
metadata:
  name: my-secret
type: Opaque
-o yaml - Outputs the Secret in YAML format so the stored data can be inspected (kubectl sorts the top-level keys alphabetically)
Key Concept

If you remember nothing else from this pattern, remember: Kubernetes stores Secrets base64-encoded but not encrypted by default. Base64 hides nothing from anyone who can read the object or the etcd store, so enabling encryption at rest and restricting who may read Secrets are extra steps you must take yourself.

Common Mistakes
Assuming Kubernetes encrypts Secrets automatically
Secrets are only base64-encoded, which is not encryption; the value is decoded trivially by anyone who can read it.
Enable encryption at rest by giving the kube-apiserver an EncryptionConfiguration via --encryption-provider-config, or use an external secret manager such as a KMS-backed provider or a vault.
Hard-coding secrets in plain-text manifests, ConfigMaps or container environment variables
This exposes sensitive data to anyone with access to those files, to version control, or to the Pod's environment.
Use Kubernetes Secrets for sensitive values, and pair them with encryption at rest or an external vault so the stored form is protected too.
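The following script is an added example and not part of the original page. It covers both points above: it decodes the data field of a Secret manifest exactly as kubectl returns it, showing that base64 is reversible, and it writes an EncryptionConfiguration for the kube-apiserver using the secretbox provider. The manifest is constructed inline so the script runs without a cluster; the file name, the key name 'key1' and the path /etc/kubernetes/enc/enc.yaml are assumptions.

```shell
#!/bin/sh
# Added example, not the page's or the Kubernetes project's own code.
# Part 1: decode Secret data (base64, not encryption).
# Part 2: generate an EncryptionConfiguration so Secrets are encrypted
#         before they are written to etcd.
set -eu

# Constructed sample: what `kubectl get secret my-secret -o yaml` returns,
# trimmed to the fields the page shows, plus a second key for illustration.
SECRET_YAML='apiVersion: v1
data:
  password: c3VwZXJzZWNyZXQxMjM=
  username: YWRtaW4=
kind: Secret
metadata:
  name: my-secret
type: Opaque'

# decode_secret_field KEY: print the plaintext of data.KEY from SECRET_YAML.
# Matches the indented "KEY: value" line and base64-decodes the value.
decode_secret_field() {
  printf '%s\n' "$SECRET_YAML" \
    | awk -v key="$1" '$1 == key ":" {print $2}' \
    | base64 -d
}

# write_encryption_config FILE: generate a random 32-byte key and write an
# EncryptionConfiguration that encrypts Secrets with secretbox before they
# reach etcd. The trailing identity provider keeps already-stored plaintext
# readable until it is rewritten. Returns 1 if the key is not 32 bytes.
write_encryption_config() {
  key=$(head -c 32 /dev/urandom | base64)
  [ "$(printf '%s' "$key" | base64 -d | wc -c | tr -d ' ')" -eq 32 ] || return 1
  cat > "$1" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - secretbox:
          keys:
            - name: key1
              secret: ${key}
      - identity: {}
EOF
}

# Demo: base64 "protection" falls to a single decode.
printf 'password decodes to: %s\n' "$(decode_secret_field password)"

# Demo: write the config (assumed path) and show the kube-apiserver flag to add.
# After restarting the API server, rewrite existing Secrets so they are stored
# encrypted (documented procedure):
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
# To confirm, read the raw etcd value and look for the k8s:enc:secretbox:v1:key1:
# prefix instead of plaintext:
#   ETCDCTL_API=3 etcdctl get /registry/secrets/default/my-secret | hexdump -C
ENC_FILE="${ENC_FILE:-./enc.yaml}"   # assumed location for this demo
write_encryption_config "$ENC_FILE"
printf 'wrote %s; add --encryption-provider-config=/etc/kubernetes/enc/enc.yaml to kube-apiserver\n' "$ENC_FILE"
```

The generated key file is itself a secret: it must be readable only by the kube-apiserver process and must never be committed alongside the manifests it protects. Rotating it means adding a new key at the top of the keys list, restarting the API server, and rewriting all Secrets before removing the old key.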
Summary
Create a Secret with kubectl; the sensitive value is stored base64-encoded.
View the Secret in YAML format to see that the data is only base64-encoded and decodes instantly.
Understand that base64 encoding is not encryption, and that encryption at rest (or an external secret manager) plus tight RBAC on Secrets are needed to protect the data.