
Why Secrets manage sensitive data in Kubernetes - Why It Works

Introduction
When you run applications, they sometimes need passwords or keys. Storing these sensitive details safely matters so that others cannot read them. Kubernetes Secrets keep this sensitive data out of your application code and Pod specs.

Situations where a Secret is the right tool:
- When your app needs a database password to connect securely.
- When you want to store API keys without putting them in your app code.
- When you need to share TLS certificates with your app safely.
- When you want to avoid exposing sensitive info in plain text in configuration files.
- When you want to update sensitive data without changing your app code.
Config File - secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque
data:
  username: bXl1c2Vy
  password: c2VjdXJlcGFzcw==

This file creates a Kubernetes Secret named my-secret in the default namespace.

The data section holds the sensitive values encoded in base64; here they are a username and a password, stored separately from the application code. Base64 is a reversible encoding, not encryption, so the values are hidden from casual reading of the file but not from anyone who can read the Secret object.

The type: Opaque means it holds generic secret data.

Commands
This command creates the Secret in Kubernetes using the configuration file. It stores the sensitive data safely inside the cluster.
Terminal
kubectl apply -f secret.yaml
Expected Output
secret/my-secret created
This command shows the Secret details in YAML format. The sensitive values are printed base64-encoded rather than in plain text.
Terminal
kubectl get secret my-secret -o yaml
Expected Output
apiVersion: v1
data:
  password: c2VjdXJlcGFzcw==
  username: bXl1c2Vy
kind: Secret
metadata:
  creationTimestamp: "2024-06-01T12:00:00Z"
  name: my-secret
  namespace: default
  resourceVersion: "12345"
  uid: abcdef12-3456-7890-abcd-ef1234567890
type: Opaque
-o yaml - Outputs the secret details in YAML format
This command shows a summary of the Secret without revealing the actual sensitive data, helping you verify it exists.
Terminal
kubectl describe secret my-secret
Expected Output
Name:         my-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  12 bytes
username:  6 bytes
Key Concept

If you remember nothing else from this pattern, remember: Kubernetes Secrets store sensitive data encoded and separate from app code to keep it safe.

Common Mistakes
Mistake: Storing sensitive data directly in plain text in Pod or Deployment YAML files.
Why it matters: This exposes secrets to anyone who can read those files or see the pod specs, risking leaks.
Fix: Use Kubernetes Secrets to store sensitive data separately and reference them in your pods.

Mistake: Not encoding secret data in base64 before creating the Secret.
Why it matters: Kubernetes requires values under data to be base64 encoded; otherwise, the Secret creation fails.
Fix: Encode your sensitive values using base64 before adding them to the Secret YAML.

Mistake: Using 'kubectl get secret my-secret' without '-o yaml' and expecting to see plain text data.
Why it matters: The data is base64 encoded and not shown in plain text by default, so it looks like gibberish.
Fix: Use 'kubectl get secret my-secret -o yaml' and decode the base64 values to see the actual data.
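The manifest above and the base64 mistake in the list, worked through as an added Python example that is not part of the original page: it encodes constructed sample values (myuser / securepass, which produce the same encoded strings as the page's secret.yaml) the way the data block expects, renders the manifest, reads it back with a small stdlib-only reader (a hypothetical helper, not a YAML library), decodes the values strictly so that anything that is not well-formed base64 is rejected the way the API server rejects it on apply, and reports the per-key byte counts that kubectl describe prints instead of the values.

```python
import base64
import binascii

# Constructed sample values; their encoded forms match the manifest on this page.
SAMPLE_VALUES = {"username": "myuser", "password": "securepass"}


def encode_secret_data(values):
    """Base64-encode each value, the form the `data:` block of a Secret requires."""
    return {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
            for k, v in values.items()}


def render_secret_manifest(name, namespace, data, secret_type="Opaque"):
    """Emit a v1 Secret manifest from already-encoded `data` (keys sorted for stable output)."""
    lines = [
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        f"type: {secret_type}",
        "data:",
    ]
    lines += [f"  {k}: {data[k]}" for k in sorted(data)]
    return "\n".join(lines) + "\n"


def parse_secret_data(manifest):
    """Hypothetical helper: read the two-space-indented `data:` block of a
    Secret manifest. Stdlib only; not a general YAML parser."""
    data, in_data = {}, False
    for line in manifest.splitlines():
        if line.startswith("data:"):
            in_data = True
            continue
        if in_data and line.startswith("  ") and ":" in line:
            key, _, value = line.strip().partition(":")
            data[key.strip()] = value.strip()
        elif in_data and line and not line.startswith("  "):
            in_data = False  # a new top-level key such as `kind:` ends the block
    return data


def decode_secret_data(data):
    """Strictly decode each value. Malformed base64 raises ValueError, which is
    the same input the API server refuses when you apply the manifest."""
    decoded = {}
    for key, value in data.items():
        try:
            decoded[key] = base64.b64decode(value, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{key}: not valid base64 ({exc})") from exc
    return decoded


def describe_sizes(data):
    """Byte count per key, which is all `kubectl describe secret` shows about values."""
    return {k: len(v) for k, v in decode_secret_data(data).items()}


if __name__ == "__main__":
    encoded = encode_secret_data(SAMPLE_VALUES)
    manifest = render_secret_manifest("my-secret", "default", encoded)
    print(manifest)
    print("decoded:", decode_secret_data(parse_secret_data(manifest)))
    print("sizes:", describe_sizes(encoded))
    try:  # a raw value is what the "forgot to base64" mistake looks like to the API server
        decode_secret_data({"password": "securepass"})
    except ValueError as err:
        print("rejected:", err)
```

For the sample values the decoded lengths are 6 and 10 bytes. Note what the strict check does and does not catch: a raw value whose length is not a multiple of four (like securepass) is rejected, but a raw value that happens to be well-formed base64 decodes silently into garbage bytes, so the reliable defence is to always encode with a tool rather than by hand. Because decoding needs no key, treat read access to Secret objects as access to the plaintext and restrict it with RBAC.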
Summary
Create a Secret YAML file with sensitive data encoded in base64.
Apply the Secret to Kubernetes using 'kubectl apply -f secret.yaml'.
Verify the Secret exists and check its details without exposing the data.