How to Use Kubernetes Secrets for Sensitive Data
In Kubernetes, use Secrets to store sensitive data such as passwords or tokens. Create a Secret object and reference it in your pods to keep sensitive information out of your container images and configuration files.
Syntax
A Kubernetes Secret is a resource object that stores sensitive data as base64-encoded values. Note that base64 is an encoding, not encryption: anyone who can read the Secret object can decode it. The object has a metadata section for naming, a type that specifies the secret kind, and a data section whose keys hold the base64-encoded values.
You can create secrets using YAML or kubectl commands, then mount them as files or environment variables inside pods.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: bXl1c2Vy
  password: cGFzc3dvcmQ=
```
Example
This example shows how to create a secret with a username and password, then use it as environment variables in a pod.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  username: YWRtaW4=          # base64 for 'admin'
  password: MWYyZDFlMmU2N2Rm  # base64 for '1f2d1e2e67df'
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo-pod
spec:
  containers:
    - name: demo-container
      image: busybox
      command: ["sh", "-c", "echo Username: $DB_USERNAME && echo Password: $DB_PASSWORD && sleep 3600"]
      env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: password
```
Output
Username: admin
Password: 1f2d1e2e67df
Common Pitfalls
- Not encoding secret data in base64 before creating the secret causes errors.
- Storing secrets in plain text files or container images exposes sensitive data.
- Forgetting to reference the secret correctly in pod specs leads to missing environment variables.
- Using kubectl create secret generic without specifying the keys properly can create empty or wrong secrets.
```bash
# Wrong way:
kubectl create secret generic mysecret --from-literal=password=password123
# Right way:
kubectl create secret generic mysecret --from-literal=password=password123
# Then reference the secret in the pod spec with the matching key 'password'
```
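As an added example (not code from the page), the shell helpers below build a Secret manifest from key=value literals as described in the Syntax section, reject a literal that has no key (the pitfall above), and decode a manifest's data section back, which is how you check what a Secret actually holds. All function names are my own.

```shell
#!/bin/sh
# Added example, not code from the page: build a Secret manifest from key=value
# literals, base64-encoding values as kubectl does, and decode the data section
# back for inspection. Needs only POSIX sh, base64 and sed.

b64enc() {
  # Encode without a trailing newline and without line wrapping.
  printf '%s' "$1" | base64 | tr -d '\n'
}

b64dec() {
  printf '%s' "$1" | base64 -d
}

# make_secret_manifest NAME key=value [key=value ...]
# A literal with no key is rejected, the pitfall the page describes.
make_secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    case $kv in
      *=*) ;;
      *) echo "invalid literal '$kv', expected key=value" >&2; return 1 ;;
    esac
    key=${kv%%=*}
    value=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64enc "$value")"
  done
}

# decode_secret_data < manifest: print key=value for each entry under data:,
# decoded, as you would when inspecting 'kubectl get secret -o yaml' output.
decode_secret_data() {
  in_data=0
  while IFS= read -r line; do
    case $line in
      data:) in_data=1; continue ;;
      ' '*) ;;                   # indented line: still inside the current block
      *) in_data=0; continue ;;
    esac
    [ "$in_data" -eq 1 ] || continue
    key=$(printf '%s' "$line" | sed 's/^ *//; s/:.*//')
    enc=$(printf '%s' "$line" | sed 's/^[^:]*: *//')
    printf '%s=%s\n' "$key" "$(b64dec "$enc")"
  done
}

# Usage: generate the page's db-secret and immediately decode it.
make_secret_manifest db-secret username=admin password=1f2d1e2e67df | decode_secret_data
```

Pipe the generated manifest into kubectl apply -f - to create the Secret, and run the decode helper over kubectl get secret output to confirm the key names match what the pod's secretKeyRef references.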
Quick Reference
| Command / Concept | Description |
|---|---|
| kubectl create secret generic | Create a secret from literal key-value pairs |
| kubectl get secret | View secret details (data is base64 encoded) |
| secretKeyRef | Reference a secret key in pod environment variables |
| mount secret as volume | Use volumes and volumeMounts to expose secrets as files |
| base64 encode | Secret data must be base64 encoded in YAML manifests |
Key Takeaways
- Always store sensitive data in Kubernetes Secrets, not in plain config files or images.
- Encode secret data in base64 when creating YAML manifests manually.
- Reference secrets in pods via environment variables or mounted files for secure access.
- Avoid exposing secrets in logs or command outputs.
- Use kubectl commands to create and manage secrets safely.