Kubernetes Secrets¶
1. Introduction¶
Kubernetes Secrets allow you to store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys, in your cluster. Unlike ConfigMaps, Secrets are intended for confidential data; their values are stored base64-encoded (which is encoding, not encryption).
2. Types of Secrets¶
There are three main types of secrets in Kubernetes:
- Docker Registry Secret (docker-registry) - Used for pulling images from private registries.
- Generic Secret (generic) - Used for storing arbitrary data, such as configuration files, credentials, or certificates.
- TLS Secret (tls) - Stores TLS certificate and key pairs for HTTPS communication.
3. Creating Secrets Imperatively¶
Kubernetes provides multiple ways to create secrets using the kubectl create secret command.
3.1 Creating Generic Secrets¶
1. From Files (All Keys Automatically Generated)¶
kubectl create secret generic my-secret --from-file=path/to/bar
Creates a secret named my-secret where each file in path/to/bar becomes a key with its contents as the value.
2. From Specific Files (Defining Custom Keys)¶
kubectl create secret generic my-secret \
--from-file=ssh-privatekey=path/to/id_rsa \
--from-file=ssh-publickey=path/to/id_rsa.pub
ssh-privatekey and ssh-publickey are explicitly set as keys, mapping to the respective files.
3. From Literal Values¶
kubectl create secret generic my-secret \
--from-literal=key1=supersecret \
--from-literal=key2=topsecret
4. Combining Files and Literals¶
kubectl create secret generic my-secret \
--from-file=ssh-privatekey=path/to/id_rsa \
--from-literal=passphrase=topsecret
5. From Environment Files¶
kubectl create secret generic my-secret \
--from-env-file=path/to/foo.env \
--from-env-file=path/to/bar.env
Loads the key=value pairs from the .env files into a Kubernetes Secret.
3.2 Creating a TLS Secret¶
kubectl create secret tls my-tls-secret \
--cert=path/to/tls.crt --key=path/to/tls.key
Stores the certificate (tls.crt) and private key (tls.key) securely.
The file extension does not matter to Kubernetes. What matters is the content inside the file:
- --cert → must be a PEM-encoded certificate (it could be named cert.pem, cert.crt, or even myserver.cert).
- --key → must be a PEM-encoded private key (usually key.pem or key.key).
So both of these work the same way:
kubectl create secret tls my-tls-secret \
--cert=cert.pem \
--key=key.pem
or
kubectl create secret tls my-tls-secret \
--cert=cert.crt \
--key=cert.key
✅ As long as:
- The cert file contains something like:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- The key file contains something like:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
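As an added example (not part of the original page), the check described above written out: a POSIX shell script that classifies the --cert/--key inputs by their PEM content rather than their file name, renders the kubernetes.io/tls manifest that kubectl create secret tls would create, and decodes a data value back out, which is the same base64 decode step as in section 6. It assumes only sh, grep, sed, base64 and tr; the PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): checks that the --cert/--key
# inputs are PEM by content, not by file name, then renders the
# kubernetes.io/tls Secret that `kubectl create secret tls` would produce.
# Assumes only POSIX sh, grep, sed, base64 and tr. All PEM bodies below are
# constructed placeholders, not real certificates or keys.

# True if FILE ($1) contains a complete PEM block with the given LABEL ($2).
has_pem_block() {
  grep -q -- "-----BEGIN $2-----" "$1" && grep -q -- "-----END $2-----" "$1"
}

# Classify FILE by content: cert, key, or unknown (the extension is ignored).
pem_kind() {
  if has_pem_block "$1" CERTIFICATE; then echo cert
  elif has_pem_block "$1" "PRIVATE KEY" || has_pem_block "$1" "RSA PRIVATE KEY" \
    || has_pem_block "$1" "EC PRIVATE KEY"; then echo key
  else echo unknown; fi
}

# Base64 without line wrapping, portable across GNU and BSD base64.
b64() { base64 < "$1" | tr -d '\n'; }

# Print the Secret manifest kubectl would build, or fail before touching the API.
tls_secret_manifest() {
  name=$1; cert=$2; key=$3
  [ "$(pem_kind "$cert")" = cert ] || { echo "$cert: not a PEM certificate" >&2; return 1; }
  [ "$(pem_kind "$key")" = key ] || { echo "$key: not a PEM private key" >&2; return 1; }
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$name" "$(b64 "$cert")" "$(b64 "$key")"
}

# Decode one data key from a manifest on stdin: anyone who can read the object
# can read the value, because base64 is encoding, not encryption.
secret_data_value() { sed -n "s/^  $1: //p" | base64 -d; }

# Constructed sample inputs: a certificate with an unusual name, a key, and a
# file that is *named* cert.pem but holds no PEM block at all.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0VSVC1QTEFDRUhPTERFUg==' '-----END CERTIFICATE-----' > "$demo_dir/myserver.cert"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZLVBMQUNFSE9MREVS' '-----END PRIVATE KEY-----' > "$demo_dir/key.key"
printf 'this is not a certificate\n' > "$demo_dir/cert.pem"

tls_secret_manifest my-tls-secret "$demo_dir/myserver.cert" "$demo_dir/key.key"
tls_secret_manifest my-tls-secret "$demo_dir/cert.pem" "$demo_dir/key.key" \
  || echo "rejected: cert.pem has a PEM-looking name but no PEM content"
```

Piping the printed manifest into secret_data_value tls.crt returns the original certificate text unchanged, which is exactly what any principal with get on Secrets can do.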
3.3 Creating a Docker Registry Secret¶
kubectl create secret docker-registry my-reg-secret \
--docker-server=<registry-server> \
--docker-username=<username> \
--docker-password=<password> \
--docker-email=<email>
4. Understanding Secret Types¶
The --type flag in kubectl create secret generic allows you to specify a custom type for the secret. By default, secrets created using generic have the type Opaque, but you can define your own type if needed.
Usage Example¶
kubectl create secret generic my-secret --from-literal=username=admin --from-literal=password=supersecret --type=my-custom-type
my-custom-type is an arbitrary string that helps categorize the secret.
Common Built-in Secret Types¶
| Secret Type | Description |
|---|---|
| Opaque (default) | Generic secret for storing arbitrary key-value pairs. |
| kubernetes.io/dockerconfigjson | Used for Docker registry credentials. |
| kubernetes.io/tls | Stores a TLS certificate and key pair. |
| bootstrap.kubernetes.io/token | Used for bootstrap tokens (for cluster joining). |
Example: Creating a TLS Secret¶
kubectl create secret tls my-tls-secret --cert=path/to/tls.crt --key=path/to/tls.key
The tls subcommand sets the type to kubernetes.io/tls itself; it does not accept a --type flag (that flag belongs to generic).
How to Check the Type of a Secret¶
kubectl get secret my-secret -o jsonpath='{.type}'
5. Viewing Secrets¶
kubectl get secrets
kubectl describe secret my-secret
6. Decoding Secret Data¶
Secret values are stored base64-encoded (this is encoding, not encryption). To decode them:
kubectl get secret my-secret -o jsonpath='{.data.key1}' | base64 --decode
Retrieves the key1 value from my-secret and decodes it.
7. Summary¶
- Kubernetes Secrets are used to store sensitive data securely.
- They can be created from files, literals, environment files, TLS certificates, and Docker credentials.
- Secrets are base64-encoded, not encrypted—additional security measures (RBAC, encryption at rest) should be applied.
By mastering secrets, you can ensure secure configuration management within your Kubernetes cluster. 🚀