Secrets
A Secret stores sensitive data such as passwords, tokens, and keys.
- Similar to ConfigMaps but intended for confidential data
- Values in `data` are base64-encoded, not encrypted: base64 is a transport encoding, and anyone who can read the object (`get`, `list` or `watch` on Secrets via RBAC, or direct access to etcd) recovers the plaintext
- Can be consumed as environment variables or mounted as files in a volume
- Maximum size: 1 MiB (the sum of all values in `data`)
Secret Types
- `Opaque` (default): arbitrary user-defined data
- `kubernetes.io/tls`: TLS certificate and key (must contain `tls.crt` and `tls.key`)
- `kubernetes.io/dockerconfigjson`: Docker registry credentials (must contain `.dockerconfigjson`)
- `kubernetes.io/basic-auth`: basic authentication credentials (must contain `username` and `password`)
- `kubernetes.io/service-account-token`: ServiceAccount token (requires the `kubernetes.io/service-account.name` annotation)
Creating a Secret
From literal values
```shell
kubectl create secret generic my-secret \
  --from-literal=DB_PASSWORD=s3cur3 \
  --from-literal=API_KEY=abc123
```
Values passed with `--from-literal` end up in your shell history; `--from-file=DB_PASSWORD=./db_password` reads the value from a file instead.
From a manifest
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  DB_PASSWORD: czNjdXIz # base64 encoded
  API_KEY: YWJjMTIz # base64 encoded
```
tip
Use `stringData` to provide values in plain text. The API server base64-encodes them into `data` on write, and `stringData` itself is never returned when the Secret is read back. If a key appears in both fields, the `stringData` value wins.
```yaml
stringData:
  DB_PASSWORD: "s3cur3"
```
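As an added example (not code from the original page or from Kubernetes itself), the following Python script builds a Secret manifest from plain-text values the way `stringData` is folded into `data`, applies the checks the API server applies to the built-in types and to the 1 MiB limit, and decodes the result to show that base64 hides nothing from anyone who can read the object. The function names and the sample values are assumptions for this example; the required-key table follows Kubernetes' built-in Secret types.

```python
"""Build, validate and decode Kubernetes Secret manifests offline.

Added example, not from the original page. `build_secret` and
`decode_secret` are names chosen here; the required keys per type and the
1 MiB limit are the checks Kubernetes' own validation applies.
"""
import base64
import json

MAX_SECRET_SIZE = 1024 * 1024  # 1 MiB: Kubernetes sums the decoded values in data

# Keys each built-in type must contain; the API server rejects the object otherwise.
# kubernetes.io/service-account-token is validated via an annotation, not a key.
REQUIRED_KEYS = {
    "Opaque": set(),
    "kubernetes.io/tls": {"tls.crt", "tls.key"},
    "kubernetes.io/dockerconfigjson": {".dockerconfigjson"},
    "kubernetes.io/basic-auth": {"username", "password"},
    "kubernetes.io/ssh-auth": {"ssh-privatekey"},
}


def build_secret(name, string_data, secret_type="Opaque", namespace="default"):
    """Return a Secret manifest (dict) with plain-text values folded into data.

    Raises ValueError for a missing required key or for values over 1 MiB,
    mirroring what the API server would reject.
    """
    missing = REQUIRED_KEYS.get(secret_type, set()) - set(string_data)
    if missing:
        raise ValueError(f"{secret_type} secret is missing keys: {sorted(missing)}")
    total = sum(len(v.encode()) for v in string_data.values())
    if total > MAX_SECRET_SIZE:
        raise ValueError(f"secret data is {total} bytes, limit is {MAX_SECRET_SIZE}")
    # base64 is only an encoding: the next function reverses it with no key
    data = {k: base64.b64encode(v.encode()).decode() for k, v in string_data.items()}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": secret_type,
        "data": data,
    }


def decode_secret(manifest):
    """Recover plaintext from data: all a reader with `get secrets` needs to do."""
    return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}


if __name__ == "__main__":
    # Constructed sample values, matching the page's my-secret
    secret = build_secret("my-secret", {"DB_PASSWORD": "s3cur3", "API_KEY": "abc123"})
    print(json.dumps(secret, indent=2))  # JSON is valid YAML; kubectl apply -f accepts it
    print(decode_secret(secret))
    try:
        build_secret("broken-tls", {"tls.crt": "..."}, "kubernetes.io/tls")
    except ValueError as err:
        print("rejected:", err)
```

The script writes JSON rather than YAML so it has no dependency beyond the standard library; kubectl accepts either format.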
Using as Environment Variables
```yaml
spec:
  containers:
    - name: app
      image: my-app:latest
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: DB_PASSWORD
```
Environment variables are set once at container start and are not updated when the Secret changes. They are also inherited by every child process and tend to surface in crash dumps, debug endpoints and `kubectl exec -- env`, so prefer a volume mount where the application can read a file.
Using as a Volume
```yaml
spec:
  containers:
    - name: app
      image: my-app:latest
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/secrets
          readOnly: true
  volumes:
    - name: secret-volume
      secret:
        secretName: my-secret
```
The kubelet refreshes the mounted files when the Secret changes (after its sync period), except for `subPath` mounts, which are never updated. Keep `readOnly: true` as shown and set `defaultMode` (for example `0400`) on the secret volume to restrict file permissions inside the container.
Encryption at Rest
- By default, Secrets are stored unencrypted in etcd, so anyone with access to etcd or to its backups can read them
- Encryption at rest is enabled by passing an `EncryptionConfiguration` file to the API server with `--encryption-provider-config`; the first listed provider is used for new writes and all of them are tried on reads, so listing `identity` first means no encryption at all
- Secrets written before encryption was enabled stay in plaintext until they are rewritten (`kubectl get secrets --all-namespaces -o json | kubectl replace -f -`)
- Consider external secret management tools (e.g. HashiCorp Vault, AWS Secrets Manager) for enhanced security, or a KMS provider so the encryption key is not stored on the API server's disk
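As an added example (not code from the original page or from Kubernetes), this Python script generates an `EncryptionConfiguration` for Secrets with a freshly generated AES key, and classifies a raw etcd value as encrypted or plaintext. The file layout, the `--encryption-provider-config` flag and the `k8s:enc:<provider>:<version>:<keyname>:` prefix that Kubernetes writes in front of an encrypted etcd value are Kubernetes' own; the function names and the sample etcd bytes are constructed for this example.

```python
"""Generate an EncryptionConfiguration and check whether an etcd record is encrypted.

Added example, not from the original page. The function names and sample
etcd values are constructed here; the YAML layout and the k8s:enc prefix
are what Kubernetes uses.
"""
import base64
import secrets

KEY_BYTES = 32  # aescbc accepts 16, 24 or 32 byte keys; use AES-256


def new_key_b64():
    """Return a random key in the base64 form the config file expects."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode()


def build_encryption_config(key_b64, key_name="key1", provider="aescbc"):
    """Return the EncryptionConfiguration YAML passed via --encryption-provider-config.

    Provider order matters: the first entry encrypts new writes, every entry is
    tried on reads. Listing `identity` last keeps Secrets written before
    encryption was enabled readable; listing it first would disable encryption.
    """
    return f"""apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - {provider}:
          keys:
            - name: {key_name}
              secret: {key_b64}
      - identity: {{}}
"""


def encryption_status(etcd_value):
    """Classify a raw etcd value (bytes, as returned by etcdctl get) for a Secret.

    Returns (provider, version, key_name) for an encrypted record, or
    ("plaintext", None, None) when the stored object is unprotected.
    """
    prefix = b"k8s:enc:"
    if not etcd_value.startswith(prefix):
        return ("plaintext", None, None)
    # Layout: k8s:enc:<provider>:<version>:<keyname>:<ciphertext>
    parts = etcd_value[len(prefix):].split(b":", 3)
    if len(parts) < 4:
        raise ValueError("malformed k8s:enc header")
    provider, version, key_name = parts[0], parts[1], parts[2]
    if version not in (b"v1", b"v2"):
        raise ValueError(f"unknown envelope version {version!r}")
    return (provider.decode(), version.decode(), key_name.decode())


if __name__ == "__main__":
    print(build_encryption_config(new_key_b64()))
    # Constructed sample values: a plaintext protobuf record (Kubernetes stores
    # objects with a "k8s\x00" magic prefix) and an aescbc-encrypted one.
    samples = {
        "before": b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret",
        "after": b"k8s:enc:aescbc:v1:key1:" + secrets.token_bytes(16),
    }
    for label, value in samples.items():
        print(label, encryption_status(value))
```

To check a live cluster, read one Secret's key out of etcd (`etcdctl get /registry/secrets/default/my-secret`) and pass the raw bytes to `encryption_status`; a plaintext result after enabling encryption means that object has not been rewritten yet.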