Secret
A Secret in Kubernetes stores confidential data (in key-value pairs).
Secrets allow you to:
Keep sensitive info out of Pod specs and Docker images.
Inject secrets into Pods securely (as env vars or mounted files).
Types of Secrets
Opaque (default) → generic key-value secrets
docker-registry → for private container registry credentials
tls → for SSL certificates
service-account-token → automatically created for service accounts
By default, Secrets are only base64-encoded → that is encoding, not encryption; anyone who can read the Secret object can decode the values.
To protect Secrets in production:
Enable encryption at rest in the cluster.
Use RBAC to restrict access (kubectl get secret should not be open to all).
Consider external secret managers (Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault).
Inside the Pod, Secret values arrive already decoded, as regular environment variables or files.
Commands
Create Secret from literal values:
kubectl create secret generic <secret-name> \
  --from-literal=db_password=123456 \
  --from-literal=api_key=abcd1234
Create Secret from a file:
kubectl create secret generic <secret-name> --from-file=cert.pem
Example
You must base64 encode values when defining Secrets in YAML under data (use echo -n, otherwise the trailing newline gets encoded too).
Ex.: echo -n "123456" | base64
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  db_password: MTIzNDU2 # "123456" base64 encoded
  api_key: YWJjZDEyMzQ= # "abcd1234" base64 encoded
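Added example (not part of the original notes): a small shell script that builds the mysecret manifest above from key=value pairs, encodes each value with printf so no trailing newline sneaks into the Secret, and shows that the stored values decode straight back. The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original notes or from Kubernetes itself.

# Encode a value the way `data:` expects. `echo` (without -n) would append
# "\n" and the Secret would then carry "123456\n", a classic cause of
# mysterious failed logins.
encode_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a `data:` value. Anyone allowed to `kubectl get secret` can do this,
# which is why base64 is encoding, not protection.
decode_value() {
    printf '%s' "$1" | base64 -d
}

# Show the newline pitfall: plain echo encodes one extra byte.
echo_pitfall() {
    echo "$1" | base64 | tr -d '\n'
}

# Print a Secret manifest: secret_manifest NAME KEY=VALUE [KEY=VALUE ...]
secret_manifest() {
    name="$1"; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ndata:\n' "$name"
    for pair in "$@"; do
        key="${pair%%=*}"      # text before the first '='
        value="${pair#*=}"     # everything after it (may itself contain '=')
        printf '  %s: %s\n' "$key" "$(encode_value "$value")"
    done
}

# Build the same Secret as the YAML above.
secret_manifest mysecret db_password=123456 api_key=abcd1234
```

Compare the output with echo_pitfall 123456, which yields MTIzNDU2Cg== instead of MTIzNDU2.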
How to use in Deployment example 1 (Individual env variables):
...
spec:
  template:
    ...
    spec:
      containers:
      - name: myapp-container
        image: nginx:1.25
        ports:
        - containerPort: 80
        env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret # name of the Secret
              key: db_password
How to use in Deployment example 2 (Injected as a volume):
...
spec:
  template:
    ...
    spec:
      containers:
      - name: myapp-container
        image: nginx:1.25
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /etc/secret
          name: secret-volume
          readOnly: true
      volumes:
      - name: secret-volume
        secret:
          secretName: mysecret
This mounts one file per key of mysecret inside /etc/secret, i.e. /etc/secret/db_password and /etc/secret/api_key, each containing the decoded value.