
Secrets

ConfigMaps are for non-sensitive data. For sensitive information such as passwords, tokens, or keys, Kubernetes provides Secrets. Secrets are similar to ConfigMaps, but the API server, kubelet, and RBAC treat them as confidential data, and they can be protected with additional controls such as encryption at rest.

What Is a Secret?

A Secret is an object that contains a small amount of sensitive data (e.g., a password, SSH key, TLS certificate). Kubernetes stores Secrets in etcd, unencrypted by default, but the API server can be configured to encrypt them at rest. A Secret is only sent to the nodes running Pods that reference it, and the kubelet keeps it in a tmpfs mount so that it is not written to node disk.

Secrets are the Kubernetes way to manage confidential information.

Creating a Secret

From literal values:
kubectl create secret generic db-secret --from-literal=username=admin --from-literal=password=S3cr3t
From a file:
kubectl create secret generic tls-secret --from-file=tls.crt --from-file=tls.key
YAML manifest (values must be base64 encoded):
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  username: YWRtaW4=   # base64 for "admin"
  password: UzNjcjN0   # base64 for "S3cr3t"
Encode a string to base64:
echo -n 'admin' | base64

Using a Secret as Environment Variables

In a Pod spec:
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
    - name: app
      image: busybox
      # Demonstration only: echoing the variables writes the password to the container log.
      command: ["sh", "-c", "echo $DB_USERNAME $DB_PASSWORD; sleep 3600"]
      env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: password

Mounting a Secret as a Volume

Each key becomes a file whose content is the decoded secret value. The following fragment belongs under spec: in the Pod manifest:
  volumes:
    - name: secret-volume
      secret:
        secretName: db-secret
  containers:
    - name: app
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/secrets
Now /etc/secrets/username and /etc/secrets/password contain the decoded values.

Important Security Notes

  • Secret data is base64 encoded, not encrypted: anyone who can read the manifest or the object can recover the plaintext. Never commit raw Secret YAML to version control; protect it with a tool such as SealedSecrets or Vault, and enable encryption at rest in etcd.
  • Use RBAC to restrict who can access Secrets.
  • Consider using a dedicated secrets management tool (like HashiCorp Vault) for production.
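The point that base64 is encoding rather than encryption is easy to verify. The following added example (not part of the original tutorial) decodes every entry under data: in the db-secret manifest shown above, using only awk and base64; the manifest text is constructed inline and the function name decode_secret_data is an assumption. The same check run over manifests in a repository before commit catches plaintext-recoverable Secrets early.

```shell
#!/bin/sh
# Added example: decode the data: entries of a Secret manifest to show that
# base64 is reversible by anyone who can read the manifest (or the output of
# `kubectl get secret db-secret -o yaml`). Constructed input, mirroring the
# tutorial's db-secret.
SECRET_YAML='apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  username: YWRtaW4=   # base64 for "admin"
  password: UzNjcjN0   # base64 for "S3cr3t"'

# decode_secret_data MANIFEST_TEXT -> prints "key=plaintext", one line per entry.
# Only two-space-indented entries directly under the top-level data: key are
# considered; other top-level keys and comment lines are skipped.
decode_secret_data() {
  printf '%s\n' "$1" | awk '
    /^data:[[:space:]]*$/ { in_data = 1; next }   # enter the data block
    /^[^[:space:]#]/      { in_data = 0 }         # another top-level key ends it
    in_data && /^  [A-Za-z0-9._-]+:[[:space:]]+/ {
      key = $1; sub(/:$/, "", key)
      val = $2                                    # trailing comments are later fields
      print key, val
    }' | while read -r key val; do
      # base64 -d recovers the plaintext; no key or secret is needed.
      printf '%s=%s\n' "$key" "$(printf '%s' "$val" | base64 -d)"
    done
}

decode_secret_data "$SECRET_YAML"
```

If this prints a readable username and password, the file must not be committed as-is.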


Two Minute Drill
  • Secrets store sensitive data like passwords and tokens.
  • Create with kubectl create secret generic or YAML with base64 values.
  • Inject as environment variables or mounted volumes.
  • Secrets are base64 encoded; enable encryption at rest for production.
