How to use Secrets in Kubernetes?

· Category: Kubernetes

Short answer

Kubernetes Secrets store sensitive data such as passwords, tokens, and keys. A Pod consumes them either as files in a mounted volume or as environment variables. By default, Secrets are only base64-encoded (not encrypted) and are stored in etcd.

Steps

  1. Create a Secret from literals or files.
  2. Reference it in a Pod spec.
  3. Restrict access with RBAC.

Example

kubectl create secret generic db-secret --from-literal=password=mysecretpassword

Use in a Pod:

env:
- name: DB_PASSWORD
  valueFrom:
    secretKeyRef:
      name: db-secret
      key: password

Tips

  • Enable etcd encryption at rest for Secrets.
  • Use external secret managers like Vault or AWS Secrets Manager for enhanced security.
  • Mount Secrets as read-only volumes to prevent accidental modification.
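The three steps above (create, reference, restrict with RBAC) together with the read-only mount tip, as a single manifest. This is an added example, not part of the original answer; the names db-secret, app, db-creds, read-db-secret and dba@example.com are placeholders.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
stringData:                  # plain text; the API server base64-encodes it into .data
  password: mysecretpassword # constructed sample value
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
    volumeMounts:
    - name: db-creds
      mountPath: /etc/db       # value is readable at /etc/db/password
      readOnly: true           # read-only mount, per the tip above
  volumes:
  - name: db-creds
    secret:
      secretName: db-secret
      defaultMode: 0400        # owner-read only inside the container
---
# Step 3: the kubelet mounts the Secret without this Role; RBAC governs API
# clients, so grant only "get" on this one Secret (resourceNames), no list/watch.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-db-secret
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["db-secret"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-db-secret
subjects:
- kind: User
  name: dba@example.com        # placeholder identity
roleRef:
  kind: Role
  name: read-db-secret
  apiGroup: rbac.authorization.k8s.io
```

Apply with `kubectl apply -f` in the target namespace; `kubectl auth can-i list secrets --as dba@example.com` should then return "no" while `kubectl auth can-i get secrets/db-secret --as dba@example.com` returns "yes".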

Common issues

  • Secrets are base64-encoded, not encrypted by default.
  • Anyone with read access to a Secret can decode its values.
  • Large Secrets may exceed etcd size limits.
  • Environment variable injection can expose secrets in process listings.