Skip to content

Secret Management with Kubernetes Secrets

Kubernetes Secrets are secure objects which store sensitive data, such as passwords, tokens, or keys. This information can be attached to a Pod or container image that may require the information to operate. With Kubernetes Secrets, it provides a means to attach confidential data into your application. In this guide, you will see how to create a Kubernetes secret, attach it to your application or service you want to run.

Create Sample Kubernetes Secret

For this section, to experience Kubernetes secrets management in action you'll create a sample Kubernetes Secret which contains your AWS credentials such as AccessKey and SecretAccessKey. See the AWS documentation for more information on obtaining AWS credentials. With your credentials obtained, perform the following commands to create a Kubernetes secret containing your AWS credentials:

kubectl create secret generic <secret-name> \ 
--from-literal=AWS_ACCESS_KEY_ID="<aws_access_key_id>" \ 
--from-literal=AWS_SECRET_ACCESS_KEY="<aws_secret_access_key>"
View the contents of your generated secret with the following command:
# Get content for secret
kubectl get secret <secret-name> -o jsonpath='{.data}'

# Decode secret
kubectl get secret <secret-name> -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 --decode
kubectl get secret <secret-name> -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 --decode
Output:
{"AWS_ACCESS_KEY_ID":"<base-64-encoded-aws_access_key_id>","AWS_SECRET_ACCESS_KEY":"<base-64-encoded-aws_secret_access_key>"}
The steps above can be used to create Kubernetes secrets for other credentials, such as ElasticSearch, Docker, Helm, and more.

Recommendations

Kubernetes Secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd. With this in mind, it is recommended to implement some level of security to prevent unauthorized access to your Kubernetes secrets. You may consider the following for your encryption and security needs: