DEV Community

Cover image for Kubernetes Secrets 101
Ahmed Atef
Ahmed Atef

Posted on • Originally published at

Kubernetes Secrets 101

What is a Kubernetes Secret?
There are many times when a Kubernetes Pod needs to use sensitive data. Think for examples of:

  • SSH keys.
  • Database passwords.
  • OAuth tokens.
  • API keys.
  • Image registry keys.

Kubernetes is designed to have a declarative syntax. Object definitions are stored in YAML (or JSON) files and - typically - placed under version control. Adding confidential information to a version-controlled file (that anyone can view) is against any security best practice. For that reason, Kubernetes includes Secrets.

A Secret is just another Kubernetes object that stores restricted data so that it can be used without being revealed. Kubernetes users can create Secrets, and also the system itself establishes and uses Secrets.

You can find Secrets referenced through a file attached to the pod through a volume. The kubelet also makes use of Secrets when it needs to pull an image from an Image Registry that requires authentication (for example, a private Docker Hub account, AWS ECR, or Google GCR). Additionally, Kubernetes makes use of Secrets internally to enable Pods to access and communicate with the apiserver component. The system automatically manages API tokens through Secrets attached to the Pods.

Top comments (1)

orbjet profile image

Using secrets for highly sensitive data is just wrong. At least mention vault as a proper authorization/authentication implementation. Secrets are just base64 encoded no encryption what so ever. Secrets may be good for pet projects but not for production environments.