
Administer a Cluster
Access Clusters Using the Kubernetes API
Access Services Running on Clusters
Advertise Extended Resources for a Node
Autoscale the DNS Service in a Cluster
Change the default StorageClass
Change the Reclaim Policy of a PersistentVolume
Cluster Management
Configure Multiple Schedulers
Configure Out of Resource Handling
Configure Quotas for API Objects
Control CPU Management Policies on the Node
Control Topology Management Policies on a node
Customizing DNS Service
Debugging DNS Resolution
Declare Network Policy
Developing Cloud Controller Manager
Enabling EndpointSlices
Enabling Service Topology
Encrypting Secret Data at Rest
Guaranteed Scheduling For Critical Add-On Pods
IP Masquerade Agent User Guide
Kubernetes Cloud Controller Manager
Limit Storage Consumption
Namespaces Walkthrough
Operating etcd clusters for Kubernetes
Reconfigure a Node's Kubelet in a Live Cluster
Reserve Compute Resources for System Daemons
Safely Drain a Node while Respecting the PodDisruptionBudget
Securing a Cluster
Set Kubelet parameters via a config file
Set up High-Availability Kubernetes Masters
Share a Cluster with Namespaces
Using a KMS provider for data encryption
Using CoreDNS for Service Discovery
Using NodeLocal DNSCache in Kubernetes clusters
Using sysctls in a Kubernetes Cluster
Extend kubectl with plugins
Manage HugePages
Schedule GPUs

Edit This Page

Distribute Credentials Securely Using Secrets

This page shows how to securely inject sensitive data, such as passwords and encryption keys, into Pods.

Before you begin

You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:

Convert your secret data to a base-64 representation

Suppose you want to have two pieces of secret data: a username my-app and a password 39528$vdg7Jb. First, use a base64 encoding tool to convert your username and password to a base64 representation. Here’s an example using the commonly available base64 program:

echo -n 'my-app' | base64
echo -n '39528$vdg7Jb' | base64

The output shows that the base-64 representation of your username is bXktYXBw, and the base-64 representation of your password is Mzk1MjgkdmRnN0pi.

Caution: Use a local tool trusted by your OS to decrease the security risks of external tools.

Create a Secret

Here is a configuration file you can use to create a Secret that holds your username and password:

apiVersion: v1
kind: Secret
  name: test-secret
  username: bXktYXBw
  password: Mzk1MjgkdmRnN0pi
  1. Create the Secret

    kubectl apply -f https://k8s.io/examples/pods/inject/secret.yaml
  2. View information about the Secret:

    kubectl get secret test-secret


    NAME          TYPE      DATA      AGE
    test-secret   Opaque    2         1m
  3. View more detailed information about the Secret:

    kubectl describe secret test-secret


    Name:       test-secret
    Namespace:  default
    Labels:     <none>
    Annotations:    <none>
    Type:   Opaque
    password:   13 bytes
    username:   7 bytes
Note: If you want to skip the Base64 encoding step, you can create a Secret by using the kubectl create secret command:
kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb'

Create a Pod that has access to the secret data through a Volume

Here is a configuration file you can use to create a Pod:

apiVersion: v1
kind: Pod
  name: secret-test-pod
    - name: test-container
      image: nginx
        # name must match the volume name below
        - name: secret-volume
          mountPath: /etc/secret-volume
  # The secret data is exposed to Containers in the Pod through a Volume.
    - name: secret-volume
        secretName: test-secret
  1. Create the Pod:

    kubectl apply -f https://k8s.io/examples/pods/inject/secret-pod.yaml
  2. Verify that your Pod is running:

    kubectl get pod secret-test-pod


    NAME              READY     STATUS    RESTARTS   AGE
    secret-test-pod   1/1       Running   0          42m
  3. Get a shell into the Container that is running in your Pod:

    kubectl exec -it secret-test-pod -- /bin/bash
  4. The secret data is exposed to the Container through a Volume mounted under /etc/secret-volume. In your shell, go to the directory where the secret data is exposed:

    root@secret-test-pod:/# cd /etc/secret-volume
  5. In your shell, list the files in the /etc/secret-volume directory:

    root@secret-test-pod:/etc/secret-volume# ls

    The output shows two files, one for each piece of secret data:

    password username
  6. In your shell, display the contents of the username and password files:

    root@secret-test-pod:/etc/secret-volume# cat username; echo; cat password; echo

    The output is your username and password:


Define container environment variables using Secret data

Define a container environment variable with data from a single Secret

  • Define an environment variable as a key-value pair in a Secret:

    kubectl create secret generic backend-user --from-literal=backend-username='backend-admin'
  • Assign the backend-username value defined in the Secret to the SECRET_USERNAME environment variable in the Pod specification.

apiVersion: v1
kind: Pod
  name: env-single-secret
  - name: envars-test-container
    image: nginx
          name: backend-user
          key: backend-username
  • Create the Pod:

    kubectl create -f https://k8s.io/examples/pods/inject/pod-single-secret-env-variable.yaml
  • Now, the Pod’s output includes environment variable SECRET_USERNAME=backend-admin

Define container environment variables with data from multiple Secrets

  • As with the previous example, create the Secrets first.

     kubectl create secret generic backend-user --from-literal=backend-username='backend-admin' 
    	 kubectl create secret generic db-user --from-literal=db-username='db-admin' 
  • Define the environment variables in the Pod specification.

apiVersion: v1
kind: Pod
  name: envvars-multiple-secrets
  - name: envars-test-container
    image: nginx
          name: backend-user
          key: backend-username
    - name: DB_USERNAME
          name: db-user
          key: db-username
  • Create the Pod:

    kubectl create -f https://k8s.io/examples/pods/inject/pod-multiple-secret-env-variable.yaml 
  • Now, the Pod’s output includes BACKEND_USERNAME=backend-admin and DB_USERNAME=db-admin environment variables.

Configure all key-value pairs in a Secret as container environment variables

Note: This functionality is available in Kubernetes v1.6 and later.
  • Create a Secret containing multiple key-value pairs

    kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb'
  • Use envFrom to define all of the Secret’s data as container environment variables. The key from the Secret becomes the environment variable name in the Pod.

apiVersion: v1
kind: Pod
  name: envfrom-secret
  - name: envars-test-container
    image: nginx
    - secretRef:
        name: test-secret
  • Create the Pod:

    kubectl create -f https://k8s.io/examples/pods/inject/pod-secret-envFrom.yaml
  • Now, the Pod’s output includes username=my-app and password=39528$vdg7Jb environment variables.

What's next

