This page describes Kubernetes' Secret object and its use in Google Kubernetes Engine.
What is a Secret?
Secrets are secure objects which store sensitive data, such as passwords, OAuth tokens, and SSH keys, in your clusters. Storing sensitive data in Secrets is more secure than plaintext ConfigMaps or in Pod specifications. Using Secrets gives you control over how sensitive data is used, and reduces the risk of exposing the data to unauthorized users.
When you create a Secret, you can secure it with base64-encoded username and password.
Creating a Secret
You create a Secret using the following command:
kubectl create secret [TYPE] [NAME] [DATA]
[TYPE] can be one of the following:
generic: Create a Secret from a local file, directory, or literal value.docker-registry: Creates adockercfgSecret for use with a Docker registry. Used to authenticate against Docker registries.tls: Create a TLS secret from the given public/private key pair. The public/private key pair must exist before hand. The public key certificate must be .PEM encoded and match the given private key.
For most Secrets, you use the generic type.
[DATA] can be one of the following:
- a path to a directory containing one or more configuration files, indicated
using the
--from-fileflag - key-value pairs, each specified using
--from-literalflags
For more information about kubectl create, refer to the
reference documentation.
Alternatively, you can also create a Secret by defining a
Secret object in a YAML manifest file and deploying the
object using kubectl create -f [FILE]. However, you must manually
base64-encode your sensitive data before defining it in the manifest file.
For an example, refer to
Distribute Credentials Securely Using Secrets.
From files
To create a Secret from one or more files, use --from-file. You specify
files in any plaintext format, such as .txt or .env, as long
as the files contain key-value pairs.
You can pass in a single file or multiple files:
kubectl create secret [TYPE] [NAME] --from-file [/PATH/TO/FILE.PROPERTIES] --from-file [/PATH/TO/FILE2.PROPERTIES]
You can also pass in a directory containing multiple files:
kubectl create secret [TYPE] [NAME] --from-file [/PATH/TO/DIRECTORY]
Non-regular files, such as symlinks, devices, and pipes, are ignored by kubectl.
Subdirectories are also ignored; kubectl create secret does not recurse into
subdirectories.
For example, the following command creates a Secret called credentials from
two files, username.txt and password.txt:
kubectl create secret generic credentials --from-file ./username.txt --from-file ./password.txt
Running kubectl get secret credentials -o yaml returns the following output.
Observe that the values are base64-encoded:
apiVersion: v1
data:
password.txt: MTIzNAo=
username.txt: YWRtaW4K
kind: Secret
metadata:
creationTimestamp: ...
name: credentials
namespace: default
resourceVersion: "2011810"
selfLink: /api/v1/namespaces/default/secrets/credentials
uid: ...
type: Opaque
From literal values
To create a Secret from literal values, use --from-literal.
For example, the following command creates a generic Secret named literal-token
with two key-value pairs:
kubectl create secret generic literal-token --from-literal user=admin --from-literal password=1234
You specify --from-literal for each key-value pair. The values are
automatically base64-encoded.
Running kubectl get secret literal-data -o yaml returns the following
output:
apiVersion: v1
data:
password: MTIzNA==
user: YWRtaW4=
kind: Secret
metadata:
creationTimestamp: ...
name: literal-token
namespace: default
resourceVersion: "2012831"
selfLink: /api/v1/namespaces/default/secrets/literal-data
uid: ...
type: Opaque
Using a Secret
To use a Secret with your workloads, you can specify environment variables that reference the Secret's values, or mount a volume containing the Secret.
To learn about using Secrets, refer to Using Secrets.
