This page describes Kubernetes' Secret object and its use in Google Kubernetes Engine.

What is a Secret?

Secrets are secure objects which store sensitive data, such as passwords, OAuth tokens, and SSH keys, in your clusters. Storing sensitive data in Secrets is more secure than plaintext ConfigMaps or in Pod specifications. Using Secrets gives you control over how sensitive data is used, and reduces the risk of exposing the data to unauthorized users.

When you create a Secret, you can secure it with base64-encoded username and password.

Creating a Secret

You create a Secret using the following command:

kubectl create secret [TYPE] [NAME] [DATA]

[TYPE] can be one of the following:

  • generic: Create a Secret from a local file, directory, or literal value.
  • docker-registry: Creates a dockercfg Secret for use with a Docker registry. Used to authenticate against Docker registries.
  • tls: Create a TLS secret from the given public/private key pair. The public/private key pair must exist before hand. The public key certificate must be .PEM encoded and match the given private key.

For most Secrets, you use the generic type.

[DATA] can be one of the following:

  • a path to a directory containing one or more configuration files, indicated using the --from-file flag
  • key-value pairs, each specified using --from-literal flags

For more information about kubectl create, refer to the reference documentation.

Alternatively, you can also create a Secret by defining a Secret object in a YAML manifest file and deploying the object using kubectl create -f [FILE]. However, you must manually base64-encode your sensitive data before defining it in the manifest file. For an example, refer to Distribute Credentials Securely Using Secrets.

From files

To create a Secret from one or more files, use --from-file. You specify files in any plaintext format, such as .txt or .env, as long as the files contain key-value pairs.

You can pass in a single file or multiple files:

kubectl create secret [TYPE] [NAME] --from-file [/PATH/TO/FILE.PROPERTIES] --from-file [/PATH/TO/FILE2.PROPERTIES]

You can also pass in a directory containing multiple files:

kubectl create secret [TYPE] [NAME] --from-file [/PATH/TO/DIRECTORY]

Non-regular files, such as symlinks, devices, and pipes, are ignored by kubectl. Subdirectories are also ignored; kubectl create secret does not recurse into subdirectories.

For example, the following command creates a Secret called credentials from two files, username.txt and password.txt:

kubectl create secret generic credentials --from-file ./username.txt --from-file ./password.txt

Running kubectl get secret credentials -o yaml returns the following output. Observe that the values are base64-encoded:

apiVersion: v1
  password.txt: MTIzNAo=
  username.txt: YWRtaW4K
kind: Secret
  creationTimestamp: ...
  name: credentials
  namespace: default
  resourceVersion: "2011810"
  selfLink: /api/v1/namespaces/default/secrets/credentials
  uid: ...
type: Opaque

From literal values

To create a Secret from literal values, use --from-literal.

For example, the following command creates a generic Secret named literal-token with two key-value pairs:

kubectl create secret generic literal-token --from-literal user=admin --from-literal password=1234

You specify --from-literal for each key-value pair. The values are automatically base64-encoded.

Running kubectl get secret literal-data -o yaml returns the following output:

apiVersion: v1
  password: MTIzNA==
  user: YWRtaW4=
kind: Secret
  creationTimestamp: ...
  name: literal-token
  namespace: default
  resourceVersion: "2012831"
  selfLink: /api/v1/namespaces/default/secrets/literal-data
  uid: ...
type: Opaque

Using a Secret

To use a Secret with your workloads, you can specify environment variables that reference the Secret's values, or mount a volume containing the Secret.

To learn about using Secrets, refer to Using Secrets.

What's next

Was this page helpful? Let us know how we did:

Send feedback about...

Kubernetes Engine