Managing Secrets using kubectl

    This page shows you how to create, edit, manage, and delete Kubernetes Secrets using the command-line tool.

    You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

    A Secret object stores sensitive data such as credentials used by Pods to access services. For example, you might need a Secret to store the username and password needed to access a database.

    You can create the Secret by passing the raw data in the command, or by storing the credentials in files that you pass in the command. The following commands create a Secret that stores the username admin and the password S!B\*d$zDsb=.

    Run the following command:

    You must use single quotes '' to escape special characters such as $, \, *, =, and ! in your strings. If you don’t, your shell will interpret these characters.

    1. Store the credentials in files:

      1. echo -n 'admin' > ./username.txt
      2. echo -n 'S!B\*d$zDsb=' > ./password.txt

    2. Pass the file paths in the kubectl command:

      2.     --from-file=./password.txt

      The default key name is the file name. You can optionally set the key name using --from-file=[key=]source. For example:

      1. kubectl create secret generic db-user-pass \
      2.     --from-file=username=./username.txt \
      3.     --from-file=password=./password.txt

    With either method, the output is similar to:

    1. secret/db-user-pass created

    Check that the Secret was created:

    The output is similar to:

    1. NAME              TYPE       DATA      AGE
    2. db-user-pass      Opaque     2         51s

    View the details of the Secret:

    1. kubectl describe secret db-user-pass

    The output is similar to:

    1. Name:            db-user-pass
    2. Namespace:       default
    3. Labels:          <none>
    4. Annotations:     <none>
    6. Type:            Opaque
    7. Data
    8. ====
    9. password:    12 bytes
    10. username:    5 bytes

    1. View the contents of the Secret you created:

      1. kubectl get secret db-user-pass -o jsonpath='{.data}'

      The output is similar to:

    2. Decode the password data:

      1. echo 'UyFCXCpkJHpEc2I9' | base64 --decode

      The output is similar to:

      1. S!B\*d$zDsb=

      Caution: This is an example for documentation purposes. In practice, this method could cause the command with the encoded data to be stored in your shell history. Anyone with access to your computer could find the command and decode the secret. A better approach is to combine the view and decode commands.

      1. kubectl get secret db-user-pass -o jsonpath='{.data.password}' | base64 --decode

    You can edit an existing Secret object unless it is . To edit a Secret, run the following command:

    1. kubectl edit secrets <secret-name>

    This opens your default editor and allows you to update the base64 encoded Secret values in the field, such as in the following example:

    1. kubectl delete secret db-user-pass