Kubernetes

Secrets Commands

Store and manage sensitive information securely. Learn to create, mount, and rotate secrets for passwords, API keys, and certificates in your Kubernetes applications.

7 commands

Pro Tips

Use 'kubectl create secret generic' for most cases, or 'docker-registry' type for image pull secrets.

Mount secrets as files instead of environment variables for better security - files can be updated without pod restart.

Consider external secret management (Vault, AWS Secrets Manager) for production workloads.

Common Mistakes

Kubernetes secrets are only base64 encoded, not encrypted. Enable encryption at rest in etcd for security.

Never commit secrets to git repositories. Use sealed-secrets or external secret operators.

Commands

List secrets

$ kubectl get secrets

List all secrets in namespace.

Create secret from literal

$ kubectl create secret generic <name> --from-literal=key=value

Create secret with key-value pair.

Create secret from file

$ kubectl create secret generic <name> --from-file=./secret.txt

Create secret from file contents.

Create TLS secret

$ kubectl create secret tls <name> --cert=cert.crt --key=key.key

Create TLS secret from certificate files.

Create Docker registry secret

$ kubectl create secret docker-registry <name> --docker-server=<server> --docker-username=<user> --docker-password=<pass>

Create secret for Docker registry auth.

Decode secret value

$ kubectl get secret <name> -o jsonpath='{.data.key}' | base64 -d

Decode and display secret value.

Decode all secrets

$ kubectl get secret <name> -o go-template='{{range $k,$v := .data}}{{$k}}: {{$v|base64decode}}{{"\n"}}{{end}}'

Decode and display all secret values.