Managing Secrets using kubectl
This page shows you how to create, edit, manage, and delete Kubernetes Secrets using the kubectl command-line tool.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of the Kubernetes playgrounds.
Create a Secret
A Secret object stores sensitive data such as credentials used by Pods to access services. For example, you might need a Secret to store the username and password needed to access a database.
You can create the Secret by passing the raw data in the command, or by storing the credentials in files that you pass in the command. The following commands create a Secret that stores the username admin and the password S!B\*d$zDsb=.
Use raw data
Run the following command:

```shell
kubectl create secret generic db-user-pass \
    --from-literal=username=admin \
    --from-literal=password='S!B\*d$zDsb='
```

You must use single quotes '' to escape special characters such as $, \, *, =, and ! in your strings. If you don't, your shell will interpret these characters.

Note:
The stringData field for a Secret does not work well with server-side apply.

Use source files
Store the credentials in files:

```shell
echo -n 'admin' > ./username.txt
echo -n 'S!B\*d$zDsb=' > ./password.txt
```

The -n flag ensures that the generated files do not have an extra newline character at the end of the text. This is important because when kubectl reads a file and encodes the content into a base64 string, the extra newline character gets encoded too. You do not need to escape special characters in strings that you include in a file.

Pass the file paths in the kubectl command:

```shell
kubectl create secret generic db-user-pass \
    --from-file=./username.txt \
    --from-file=./password.txt
```

The default key name is the file name. You can optionally set the key name using --from-file=[key=]source. For example:

```shell
kubectl create secret generic db-user-pass \
    --from-file=username=./username.txt \
    --from-file=password=./password.txt
```
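The following script is an added example, not code from the Kubernetes documentation. It reproduces the base64 encoding that kubectl applies to each Secret value, so you can see exactly what the `echo -n` advice above protects against: the same value encoded with and without a trailing newline, a check that flags a value whose last byte is a newline, and the byte count that `kubectl describe secret` reports. It assumes a POSIX shell with the coreutils base64, od, tail and wc commands; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Kubernetes documentation: reproduce the base64
# encoding that kubectl applies to Secret values and make the trailing-newline
# pitfall visible. Assumes a POSIX shell with the coreutils base64, od, tail
# and wc commands; the function names are this example's own.

# Encode a value exactly as given. printf '%s' writes no trailing newline and
# does not interpret backslashes in its argument, so the value needs no
# escaping beyond the single quotes at the call site.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Encode the value the way `echo` without -n would store it in a file: with a
# newline byte appended. kubectl would encode that byte along with the value.
encode_with_newline() {
    printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Decode a base64 value back to its raw bytes (no trailing newline is added).
decode_secret_value() {
    printf '%s' "$1" | base64 --decode
}

# True (exit 0) when the decoded value ends in a newline byte (0x0a): the
# check to run when a consumer of the Secret reports a rejected credential.
has_trailing_newline() {
    last=$(printf '%s' "$1" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Byte count of the decoded value; this is the "N bytes" figure shown by
# `kubectl describe secret`.
decoded_length() {
    printf '%s' "$1" | base64 --decode | wc -c | tr -d ' '
}

# Demonstration with the values used on this page when the script is run directly.
encode_secret_value 'S!B\*d$zDsb='; echo    # UyFCXCpkJHpEc2I9
encode_secret_value admin; echo             # YWRtaW4=
encode_with_newline admin; echo             # YWRtaW4K (the K encodes the newline)
decoded_length UyFCXCpkJHpEc2I9             # 12
```

Before creating the Secret in a cluster, `kubectl create secret generic ... --dry-run=client -o yaml` renders the manifest locally; comparing its data map against `encode_secret_value` output is a quick way to confirm that no stray newline was encoded.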
With either method, the output is similar to:
```
secret/db-user-pass created
```

Verify the Secret
Check that the Secret was created:
```shell
kubectl get secrets
```

The output is similar to:

```
NAME           TYPE     DATA   AGE
db-user-pass   Opaque   2      51s
```

View the details of the Secret:

```shell
kubectl describe secret db-user-pass
```

The output is similar to:

```
Name:         db-user-pass
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  12 bytes
username:  5 bytes
```

The commands kubectl get and kubectl describe avoid showing the contents of a Secret by default. This is to protect the Secret from being exposed accidentally, or from being stored in a terminal log.
Decode the Secret
View the contents of the Secret you created:
```shell
kubectl get secret db-user-pass -o jsonpath='{.data}'
```

The output is similar to:

```json
{ "password": "UyFCXCpkJHpEc2I9", "username": "YWRtaW4=" }
```

Decode the password data:

```shell
echo 'UyFCXCpkJHpEc2I9' | base64 --decode
```

The output is similar to:

```
S!B\*d$zDsb=
```

Caution:
This is an example for documentation purposes. In practice, this method could cause the command with the encoded data to be stored in your shell history. Anyone with access to your computer could find the command and decode the secret. A better approach is to combine the view and decode commands.

```shell
kubectl get secret db-user-pass -o jsonpath='{.data.password}' | base64 --decode
```
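The script below is an added example and not part of the Kubernetes documentation. It extends the caution above from one key to the whole data map: the JSON that `kubectl get secret <name> -o jsonpath='{.data}'` prints is read on stdin, so no encoded value is ever placed on a command line where shell history would record it, and decoded values are written to owner-only files instead of the terminal. It assumes a POSIX shell with coreutils (base64, mktemp, find); the function names and the constructed sample input are this example's own.

```shell
#!/bin/sh
# Added example, not from the Kubernetes documentation: decode every key of a
# Secret's .data map without putting encoded values on a command line. The
# JSON map from `kubectl get secret <name> -o jsonpath='{.data}'` is read on
# stdin, so it never lands in argv or shell history, and decoded values go to
# mode-0600 files rather than the terminal. Assumes a POSIX shell with
# coreutils (base64, mktemp, find); function names are this example's own.

# Turn the jsonpath JSON on stdin into one "key base64value" line per entry.
# Secret keys may only contain [-._a-zA-Z0-9] and base64 text never contains
# ':' or ',', so a character-level split is sufficient and no JSON parser is
# needed. The `echo` guarantees a final newline so `read` sees the last entry.
secret_data_pairs() {
    { tr -d '{}" \n'; echo; } | tr ',' '\n' | sed 's/:/ /'
}

# List only the key names, the same amount of information `kubectl describe`
# reveals. Values are never printed.
secret_data_keys() {
    secret_data_pairs | while read -r key value; do
        if [ -n "$key" ]; then printf '%s\n' "$key"; fi
    done
}

# Decode each entry into <dir>/<key> inside a fresh private directory and
# print the directory path. umask 077 makes every file owner-readable only.
decode_secret_data_to_dir() {
    dir=$(mktemp -d)
    chmod 700 "$dir"
    (
        umask 077
        secret_data_pairs | while read -r key value; do
            if [ -n "$key" ]; then
                printf '%s' "$value" | base64 --decode > "$dir/$key"
            fi
        done
    )
    printf '%s\n' "$dir"
}

# Constructed sample input: the data map shown on this page.
SAMPLE_DATA='{"password":"UyFCXCpkJHpEc2I9","username":"YWRtaW4="}'

# Demonstration when run directly: list the keys, then decode into a private
# directory and show what was written (names and permissions only).
printf '%s' "$SAMPLE_DATA" | secret_data_keys
out=$(printf '%s' "$SAMPLE_DATA" | decode_secret_data_to_dir)
ls -l "$out"
rm -rf "$out"
```

In use, the pipeline is `kubectl get secret db-user-pass -o jsonpath='{.data}' | decode_secret_data_to_dir`; the files it produces carry the same secret material as the Secret object, so remove the directory as soon as the values have been checked.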
Edit a Secret
You can edit an existing Secret object unless it is immutable. To edit a Secret, run the following command:

```shell
kubectl edit secrets <secret-name>
```

This opens your default editor and allows you to update the base64 encoded Secret values in the data field, such as in the following example:

```yaml
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file, it will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  password: UyFCXCpkJHpEc2I9
  username: YWRtaW4=
kind: Secret
metadata:
  creationTimestamp: "2022-06-28T17:44:13Z"
  name: db-user-pass
  namespace: default
  resourceVersion: "12708504"
  uid: 91becd59-78fa-4c85-823f-6d44436242ac
type: Opaque
```

Clean up
To delete a Secret, run the following command:
```shell
kubectl delete secret db-user-pass
```

What's next
- Read more about the Secret concept
- Learn how to manage Secrets using config file
- Learn how to manage Secrets using kustomize