Kubernetes Secrets: How to create and use them safely

Learn how to create Kubernetes Secrets and use them in two ways: as environment variables and as volume mounts. Includes working YAML examples.

4 lessons · 10 min · Advanced

2 minutes reading time

Written by

Civo Team

Marketing Team at Civo

Secrets store sensitive data in Kubernetes: passwords, OAuth tokens, SSH keys, TLS certificates, and API keys. They work similarly to ConfigMaps but are intended for confidential values that should not appear in plain text in your application code or container images.

Before using Secrets, there is one critical thing to understand.

Warning: base64 is not encryption. Kubernetes Secrets are base64-encoded by default, not encrypted. Anyone with kubectl get secret access can decode a Secret value in seconds with echo <value> | base64 -d. Secrets are not secure by default. They require RBAC to restrict who can read them, and encryption at rest for production workloads. See the security best practices section below.


Create a Secret from a YAML file

Base64-encode your values first:

echo -n "admin" | base64

Expected output:

YWRtaW4=

echo -n "passcode" | base64

Expected output:

cGFzc2NvZGU=

Create a Secret manifest using the encoded values:

apiVersion: v1
kind: Secret
metadata:
  name: demo
type: Opaque
data:
  username: YWRtaW4=
  password: cGFzc2NvZGU=

Apply it:

kubectl create -f sec.yaml

Verify the Secret was created:

kubectl get secrets

Expected output:

NAME   TYPE     DATA   AGE
demo   Opaque   2      5s

Create a Secret imperatively

kubectl create secret generic admin --from-literal=admin-user=admin --from-literal=dev-user=dev

Verify:

kubectl get secrets

Use a Secret as a volume mount

Each key in the Secret becomes a file at the mount path. The file contents are the decoded value.

apiVersion: v1
kind: Pod
metadata:
  name: secret-pod-volume
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/secrets
  volumes:
  - name: secret-volume
    secret:
      secretName: demo

Apply it and check that the Pod is running:

kubectl create -f pod2.yaml
kubectl get pods

Exec into the pod and inspect the mounted files:

kubectl exec -it secret-pod-volume -- sh
ls /etc/secrets

Expected output:

password  username

cat /etc/secrets/username

Expected output:

admin

Use a Secret as an environment variable

apiVersion: v1
kind: Pod
metadata:
  name: secret-env
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["env"]
    env:
    - name: ADMIN_USER
      valueFrom:
        secretKeyRef:
          name: admin
          key: admin-user
    - name: DEV_USER
      valueFrom:
        secretKeyRef:
          name: admin
          key: dev-user
  restartPolicy: Never

Apply it and read the container's output:

kubectl create -f pod.yaml
kubectl logs secret-env

Expected output:

ADMIN_USER=admin
DEV_USER=dev

Security best practices

Base64 encoding is not a security control. It is a data encoding format that any user with access to the Secret can reverse immediately. Treat Secrets as sensitive resources and apply the following practices.

  • Restrict access with RBAC: Apply the principle of least privilege. Only the service accounts and users that genuinely need to read a Secret should have permission to do so. Avoid granting broad get or list permissions on Secrets across a namespace.
  • Enable encryption at rest: By default, Secrets are stored unencrypted in etcd. Anyone with direct access to etcd can read them. Enable EncryptionConfiguration in your cluster to encrypt Secret values before they are written to etcd. For managed clusters like Civo, check your provider's documentation for encryption at rest settings.
  • Use external secret stores for production: The most secure approach removes credentials from the cluster entirely and fetches them from a dedicated secrets management system at runtime.
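The first two practices can be checked mechanically. The following added example (not part of the Civo lesson) audits dict-shaped Kubernetes objects such as the JSON from kubectl get clusterroles -o json or a parsed EncryptionConfiguration file: it flags RBAC rules that read Secrets without a resourceNames scope, reports whether Secret writes to etcd use a real encryption provider, and shows how trivially the demo Secret's base64 values decode. The role and encryption fragments are constructed samples.

```python
import base64

READ_VERBS = {"get", "list", "watch", "*"}

# Constructed sample ClusterRole: rule 0 reads every Secret in the cluster,
# rule 1 is scoped to the single Secret named "demo".
SAMPLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
         "resourceNames": ["demo"]},
    ],
}

# Constructed EncryptionConfiguration fragments: the first provider listed is the
# one used for writes, so a leading `identity` provider stores Secrets in plaintext.
WEAK_ENCRYPTION = {"resources": [{"resources": ["secrets"],
                   "providers": [{"identity": {}}, {"aescbc": {"keys": []}}]}]}
STRONG_ENCRYPTION = {"resources": [{"resources": ["secrets"],
                     "providers": [{"aescbc": {"keys": []}}, {"identity": {}}]}]}


def broad_secret_rules(role):
    """Indices of rules that grant read access to Secrets without a resourceNames scope."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        core_group = {"", "*"} & set(rule.get("apiGroups", []))   # "" is the core API group
        on_secrets = {"secrets", "*"} & set(rule.get("resources", []))
        can_read = READ_VERBS & set(rule.get("verbs", []))
        if core_group and on_secrets and can_read and not rule.get("resourceNames"):
            findings.append(i)
    return findings


def secrets_encrypted_at_rest(config):
    """True only if an entry covers secrets and its write provider is not identity."""
    for entry in config.get("resources", []):
        if "secrets" in entry.get("resources", []):
            providers = entry.get("providers", [])
            return bool(providers) and "identity" not in providers[0]
    return False   # no entry covers secrets: they are written unencrypted


def decode_secret(manifest):
    """base64 is reversible: recover the plaintext values of a Secret manifest."""
    return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}
```

Run against real cluster output, every index returned by broad_secret_rules is a rule to narrow with resourceNames or remove, and a False from secrets_encrypted_at_rest means the EncryptionConfiguration needs a non-identity provider listed first.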

External secret stores

Sealed Secrets encrypts your Secret manifests using a key held by a controller running in your cluster. The encrypted manifest is safe to commit to Git. When applied to the cluster, the controller decrypts it and creates a standard Kubernetes Secret. Sealed Secrets on GitHub

External Secrets Operator syncs secrets from external providers including HashiCorp Vault. Your credentials live in your secrets manager and the operator keeps the cluster in sync. external-secrets.io
