🔐 Secure Secrets Management
Passwords, tokens, keys — never hardcode. Kubernetes Secrets store sensitive data securely. Use in pods via environment variables or volumes.
📝 Creating Secrets
# Create from literal values
kubectl create secret generic app-secret \
--from-literal=db-password=SecurePass123 \
--from-literal=api-key=abc-123-xyz
# Create from file
kubectl create secret generic app-secret \
--from-file=./secrets/db-password.txt \
--from-file=./secrets/api-key.txt
# Create from YAML
apiVersion: v1
kind: Secret
metadata:
name: app-secret
type: Opaque
data:
db-password: U2VjdXJlUGFzczEyMw== # base64 encoded
api-key: YWJjLTEyMy14eXo=
---
# Or using stringData (plain text, auto-encoded)
apiVersion: v1
kind: Secret
metadata:
name: app-secret
type: Opaque
stringData:
db-password: SecurePass123
api-key: abc-123-xyz
🎯 Using Secrets in Pods
# As environment variables
apiVersion: v1
kind: Pod
metadata:
name: myapp
spec:
containers:
- name: app
image: myapp:latest
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: app-secret
key: db-password
- name: API_KEY
valueFrom:
secretKeyRef:
name: app-secret
key: api-key
# As volume mount
apiVersion: v1
kind: Pod
metadata:
name: myapp
spec:
containers:
- name: app
image: myapp:latest
volumeMounts:
- name: secret-volume
mountPath: /etc/secrets
readOnly: true
volumes:
- name: secret-volume
secret:
secretName: app-secret
💡 Security Best Practices
- Never hardcode secrets in code
- Use stringData for easy creation
- Enable encryption at rest
- Use RBAC to restrict access
- Rotate secrets regularly
- Use external secret management (Vault)
“Secrets keep sensitive data safe. Never hardcode passwords. Essential for Kubernetes security.”
