What Are Kubernetes Secrets?
Secrets store sensitive data such as passwords, API keys, and TLS certificates separately from your application code. Secret values are base64-encoded, which is an encoding and not encryption, so anyone who can read the Secret object can recover the plaintext. Secrets can be mounted as files or injected as environment variables into Pods on your Breeze.
Create a Secret from Literals

    kubectl create secret generic app-secrets \
      --from-literal=db-password=MySecurePass123 \
      --from-literal=api-key=abc123def456

Create a Secret from a YAML File

    apiVersion: v1
    kind: Secret
    metadata:
      name: app-secrets
    type: Opaque
    data:
      db-password: TXlTZWN1cmVQYXNzMTIz
      api-key: YWJjMTIzZGVmNDU2

Values must be base64-encoded:

    echo -n "MySecurePass123" | base64

Use Secrets as Environment Variables

    spec:
      containers:
      - name: app
        image: my-app:latest
        env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-secrets
              key: db-password

Mount Secrets as Files

    spec:
      containers:
      - name: app
        image: my-app:latest
        volumeMounts:
        - name: secret-vol
          mountPath: /etc/secrets
          readOnly: true
      volumes:
      - name: secret-vol
        secret:
          secretName: app-secrets

View and Manage Secrets

    kubectl get secrets
    kubectl describe secret app-secrets
    kubectl get secret app-secrets -o jsonpath='{.data.db-password}' | base64 -d

Best Practices
- Never commit Secrets to version control
- Enable encryption at rest in the Kubernetes API server
- Use RBAC to restrict Secret access
- Rotate Secrets regularly
- Consider sealed-secrets or external secret operators for production
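
The first practice above can be enforced mechanically. The following is an added example, not part of the original page: a shell function that flags any manifest containing a kind: Secret document with populated data or stringData keys. The function names (scan_manifest, write_samples) and the sample files are constructed for illustration, and the line-based matching assumes conventionally indented block-style YAML.

```shell
# scan_manifest FILE: print "FILE: key" for every populated key under data: or
# stringData: in a kind: Secret document; return 1 if any were found, else 0.
scan_manifest() {
  awk -v file="$1" '
    # Findings are held until the document ends because kind: may follow data:.
    function end_doc(   i) {
      if (is_secret) for (i = 1; i <= n; i++) { print file ": " keys[i]; found = 1 }
      is_secret = 0; n = 0; in_data = 0
    }
    /^---[ \t]*$/               { end_doc(); next }
    /^kind:[ \t]*Secret[ \t]*$/ { is_secret = 1 }
    /^(data|stringData):/       { in_data = 1; next }
    /^[^ \t#]/                  { in_data = 0 }   # any other top-level key
    in_data && /^[ \t]+[^ \t#:]+:[ \t]*[^ \t]/ { key = $1; sub(/:$/, "", key); keys[++n] = key }
    END { end_doc(); exit found }
  ' "$1"
}

# write_samples DIR: constructed manifests (Secret values reuse this page's examples).
write_samples() {
  cat > "$1/secret.yaml" <<'EOF'
apiVersion: v1
kind: ConfigMap
data:
  log-level: debug
---
apiVersion: v1
data:
  db-password: TXlTZWN1cmVQYXNzMTIz
  api-key: YWJjMTIzZGVmNDU2
kind: Secret
metadata:
  name: app-secrets
EOF
  cat > "$1/pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: app
    env: [{name: DB_PASSWORD, valueFrom: {secretKeyRef: {name: app-secrets, key: db-password}}}]
EOF
}

demo_dir=$(mktemp -d); write_samples "$demo_dir"
for f in "$demo_dir"/*.yaml; do
  scan_manifest "$f" || echo "REJECT: $f embeds Secret values"
done
```

Called from a pre-commit hook over the staged YAML files, a non-zero return from scan_manifest is the signal to abort the commit. Only key names are reported, so the check itself never writes secret values to the terminal or CI logs.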