- Just like ConfigMap but used to store secrets instead of parameters. Stores the data in base64-encoded format (base64 is an encoding, not encryption: anyone who can read the Secret object can decode the values).
  To encode a string as base64 (the `-n` keeps `echo` from appending a newline, which would otherwise be encoded too):
  ```shell
  echo -n '<string>' | base64
  ```
- Encryption at rest is not enabled by default. See "Encrypting Secret Data at Rest" in the Kubernetes documentation. Storing secrets in a third-party secrets store provided by a cloud provider is another good option.
- The data stored in the Secret is used to set the environment variables when the container (pod) is created. If the Secret gets updated later, the pod will continue to use the old value. We need to re-create the pods by performing a rollout restart on the deployment so that the new pods use the new data:
  ```shell
  k rollout restart deployment <deployment-name>
  ```
  (This applies to Secrets injected as environment variables; a Secret mounted as a volume, without `subPath`, is eventually refreshed by the kubelet without restarting the pod.)

Secret definition file
Same as ConfigMap except the `kind` and the base64-encoded values:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
data:
  # placeholder base64 values from the notes; real values come from `echo -n '<string>' | base64`
  USERNAME: adfcfe==
  PASSWORD: asdgfgv==
```
To view the secrets along with their encoded values, run:
```shell
k get secret <secret-name> -o yaml
```
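The following is an added example (not from the original notes) that puts the encoding step and the Secret definition above together in a POSIX shell script: it base64-encodes plain values with no trailing newline, decodes a value the way you would read one back from `k get secret -o yaml`, generates a Secret manifest for `app-secret` with the `USERNAME` and `PASSWORD` keys from the notes, and shows why forgetting `-n` produces a different (and wrong) encoded value. The sample values (`admin`, `s3cr3t`) are constructed for the example; the function names are assumptions, not kubectl features.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Encode one value exactly as the notes say: no trailing newline is encoded.
# `tr -d '\n'` removes the line wrapping GNU base64 adds to long values.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a value as it appears in a Secret's .data field.
b64_decode() {
  printf '%s' "$1" | base64 -d
}

# Emit a Secret manifest. Usage: secret_manifest <name> KEY=value [KEY=value ...]
# Output mirrors the "Secret definition file" section of the notes.
secret_manifest() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# Demonstrate the -n pitfall: `echo` without -n appends "\n", so the same
# string encodes to a different value, and the decoded secret would carry a
# stray newline (a classic cause of "wrong password" errors in pods).
newline_mismatch() {
  with_nl=$(echo "$1" | base64 | tr -d '\n')
  without_nl=$(b64 "$1")
  if [ "$with_nl" != "$without_nl" ]; then
    echo "mismatch"
  else
    echo "same"
  fi
}

# Constructed sample values; in practice feed real credentials from a secure source.
secret_manifest app-secret USERNAME=admin PASSWORD=s3cr3t
```

Piping the script's output to `k apply -f -` creates the Secret; compare the `data` values against `k get secret app-secret -o yaml` to confirm nothing was re-encoded along the way.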
Using Secrets in Pods
- Passing the entire Secret of key-value pairs to ENV
  ```yaml
  apiVersion: v1
  kind: Pod
  metadata:
    name: app
    labels:
      name: app
  spec:
    containers:
      - name: httpd
        image: httpd:2.4-alpine
        envFrom:
          - secretRef:
              name: app-secret   # every key in the Secret becomes an env var
  ```
- Passing a single key-value pair of the Secret to ENV
  ```yaml
  apiVersion: v1
  kind: Pod
  metadata:
    name: app
    labels:
      name: app
  spec:
    containers:
      - name: httpd
        image: httpd:2.4-alpine
        env:
          - name: PASSWORD
            valueFrom:
              secretKeyRef:
                name: app-secret   # the Secret object
                key: PASSWORD      # the key within its data
  ```
- Passing a file as a Secret by mounting the Secret as a volume (each key becomes a file under the mount path; note that a `secret` volume refers to the Secret with `secretName`, not `name`)
  ```yaml
  apiVersion: v1
  kind: Pod
  metadata:
    name: app
    labels:
      name: app
  spec:
    containers:
      - name: nginx
        image: nginx
        volumeMounts:
          - name: nginx-secret-volume
            mountPath: /etc/nginx/conf.d/
    volumes:
      - name: nginx-secret-volume
        secret:
          secretName: nginx-secret
  ```