Kubernetes Secrets Example
Download the YAML configuration files for the Secrets example
Base64 Encoding/Decoding
To quickly encode/decode strings into base64:
Online Tools:
Windows:
Linux/Mac:
Create the Secrets
Applies the configuration from the secrets.yaml file to create the Kubernetes secret.
Look at the Secrets
These commands allow you to inspect the created secret in different formats.
Deploy the Pod
Deploys the pod that uses the secrets as environment variables.
Connect to the Busybox
Opens a shell inside the running Busybox container.
Display Environment Variables
Display the environment variables that were set from the secret and exit the container.
Cleanup
Deletes all resources defined in the YAML configuration files.
secrets.yaml Configuration File
apiVersion: v1
kind: Secret
metadata:
  name: secrets
type: Opaque
data:
  username: VGhlVXNlck5hbWU=
  password: bXlwYXNzd29yZA==
secrets.yaml Configuration Explanation:
Secret Structure:
- apiVersion: v1 → Specifies the Kubernetes API version
- kind: Secret → Defines this as a Secret resource
- metadata.name: secrets → Names the secret "secrets"
- type: Opaque → The default type for arbitrary user-defined data
Data Section:
- username: VGhlVXNlck5hbWU= → Base64 encoded value for "TheUserName"
- password: bXlwYXNzd29yZA== → Base64 encoded value for "mypassword"
- All values under data: in a Kubernetes Secret must be base64 encoded
- Kubernetes automatically decodes these values when they're used
How It Works:
This YAML file creates a Kubernetes Secret named "secrets" that stores two key-value pairs. The values are base64 encoded so that they can safely contain any binary data. Base64 is an encoding, not encryption, so anyone who can read the Secret object or this YAML file can recover the original values. When pods reference this secret, Kubernetes automatically decodes the values and makes them available to the containers.
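The encoding step for the data: section, as an added example that is not part of the original tutorial: a shell helper that encodes a value and audits a manifest for two common mistakes, values that are not valid base64 and values encoded together with a trailing newline (which echo adds). The function names and the sample manifest lines are constructed for illustration; the script assumes a base64 utility that accepts -d (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not from the original page.

# Encode a plaintext value for the data: section. printf '%s' is used
# because echo would append a newline that becomes part of the secret.
# tr removes the line wrapping and final newline that base64 emits.
encode_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Check one encoded value.
# Returns 0 if clean, 1 if not valid base64,
# 2 if the decoded value ends in a newline byte (0x0a).
check_value() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" != "0a" ] || return 2
    return 0
}

# Read a Secret manifest on stdin and print one verdict per key under data:.
audit_manifest() {
    awk '/^data:/ {d=1; next} /^[^ ]/ {d=0} d && NF==2 {sub(":", "", $1); print $1, $2}' |
    while read -r key value; do
        rc=0
        check_value "$value" || rc=$?
        case $rc in
            0) echo "$key ok" ;;
            1) echo "$key invalid-base64" ;;
            2) echo "$key trailing-newline" ;;
        esac
    done
}

# Constructed sample: the page's username value, plus a password that was
# encoded with echo and therefore carries a trailing newline.
printf '%s\n' 'data:' '  username: VGhlVXNlck5hbWU=' '  password: bXlwYXNzd29yZAo=' |
    audit_manifest
```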
pod.yaml Configuration File
apiVersion: v1
kind: Pod
metadata:
  name: mybox
spec:
  restartPolicy: Always
  containers:
  - name: mybox
    image: busybox
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 250m
        memory: 256Mi
    command:
    - sleep
    - "3600"
    env:
    - name: USERNAME
      valueFrom:
        secretKeyRef:
          name: secrets
          key: username
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: secrets
          key: password
pod.yaml Configuration Explanation:
Pod Structure:
- apiVersion: v1 → Specifies the Kubernetes API version
- kind: Pod → Defines this as a Pod resource
- metadata.name: mybox → Names the pod "mybox"
- restartPolicy: Always → Specifies the restart policy for the pod
Container Configuration:
- name: mybox → Names the container "mybox"
- image: busybox → Uses the lightweight BusyBox image
- resources → Defines CPU and memory requests/limits
- command: sleep "3600" → Runs the sleep command for 3600 seconds (1 hour)
Environment Variables from Secrets:
- USERNAME → Environment variable name
- valueFrom.secretKeyRef → Indicates the value comes from a secret
- name: secrets → References the secret named "secrets"
- key: username → Uses the value from the "username" key in the secret
- Similarly for PASSWORD environment variable
How It Works:
This pod runs a BusyBox container that sleeps for 1 hour. The environment variables USERNAME and PASSWORD are populated from the Kubernetes secret named "secrets". When the container starts, it has these environment variables available with the decoded values from the secret. This passes sensitive information to the container without writing it into the pod specification. The decoded values are still visible to anyone who can open a shell in the container, as the "Display Environment Variables" step shows, or who can read the Secret itself.