Certified Kubernetes Administrator (CKA) — Tips and Tricks — Part 6

How to store sensitive information into the cluster with kubernetes secrets ㊙️

Arun Ramakani
Jan 3 · 5 min read

I wish you all a Very Happy New Year! Let your certification dreams come true this year 🏄

Kubernetes secrets are one of the high-value questions in the CKA exam. I don’t think that there is another question in the exam where the concept is simple but the marks are maximum. One cannot afford to get this question wrong. Lets quickly look into the basics of Kubernetes secrets and various ways in which you may face an exam question.

What are Kubernetes secrets?

Do you have a small amount of sensitive data that can not be exposed in a pod specification or ConfigMaps, then Kubernetes secrets is the way to store them in the cluster. Let’s quickly see some facts about Kubernetes secrets.

  • Kubernetes secrets are namespaced object and lives in the context of the namespace.
  • Having a separate Kubernetes resource type for secrets enables us a precise RBAC control.
  • Secrets can be made available to a pod via environment variable or volume.
  • The limit for the size of data in secrets is 1MB
  • Securing ETCD access is very critical, as secrets are stored as Base64 encoding in ETCD. This is the same as storing in a plaintext.
  • If you are running some serious production workloads, try sealed secrets or a vault solution which is more production hardened. We will not look into this as it’s out of the scope for the exam.

Of all the above facts, the fact below is very critical for the exam

Secrets can be made available to a pod via environment variable or volume

Let’s understand this in a quick picture

How should I create secret ?

kubectl create secret [TYPE] [NAME] [DATA]


  • generic To create a secret from a local file, directory, or literal value.
  • docker-registry This will create a dockercfg secret file to authenticate against any Docker registries.
  • tls Used when you have a tls public/private key pair to be stored.

[NAME] — Name of the secret, will be used when you refer inside a POD


  • — from-file Used when you load the data from a file. (the value of the Secret is the entire content of the file)
  • — from-env-file Used when you want to load multiple secrets key-value pair from a file.
  • — from-literal Used when you load the secret data from key-value pair.

Creating secret will full file content

echo -n “mysecret” > ./secret.txt

kubectl create secret generic mysecret — from-file=./secret.txt

kubectl describe secrets mysecret

Creating secret from a file with key-values

vi secret2.txt , then add you key values each in a new line

kubectl create secret generic newsecret — from-env-file=./secret2.txt

kubectl describe secrets newsecret

Creating secret from literal

kubectl create secret generic literal-token — from-literal user=admin — from-literal password=1234

Creating secret from YAML

There is an important fact that you have to know, before looking into the YAML way of creating a secret. All the secrets will be Base64 encoded automatically in all the above ways of creating a secret. See the attached YAML outputs.

Now lets see how YAML way of creating is different

If you look at the YAML above, we are manually encoding the value of the secret into YAML we create.

To encode any text use

echo -n ‘admin’ | base64

Then run

kubectl apply -f secret.yaml

Exam Tips

For the exam, we should be able to do the below

  1. Map the created secret as an environment variable in the pod specification.
  2. Map the created secret to a volume and map it to the pod.

Environment Variable

When you write your pod specification use “valueFrom” into the environment variable with “secretKeyRef” and then use the name of the secret with the key of the secret.

In the below example pod, we pick up two evironment variable “SECRET_USERNAME”, “SECRET_PASSWORD” and fill them with value from the secret “mysecret” with the keys “username” and “password” respectively

Pod Volume Mapping

First create a pod volume from the secret.

volumes → name: [Volume Name] → secret → secretName: [Secret Name]

Then mount the volume to the pod

volumeMounts → name: [Volume Name] → mountPath: “[Mount Path]” → readOnly: true

You can use “readOnly” attribute optionally, if you wish that the secret file in the volume should not be modified.

A final important note: If you are not able to memorize any of the above commands, no worries. Kubernetes documentation page for secrets is there for the rescue during the exam.

That is all you need to know about secrets, we are done 🚀. Also, visit other tips and tricks for Certified Kubernetes Administrator (CKA)

We will look into other tips and tricks in an upcoming article. Let you pass with flying colors 🏄

Arun Ramakani

Written by

#ContinuousDevOps #Kubernetes #Microservices #CloudNativeApps #DevOps #Agile #CodingArchitect

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade