kubernetesconfigPractitioner

Kubernetes Secrets: Safeguarding Sensitive Data in Your Clusters

5 min read Kubernetes DocsApr 28, 2026Reviewed for accuracy

Practitioner — Hands-on experience recommended

Kubernetes Secrets exist to help you manage sensitive data without hardcoding it into your application code or exposing it in your configuration files. They provide a way to store and access sensitive information, such as passwords, tokens, and keys, securely. This separation reduces the risk of exposure during the workflow of creating, viewing, and editing Pods, which is crucial in maintaining the integrity of your applications.

Secrets can be created independently of the Pods that use them, allowing for better management and security. The default type of Secret is Opaque, but Kubernetes also supports specific types like ServiceAccount token Secrets, which store token credentials for ServiceAccounts. You can create a Secret using a simple command like kubectl create secret generic empty-secret, and then reference it in your Pods. For instance, you can mount a Secret as a volume in a Pod, making it accessible at a specified path. However, be cautious: by default, Secrets are stored unencrypted in etcd, meaning anyone with API access can retrieve or modify them. This makes it crucial to implement proper access controls and consider encryption at rest for your etcd data store.

In production, remember that files starting with a dot are hidden from standard directory listings. Use ls -la to see them. Also, if you're using ServiceAccount token Secrets, be aware that the recommended approach in Kubernetes v1.22 and later is to use the TokenRequest API for short-lived, automatically rotating tokens instead. This change helps mitigate the security risks associated with long-lived tokens stored in Secrets.

Key takeaways

→Understand that Kubernetes Secrets are stored unencrypted by default, posing security risks.
→Use the TokenRequest API for ServiceAccount tokens to avoid persisting long-lived credentials.
→Create Secrets independently of Pods to enhance security during workflow processes.
→Mount Secrets as volumes in your Pods for secure access to sensitive data.
→Remember to use 'ls -la' to view hidden files when working with Secrets.

Why it matters

In production, mishandling Secrets can lead to severe security breaches, exposing sensitive data to unauthorized users. Proper management of Secrets is critical for maintaining the security posture of your applications.

Code examples

YAML

apiVersion:v1kind:Secretmetadata:name:dotfile-secretdata:.secret-file:dmFsdWUtMg0KDQo=

YAML

apiVersion:v1kind:Podmetadata:name:secret-dotfiles-podspec:volumes:-name:secret-volumesecret:secretName:dotfile-secretcontainers:-name:dotfile-test-containerimage:registry.k8s.io/busyboxcommand:- ls-"-l"-"/etc/secret-volume"volumeMounts:-name:secret-volumereadOnly:truemountPath:"/etc/secret-volume"

YAML

apiVersion:v1kind:Secretmetadata:name:secret-sa-sampleannotations:kubernetes.io/service-account.name:"sa-name"type:kubernetes.io/service-account-tokendata:extra:YmFyCg==