[Kubernetes] – How to create a Secret with base64 encode values? Is it safe to store confidential info?


The following example shows how to create a Secret with base64-encoded values. In this example, the values in the Secret will be a username and a password.

  • Let’s first encode the string values.

$ echo -n "camilamacedo86" | base64

$ echo -n "test-pwd" | base64

  • Now, let’s create the secret as in the following example. ($ vim secret-base64.yaml)
apiVersion: v1
kind: Secret
metadata:
  name: user-pass-test
type: Opaque
data:
  username: Y2FtaWxhbWFjZWRvODY=
  password: dGVzdC1wd2Q=
  • The following command will apply the secret.
$ kubectl apply -f secret-base64.yaml
  • Then, let’s check it.
$ kubectl get secret | grep user
user-pass-test                    Opaque                                2      92s
$ kubectl describe secret/user-pass-test
Name:         user-pass-test
Namespace:    default
Type:         Opaque

password:  8 bytes
username:  14 bytes

NOTE: You can use the command kubectl get secret/user-pass-test --output yaml to print the content in YAML format and, if you wish, redirect it to a file by appending > name.yaml.

Is it safe? Should confidential data be stored this way?

Although Secrets are the most appropriate resource for storing passwords, you need to be aware that base64 is only an encoding, not encryption: the original value can easily be recovered, as in the following example.

$ echo dGVzdC1wd2Q= | base64 --decode

Also, if the Secret is exposed to the container through environment variables, its values can be read from the /proc virtual filesystem by users who perhaps should not have access to them, as shown in the following example.

Pod with secret via env

apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
  restartPolicy: Never

Then, find the PID of the pod container that is using the secret.

$ docker ps | grep secret-env-pod
$ docker top <CONTAINER ID>

With that PID, the values can be read directly from the process environment:

$ sudo cat /proc/<PID>/environ
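To make the two points above concrete (the `data` field is only base64, and env-injected values sit in plaintext in /proc), here is an added example that is not part of the original post: it builds the same Secret manifest from plaintext, decodes it back, shows the trailing-newline mistake that forgetting `echo -n` would cause, and parses a constructed /proc/<pid>/environ blob. The environ bytes and the helper names are this example's own assumptions, not the post's.

```python
import base64
import json

# Plaintext values taken from the post (constructed input for this example).
SECRET_NAME = "user-pass-test"
PLAINTEXT = {"username": "camilamacedo86", "password": "test-pwd"}


def b64(value: str) -> str:
    """base64-encode a string with no trailing newline (what `echo -n ... | base64` does)."""
    return base64.b64encode(value.encode()).decode()


def build_secret_manifest(name: str, values: dict) -> dict:
    """Build an Opaque Secret whose `data` map holds base64-encoded values."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {key: b64(value) for key, value in values.items()},
    }


def decode_secret_data(manifest: dict) -> dict:
    """Recover every value: base64 is reversible by anyone who can read the manifest."""
    return {key: base64.b64decode(value).decode() for key, value in manifest["data"].items()}


def parse_proc_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE records that /proc/<pid>/environ contains."""
    env = {}
    for record in raw.split(b"\0"):
        if b"=" in record:
            key, _, value = record.partition(b"=")
            env[key.decode()] = value.decode()
    return env


if __name__ == "__main__":
    manifest = build_secret_manifest(SECRET_NAME, PLAINTEXT)
    print(json.dumps(manifest, indent=2))
    print(decode_secret_data(manifest))
    # Without `-n`, echo appends "\n" and the encoded value changes (dGVzdC1wd2QK).
    print(b64("test-pwd\n"))
    # Constructed environ content for a pod that injects the Secret as env variables.
    environ = b"PATH=/usr/bin\0SECRET_USERNAME=camilamacedo86\0SECRET_PASSWORD=test-pwd\0"
    print(parse_proc_environ(environ)["SECRET_PASSWORD"])
```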

So the best approach to keep this data safe is to encrypt it.

How to encrypt Secret Data?

The following are a few possibilities that can be used to do it.

NOTE: See the Kubernetes Secret documentation to better understand how it works. Also, feel free to check related posts by searching for the Kubernetes tag on this website.
