Kubernetes Secret Generator
Generate a Kubernetes Secret YAML with base64-encoded values. Includes security warnings and usage examples. Never commit Secrets to Git without encryption.
Kubernetes Secrets — Security Guide
Secrets store sensitive data. The default base64 encoding provides no security — it's just encoding, not encryption.
Security Ladder
| Approach | Security | Complexity |
|---|---|---|
| Plain Secret in cluster | Low — readable from etcd | None |
| Encryption at rest | Medium — encrypted in etcd | Low |
| Sealed Secrets (Git) | High — encrypted in Git | Medium |
| External Secrets + Vault | Highest — zero secrets in cluster | High |
Enable Encryption at Rest
```yaml
# /etc/kubernetes/encryption-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources: [secrets]
    providers:
      # The first provider is used to encrypt new writes; identity last keeps
      # Secrets written before encryption was enabled readable until re-written.
      - aescbc:
          keys: [{ name: key1, secret: <base64-32-byte-key> }]
      - identity: {}
```
Sealed Secrets Workflow
```bash
# Install kubeseal CLI
brew install kubeseal

# Encrypt a Secret for Git
kubeseal --format yaml < secret.yaml > sealedsecret.yaml
git add sealedsecret.yaml   # safe to commit

# The controller decrypts it in the cluster automatically
```
RBAC: Restrict Secret Access
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]                     # never use '*' for secrets
    resourceNames: ["my-app-secret"]   # specific secret only
```
Key Terms
kubeadm
A tool for bootstrapping Kubernetes clusters. It automates the setup of control plane components and joining worker nodes, following Kubernetes best practices.
etcd
A distributed key-value store used by Kubernetes to store all cluster state and configuration. etcd is the single source of truth for the entire cluster.
cert-manager
A Kubernetes controller for automating TLS certificate management. cert-manager can issue certificates from Let's Encrypt, Vault, or internal CAs, and automatically renews them.
Helm
A package manager for Kubernetes. Helm charts bundle Kubernetes manifests into reusable packages with configurable values, versioned and published to chart repositories.
Frequently Asked Questions
Are Kubernetes Secrets actually secure?
By default, Secrets are only base64-encoded — not encrypted. Anyone with etcd access can read them in plain text. For real security: enable encryption at rest (EncryptionConfiguration in the API server), use Sealed Secrets (Bitnami) to store encrypted Secrets in Git, or use External Secrets Operator to pull from Vault, AWS Secrets Manager, or GCP Secret Manager. Never commit plain Secret YAML to Git.
What is the difference between Opaque and other Secret types?
Opaque is the generic type for arbitrary key-value pairs (passwords, API keys). kubernetes.io/tls is for TLS certificates — Kubernetes validates it has tls.crt and tls.key fields. kubernetes.io/dockerconfigjson is for container registry credentials — used by imagePullSecrets. Using the correct type enables validation and allows Kubernetes components to consume the secret correctly.
How do I create a Secret from a file?
kubectl create secret generic my-secret --from-file=ssh-key=/path/to/key --from-literal=API_KEY=abc123 -o yaml --dry-run=client. The --dry-run=client flag prints the YAML without applying it — useful for review. For TLS: kubectl create secret tls my-tls --cert=cert.pem --key=key.pem.
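As an added example (not the page's own generator), the script below builds a Secret manifest with base64-encoded data, enforces the required keys for kubernetes.io/tls and kubernetes.io/dockerconfigjson, decodes the result to show the encoding is trivially reversible, and produces a 32-byte key for the aescbc provider above. The function names build_secret, decode_secret and aescbc_key are assumptions.

```python
import base64
import json
import re
import secrets

# Secret data keys must match this pattern (same rule as ConfigMap keys).
_KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")
# Keys that the API server validates for typed Secrets.
_REQUIRED_KEYS = {
    "kubernetes.io/tls": {"tls.crt", "tls.key"},
    "kubernetes.io/dockerconfigjson": {".dockerconfigjson"},
}

def build_secret(name, values, secret_type="Opaque", namespace="default"):
    """Return a Secret manifest (dict) whose `data` values are base64-encoded.
    `values` is a plain dict of key -> plaintext string (assumed helper)."""
    missing = _REQUIRED_KEYS.get(secret_type, set()) - values.keys()
    if missing:
        raise ValueError(f"{secret_type} requires keys: {sorted(missing)}")
    for key in values:
        if not _KEY_RE.match(key):
            raise ValueError(f"invalid data key: {key!r}")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": secret_type,
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in values.items()},
    }

def decode_secret(manifest):
    """Recover the plaintext: anyone who can read the object can do this."""
    return {k: base64.b64decode(v).decode() for k, v in manifest["data"].items()}

def aescbc_key():
    """Fresh 32-byte random key, base64-encoded, for the aescbc provider."""
    return base64.b64encode(secrets.token_bytes(32)).decode()

if __name__ == "__main__":
    # Constructed sample input; JSON is valid YAML, so `kubectl apply -f` accepts it.
    manifest = build_secret("my-app-secret", {"API_KEY": "abc123"})
    print(json.dumps(manifest, indent=2))
    print(decode_secret(manifest))  # {'API_KEY': 'abc123'}
    print(aescbc_key())
```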
What are Sealed Secrets and should I use them?
Sealed Secrets (Bitnami) encrypts Kubernetes Secrets using a cluster-specific key — the encrypted SealedSecret object is safe to commit to Git. A controller in the cluster decrypts it back into a regular Secret. This is the GitOps-friendly way to manage secrets. Install: helm install sealed-secrets sealed-secrets/sealed-secrets -n kube-system. Then: kubeseal < secret.yaml > sealedsecret.yaml.