Creating Kubernetes Secret⚓︎
This article explains how to create a Kubernetes Secret manifest and seal it for secure storage.
In this step, we’ll generate a standard Kubernetes Secret manifest that can later be sealed and encrypted with kubeseal. By outputting the YAML without applying it, you get full control over your secret definitions.
1. Generate the Secret YAML⚓︎
Use the following command to create a generic Secret named database in the default namespace. The DB_PASSWORD key is set to password123.
kubectl create secret generic database \
-n default \
--from-literal=DB_PASSWORD=password123 \
--dry-run=client \
-o yaml > secret.yaml
| Option | Description | Example |
|---|---|---|
create secret generic <name> |
Creates a generic Secret resource | kubectl create secret generic database |
-n <namespace> |
Specifies the target namespace | -n default |
--from-literal=KEY=VALUE |
Adds literal key-value pairs to the Secret | --from-literal=DB_PASSWORD=password123 |
--dry-run=client -o yaml |
Outputs the manifest without applying it | --dry-run=client -o yaml |
Note
Kubernetes Secrets store data as base64-encoded strings, not encrypted values. Always seal or encrypt sensitive data before committing to version control.
2. Inspecting the Generated YAML⚓︎
Your secret.yaml will look like this:
apiVersion: v1
kind: Secret
metadata:
name: database
namespace: default
data:
DB_PASSWORD: cGFzc3dvcmQxMjM=
3. Verifying the Base64 Encoding⚓︎
To confirm the encoding, decode the DB_PASSWORD field:
4. Next Steps: Sealing the Secret⚓︎
Now that you have secret.yaml, pass it through kubeseal to produce a secure SealedSecret:
This encrypted manifest can be safely stored in Git and applied to any cluster that holds your Sealed Secrets key.