How to Read Kubernetes Secrets
So you’ve started using Kubernetes secrets. At some point, you’ll probably want to see the secret in plain text, either to validate it or use it in another context. In this guide, I’ll show you how to read Kubernetes secrets from the command line using kubectl.
tl;dr
$ kubectl get secret <SECRET_NAME> -o jsonpath="{.data.<DATA>}" | base64 --decode
Replace <SECRET_NAME> and <DATA>.
1 – Authenticate with your Kubernetes cluster
If you’re running multiple Kubernetes clusters or haven’t authenticated yet, you’ll need to do so first. There are a handful of authentication strategies, so I will not cover each of them in this guide.
I run my clusters on GKE, so there’s a handy gcloud command to get the configuration for a particular cluster and handle authentication.
Once you’ve authenticated you can confirm your current context with:
$ kubectl config current-context
2 – List, read, and decode secret data
Now let’s assume we want to read from a secret called mysecret. The terminology might be a little bit tricky, so I’ll try to explain. In Kubernetes, “secret” refers to the Secret object, and Secret objects can be composed of multiple pieces of sensitive information. In this demo, mysecret includes both a username and password.
So first we’ll locate our secret:
$ kubectl get secrets
NAME       TYPE     DATA   AGE
mysecret   Opaque   2      2d
And there’s our secret. We can also confirm it has two pieces of data (presumably username and password).
Now let’s describe the secret:
$ kubectl describe secret mysecret
Name:         mysecret
Namespace:    default
Labels:       <none>
Annotations:
Type:         Opaque

Data
====
username:  20 bytes
password:  20 bytes
Ok. So we’ve got our secret with the username and password data.
Now, if we use kubectl get and set the output to yaml, we’ll see the base64 encoded secret data.
$ kubectl get secret mysecret -o yaml
apiVersion: v1
data:
  username: YWJjZGVmZ2hpamtsbW5vcHFyc3QK
  password: MTIzNDU2Nzg5MDEyMzQ1Njc4OTAK
...
Now to see the output in plain text you can simply copy the base64 encoded string, and decode it:
$ echo "YWJjZGVmZ2hpamtsbW5vcHFyc3QK" | base64 --decode
abcdefghijklmnopqrst
3 – A shortcut to decoding secret data
The previous step is useful for understanding how this breaks down, but here’s a much easier way to read a secret:
$ kubectl get secret mysecret -o jsonpath="{.data.username}" | base64 --decode
abcdefghijklmnopqrst
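When the goal is to validate a secret rather than display it, the same decode step can report each key's length and whether the value ends in a stray newline (the sample values above both end in "K", which decodes to one), without printing the value itself. This is an added example, not part of the original guide; the function names are hypothetical and the sample input is constructed from the values shown above.

```shell
#!/bin/sh
# Audit decoded Secret values without echoing them to the terminal.
# Input lines are "key<TAB>base64value", the shape produced by:
#   kubectl get secret mysecret \
#     -o go-template='{{range $k, $v := .data}}{{$k}}{{"\t"}}{{$v}}{{"\n"}}{{end}}'

# Print the decoded byte count of one base64 value.
decoded_len() {
    printf '%s' "$1" | base64 --decode | wc -c | tr -d ' '
}

# Print the last decoded byte as two hex digits (0a means newline).
# Piping avoids $(...) on the decoded data, which would strip the newline.
last_byte_hex() {
    printf '%s' "$1" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n'
}

# Read "key<TAB>value" lines on stdin and print "key length note" per key.
audit_secret_data() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r key value || [ -n "$key" ]; do
        [ -n "$key" ] || continue          # skip blank lines
        if [ "$(last_byte_hex "$value")" = "0a" ]; then
            note="TRAILING-NEWLINE"        # typical of `echo` without -n
        else
            note="ok"
        fi
        printf '%s %s %s\n' "$key" "$(decoded_len "$value")" "$note"
    done
}

# Constructed sample: the two values from this guide plus one clean value.
SAMPLE="$(printf 'username\tYWJjZGVmZ2hpamtsbW5vcHFyc3QK\npassword\tMTIzNDU2Nzg5MDEyMzQ1Njc4OTAK\ntoken\tYWJj')"

printf '%s\n' "$SAMPLE" | audit_secret_data
```

A value flagged TRAILING-NEWLINE will usually fail when an application uses it verbatim as a password or token.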