What Does Secret Usage Mean?
Also known as: Secret Usage, Kubernetes Secrets, CKAD exam, CNCF, Secret Usage definition
On This Page
Quick Definition
In Kubernetes, a Secret is a safe place to store small pieces of sensitive data such as passwords, tokens, or SSH keys. Secret Usage means how you create, manage, and give these secrets to your applications without exposing them in your code or configuration files. It helps keep your applications secure and compliant with best practices.
Must Know for Exams
Secret Usage is a key topic in the CNCF Certified Kubernetes Application Developer (CKAD) exam. The CKAD exam tests your ability to create and manage Kubernetes workloads, and Secrets are a fundamental part of that. In the exam, you will be asked to create a Secret and then have a pod consume it as an environment variable or as a volume mount. You must know the syntax for creating a Secret imperatively with kubectl create secret generic and declaratively with a YAML file. You also need to know the difference between using env and envFrom in a pod spec and how to reference a specific key from a Secret.
The CKAD exam objectives include ConfigMaps and Secrets. The exam expects you to understand that Secrets are base64-encoded but not encrypted. You must be able to create a Secret, update it, and mount it correctly. There will be performance-based tasks where you have a limited time to complete a task, so you need to be efficient. For instance, you might be given a scenario where a pod is failing because it cannot read a database password. You must diagnose that the Secret does not exist or is referenced incorrectly and fix it.
The exam also tests your understanding of Secret types. You should know how to create a TLS Secret using the --cert and --key flags. You might also need to create a Docker registry Secret to pull images from a private registry. While the CKAD is the primary exam for application developers, Secret Usage also appears in the CKA (Certified Kubernetes Administrator) exam, where you might need to configure encryption at rest or troubleshoot RBAC issues related to Secrets. The CKA exam is more about cluster administration, but understanding Secret Usage is still necessary because you may have to create Secrets for cluster components.
In summary, exam questions rarely ask directly 'what is a Secret?' Instead, they give you a practical task. You must demonstrate that you can work with Secrets under time pressure. You need to memorize the kubectl commands and the YAML structure. Practice creating Secrets, mounting them, and verifying that the values are available inside the container. Remember that the exam environment uses a real Kubernetes cluster, so you can test your solutions.
Simple Meaning
Imagine you are the manager of a large office building. Every employee has an access badge that opens the main door, but some employees also need keys to open specific rooms like the server room or the supply closet. You would not want to write the combination to the server room door on a sticky note and stick it to the reception desk. That would be unsafe because anyone could see it. Instead, you keep the combination in a safe locked in your office, and you give it only to people who truly need it.
In Kubernetes, Secrets work like that safe. A Kubernetes Secret is an object that holds sensitive information like database passwords, API tokens, or TLS certificates. Instead of putting these values directly into your application code or configuration files, you store them in a Secret. Then, when your application starts, Kubernetes gives it access to the Secret in a controlled way.
The Secret itself is stored inside your Kubernetes cluster. You can create a Secret manually, or the system might create one for you automatically, like when you set up a service account. Your pods can use Secrets either as environment variables or as files. When a pod uses a Secret as a file, it mounts the Secret as a volume, so the application reads the sensitive data from a file inside the container. This is much safer than hardcoding the password in a YAML file because YAML files are often stored in version control systems where many people can see them.
Secret Usage is not just about storing secrets. It also covers how you update secrets, how you delete them, and how you control which pods can access which secrets. Kubernetes protects Secrets by encrypting them at rest (when they are stored on disk) and by limiting access through role-based access control (RBAC). By using Secrets properly, you ensure that sensitive information never ends up in the wrong hands, even if someone accidentally publishes your code to a public repository.
Full Technical Definition
A Kubernetes Secret is an object that stores sensitive data such as passwords, OAuth tokens, SSH keys, or TLS certificates. Secrets are part of the core Kubernetes API and are defined in the v1 API group. They have a type field that indicates the kind of secret, such as Opaque (arbitrary key-value pairs), kubernetes.io/tls (TLS certificates), kubernetes.io/dockercfg (Docker registry credentials), or bootstrap.kubernetes.io/token (bootstrap tokens). The data within a Secret is base64-encoded but not automatically encrypted at rest unless you enable encryption at rest in your cluster configuration.
Secret Usage involves several steps. First, you create a Secret using the kubectl create secret command, a YAML manifest, or through a controller like the External Secrets Operator. The Secret object contains a data field with key-value pairs, where the values must be base64-encoded. For example, if your database password is 'myP@ssw0rd', you encode it as 'bXlQQHNzdzByZA==' and place it in the Secret. Then you define how your pod will consume the Secret. There are three main methods: as environment variables, as files in a volume mount, or using the projected volume feature.
When a Secret is used as an environment variable, Kubernetes injects the decoded value directly into the container's environment. This method is simple but has a risk of exposing the secret in logs or through the /proc file system. When a Secret is used as a volume mount, Kubernetes creates a temporary file system (tmpfs) in memory and writes each secret key as a separate file. The container reads the file when needed. This method is more secure because the data is never written to disk in plain text, but it does consume memory.
Kubernetes also supports automatic updates. If you update a Secret, the data inside the volume mount is updated eventually, but environment variables are not updated unless you restart the pod. This is an important consideration for exam questions. In terms of security, Kubernetes RBAC controls who can create, read, update, or delete Secrets. You can also use pod security policies or OPA/Gatekeeper to enforce rules about how Secrets are used.
Key exam-relevant points: Secrets are not encrypted by default in etcd unless you configure encryption at rest. The base64 encoding is not encryption; it is just a way to store binary data in a text format. Anyone with read access to Secrets in the API server can decode them. For better security, you should use external secret management tools like HashiCorp Vault with the External Secrets Operator, but the CKAD exam focuses on native Kubernetes Secrets. Also, Secrets are namespaced, so a Secret in one namespace is not accessible from another namespace unless you copy it.
Real-Life Example
Think about a large apartment building with a central mail room. Each resident has a locked mailbox. The mail carrier has a master key that opens the mail room door, but does not have keys to individual mailboxes. Suppose you are the building superintendent. You need to give a spare key to a new cleaning service so they can access the storage closet, but you do not want to give them the master key to the entire building.
In this analogy, the building is the Kubernetes cluster. The mailboxes are pods that need access to sensitive information. The mail carrier is the system component that delivers secrets. The storage closet key is a Kubernetes Secret, like a database password. As the superintendent, you do not just leave the closet key hanging on a hook in the lobby. Instead, you put it in a locked drawer (the Secret object) and tell the cleaning service (your application) that they can take it out only when they need it.
When the cleaning service arrives, they show their job order (the pod specification) to the front desk (the Kubernetes API server). The front desk verifies that the job order includes permission to use the storage closet key. Then they hand over the key. The cleaning service uses the key, opens the closet, does their work, and returns the key. They never make a copy of the key. If a different team comes and asks for the key without a job order, the front desk refuses.
This maps to Secret Usage because: the Secret object is the locked drawer, the job order is the pod manifest that references the Secret, the front desk is the API server with RBAC, and the cleaning service is the container running inside the pod. The key (the secret data) is never stored in the pod image or in a config map. It is retrieved only when needed, and access is controlled by permissions. If you ever need to change the storage closet lock, you just update the key in the drawer (update the Secret), and the next time the cleaning service uses it, they get the new key automatically.
Why This Term Matters
Secret Usage matters because in real IT work, applications constantly need to authenticate to other services. A web application typically needs a database password, a third-party API token, and perhaps a TLS certificate. If you hardcode these values into your source code, they become a security nightmare. Anyone who can read the code repository or the container image can see the secrets. Developers often commit secrets accidentally, and then the organization must rotate those secrets and potentially notify users of a breach.
In cloud infrastructure, the risk is even higher. Attackers actively scan public code repositories like GitHub for leaked credentials. Once they find a password or API key, they can use it to gain unauthorized access to databases, storage buckets, or administrative panels. In 2021, a report found that thousands of API keys and tokens were leaked each day on public repositories. Secret Usage in Kubernetes prevents this by keeping sensitive data separate from code.
Secret Usage also helps with compliance. Regulations like GDPR, HIPAA, and PCI DSS require organizations to protect sensitive data. If you store passwords in plain text in configuration files, auditors will flag that as a violation. Using Kubernetes Secrets shows that you have a control in place to protect secrets. It also makes secret rotation easier. Instead of updating code and rebuilding containers, you can update a Secret object and let Kubernetes propagate the change to running pods.
For system administrators and platform engineers, Secret Usage is about access control. You can define exactly which service accounts and namespaces can read which secrets. This reduces the blast radius if one part of the system is compromised. For example, a compromised pod in the staging namespace should not be able to read production database credentials. By using Secrets with RBAC, you enforce that isolation. Overall, Secret Usage is a foundational practice in modern application deployment and a core skill for anyone managing Kubernetes clusters.
How It Appears in Exam Questions
In the CKAD exam, Secret Usage appears mainly in configuration and troubleshooting scenarios. A typical question might present a YAML file for a pod that is missing the Secret reference, or it might ask you to create a new deployment that uses a Secret for a database password. You will be given a shell terminal and a cluster, and you must execute commands to complete the task.
One common question pattern is the 'fix the broken pod' style. The exam describes a pod that is running but cannot connect to a database. You inspect the pod logs and find an environment variable is missing. Then you discover that the Secret referenced in the pod spec does not exist. Your task is to create the Secret with the correct name and keys, then restart the pod or wait for the controller to reconcile.
Another pattern is the 'create a new resource' style. The exam states: 'Create a Secret named db-credentials with the key password and value admin123. Then create a pod that uses this Secret as an environment variable named DB_PASSWORD.' You must write the commands or YAML files from scratch. This tests your knowledge of the kubectl create secret generic command and the syntax for env and valueFrom.secretKeyRef.
A more advanced pattern involves Secret types. You might be asked to create a TLS Secret for an ingress controller. The question will provide a certificate file and a key file, and you must create the Secret using kubectl create secret tls. Then you need to reference that Secret in an Ingress resource.
There are also questions about updating Secrets. For example: 'The database password has been changed. Update the existing Secret named db-credentials to reflect the new password. Then explain why the pods still use the old password.' The answer involves the difference between environment variable injection and file-based mounts. Environment variables are not updated unless the pod is restarted, while file mounts are eventually updated.
The exam also includes troubleshooting questions where a Secret exists but the pod cannot mount it. The cause might be that the Secret is in a different namespace, or the pod does not have the correct service account permissions. You will need to check RBAC and namespace scoping. In all cases, the exam emphasizes practical, hands-on skills rather than theoretical knowledge.
Study cncf-ckad
Test your understanding with exam-style practice questions.
Example Scenario
Imagine you work as a DevOps engineer at a company that runs a booking application on Kubernetes. The application needs to connect to a PostgreSQL database to store reservations. The database requires a username and a password. Your task is to configure the booking pod to use the database credentials without exposing them in the source code.
You start by creating a Secret named postgres-credentials. You use the command: kubectl create secret generic postgres-credentials --from-literal=username=bookuser --from-literal=password=S3cur3P@ss. This creates a Secret object in the current namespace. Next, you write a YAML file for a pod that uses the Secret. In the pod spec, you add an env section that references the Secret key username and maps it to the environment variable PGUSER, and similarly for the password to PGPASSWORD.
When the pod starts, Kubernetes reads the Secret from the API server, decodes the base64 values, and injects them as environment variables inside the container. The application then uses PGUSER and PGPASSWORD to authenticate to PostgreSQL. Later, the security team requires you to rotate the password every 90 days. You update the Secret by deleting and recreating it with a new password. However, you remember that environment variables are not updated automatically. So you also perform a rolling restart of the pod by deleting the running pod and letting the ReplicaSet recreate it with the new environment variables. This scenario covers the full lifecycle of Secret Usage: creation, consumption, update, and rotation.
Common Mistakes
Thinking that base64 encoding is same as encryption.
Base64 is a reversible encoding, not encryption. Anyone with base64 decoding tools can read the secret value instantly. It is only used to store binary data in a text format.
Always treat a Secret as plain text. Use Kubernetes encryption at rest and external secret management tools for real security.
Putting secrets directly in ConfigMaps.
ConfigMaps are designed for non-sensitive configuration data. They are not intended for secrets and do not have the same level of access control or the option for encryption at rest.
Always use Secrets for sensitive data, even if it seems small. Never use ConfigMaps for passwords, tokens, or certificates.
Using Secrets as environment variables and expecting them to update automatically.
When a Secret is mounted as an environment variable, the value is injected only at pod startup. Updating the Secret after the pod is running does not change the environment variable.
If you need live updates, mount the Secret as a volume instead of using environment variables. Volume mounts update automatically after a delay.
Hardcoding the secret value in the YAML file without encoding it.
YAML files are often stored in version control systems. Anyone with access to the repository can see the plain-text secret. Also, the Kubernetes API server expects the data field to contain base64-encoded values.
Use kubectl create secret generic to generate the YAML automatically, or use --dry-run=client -o yaml to output the correctly encoded manifest. Never manually type secrets in plain text.
Assuming Secrets are encrypted in etcd by default.
By default, Kubernetes stores Secret data as base64-encoded strings in etcd. The data is not encrypted. Anyone with direct access to etcd can read all secrets.
Enable encryption at rest in your cluster configuration by configuring the EncryptionConfiguration resource. This is a CKA-level task.
Exam Trap — Don't Get Fooled
The exam gives a pod YAML that references a Secret using envFrom, but the Secret has only one key. The pod fails to start because the environment variable name is incorrect. Always verify the environment variable names expected by the application.
If the application expects DB_PASSWORD but the Secret key is password, you must use env with a specific secretKeyRef and set the name to DB_PASSWORD. Do not rely on envFrom if the mapping needs custom names.
Commonly Confused With
ConfigMaps store non-sensitive configuration data like config file contents or feature flags. Secrets store sensitive data like passwords and tokens. The main differences are: Secrets have base64-encoded data, can be encrypted at rest, and have different RBAC rules. Both can be mounted as volumes or environment variables, but you should never put secrets in a ConfigMap.
You use a ConfigMap for an application's log level (debug or info) and a Secret for the database password. Log levels are not sensitive, but passwords are.
A ServiceAccount is a Kubernetes identity used by pods to authenticate to the API server. The token associated with a ServiceAccount is automatically mounted into pods as a Secret of type kubernetes.io/service-account-token. This is different from a user-created Secret that holds application credentials.
Your pod uses a ServiceAccount token to list pods in the cluster. But your application still needs a separate Secret to connect to an external database.
Docker containers can receive environment variables at runtime using the -e flag or ENV in a Dockerfile. Kubernetes Secrets provide a more secure and managed way to inject environment variables, with RBAC control and automatic base64 handling. Docker environment variables are not encrypted and are visible in the process list.
In a standalone Docker container, you might set DB_PASSWORD=admin when running the container. In Kubernetes, you define a Secret and reference it in the pod spec, so the password is never visible in the command line.
A TLS certificate is a type of Secret used for encrypting network traffic. The secret stores the certificate and private key. This is a specific use case of Secret Usage, distinct from generic secrets that store key-value pairs like passwords.
You create a Secret of type kubernetes.io/tls for your ingress controller to serve HTTPS. You create a different Secret of type Opaque for your application's database password.
Step-by-Step Breakdown
Plan your secret data
Identify what sensitive information your application needs. This may include database passwords, API tokens, SSH keys, or TLS certificates. Determine the key names you will use in the Secret object. For example, if your app needs a password and a username, you plan two keys: username and password.
Create the Secret object
Use kubectl create secret generic <name> --from-literal=key=value for simple values, or --from-file=key=path for files. Alternatively, write a YAML manifest where the data field contains base64-encoded values. The Secret must be created in the same namespace as the pod that will use it.
Verify the Secret
Use kubectl get secret <name> -o yaml to confirm the Secret exists and the keys are present. The output will show base64-encoded data. Do not run kubectl describe secret unless you want to see the decoded values in some output formats, but be aware it shows the data.
Reference the Secret in a pod spec
In your pod template, add an env or volume section. For environment variables, use valueFrom.secretKeyRef to reference a specific key from the Secret. For volume mounts, add a volume of type secret and mount it at a path. The container reads the data as files.
Deploy the pod and test
Apply the pod YAML with kubectl apply -f pod.yaml. Check that the pod starts successfully. For environment variables, exec into the container and run env to see the variables. For volume mounts, check the mounted directory and read the file contents.
Update the Secret when necessary
When the secret value changes, update the Secret using kubectl create secret generic with --dry-run=client -o yaml | kubectl replace -f -, or use kubectl edit secret. If you mounted the Secret as a volume, the updated values will propagate to the files after a short delay. If you used environment variables, you must restart the pod.
Practical Mini-Lesson
Secret Usage in Kubernetes is more than just storing a password in a YAML file. It is a practice that touches security, application design, and cluster management. As a professional, you need to know several things beyond the basics.
First, understand the difference between static secrets and dynamic secrets. Static secrets are created manually and stay the same until you change them. Dynamic secrets are generated on demand and have a lease. For example, if you use Vault with the External Secrets Operator, you can have a secret that is generated for each pod and expires after a short time. This is much more secure than a static password that lives for months. However, the CKAD exam focuses on static native Kubernetes secrets.
Second, you must be careful about secret size. Kubernetes Secrets are stored in etcd, which has a default limit of 1 MB per object. If you try to store a large certificate bundle or a huge file, you will get an error. Keep secrets small. For larger sensitive data, consider using a storage solution like encrypted volumes.
Third, understand how to handle secret rotation in production. If you have many pods consuming a Secret, you cannot simply delete and recreate it because the pods might fail. The best practice is to use a controller that handles rotation, such as the Reloader controller, which watches for Secret changes and triggers a rolling restart of deployments. In a manual scenario, you update the Secret, then do a rolling restart of your Deployment by running kubectl rollout restart deployment my-app.
Fourth, security hygiene. Never store secrets in a container image. Never log secret values. Use tools like kubesec or kubescape to scan your manifests for hardcoded secrets. Use RBAC to restrict secret access to only the service accounts that need them. Consider using namespaces to isolate secrets for different environments.
Finally, connect Secret Usage to broader concepts. In a microservices architecture, each service might need its own set of secrets. Managing these manually becomes tedious. This is why many organizations adopt GitOps tools like ArgoCD combined with sealed secrets or external secret operators. These tools allow you to store encrypted secrets in Git and have them decrypted only when deployed to the cluster. Secret Usage is not just a Kubernetes feature; it is part of a shift towards secure application delivery pipelines.
Memory Tip
Secrets are base64, not encrypted: treat them like a locked drawer, not a vault. The drawer is locked with a simple latch (encoding), not a combination lock (encryption).
Covered in These Exams
Related Glossary Terms
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
An A record is a DNS record that maps a domain name to the IPv4 address of the server hosting that domain.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
Frequently Asked Questions
Can I store binary data like SSH keys in a Secret?
Yes, you can store binary data using the --from-file flag. Kubernetes will base64-encode the file content automatically. The data is decoded when the pod mounts it, so the container receives the original binary bytes.
Why is my pod failing with 'secret not found' even though I created the Secret?
The Secret must be in the same namespace as your pod. Check the namespace of both objects. Also check the spelling of the Secret name in the pod spec. The pod will not start if the Secret does not exist at the time of pod creation.
Can I share a Secret across multiple namespaces?
No, Secrets are namespaced and cannot be directly shared. You must create a copy of the Secret in each namespace. Use a controller like the External Secrets Operator or manually copy the Secret using kubectl get secret -n ns1 -o yaml | kubectl apply -n ns2 -f -.
Is it safe to use kubectl describe secret to view secret values?
No, it is not safe. kubectl describe secret shows the decoded values in some outputs. Anyone with access to the command can see the secret. Use kubectl get secret -o yaml to see the data in base64 form, but treat that output carefully as well.
How do I update a Secret without deleting the pod?
If the Secret is mounted as a volume, the files are updated automatically after a delay (usually within 60 seconds). If the Secret is used as an environment variable, you must restart the pod by deleting it or performing a rolling restart of the deployment.
What is the maximum size of a Secret?
Kubernetes limits the size of any resource object to 1 MB when stored in etcd. This includes the Secret object itself. For larger secrets, use an external secret store.
Summary
Secret Usage in Kubernetes is the practice of storing and consuming sensitive information like passwords, tokens, and certificates in a secure and controlled manner. By using Secret objects, you separate sensitive data from your application code and configuration, reducing the risk of accidental exposure. Secrets are base64-encoded but not encrypted by default, so you must enable encryption at rest for real security and use RBAC to limit access.
The CKAD exam tests your ability to create Secrets, reference them in pods as environment variables or volume mounts, and troubleshoot common issues like missing secrets or incorrect names. Remember that environment variables do not update automatically when a Secret changes, but volume mounts do. Avoid common mistakes like using ConfigMaps for secrets or thinking base64 is encryption.
By mastering Secret Usage, you build a strong foundation for secure application deployment and earn a key skill for Kubernetes certification.