Featured resource
2025 Tech Upskilling Playbook
Tech Upskilling Playbook

Build future-ready tech teams and hit key business milestones with seven proven plays from industry leaders.

Check it out
  • Lab
    • Libraries: If you want this lab, consider one of these libraries.
    • Cloud
Google Cloud Platform icon
Labs

Managing Secrets in Kubernetes

The student is guided to perform the exercises that demonstrate the Kubernetes Secrets resource and how to pass secrets to applications running within pods.

Google Cloud Platform icon
Lab platform
Lab Info
Level
Beginner
Last updated
Sep 20, 2025
Duration
1h 0m

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.
Table of Contents
  1. Challenge

    Create and interrogate secrets from the command line with kubectl.

    From the Master Node, as cloud_user

    Example: Username and Password

    First, store the secret data in a file. In this example, we will place a username and password in two files encoded with base64.

    echo -n 'admin' > ./username.txt
    
    echo -n 'L1nux@cad3my' > ./password.txt
    

    The kubectl can package these files into a 'Secret' object on the API server.

    kubectl create secret generic ks-user-pass --from-file=./username.txt --from-file=./password.txt
    

    You can look up secrets with get and describe as follows:

    kubectl get secrets
    
    kubectl describe secrets/ks-user-pass
    

    Secrets are masked by default. If you need to obtain the value of a stored secret, you may use the following commands:

    kubectl get secret ks-user-pass -o yaml
    

    Then decode the values with:

    echo '[stored value here]' | base64 -d
    
  2. Challenge

    Create Secrets using YAML.

    You may also create secrets with a YAML file. The following is an example:

    Example YAML:

    apiVersion: v1
    kind: Secret
    metadata:
      name: ks-lab-secret
    type: Opaque
    data:
      username: "admin"
      password: "L1nux@cad3my"
    

    Additional fields may also be stored in a YAML file.

    Use an editor to create ks-secret-config.yaml.

    vi ks-secret-config.yaml
    
    apiVersion: v1
    kind: Secret
    metadata:
      name: ks-secret-config
    type: Opaque
    stringData:
      config.yaml: |-
        apiUrl: https://ks.api.com/api/v1
        username: admin
        password: L1nux@cad3my
        branchid: branch21
    

    Then create the secret with:

    kubectl create -f ks-secret-config.yaml
    

    You may look at the fields by getting the secret in YAML, and then passing the config.yaml field through the decoder.

    kubectl get secret ks-secret-config -o yaml
    
    echo '[stored value here]' | base64 -d
    
  3. Challenge

    Pass Secrets to a pod through a mounted volume.

    Secrets may be passed to pods through mounted volumes or through environment variables.

    The following is an example as to how volumeMounts specified in a pod's YAML file may be used:

    vi ks-pod.yaml
    
    apiVersion: v1
    kind: Pod
    metadata:
      name: ks-pod
      namespace: default
    spec:
      containers:
      - name: ks-pod
        image: busybox
        command:
          - sleep
          - "10000"
        volumeMounts:
        - name: ks-path
          mountPath: "/etc/ks-path"
          readOnly: true
      restartPolicy: Never
      volumes:
      - name: ks-path
        secret:
          secretName: ks-secret-config
          items:
          - key: config.yaml
            path: config.yaml
            mode: 400
    

    Then create the pod.

    kubectl create -f ks-pod.yaml
    

    After creating the pod, verify it is ready.

    kubectl get pods
    

    Once the pod is ready, exec a shell in the pod container.

    kubectl exec -it ks-pod -- sh
    

    Once you are inside the busybox container, lets have a look at our secrets.

    cd /etc/ks-path
    
    ls -l
    
    cat config.yaml
    
  4. Challenge

    Pass Secrets to a pod through an environment variable.

    Now lets do an example where we can get these secrets through an environment variable.

    vi ks-pod-env.yaml
    
    apiVersion: v1
    kind: Pod
    metadata:
      name: ks-pod-env
    spec:
      containers:
      - name: ks-pod-env
        image: busybox
        command:
          - sleep
          - "10000"
        env:
          - name: SECRET_CONFIG
            valueFrom:
              secretKeyRef:
                name: ks-secret-config
                key: config.yaml
      restartPolicy: Never
    

    Now lets create the pod.

    kubectl create -f ks-pod-env.yaml
    

    Lets go have a look.

    kubectl exec -it ks-pod-env -- sh
    

    And check our variable.

    echo $SECRET_CONFIG
    
About the author

Pluralsight Skills gives leaders confidence they have the skills needed to execute technology strategy. Technology teams can benchmark expertise across roles, speed up release cycles and build reliable, secure products. By leveraging our expert content, skill assessments and one-of-a-kind analytics, keep up with the pace of change, put the right people on the right projects and boost productivity. It's the most effective path to developing tech skills at scale.

Real skill practice before real-world application

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Learn by doing

Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.

Follow your guide

All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.

Turn time into mastery

On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.

Get started with Pluralsight