Base64 encoding in Kubernetes Secrets

In Kubernetes Secrets, data values must be stored as Base64 encoded strings^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]. This encoding is a mandatory requirement for the data field within a Secret manifest^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]. When these Secrets are mounted into a Pod, Kubernetes automatically decodes the values back to their original form for the application to use^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].

Creation and Encoding

To create a Secret manually, the sensitive data must first be converted to Base64^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]. This can be done using standard command-line tools^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].

For example, to encode a username and password:

echo -n 'my-account' | base64
# Output: bXktYWNjb3VudA==

echo -n 'my-password' | base64
# Output: bXktcGFzc3dvcmQ=
^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]

These encoded strings are then placed in the YAML definition under the data map^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]:

apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  username: bXktYWNjb3VudA==
  password: bXktcGFzc3dvcmQ=
^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]

Alternatively, using kubectl create secret with the --from-literal flag handles this encoding automatically, removing the need for manual conversion^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].

Security Implications

While Base64 provides a layer of encoding, it does not provide encryption^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]. Base64 is a reversible encoding scheme, meaning encoded data can be easily decoded back to plain text^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]. Consequently, anyone with access to read a Secret definition (such as via kubectl describe) can view the sensitive data^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].

Therefore, standard Kubernetes Secrets are effectively equivalent to storing data in plain text, and native Secrets are often considered insufficient for high-security environments without additional precautions^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].
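
To make the point concrete, the following added example (not from the original source) recovers the plain-text values from the test-secret manifest shown above using nothing but base64 -d. It also goes one step beyond the page and checks an encoded value for a trailing newline, which is what gets encoded when echo is used without -n. The function names decode_secret_data and has_trailing_newline are hypothetical, and the awk parsing assumes the simple two-level manifest layout used on this page.

```shell
#!/bin/sh
# Constructed sample input: the Secret manifest from this page.
manifest='apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  username: bXktYWNjb3VudA==
  password: bXktcGFzc3dvcmQ='

# decode_secret_data MANIFEST
# Prints "key=value" for each entry under the top-level data: map.
# No key or passphrase is involved: read access to the manifest is enough.
decode_secret_data() {
  printf '%s\n' "$1" | awk '
    /^data:[ \t]*$/ { in_data = 1; next }    # entering the data map
    /^[^ \t]/       { in_data = 0 }          # another top-level key ends it
    in_data && /^[ \t]+[^:]+:/ {
      key = $1; sub(/:$/, "", key)
      print key, $2
    }' | while read -r key b64; do
      printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
    done
}

# has_trailing_newline B64VALUE
# Succeeds if the decoded value ends in a newline byte (0x0a), the usual
# result of encoding with plain echo instead of echo -n.
has_trailing_newline() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

decode_secret_data "$manifest"
```

A value that passes has_trailing_newline will be delivered to the application with the extra byte, which typically shows up as a failed login rather than an obvious encoding error.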

Sources

^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]