Kubernetes Secret Extraction

Kubernetes Secret Extraction involves retrieving sensitive data, such as passwords or tokens, stored within Kubernetes Secrets from a running cluster. This is typically achieved by querying the specific Secret object and decoding its data fields^[400-devops__04-CI-CD-Pipelines__devops-ci__github-action__argocd-app-config__README.md].

In Kubernetes, values stored in the data fields of a Secret object are Base64-encoded so that they survive YAML or JSON transport intact^[400-devops__04-CI-CD-Pipelines__devops-ci__github-action__argocd-app-config__README.md]. Base64 is an encoding, not encryption, so reading the actual value only requires extracting the encoded string and decoding it back into plain text^[400-devops__04-CI-CD-Pipelines__devops-ci__github-action__argocd-app-config__README.md].

Common Use Case: Initial Admin Password

A frequent application of this technique is retrieving the initial password for applications deployed via Helm charts or manifests, such as ArgoCD^[400-devops__04-CI-CD-Pipelines__devops-ci__github-action__argocd-app-config__README.md].

For example, to access the ArgoCD UI after installation, one must extract the password from the argocd-initial-admin-secret^[400-devops__04-CI-CD-Pipelines__devops-ci__github-action__argocd-app-config__README.md]. This is performed using kubectl combined with decoding tools:

kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath="{.data.password}" | base64 --decode
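
The same decode step generalized to every key of a Secret, as an added example that is not part of the original page: it parses JSON in the shape that `kubectl get secret <name> -o json` emits (here a constructed sample with made-up values) and Base64-decodes each entry under `.data`. The names `decode_secret` and `SAMPLE_SECRET_JSON` are hypothetical.

```python
import base64
import binascii
import json

# Constructed sample in the shape of `kubectl get secret <name> -o json`.
# All values are made up for this example.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "argocd-initial-admin-secret", "namespace": "argocd"},
    "type": "Opaque",
    "data": {
        "password": base64.b64encode(b"constructed-example-pw").decode(),
        "blob": base64.b64encode(b"\xff\xfe\x00\x01").decode(),
    },
})


def decode_secret(manifest_json):
    """Return {key: decoded value} for every entry under .data.

    Values that are valid UTF-8 come back as str; anything else stays as
    bytes, because a Secret may hold arbitrary binary data.
    """
    obj = json.loads(manifest_json)
    if obj.get("kind") != "Secret":
        raise ValueError("not a Secret object: kind=%r" % obj.get("kind"))
    decoded = {}
    # .data may be absent or null on an empty Secret.
    for key, value in (obj.get("data") or {}).items():
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("field %r is not valid Base64" % key) from exc
        try:
            decoded[key] = raw.decode("utf-8")
        except UnicodeDecodeError:
            decoded[key] = raw
    return decoded


if __name__ == "__main__":
    for name, value in decode_secret(SAMPLE_SECRET_JSON).items():
        print(name, "=", repr(value))
```

No key or passphrase is involved at any point, which is why read access to Secret objects is equivalent to read access to the plain-text values.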

Sources

^[400-devops__04-CI-CD-Pipelines__devops-ci__github-action__argocd-app-config__README.md]