Why do k8s secrets need to be base64 encoded when configmaps do not?

3/1/2018

Why do k8s secrets need to be base64 encoded when configmaps do not?

When creating a configmap you simply do something like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap
data:
  SOME_KEY: a string value

But when you want to create a secret you have to echo -n "some secret string" | base64 and then put the result of that in a file looking something like this:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  SOME_KEY: c29tZSBzZWNyZXQgc3RyaW5n

I really wonder why there is this difference? Are kubernetes secrets simply base64 encoded strings? I would expect that secrets were stored encrypted in kubernetes.

-- Benjamin Hammer Nørgaard
base64
kubernetes

2 Answers

3/1/2018

Secrets can contain binary data (the type is map[string][]byte), and byte arrays are base64-encoded in JSON serialization.

ConfigMaps only contain string data (the type is map[string]string), so the JSON serialization just outputs the string.

In 1.10, ConfigMaps have a new binaryData field that allows storing binary data, which is base64-encoded, just like secrets. https://github.com/kubernetes/kubernetes/pull/57938

-- Jordan Liggitt
Source: StackOverflow

8/27/2019

Why do k8s secrets need to be base64 encoded

This allows you to provide binary data (certificates etc.) as a secret, and also escape any tricky characters such as " ' \ etc.

Are kubernetes secrets simply base64 encoded strings?

Yes, kubernetes secrets are not encrypted by default. You have to set up encryption at rest on your own, see https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/

-- Victor Wong
Source: StackOverflow
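
Added example (not part of either answer, and not Kubernetes' own code): a Go program showing the serialization behaviour the first answer describes and the "not encrypted" point of the second. The secret and configMap structs and the helper function names are hypothetical stand-ins that model only the data field; the sample values are the ones from the question.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Simplified stand-ins (assumption): only the data fields are modelled,
// these are not the real Kubernetes API structs.
type secret struct {
	Kind string            `json:"kind"`
	Data map[string][]byte `json:"data"`
}

type configMap struct {
	Kind string            `json:"kind"`
	Data map[string]string `json:"data"`
}

// marshalSecret relies on encoding/json, which emits every []byte value
// as a base64 string so arbitrary bytes survive inside JSON.
func marshalSecret(data map[string][]byte) (string, error) {
	b, err := json.Marshal(secret{Kind: "Secret", Data: data})
	return string(b), err
}

// marshalConfigMap shows the contrast: string values are written as-is.
func marshalConfigMap(data map[string]string) (string, error) {
	b, err := json.Marshal(configMap{Kind: "ConfigMap", Data: data})
	return string(b), err
}

// decodeSecretValue recovers the original bytes from a manifest value.
// No key is involved, so base64 provides no confidentiality.
func decodeSecretValue(v string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(v)
	return string(raw), err
}

func main() {
	s, _ := marshalSecret(map[string][]byte{"SOME_KEY": []byte("some secret string")})
	c, _ := marshalConfigMap(map[string]string{"SOME_KEY": "a string value"})
	fmt.Println(s)
	fmt.Println(c)
	p, _ := decodeSecretValue("c29tZSBzZWNyZXQgc3RyaW5n")
	fmt.Println(p)
}
```

Anyone who can read the Secret object or manifest can run the same decode, so access control on Secrets and encryption at rest still have to be configured separately.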