Get Kubernetes Secrets With kubectl
In Kubernetes, a Secret is an object that stores sensitive data for containers to use in the form of a key-value pair, such as a password, a token, or an access key.
The short answer
To display the detailed list of Secrets stored in the Kubernetes cluster, including their name, type, number of data values, and age, you can use the following command:
Which will output something similar to this:
Where:
- [.inline-code]NAME[.inline-code] is the unique name of the Secret.
- [.inline-code]TYPE[.inline-code] is the built-in type of the Secret like [.inline-code]Opaque[.inline-code], [.inline-code]kubernetes.io/ssh-auth[.inline-code] etc.
- [.inline-code]DATA[.inline-code] is the number of data values the Secret contains.
- [.inline-code]AGE[.inline-code] is the time when the Secret was created.
If you want to learn more about Secrets, you can read our article on how to create a Secret in Kubernetes with kubectl.
[#easily-recall-with-ai] Easily retrieve this command using Warp’s AI Command Suggestions [#easily-recall-with-ai]
If you’re using Warp as your terminal, you can easily retrieve this command using the Warp AI Command Suggestions feature:
Entering [.inline-code]k8s get secrets options[.inline-code] in the AI Command Suggestions will prompt a list of [.inline-code]kubectl[.inline-code] commands that can then quickly be inserted into your shell by doing [.inline-code]CMD+ENTER[.inline-code].
[#list-secrets-in-yaml-or-json] Listing secrets in the YAML and JSON formats [#list-secrets-in-yaml-or-json]
By default, the output format of the [.inline-code]kubectl get secrets[.inline-code] command is a table. However, you can specify other formats, such as YAML or JSON using the [.inline-code]-o[.inline-code] flag (short for [.inline-code]--output[.inline-code]):
Where:
- [.inline-code]output_format[.inline-code] is one of [.inline-code]yaml[.inline-code] or [.inline-code]json[.inline-code].
For example, the following command will output comprehensive details about all the Secrets in the YAML format:
[#list-secrets-by-name] Listing Secrets by name [#list-secrets-by-name]
To list one or more Secrets by name in your Kubernetes cluster, you can use the [.inline-code]kubectl get secrets[.inline-code] command as follows:
Where:
- [.inline-code]secret_name…[.inline-code] is a list of Secret names separated by a space character.
For example, the following command will output a table of information about the Secrets named [.inline-code]mysecret1[.inline-code] and [.inline-code]mysecret2[.inline-code]:
[#list-secrets-by-label] Listing Secrets by label [#list-secrets-by-label]
Labels are key-value pairs attached to the Kubernetes objects that organize resources based on specific criteria.
To list Secrets based on a specific label, you can use the [.inline-code]kubectl get secrets[.inline-code] command with the [.inline-code]-l[.inline-code] flag (short for [.inline-code]--label[.inline-code]):
Where:
- [.inline-code]label[.inline-code] is the key of the label.
- [.inline-code]value[.inline-code] is the value associated with the label.
For example, the following command will display all the Secrets labeled [.inline-code]app=myapp[.inline-code]:
[#list-all-secrets-labels] Listing the labels of all Secrets [#list-all-secrets-labels]
To view the labels associated with all the secrets at once, you can use the [.inline-code]kubectl get secrets[.inline-code] command with the [.inline-code]--show-label[.inline-code] flag:
Upon execution, the above command will output an additional column showing any labels associated with secrets.
[#list-secrets-by-type] Listing Secrets by type [#list-secrets-by-type]
To list Secrets based on a specific type, you can use the [.inline-code]kubectl get secrets[.inline-code] command with the [.inline-code]--field-selector[.inline-code] flag:
Where:
- The [.inline-code]field_name[.inline-code] is a JSONPath expression used for selecting a specific field.
- The [.inline-code]field_value[.inline-code] is the value for the specified field.
For example, this command will filter and display the list of all Secrets with type [.inline-code]Opaque [.inline-code]:
And this command will get the list of TLS Secrets via selecting the type [.inline-code]kubernetes.io/tls[.inline-code]:
[#list-secrets-by-namespace] Listing Secrets by namespace [#list-secrets-by-namespace]
In Kubernetes, namespaces provide a logical way to separate resources within an application.
To list all the Secrets in a specified namespace, you can use the [.inline-code]kubectl get secrets[.inline-code] command with the [.inline-code]-n[.inline-code] flag (short for [.inline-code]--namespace[.inline-code]) as follows:
For example, this command will list all the Secrets in the [.inline-code]myNamespace[.inline-code] namespace.
[#list-secrets-by-namespace] Listing Secrets in all namespaces [#list-secrets-by-namespace]
To list Secrets across all namespaces, you can use the [.inline-code]kubectl get secrets[.inline-code] command with the [.inline-code]--all-namespaces[.inline-code] flag:
[#extract-secrets-information] Extracting Secrets information [#extract-secrets-information]
To output specific field values of Secrets, you can use the [.inline-code]kubectl get secrets[.inline-code] command with the [.inline-code]-o[.inline-code] flag combined with a JSONPath expression as follows:
Where:
- [.inline-code]expression[.inline-code] is a JSONPath expression
For example, this command will extract the key-value pairs of each label assigned to the Secret:
Where:
- [.inline-code].items[*][.inline-code] indicates to iterate over each Secret.
- [.inline-code].metadata[.inline-code] specifies the Secret metadata.
- [.inline-code]labels[.inline-code] retrieves the label name from the metadata information.
[#decode-secrets-values] Decoding the values of Secrets [#decode-secrets-values]
By default, the data values of Secret objects are encoded in Base64, providing a protective measure to conceal their contents.
To decode and retrieve a specific value, you can use the [.inline-code]kubectl get secrets[.inline-code] command as follows:
Where:
- The [.inline-code]secret_name[.inline-code] is the name of a specific Secret.
- The [.inline-code]field_name[.inline-code] is the field name for which you want to get the value using the JSONPath expression.
- The [.inline-code]|[.inline-code] is a pipe symbol that redirects the output of one command to the input of another command.
- The [.inline-code]base64[.inline-code] is a command that encodes or decodes data using the Base64 algorithm.
- The [.inline-code]-d[.inline-code] is an option used with [.inline-code]base64[.inline-code] command for decoding the input data.
For example, this command will fetch the Secret object [.inline-code]mysecret[.inline-code], extract the [.inline-code]username[.inline-code] value from it and decode it from Base64 to plain text:
[#sort-the-secrets-list] Sorting the output of the [.inline-code]kubectl get secrets[.inline-code] command [#sort-the-secrets-list]
To sort the output of the [.inline-code]kubectl get secrets[.inline-code] command based on a specific field, you can use the [.inline-code]kubectl get secrets[.inline-code] command with the [.inline-code]--sort-by[.inline-code] flag:
Where:
- [.inline-code]expression[.inline-code] is a JSONPath expression.
For example, this command will display the list of all Secrets sorted by their names in ascending order:
[#customize-the-secrets-list] Customizing the output of the [.inline-code]kubectl get secrets[.inline-code] command [#customize-the-secrets-list]
To customize the output columns of the [.inline-code]kubectl get secrets[.inline-code] command, you can use the [.inline-code]kubectl get secrets[.inline-code] command with the [.inline-code]-o custom-columns[.inline-code] flag:
Where:
- [.inline-code]custom_column_name[.inline-code] is the name you want to assign to a column.
- [.inline-code]expression[.inline-code] is a JSONPath expression.
For example, this command will only output the [.inline-code]NAME[.inline-code] and [.inline-code]TYPE[.inline-code] columns populated with the values of the [.inline-code]metadata.name[.inline-code] and [.inline-code]type[.inline-code] properties:
Note that if specifying custom-columns becomes lengthy or if you plan to reuse the same column configurations frequently, you can opt for a template file as follows:
Where the [.inline-code]myTemplate.txt[.inline-code] file has the following content:
[#describe-secrets] Describing secrets with additional information [#describe-secrets]
To display additional information about the secrets, you can use the [.inline-code]kubectl describe secrets[.inline-code] command as follows:
Where:
- [.inline-code]secret_name …[.inline-code] is a list of Secrets names separated by a space indicator.
For example, this command will output details about the [.inline-code]mysecret1[.inline-code] and [.inline-code]mysecret2[.inline-code] Secrets, such as their associated labels, annotations, type, data size, and more.
To output details about all secrets in the cluster, execute the following command without specifying secret names: