
Kubernetes Secrets & CKA Exam Docs Strategy

Reference: https://kubernetes.io/docs/concepts/configuration/secret/


What is a Kubernetes Secret?

A Secret is a Kubernetes object for storing sensitive data — passwords, tokens, TLS certificates, API keys. It's separate from ConfigMap (which is for non-sensitive config) specifically because sensitive data needs different access controls and handling.

How it differs from ConfigMap:

| | ConfigMap | Secret |
|---|---|---|
| Purpose | Non-sensitive config | Sensitive data |
| Storage | Plain text in etcd | Base64-encoded in etcd (not encrypted by default — see below) |
| Access controls | Standard RBAC | Standard RBAC (same, but you'd restrict more tightly) |
| Env var injection | configMapKeyRef | secretKeyRef |
| Volume mount | configMap volume | secret volume |

Important — base64 is NOT encryption: Base64 is encoding, not encryption. Anyone who can read the secret object can decode it instantly. It exists to handle binary data that can't be stored as plain text. For real encryption at rest, you need to enable etcd encryption or use an external secrets manager (Vault, AWS Secrets Manager, etc.).


Secret Structure

apiVersion: v1
kind: Secret
metadata:
  name: database-data
  namespace: database-ns
type: Opaque
data:
  username: YWRtaW4=       # base64("admin")
  password: cGFzc3dvcmQ=   # base64("password")

type: Opaque — generic, unstructured secret. Other types exist for specific use cases:

| Type | Use case |
|---|---|
| Opaque | Arbitrary key-value pairs (most common) |
| kubernetes.io/tls | TLS certificates (tls.crt and tls.key fields) |
| kubernetes.io/dockerconfigjson | Docker registry credentials |
| kubernetes.io/service-account-token | Service account tokens (auto-created) |
| kubernetes.io/basic-auth | Basic auth credentials |
| kubernetes.io/ssh-auth | SSH private keys |

data vs stringData:
- data — values must be base64-encoded. Used for reading/exporting.
- stringData — values are plain text strings. Kubernetes encodes them to base64 on write. Easier for creating secrets manually. You can't read stringData back — it converts to data on storage.


Reading a Secret

Step 1 — See What Keys Exist

kubectl get secret database-data -n database-ns -o jsonpath='{.data}'

Output:

{"password":"cGFzc3dvcmQ=","username":"YWRtaW4="}

This shows you the keys (password, username) and their base64-encoded values. Now you know the exact key names before trying to extract them.

Why do this first? If you go straight to .data.somekey and the key name is slightly different (capitalisation, hyphen vs underscore), you get empty output with no error. Seeing all keys first prevents guessing.

Step 2 — Extract and Decode a Specific Key

kubectl get secret database-data -n database-ns -o jsonpath='{.data.password}' | base64 -d > decoded.txt

Full breakdown:

| Part | What it does |
|---|---|
| kubectl get secret database-data | Fetch the secret object |
| -n database-ns | In namespace database-ns. Short for --namespace |
| -o jsonpath='{.data.password}' | Extract only the password value from the data field |
| \| | Pipe the base64 string into the next command |
| base64 -d | Decode from base64 to plain text. -d = decode. Without this you'd get the raw base64 string |
| > decoded.txt | Write the decoded value to a file (overwrite) |

base64 -d vs base64 --decode: Identical. -d is the short flag, --decode is the long form.


.data.* vs .data.specifickey — Which to Use

.data.* — wildcard, gets all values concatenated:

kubectl get secret database-data -n database-ns -o jsonpath='{.data.*}' | base64 -d

Problem: if the secret has multiple keys, their base64-encoded values are concatenated with spaces before decoding. After decoding you get the decoded values of all keys smashed together with no separator — which makes it impossible to tell where one ends and another begins. Avoid this unless the secret has exactly one key.

.data.specifickey — precise, gets one value:

kubectl get secret database-data -n database-ns -o jsonpath='{.data.password}' | base64 -d

Always prefer this. You know what you're getting. Check the keys first (-o jsonpath='{.data}') then target the exact one you need.
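The two-step read above (list the keys, then decode exactly one) and the rule of never using .data.* can be wrapped in a small shell function so a mistyped key fails loudly instead of silently producing an empty file. This is an added example, not part of the original page or of kubectl itself; to run offline it replaces kubectl with a constructed mock that returns the page's example secret, so delete the mock function on a real cluster. The helper names secret_keys and secret_key are made up here.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): read one Secret key the safe way.
# Step 1 lists the keys, step 2 decodes exactly the requested key, and a key that
# does not exist is reported instead of decoding to nothing.

# ---- constructed mock of kubectl (only the jsonpath forms used below) ----
# It returns the page's example secret. On a real cluster, delete this function.
kubectl() {
  case "$*" in
    *"jsonpath={.data}"*)          printf '%s' '{"password":"cGFzc3dvcmQ=","username":"YWRtaW4="}' ;;
    *"jsonpath={.data.password}"*) printf '%s' 'cGFzc3dvcmQ=' ;;
    *"jsonpath={.data.username}"*) printf '%s' 'YWRtaW4=' ;;
    *)                             printf '' ;;   # unknown key: empty output and no error, like real kubectl
  esac
}

# secret_keys NAME NAMESPACE -> the raw {.data} map, so the exact key names are visible first
secret_keys() {
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data}'
}

# secret_key NAME NAMESPACE KEY -> decoded value on stdout; returns 1 with a message if KEY is absent
secret_key() {
  name=$1; ns=$2; key=$3
  keys=$(secret_keys "$name" "$ns")
  case "$keys" in
    *"\"$key\":"*) ;;   # key is present, continue
    *)
      echo "secret $ns/$name has no key '$key'; available: $keys" >&2
      return 1 ;;
  esac
  # Only now target the single key. {.data.*} would concatenate every value.
  kubectl get secret "$name" -n "$ns" -o jsonpath="{.data.$key}" | base64 -d
}

# Usage as in an exam task: overwrite (>) the target file with the decoded value
secret_key database-data database-ns password > decoded.txt
cat decoded.txt   # prints: password
```

For keys that contain dots, such as tls.crt, pass the escaped jsonpath form tls\.crt, because kubectl's jsonpath treats an unescaped dot as a path separator. Note that the shell truncates decoded.txt before the function runs, so a missing key still leaves an empty file; the message on stderr is what tells you the task is not done.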


>> vs > — Append vs Overwrite

> decoded.txt    # overwrite — creates file if missing, replaces content if exists
>> decoded.txt   # append — creates file if missing, adds to the end if exists

In exam tasks, they almost always want > (overwrite/create). Using >> when they want > means if the file already exists from a previous run, you'll have duplicate content — wrong answer.

Rule of thumb: unless the task explicitly says "append" or "add to", use >.


Creating Secrets

Imperative (from literals):

kubectl create secret generic database-data \
  --from-literal=username=admin \
  --from-literal=password=mysecretpassword \
  -n database-ns

Kubernetes handles the base64 encoding automatically.

From a file (file content becomes the value):

kubectl create secret generic tls-secret \
  --from-file=tls.crt=./cert.crt \
  --from-file=tls.key=./cert.key

Generate YAML without creating:

kubectl create secret generic database-data \
  --from-literal=password=mysecretpassword \
  --dry-run=client -o yaml   # often shortened to $do after: export do="--dry-run=client -o yaml"


Using Secrets in Pods

As environment variables:

env:
- name: DB_PASSWORD
  valueFrom:
    secretKeyRef:
      name: database-data   # secret name
      key: password         # key within the secret's data

As a mounted volume (each key becomes a file):

volumes:
- name: secret-vol
  secret:
    secretName: database-data
volumeMounts:
- name: secret-vol
  mountPath: /etc/secrets
  readOnly: true

Result: /etc/secrets/password and /etc/secrets/username each contain the decoded value of the corresponding key. The app reads files instead of env vars — better for large secrets, and it avoids leaking values through the output of env or through child processes that inherit the environment.


CKA Exam Docs Strategy — Full Bookmark List

The CKA is open-book: you get access to kubernetes.io/docs and kubernetes.io/blog. The key is knowing exactly where things are so you're not searching — you're navigating.

Rule: Ctrl+F on the specific doc page beats the site search bar every time. Site search is slow and returns too many results. If you know roughly which page covers the topic, go there and Ctrl+F for the exact YAML snippet you need.

Most-Used Paths During CKA — Bookmark These

Core Workloads:
- /docs/concepts/workloads/pods/ — Pod spec, init containers, lifecycle hooks
- /docs/concepts/workloads/controllers/deployment/ — Deployment, rolling updates, rollbacks
- /docs/concepts/workloads/controllers/statefulset/ — StatefulSet
- /docs/concepts/workloads/controllers/daemonset/ — DaemonSet
- /docs/concepts/workloads/controllers/job/ — Job
- /docs/concepts/workloads/controllers/cron-jobs/ — CronJob

Configuration:
- /docs/concepts/configuration/configmap/ — ConfigMap creation and mounting
- /docs/concepts/configuration/secret/ — Secrets, types, env var injection
- /docs/tasks/configure-pod-container/configure-pod-configmap/ — Practical ConfigMap examples
- /docs/concepts/configuration/manage-resources-containers/ — CPU/memory requests and limits

Storage:
- /docs/concepts/storage/persistent-volumes/ — PV, PVC, access modes, reclaim policy
- /docs/concepts/storage/storage-classes/ — StorageClass, dynamic provisioning
- /docs/tasks/configure-pod-container/configure-persistent-volume-storage/ — PV/PVC practical examples

Networking:
- /docs/concepts/services-networking/service/ — ClusterIP, NodePort, LoadBalancer, ExternalName
- /docs/concepts/services-networking/ingress/ — Ingress rules, TLS, backends
- /docs/concepts/services-networking/network-policies/ — NetworkPolicy, ingress/egress rules

Security / RBAC:
- /docs/reference/access-authn-authz/rbac/ — Role, ClusterRole, bindings, examples
- /docs/tasks/configure-pod-container/configure-service-account/ — ServiceAccount usage

Cluster Administration:
- /docs/tasks/administer-cluster/configure-upgrade-etcd/ — etcd backup and restore
- /docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/ — Cluster upgrade with kubeadm
- /docs/tasks/administer-cluster/safely-drain-node/ — Node drain
- /docs/reference/command-line-tools-reference/kubelet/ — kubelet flags

Scheduling:
- /docs/concepts/scheduling-eviction/assign-pod-node/ — nodeSelector, nodeAffinity, taints/tolerations
- /docs/concepts/scheduling-eviction/taint-and-toleration/ — Taints and tolerations

Logging & Monitoring:
- /docs/concepts/cluster-administration/logging/ — Logging patterns
- /docs/tasks/debug/debug-application/ — Debugging pods and containers

kubectl Reference:
- /docs/reference/kubectl/quick-reference/ — Most useful — cheatsheet with all common commands
- /docs/reference/kubectl/jsonpath/ — jsonpath syntax reference

Bookmarking Strategy

How to build your bookmark list before the exam: Every time you look something up during KillerCoda practice, note the exact URL. By exam day you'll have bookmarks for the 20-30 pages you actually use. The exam gives you a browser at the start — spend 2 minutes importing or recreating your bookmarks before starting tasks.

What to Ctrl+F for on each page:

| Topic | Ctrl+F for |
|---|---|
| RBAC | rules: — gets you to the Role YAML example |
| PV/PVC | accessModes: — gets you to the PVC example |
| Secret | secretKeyRef — gets you to the env var injection example |
| NetworkPolicy | podSelector: — gets you to the policy example |
| etcd backup | snapshot save — gets you to the command |
| kubeadm upgrade | drain — gets you to the upgrade sequence |
| Ingress | rules: — gets you to the routing rules example |

The Pattern to Memorise

You'll use Ctrl+F with a distinctive YAML key that only appears in the section you need — not a common word like "name" or "spec". Use field names that are specific to the feature: secretKeyRef, accessModes, tolerations, nodeAffinity, podSelector.