A Kubernetes Secret is a built-in object for storing sensitive data such as passwords, API tokens, TLS keys, and application credentials. It lets workloads read needed values at runtime instead of hard-coding them into images or source code.
Secrets matter because they are often the bridge from a container to real infrastructure access. If a Secret is exposed through weak RBAC, verbose logs, mounted files, misconfigured environment variables, or an unencrypted control-plane store, an attacker may reuse the credential to reach databases, cloud APIs, or other clusters. Defenders reduce risk by limiting who can read Secrets, rotating values often, separating namespaces, and using external secret managers or encryption at rest. In attacks, stolen Kubernetes Secrets are valuable because they can survive cleanup of the original host and continue to grant access until revoked.



