Merge pull request #31763 from sgaist/patch-1

k8s-ci-robot · web-flow · commit dea4f2b10348 · 2022-02-27T17:44:57.000-08:00
Add secure example for getting secret values
diff --git a/content/en/docs/tasks/configmap-secret/managing-secret-using-kubectl.md b/content/en/docs/tasks/configmap-secret/managing-secret-using-kubectl.md
@@ -130,6 +130,12 @@ The output is similar to:
 Now you can decode the `password` data:
 
 ```shell
+# This is an example for documentation purposes.
+# If you did things this way, the data 'MWYyZDFlMmU2N2Rm' could be stored in
+# your shell history.
+# Someone with access to you computer could find that remembered command
+# and base-64 decode the secret, perhaps without your knowledge.
+# It's usually better to combine the steps, as shown later in the page.
 echo 'MWYyZDFlMmU2N2Rm' | base64 --decode
 ```
 
@@ -139,6 +145,15 @@ The output is similar to:
 1f2d1e2e67df
 ```
 
+In order to avoid storing a secret encoded value in your shell history, you can
+run the following command:
+
+```shell
+kubectl get secret db-user-pass -o jsonpath='{.data.password}' | base64 --decode
+```
+
+The output shall be similar as above.
+
 ## Clean Up
 
 Delete the Secret you created:
