by jhugo 1551 days ago
They're base64 encoded because they can be binary data; it's got nothing to do with hiding their value. K8s secrets are for delineating secret (as opposed to non-secret, ConfigMap) data, so that access to it can be controlled differently.

You can set up encryption at rest, you can use RBAC to control the access, etc — those features are possible because Secret gives a specific resource for secret data.

1 comments

Can't ConfigMap be binary data? I never understood why one is base64 and the other not.

Because these objects were defined earlier in Kubernetes' history the fields have inconsistent names and defaults. In Secret there is a canonical data field which stores bytes and a stringData field which will convert text to bytes for you. ConfigMap has separate data (text) and binaryData (bytes) fields which are both canonical.

If the interface were redesigned today, Secrets would probably look like a renamed clone of ConfigMap.

I didn't know about ConfigMap's binaryData or Secret's stringData, thanks!
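
Added example, not part of the thread: a simplified Python model of the field behaviour described in the replies above, showing that stringData is folded into base64 data on write and that base64 is reversible by anyone who can read the object. The function names and the sample objects are constructed for illustration.

```python
import base64

def normalize_secret(manifest):
    """Model of how a Secret is stored: stringData is merged into data as
    base64 of the UTF-8 bytes, and wins when a key appears in both."""
    data = dict(manifest.get("data", {}))
    for key, text in manifest.get("stringData", {}).items():
        data[key] = base64.b64encode(text.encode("utf-8")).decode("ascii")
    stored = {k: v for k, v in manifest.items() if k != "stringData"}
    stored["data"] = data
    return stored

def decode_secret(stored):
    """Anyone allowed to read the object recovers the raw bytes; no key needed."""
    return {k: base64.b64decode(v, validate=True) for k, v in stored["data"].items()}

def configmap_bytes(manifest):
    """ConfigMap keeps text in data and base64 bytes in binaryData; a key
    may appear in only one of the two fields."""
    text = manifest.get("data", {})
    binary = manifest.get("binaryData", {})
    overlap = set(text) & set(binary)
    if overlap:
        raise ValueError(f"keys in both data and binaryData: {sorted(overlap)}")
    out = {k: v.encode("utf-8") for k, v in text.items()}
    out.update({k: base64.b64decode(v, validate=True) for k, v in binary.items()})
    return out

# Constructed sample objects (not from the thread).
SECRET = {
    "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "demo"},
    "data": {"tls.key": base64.b64encode(b"\x30\x82\x00\xff").decode("ascii"),
             "password": base64.b64encode(b"old").decode("ascii")},
    "stringData": {"password": "s3cr3t"},
}
CONFIGMAP = {
    "apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "demo"},
    "data": {"app.conf": "debug=false\n"},
    "binaryData": {"logo.bin": base64.b64encode(b"\x89PNG\x00").decode("ascii")},
}

if __name__ == "__main__":
    stored = normalize_secret(SECRET)
    print(stored["data"])            # base64 text, as returned by the API
    print(decode_secret(stored))     # original bytes recovered without any key
    print(configmap_bytes(CONFIGMAP))
```

Confidentiality of the stored values comes from RBAC on the Secret resource and encryption at rest, as the top comment says, not from the encoding.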