This documentation is not applicable to vSphere CSI Driver. Please visit for information about vSphere CSI Driver.


vSphere credentials can be protected from being exposed as clear text by using Kubernetes secrets instead of plain-text usernames and passwords in your vsphere.conf.

Config file changes

Create a vsphere.conf file that defines secret-name and secret-namespace instead of username and password, as shown below.

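[Global]
secret-name = "vcconf"
secret-namespace = "kube-system"
port = "443"
# insecure-flag = "1" disables verification of the vCenter TLS certificate
insecure-flag = "1"

# The vCenter IP address goes between the quotes here and in server below
[VirtualCenter ""]
datacenters = "DC-1"

[Workspace]
server = ""
datacenter = "DC-1"
default-datastore = "vsanDatastore"
resourcepool-path = "ClusterNameHere/Resources"
folder = "kubernetes"

[Disk]
scsicontrollertype = pvscsi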

Encode the username and password

Launch the Kubernetes cluster with vSphere Cloud Provider configured as above.

Create base64 encoded strings for the username and password:

$ echo -n 'Administrator@vsphere.local' | base64

$ echo -n 'password' | base64

Create a K8s secret

Next, create a Kubernetes secret with the base64 encoded vCenter credentials.

Create a credentials.yaml as shown below, substituting your vCenter IP address and the base64 strings from above as appropriate. In the example below, the secret name is vcconf, which matches the secret-name setting in the vsphere.conf file above.

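apiVersion: v1
kind: Secret
metadata:
  name: vcconf
type: Opaque
data:
  # <vCenter-IP> is a placeholder for your vCenter IP address
  <vCenter-IP>.username: QWRtaW5pc3RyYXRvckB2c3BoZXJlLmxvY2Fs
  <vCenter-IP>.password: cGFzc3dvcmQ=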

Import the secret definition into Kubernetes. Note that we are importing into the kube-system namespace, which must match the secret-namespace setting in the vsphere.conf file above:

kubectl create -f credentials.yaml --namespace=kube-system

The vSphere Cloud Provider will authenticate with the vCenter using the Kubernetes managed secret.
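
The script below is an added example, not part of the original documentation or the vSphere Cloud Provider project. It builds the Secret manifest from vsphere.conf so that the name, namespace and data keys cannot drift from the config, and it rejects encoded values that decode to text containing a line break (the result of running echo without -n). It assumes data keys of the form `<vCenter address>.username` and `<vCenter address>.password`; the helper names, vc.example.test and the sample config are constructed.

```shell
#!/bin/sh
# Added example: derive the Secret manifest from vsphere.conf. Values are constructed.

# conf_value FILE KEY -> value of KEY with the surrounding quotes removed
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# b64 STRING -> base64 of exactly STRING (no trailing newline, no line wrapping)
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# clean_b64 VALUE -> true only if VALUE decodes and the decoded text contains no
# line break, which is what `echo` without -n would have added to the credential
clean_b64() {
  [ -n "$1" ] || return 1
  printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
  [ "$(printf '%s' "$1" | base64 -d | wc -l)" -eq 0 ]
}

# make_secret CONF HOST USER PASSWORD -> Secret manifest on stdout
make_secret() {
  name=$(conf_value "$1" secret-name)
  ns=$(conf_value "$1" secret-namespace)
  if [ -z "$name" ] || [ -z "$ns" ]; then
    echo "secret-name or secret-namespace missing in $1" >&2; return 1
  fi
  # Assumed key format: <vCenter address>.username / .password, so the address
  # must be one that the config declares in a [VirtualCenter "..."] section.
  grep -qF "[VirtualCenter \"$2\"]" "$1" || { echo "unknown vCenter $2" >&2; return 1; }
  user=$(b64 "$3"); pass=$(b64 "$4")
  clean_b64 "$user" && clean_b64 "$pass" || return 1
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$name" "$ns"
  printf 'type: Opaque\ndata:\n  %s.username: %s\n  %s.password: %s\n' "$2" "$user" "$2" "$pass"
}

# Demo on a constructed vsphere.conf; vc.example.test is a placeholder address.
demo() {
  conf=$(mktemp)
  printf '%s\n' '[Global]' 'secret-name = "vcconf"' 'secret-namespace = "kube-system"' \
    '[VirtualCenter "vc.example.test"]' 'datacenters = "DC-1"' > "$conf"
  make_secret "$conf" vc.example.test 'Administrator@vsphere.local' 'password'
  rm -f "$conf"
}
umask 077   # files written from here on (e.g. credentials.yaml) are owner-only
demo
```

Because base64 is an encoding and not encryption, keep the generated credentials.yaml out of version control and delete it once the secret has been created.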

Using SAML auth

Note: vSphere credentials can also be encrypted using SAML token authentication. Please refer to the documentation for SAML token authentication using the vCenter SSO API.