diff --git a/pkg/describe/describe.go b/pkg/describe/describe.go
index e1a7b1363..a721a21f8 100644
--- a/pkg/describe/describe.go
+++ b/pkg/describe/describe.go
@@ -22,9 +22,11 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
+	"maps"
 	"net"
 	"net/url"
 	"reflect"
+	"slices"
 	"sort"
 	"strconv"
 	"strings"
@@ -2580,12 +2582,12 @@ func describeSecret(secret *corev1.Secret) (string, error) {
 		w.Write(LEVEL_0, "\nType:\t%s\n", secret.Type)
 
 		w.Write(LEVEL_0, "\nData\n====\n")
-		for k, v := range secret.Data {
+		for _, k := range slices.Sorted(maps.Keys(secret.Data)) {
 			switch {
 			case k == corev1.ServiceAccountTokenKey && secret.Type == corev1.SecretTypeServiceAccountToken:
-				w.Write(LEVEL_0, "%s:\t%s\n", k, string(v))
+				w.Write(LEVEL_0, "%s:\t%s\n", k, string(secret.Data[k]))
 			default:
-				w.Write(LEVEL_0, "%s:\t%d bytes\n", k, len(v))
+				w.Write(LEVEL_0, "%s:\t%d bytes\n", k, len(secret.Data[k]))
 			}
 		}
 
diff --git a/pkg/describe/describe_test.go b/pkg/describe/describe_test.go
index 8003354f5..02c17b583 100644
--- a/pkg/describe/describe_test.go
+++ b/pkg/describe/describe_test.go
@@ -372,6 +372,9 @@ func TestDescribeSecret(t *testing.T) {
 	if strings.Contains(out, "YWRtaW4=") || strings.Contains(out, "MWYyZDFlMmU2N2Rm") {
 		t.Errorf("sensitive data should not be shown, unexpected out: %s", out)
 	}
+
+	expectedOut := "Name:         bar\nNamespace:    foo\nLabels:       <none>\nAnnotations:  <none>\n\nType:  \n\nData\n====\npassword:  16 bytes\nusername:  8 bytes\n"
+	assert.Equal(t, expectedOut, out)
 }
 
 func TestDescribeNamespace(t *testing.T) {