Secret is a Kubernetes object that encapsulates sensitive data such as a password or key. A
Secret can be consumed by a container so that applications can access the sensitive data at runtime.
Defining a Secret
Secret definition is shown below.
Secret value can be set as either a plain string or a Base64 encoded string. The example above uses the
data attribute with a Base64 encoded value for the key
databasePassword. Base64 encoding is useful if you want to specify binary data such as a certificate. Note: base64 encoded values are not secure. Although Base64 encoding mildly obscures a value, in terms of security it’s essentially plain text. If you don’t want to use Base64 encoding you can specify the
Secret value using
Consuming a Secret as an Environment Variable
Secret can be consumed by a container as an environment variable or as a volume. The
Pod example below shows the
Secret created earlier being consumed as an environment variable.
- name: sample-secret-env-var-pod
command: [ 'sh', '-c', 'echo Database Password: $DATABASE_PASSWORD & sleep 3600' ]
- name: DATABASE_PASSWORD
env you specify the name that will be used by the container to reference the environment variable.
valueFrom indicates where the env variable will be sourced from. In this example we use
secretKeyRef to tell Kubernetes we want to reference a
Secret object by the name of
key: databasePassword references the key we defined in the
Consuming a Secret as Volume
Pod definition below consumes the
Secret using a volume.
- name: secret-volume
- name: sample-secret-volume-pod
command: [ 'sh', '-c', 'echo Database Password from Volume: $(cat /var/my-secret/databasePassword) & sleep 3600' ]
- name: secret-volume
Pod spec a
Volume is defined called
secret-volume. Line 8 tells Kubernetes this
Volume exposes a
Secret and line 9 provides the
container definition we specify a volume mount to reference the
Secret volume created above. The name of the
VolumeMount matches the
Volume name used above.
mountPath is the directory where the mounted
Secret will be available to the container.
Kubernetes creates a file at the
mountPath where the file name is the
databasePassword we defined earlier. To access the
Secret value we simply read this file. We do exactly this on line 13 where we echo out the contents of
exec into the running container and see the
The sample code for these notes is available here.