We recommend that you use Secrets to store sensitive information, such as passwords
and certificates, in Kubernetes clusters. This topic describes how to create
a Secret in the Container Service for Kubernetes (ACK) console, how to mount a Secret
as a volume to a pod, and how to expose a Secret as an environment variable
for a pod. You can perform the operations by using the console or a CLI.
Background information
You can use a Secret in a pod in the following scenarios:
- Mount a Secret as a volume to a pod.
- Expose a Secret as an environment variable for a pod.
For more information about Secrets, see Secrets.
Create a Secret
The following example shows how to create a Secret named secret-test.
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose .
- On the Deployments page, click Create from YAML in the upper-right corner.
- Select a cluster and a namespace, select a sample template or enter a custom template,
and then click Create.
The following YAML template provides an example of how to create the Secret named
secret-test. Values under data must be Base64-encoded:
apiVersion: v1
kind: Secret
metadata:
  name: secret-test
type: Opaque
data:
  username: YWRtaW4=   # Base64 of "admin"
  password: MTIzNDU=   # Base64 of "12345"
For more information about how to create a Secret in the ACK console, see Manage Secrets.
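The following script is an added example, not part of the original ACK documentation. It generates the secret-test manifest with each data value Base64-encoded from its exact bytes. The function names b64 and secret_manifest are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the ACK documentation): generate a Secret manifest
# whose data values are Base64-encoded. Function names are assumptions.

# b64 VALUE: Base64 of the exact bytes of VALUE.
# printf '%s' adds no newline; `echo 12345 | base64` would encode "12345\n"
# (MTIzNDUK) and the pod would receive a password ending in a newline.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'   # tr undoes wrapping of long output
}

# secret_manifest NAME KEY=VALUE...: print an Opaque Secret manifest.
secret_manifest() {
  sm_name=$1
  shift
  # Validate every pair before printing anything, so a bad argument never
  # produces a half-written manifest. Arguments are not echoed on error
  # because they may contain the secret value.
  for sm_pair in "$@"; do
    case $sm_pair in
      *=*) ;;
      *) echo "expected KEY=VALUE argument" >&2; return 1 ;;
    esac
    # Secret keys may contain only alphanumerics, '-', '_' and '.'.
    case ${sm_pair%%=*} in
      ''|*[!A-Za-z0-9._-]*) echo "invalid key: ${sm_pair%%=*}" >&2; return 1 ;;
    esac
  done
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$sm_name"
  for sm_pair in "$@"; do
    # Split on the first '=' only, so values may themselves contain '='.
    printf '  %s: %s\n' "${sm_pair%%=*}" "$(b64 "${sm_pair#*=}")"
  done
}

# Sample values from this page; pipe the output to `kubectl apply -f -`.
secret_manifest secret-test username=admin password=12345
```

Command-line arguments are visible in the process list and shell history, so on a shared host read real values from a file or a prompt instead of typing them as arguments.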
Mount a Secret as a volume to a pod
You can mount a Secret as a volume to a pod by using the following methods:
Mount a Secret as a volume to a pod by using a CLI
A mounted Secret can be used as a file in a pod. In this example, the secret-test
Secret that contains the username and password information is stored as a file under
the /srt directory.
- Create an example0.yaml file and copy the following content into the file:
apiVersion: v1
kind: Pod
metadata:
  name: pod0
spec:
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: srt
      mountPath: "/srt"
      readOnly: true
  volumes:
  - name: srt
    secret:
      secretName: secret-test
- Run the following command to create a pod to which the secret-test Secret is mounted:
kubectl apply -f example0.yaml
Note: Replace example0.yaml with the name of the YAML file that is used.
Mount a Secret as a volume to a pod in the ACK console
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose .
- On the Deployments page, click Create from Image in the upper-right corner.
- On the Basic Information wizard page, set the parameters and click Next.
- On the Container wizard page, click Add Local Storage in the Volume section. Select Secret from the PV Type drop-down list, select the Secret that is created in Create a Secret from the Mount Source drop-down list, and specify a container path in the Container Path column. Click Next.
The following figure shows an example of how to configure the volume.

- On the Advanced wizard page, set the parameters and click Create.
Expose a Secret as an environment variable for a pod
You can expose a Secret as an environment variable for a pod by using the following methods:
Expose a Secret as an environment variable for a pod by using a CLI
In this example, the username and password stored in the secret-test Secret are referenced
in an environment variable of a pod.
- Create an example1.yaml file and copy the following content into the file:
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - name: redis
    image: redis
    env:
    - name: USERNAME
      valueFrom:
        secretKeyRef:
          name: secret-test
          key: username
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: secret-test
          key: password
- Run the following command to configure an environment variable:
kubectl apply -f example1.yaml
Note: Replace example1.yaml with the name of the YAML file that is used.
Expose a Secret as an environment variable for a pod in the ACK console
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose .
- On the Deployments page, click Create from Image in the upper-right corner.
- On the Basic Information wizard page, set the parameters and click Next.
- On the Container wizard page, click
in the Environments section. In this example, select Secret from the Type drop-down list and select the Secret that is created in Create a Secret from the Value/ValueFrom drop-down list. After you select the Secret, you must specify the key of the key-value
pair that you want to reference and specify a name for the environment variable.
The following figure shows an example of how to configure the environment variable.

- On the Advanced wizard page, set the parameters and click Create.
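The following script is an added example, not part of the original ACK documentation. It shows how a container entrypoint can read the same credential from either delivery method described above: the mounted volume, where each Secret key is a file under /srt that holds the decoded value, or an environment variable populated from secretKeyRef. The names read_secret and SECRET_DIR are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the ACK documentation). read_secret and SECRET_DIR
# are assumed names; /srt is the mountPath used by pod0 on this page.
SECRET_DIR=${SECRET_DIR:-/srt}

# read_secret KEY ENVVAR: print the credential, preferring the mounted file.
# Returns 1 if neither source provides it, 2 if ENVVAR is not a valid name.
read_secret() {
  rs_file=$SECRET_DIR/$1
  if [ -f "$rs_file" ] && [ -r "$rs_file" ]; then
    # Volume mount: one file per Secret key, content already Base64-decoded.
    cat "$rs_file"
    return 0
  fi
  # Only a plain identifier may reach eval below.
  case $2 in
    ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid variable name" >&2; return 2 ;;
  esac
  # Environment variable: populated from secretKeyRef, also decoded.
  eval "rs_val=\${$2-}"
  if [ -z "$rs_val" ]; then
    echo "secret '$1' not found in $SECRET_DIR or \$$2" >&2
    return 1
  fi
  printf '%s' "$rs_val"
}

# Constructed demo: a temporary directory stands in for the /srt mount of pod0
# and a shell variable stands in for the PASSWORD variable of pod1. The body
# runs in a subshell so nothing leaks into the caller. Only lengths are
# printed, never the values.
demo() (
  SECRET_DIR=$(mktemp -d)
  printf '%s' admin > "$SECRET_DIR/username"
  PASSWORD=12345
  echo "username from file, bytes: $(read_secret username USERNAME | wc -c)"
  echo "password from env, bytes: $(read_secret password PASSWORD | wc -c)"
  rm -rf "$SECRET_DIR"
)
demo
```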