Kubernetes Secrets let you store sensitive data — such as passwords, TLS certificates, and Docker registry credentials — separately from your pod configuration. This keeps sensitive values out of your application manifests and limits exposure to only the pods that need them.
Secret types
By default, you can create only Opaque Secrets in the ACK console. The ACK console supports the following Secret types:
| Type | Use case |
|---|---|
| Opaque | Store arbitrary sensitive data, such as passwords and certificates. Values are Base64-encoded. |
| Private Repository Logon Secret | Store credentials for authenticating to a private Docker registry. |
| TLS certificate | Store a TLS certificate and its corresponding private key. |
Kubernetes also supports a service account type, which is automatically created and mounted to /run/secrets/kubernetes.io/serviceaccount in each pod. Service accounts provide pod identity for interacting with the API server and are not created manually through the console.
How secrets are consumed
After creating a Secret, pods in the same namespace can use it in two ways:
- As a volume mount: the Secret is mounted as files inside the container.
- As environment variables: individual Secret values are injected into the container environment.
To configure how a pod consumes a Secret, update the pod spec after creating the Secret. For CLI-based creation and pod configuration, see the Kubernetes documentation on Secrets.
Prerequisites
Before you begin, ensure that you have:
- An ACK cluster. For setup instructions, see Create an ACK managed cluster.
Create a Secret
- Log on to the ACK console. In the left navigation pane, click Clusters.
- On the Clusters page, click the name of the target cluster. In the left navigation pane, choose Configurations > Secrets.
- On the Secrets page, select a Namespace, then click Create in the upper-right corner.
- In the panel that appears, configure the Secret:
| Parameter | Description |
|---|---|
| Name | A name for the Secret. Must be 1–253 characters and can contain only lowercase letters, digits, hyphens (-), and periods (.). |
| Type | The Secret type: Opaque, Private Repository Logon Secret, or TLS certificate. |

Depending on the type you select, configure the additional fields:
Opaque
| Parameter | Description |
|---|---|
| Encode Data Values Using Base64 | (Optional) Select this checkbox to enter plaintext values. The console encodes them in Base64 automatically. |
| Name / Value | Click + Add to add a key-value pair. Enter the secret key in Name and the secret value in Value. |

Base64 is an encoding scheme, not encryption. Encoded values can be decoded by anyone with access to the Secret. Apply appropriate RBAC policies to control who can read Secrets in each namespace.
Private Repository Logon Secret
| Parameter | Description |
|---|---|
| Docker Registry URL | The address of the Docker registry. |
| Username | The username for logging on to the Docker registry. |
| Password | The password for logging on to the Docker registry. |

TLS certificate
| Parameter | Description |
|---|---|
| Cert | The TLS certificate. |
| Key | The private key for the TLS certificate. |
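The Base64 note in the Opaque section above, as an added example that is not part of the ACK documentation: the Python sketch below recovers a Secret's values without any key, then flags Role rules that grant read access to Secrets so they can be narrowed. The Secret, the Role objects, and every name in them are constructed samples shaped like `kubectl get ... -o json` output.

```python
import base64

READ_VERBS = {"get", "list", "watch"}  # "list" and "watch" return full Secret objects too

# Constructed sample shaped like an item from `kubectl get secret -o json`.
SECRET = {
    "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "db-credentials", "namespace": "demo"},
    "data": {"password": base64.b64encode(b"example-password").decode()},
}

# Constructed sample Roles shaped like items from `kubectl get role -o json`.
ROLES = [
    {"metadata": {"name": "app-reader"}, "rules": [
        {"apiGroups": [""], "resources": ["secrets"],
         "resourceNames": ["db-credentials"], "verbs": ["get"]}]},
    {"metadata": {"name": "ops-wide"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "config-viewer"}, "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
]


def decode_secret(secret):
    """Recover every value in .data; no key is needed because Base64 is only an encoding."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def secret_read_grants(role):
    """Return (read verbs, resourceNames) for each rule that lets a subject read Secrets."""
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        read = READ_VERBS if "*" in verbs else verbs & READ_VERBS
        in_core_group = bool({"", "*"} & set(rule.get("apiGroups", [])))
        covers_secrets = bool({"secrets", "*"} & set(rule.get("resources", [])))
        if read and in_core_group and covers_secrets:
            # An empty resourceNames list means every Secret in the namespace.
            findings.append((sorted(read), rule.get("resourceNames", [])))
    return findings


if __name__ == "__main__":
    print("decoded:", decode_secret(SECRET))
    for role in ROLES:
        for verbs, names in secret_read_grants(role):
            scope = ", ".join(names) if names else "ALL Secrets in the namespace"
            print(f"{role['metadata']['name']}: {verbs} on {scope}")
```

Rules reported with an empty `resourceNames` list are the ones to tighten first, since they expose every Secret in the namespace.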
Manage existing secrets
After creating a Secret, you can perform the following operations on the Secrets page:
- View details: Click the Secret name to view its basic information and data fields. Click the icon to reveal values in plaintext.
- Edit: In the Actions column, click Edit to modify the Secret.
- Delete: In the Actions column, click Delete to remove an unneeded Secret.
Do not delete Secrets that were generated automatically when the cluster was created.
What's next
- To use a Secret in a pod as a volume or environment variable, see the Kubernetes documentation on Secrets.
- To create Secrets using the CLI instead of the console, see the Kubernetes documentation on Secrets.