Deploying enterprise applications requires managing sensitive data like database passwords and API keys. Hardcoding this information into your code poses severe security risks and can lead to data leaks. Kubernetes Secrets provide an encrypted storage mechanism to separate sensitive data from your application code. This helps prevent security incidents caused by code exposure.
Choose a method
Method | Features | Use cases |
Mount as a volume (Recommended) | Isolates data using file permissions to prevent exposure between processes. Changes to the Secret are automatically synced to the mounted files. | Ideal for production environments, especially for highly sensitive data such as database passwords and API keys where fine-grained file permission control is required. |
Inject as an environment variable | Easy to access by all processes within a container, but this increases the risk of accidental exposure through logs. Pods must be restarted for updates to take effect. | Suitable for simple configuration injection, such as log levels or service endpoints, and for legacy applications designed to consume environment variables. |
Create a Secret
Console
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of the one you want to change. In the left navigation pane, choose .
On the Secrets page, select the default Namespace and click Create. Configure the new Secret:
Name: nginx-secret
Type: Opaque
Opaque: a base64-encoded secret used to store sensitive data, such as passwords and certificates.
Private Repository Logon Secret: stores authentication credentials for a private image repository.
TLS Certificate: stores a Transport Layer Security (TLS)/Secure Sockets Layer (SSL) certificate and private key.
Add the following key-value pairs:
username: admin
password: MySecurePassword!
api-key: ak-1234567890abcdef
If you enter a plaintext value, select Encode Data Values Using Base64.
kubectl
Create the Secret.
ImportantThis example is for demonstration only. In production, create secrets from files or other secure sources instead of using
--from-literal.kubectl create secret generic nginx-secret \ --from-literal=username=admin \ --from-literal=password='MySecurePassword!' \ --from-literal=api-key='ak-1234567890abcdef' \ -n defaultVerify that the Secret was created.
kubectl get secret nginx-secretExpected output:
NAME TYPE DATA AGE nginx-secret Opaque 3 23h
Use a Secret
The Deployment and the Secret it uses must be in the same namespace.
Method 1: Mount as a volume
This method securely exposes Secret data as files inside your container.
Console
Create a Deployment.
On the Clusters page, find the cluster you want to manage and click its name. In the left navigation pane, choose .
Create a stateless workload (Deployment).
On the Deployments page, click Create from Image.
In the Basic Information step, configure the following parameters and click Next:
Name: nginx-volume-demo
Namespace: default
Replicas: 2
Type: Deployment
Configure the container.
In the Container step, configure the Image Name and Port:
Image Name:
anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6Container Port: 80, Protocol: TCP
ImportantYour cluster must have Internet access to pull this image. If you selected Configure SNAT for VPC (enabled by default) when creating the cluster, no further action is needed. Otherwise, see Enable an existing ACK cluster to access the Internet.
In the Volume section, click Add Local Storage.
PV Type: Secret
Name: secret-volume
Mount Source: select the created Secret, such as nginx-secret.
Container Path: Specify the mount path inside the container, such as /etc/nginx/secrets.
Then, click Next.
In the Advanced step, configure access control, scaling, scheduling, labels, and annotations as needed. Then, click Create at the bottom of the page.
In the Complete step, monitor the application task.
In the Creation Task Submitted section, click View Details and verify that the container status is
Running.
Verify that the Secret files were mounted.
Select the pod you want to access, such as
nginx-volume-demo-7xxxxxx****. In the Actions column, click Terminal and choose thenginxcontainer to open a terminal session.Verify that the Secret files were mounted.
ls -la /etc/nginx/secretsExpected output:
total 4 drwxrwxrwt 3 root root 140 Sep 15 02:31 . drwxr-xr-x 1 root root 4096 Sep 15 02:31 .. drwxr-xr-x 2 root root 100 Sep 15 02:31 ..2025_09_15_02_31_13.2599431463 lrwxrwxrwx 1 root root 32 Sep 15 02:31 ..data -> ..2025_09_15_02_31_13.2599431463 lrwxrwxrwx 1 root root 18 Sep 15 02:31 api-key.txt -> ..data/api-key.txt lrwxrwxrwx 1 root root 22 Sep 15 02:31 db-password.txt -> ..data/db-password.txt lrwxrwxrwx 1 root root 22 Sep 15 02:31 db-username.txt -> ..data/db-username.txtVerify the content of the files.
cat /etc/nginx/secrets/db-username.txt cat /etc/nginx/secrets/api-key.txtExpected output:
admin ak-1234567890abcdef
The output matches the data in the Secret, confirming that the application can access it.
kubectl
Create a file named nginx-volume-demo.yaml.
apiVersion: apps/v1 kind: Deployment metadata: name: nginx-volume-demo namespace: default labels: app: nginx-volume spec: replicas: 2 selector: matchLabels: app: nginx-volume template: metadata: labels: app: nginx-volume spec: containers: - name: nginx image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6 ports: - containerPort: 80 protocol: TCP # Mount the secret volume volumeMounts: - name: secret-volume mountPath: /etc/nginx/secrets readOnly: true volumes: - name: secret-volume secret: secretName: nginx-secret # Set file permissions defaultMode: 0644 # Optional: Customize file name mapping items: - key: username path: db-username.txt - key: password path: db-password.txt - key: api-key path: api-key.txtCreate a Deployment that uses the Secret.
kubectl apply -f nginx-volume-demo.yamlCheck the pod status.
kubectl get pods -l app=nginx-volume -n defaultExpected output:
NAME READY STATUS RESTARTS AGE nginx-volume-demo-7db46895bc-c98b5 1/1 Running 0 4h20m nginx-volume-demo-7db46895bc-pc6qg 1/1 Running 0 4h20mVerify that the Secret files were mounted.
kubectl exec deployment/nginx-volume-demo -n default -- ls -la /etc/nginx/secretsExpected output:
total 4 drwxrwxrwt 3 root root 140 Sep 15 02:31 . drwxr-xr-x 1 root root 4096 Sep 15 02:31 .. drwxr-xr-x 2 root root 100 Sep 15 02:31 ..2025_09_15_02_31_13.2599431463 lrwxrwxrwx 1 root root 32 Sep 15 02:31 ..data -> ..2025_09_15_02_31_13.2599431463 lrwxrwxrwx 1 root root 18 Sep 15 02:31 api-key.txt -> ..data/api-key.txt lrwxrwxrwx 1 root root 22 Sep 15 02:31 db-password.txt -> ..data/db-password.txt lrwxrwxrwx 1 root root 22 Sep 15 02:31 db-username.txt -> ..data/db-username.txtVerify the content of the files.
kubectl exec deployment/nginx-volume-demo -n default -- cat /etc/nginx/secrets/db-username.txt kubectl exec deployment/nginx-volume-demo -n default -- cat /etc/nginx/secrets/api-key.txtExpected output:
admin ak-1234567890abcdefThe output matches the data in the Secret, confirming that the application can access it.
Method 2: Inject as an environment variable
This method exposes Secret data as environment variables inside your container.
Console
Create a deployment.
On the Clusters page, find the cluster you want to manage and click its name. In the left navigation pane, choose .
Create a Deployment.
On the Deployments page, click Create From Image.
In the Basic Information step, configure the following parameters and click Next:
Name: nginx-env-demo
Namespace: default
Replicas: 2
Type: Deployment
Configure the container.
In the Container step, configure the Image Name and Port:
Image Name:
anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6Container Port: 80, Protocol: TCP
ImportantYour cluster must have Internet access to pull this image. If you selected Configure SNAT for VPC (enabled by default) when creating the cluster, no further action is needed. Otherwise, see Enable an existing ACK cluster to access the Internet.
In the Environments section, click Add.
Type: Secrets
Variable Key:
USERNAME.Value/ValueFrom: Select the source from the created Secret, such as
nginx-secret. Then, specify an environment variable name for each key.
Then, click Next.
In the Advanced step, configure access control, scaling, scheduling, labels, and annotations as needed. Then, click Create at the bottom of the page.
In the Complete step, monitor the application task.
In the Creation Task Submitted section, click View Details and verify that the container status is
Running.
Verify that the environment variables were injected.
Select the pod you want to access, such as
nginx-env-demo-7xxxxxx****. In the Actions column, click Terminal and choose thenginxcontainer to open a terminal session.env | grep -E 'DB_|API_|NGINX_'Expected output:
API_KEY=ak-1234567890abcdef NGINX_api-key=ak-1234567890abcdef NGINX_password=MySecurePassword! NGINX_username=admin DB_USERNAME=admin DB_PASSWORD=MySecurePassword!The output matches the data in the Secret, confirming that the application can access it through environment variables.
kubectl
Create a file named nginx-env-demo.yaml.
apiVersion: apps/v1 kind: Deployment metadata: name: nginx-env-demo namespace: default labels: app: nginx-env spec: replicas: 2 selector: matchLabels: app: nginx-env template: metadata: labels: app: nginx-env spec: containers: - name: nginx image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6 ports: - containerPort: 80 protocol: TCP # Inject a single key-value pair from the Secret env: - name: DB_USERNAME valueFrom: secretKeyRef: name: nginx-secret key: username - name: DB_PASSWORD valueFrom: secretKeyRef: name: nginx-secret key: password - name: API_KEY valueFrom: secretKeyRef: name: nginx-secret key: api-key # Optional: Inject all key-value pairs from the Secret with a prefix envFrom: - prefix: NGINX_ secretRef: name: nginx-secretCreate a Deployment that uses the Secret.
kubectl apply -f nginx-env-demo.yamlCheck the pod status.
kubectl get pods -l app=nginx-env -n defaultExpected output:
NAME READY STATUS RESTARTS AGE nginx-env-demo-6dc7556d9-6pjhj 1/1 Running 0 3h33m nginx-env-demo-6dc7556d9-rcqsh 1/1 Running 0 3h33mVerify that the environment variables were injected.
kubectl exec deployment/nginx-env-demo -n default -- env | grep -E 'DB_|API_|NGINX_'Expected output:
API_KEY=ak-1234567890abcdef NGINX_api-key=ak-1234567890abcdef NGINX_password=MySecurePassword! NGINX_username=admin DB_USERNAME=admin DB_PASSWORD=MySecurePassword!The output matches the data in the Secret, confirming that the application can access it through environment variables.
Manage a Secret
After a Secret is created, you can perform the following actions on the Secrets page:
Action | Description |
View a Secret | Click a Secret's name to view its details. |
Edit a Secret | In the Actions column, click Edit to modify a Secret's data. Important Changes to a Secret are applied automatically and can cause immediate service disruptions if the Secret is in use. Proceed with caution. |
Delete a Secret | In the Actions column, click Delete to remove a Secret you no longer need. Important Do not delete system-generated Secrets in the |
References
To learn how to diagnose and troubleshoot common pod issues, see Troubleshoot abnormal pods.
To create a stateless application in an ACK cluster using the console and kubectl, see Create a Deployment.
See the Kubernetes official documentation for more information about Secrets.