Using Secrets as environment variables in Kubernetes - Commands & Configuration

Introduction
Sometimes you need to keep passwords or keys safe when running apps. Kubernetes Secrets let you store these safely and use them as environment variables inside your app containers.
When your app needs a database password without putting it directly in the code.
When you want to keep API keys hidden but accessible to your app.
When you deploy apps that require secure tokens to connect to other services.
When you want to update sensitive data without changing your app image.
When you want to avoid exposing secrets in plain text in your deployment files.
Config File - secret-env-pod.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: bXl1c2Vy
  password: c2VjdXJlcGFzcw==
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: my-container
    image: busybox
    command: ["sh", "-c", "env; sleep 3600"]
    env:
    - name: USERNAME
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: username
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: password
  restartPolicy: Never

This file has two parts separated by `---`.

The first part creates a Secret named my-secret with two keys: username and password. The values are base64 encoded, which is an encoding and not encryption: anyone who can read the Secret can decode them.

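The second part creates a Pod named secret-env-pod that runs a simple container. It sets the environment variables USERNAME and PASSWORD from the Secret keys. The container's command runs env at startup, so this demo also writes both values to the Pod's log (readable with kubectl logs).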

This way, the app inside the container can use these secrets as environment variables safely.

Commands
This command creates the Secret and the Pod in Kubernetes from the configuration file.
Terminal
kubectl apply -f secret-env-pod.yaml
Expected Output
secret/my-secret created
pod/secret-env-pod created
Check that the Pod is running and ready to use the secrets as environment variables.
Terminal
kubectl get pods
Expected Output
NAME             READY   STATUS    RESTARTS   AGE
secret-env-pod   1/1     Running   0          10s
This command prints the environment variables USERNAME and PASSWORD inside the running Pod to verify the secrets are set correctly.
Terminal
kubectl exec secret-env-pod -- printenv USERNAME PASSWORD
Expected Output
myuser
securepass
Key Concept

If you remember nothing else from this pattern, remember: Kubernetes Secrets can be safely injected as environment variables to keep sensitive data out of your code.

Common Mistakes
Not base64 encoding the secret values before creating the Secret.
Kubernetes requires secret data to be base64 encoded; otherwise, the Secret creation will fail or data will be incorrect.
Always encode your secret values using base64 before adding them to the Secret manifest.

Referencing a secret key in the Pod environment that does not exist in the Secret.
The Pod will fail to start or the environment variable will be empty because the key is missing.
Double-check that the secret key names in the Pod spec exactly match those in the Secret.

Exposing secrets directly in the Pod spec as plain text environment variables.
This defeats the purpose of using Secrets and risks leaking sensitive data.
Always use valueFrom with secretKeyRef to reference secrets securely.
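
The three mistakes above can be caught before running kubectl apply. The following is an added example, not part of the original tutorial: a small Python linter over manifests that have already been parsed into dicts. The helper names (lint, manifest, secret_env), the sensitive-name heuristic and the broken variant are assumptions constructed for illustration, and the trailing-newline check goes slightly beyond the list above (it catches values encoded with `echo value | base64`).

```python
import base64
import binascii

SENSITIVE_HINTS = ("PASSWORD", "TOKEN", "SECRET", "KEY")  # assumed naming heuristic


def lint(docs):
    """Check parsed manifests (dicts) for the three mistakes listed above."""
    findings = []
    secrets = {d["metadata"]["name"]: d.get("data", {})
               for d in docs if d.get("kind") == "Secret"}
    for sname, data in secrets.items():
        for key, value in data.items():
            try:  # mistake 1: every value under data: must be valid base64
                raw = base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                findings.append(f"{sname}/{key}: not valid base64")
                continue
            if raw.endswith(b"\n"):  # typical result of `echo value | base64`
                findings.append(f"{sname}/{key}: decoded value ends with newline")
    for pod in (d for d in docs if d.get("kind") == "Pod"):
        for container in pod["spec"]["containers"]:
            for var in container.get("env", []):
                ref = (var.get("valueFrom") or {}).get("secretKeyRef")
                if ref:  # mistake 2: referenced Secret and key must exist
                    if ref["key"] not in secrets.get(ref["name"], {}):
                        findings.append(f"{var['name']}: no key {ref['key']} in {ref['name']}")
                elif "value" in var and any(h in var["name"].upper() for h in SENSITIVE_HINTS):
                    # mistake 3: sensitive-looking variable given as a literal
                    findings.append(f"{var['name']}: literal value, use secretKeyRef")
    return findings


def manifest(data, env):
    """Secret my-secret plus Pod secret-env-pod, shaped as a YAML loader returns them."""
    return [{"kind": "Secret", "metadata": {"name": "my-secret"}, "data": data},
            {"kind": "Pod", "metadata": {"name": "secret-env-pod"},
             "spec": {"containers": [{"name": "my-container", "env": env}]}}]


def secret_env(name, key):
    return {"name": name, "valueFrom": {"secretKeyRef": {"name": "my-secret", "key": key}}}


# Constructed input: the page's manifest (GOOD) and a broken variant (BAD).
GOOD = manifest({"username": "bXl1c2Vy", "password": "c2VjdXJlcGFzcw=="},
                [secret_env("USERNAME", "username"), secret_env("PASSWORD", "password")])
BAD = manifest({"username": "bXl1c2VyCg==", "password": "securepass"},
               [secret_env("USERNAME", "user"), {"name": "API_TOKEN", "value": "constructed-token"}])
```

lint(GOOD) returns an empty list; lint(BAD) returns one finding per problem, in manifest order.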
Summary
Create a Kubernetes Secret with base64 encoded sensitive data.
Create a Pod that uses the Secret keys as environment variables via secretKeyRef.
Verify the Pod is running and the environment variables contain the secret values.