
Using Secrets as environment variables in Kubernetes - Step-by-Step Execution

Process Flow - Using Secrets as environment variables
1. Create Secret
2. Define Pod Spec
3. Reference Secret in env
4. Deploy Pod
5. Pod Starts with Secret as env var
6. Container uses Secret securely
This flow shows how a Kubernetes Secret is created, referenced in a Pod's environment variables, and then used securely by the container.
Execution Sample
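# Step 1 (shell): create the Secret with a single key, PASSWORD
kubectl create secret generic mysecret --from-literal=PASSWORD=abc123

# Step 2 (Pod manifest, YAML): read that key into an environment variable
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: app
    image: busybox
    # busybox exits immediately without a command; sleep keeps the container running
    command: ["sh", "-c", "sleep 3600"]
    env:
    - name: PASSWORD          # variable name seen inside the container
      valueFrom:
        secretKeyRef:
          name: mysecret      # Secret to read from
          key: PASSWORD       # key inside that Secret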
This code creates a secret named 'mysecret' with a password, then defines a Pod that uses this secret as an environment variable.
Process Table
| Step | Action | Resource Affected | Result |
|------|--------|-------------------|--------|
| 1 | Create Secret 'mysecret' with key PASSWORD=abc123 | Secret resource | Secret 'mysecret' created with PASSWORD key |
| 2 | Define Pod spec referencing secret in env var PASSWORD | Pod spec | Pod spec includes env var PASSWORD from secret 'mysecret' |
| 3 | Deploy Pod 'secret-env-pod' | Pod resource | Pod created and scheduled on node |
| 4 | Pod starts container 'app' | Container environment | Container env var PASSWORD set to secret value 'abc123' |
| 5 | Container runs and can access PASSWORD env var | Container runtime | Application can securely use PASSWORD from env |
| 6 | Pod terminates or is deleted | Pod resource | Secret remains intact, Pod removed |
💡 Pod lifecycle ends; secret remains stored securely in Kubernetes.
Status Tracker
| Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 | Final |
|----------|-------|--------------|--------------|--------------|--------------|-------|
| Secret 'mysecret' | Not created | Created with PASSWORD=abc123 | No change | No change | No change | Exists in cluster |
| Pod spec | Not defined | No change | Defined with env var PASSWORD from secret | No change | No change | Defined |
| Pod status | Not created | No change | No change | Created and scheduled | Running with env var set | Terminated or running |
| Container env var PASSWORD | Unset | Unset | Unset | Set to 'abc123' | Accessible to container | Accessible until pod ends |
Key Moments - 3 Insights
Why doesn't the secret value appear directly in the Pod spec?
Because the Pod spec references the secret by name and key (secretKeyRef) instead of embedding the secret value. This keeps the secret secure and separate from the Pod spec, as shown in Process Table step 2.
What happens if the secret is deleted while the Pod is running?
The Pod keeps the environment variable value it received at start. Deleting the secret does not affect running Pods immediately, because environment variables are set at container start (see Process Table step 4).
How does Kubernetes keep the secret value secure in environment variables?
Kubernetes stores Secrets encrypted at rest only when the cluster is set up to do so, and it injects them only into containers that reference them. The secret is not exposed in Pod specs or logs, only inside the container's environment at runtime (Process Table step 4).
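An added example, not part of the original tutorial: a small Python check over Pod manifests (as dicts, the shape `kubectl get pod -o json` returns) that tells a secretKeyRef reference apart from a value embedded in the spec. The function name `audit_pod`, the name pattern and the second Pod are assumptions made for illustration.

```python
import re

# Env var names that usually carry credentials (assumed heuristic; tune per project).
SENSITIVE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|CREDENTIAL", re.I)

def audit_pod(pod):
    """Return (container, env name, kind, detail) tuples for one Pod manifest dict."""
    findings = []
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                # The spec only names the Secret and key, as in the page's Pod.
                findings.append((c["name"], env["name"], "secret-ref",
                                 f'{ref["name"]}/{ref["key"]}'))
            elif "value" in env and SENSITIVE.search(env["name"]):
                # The value itself sits in the Pod spec, visible to anyone who can read Pods.
                findings.append((c["name"], env["name"], "hardcoded",
                                 "literal value in spec"))
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                # Every key of the Secret becomes an env var; wider than one secretKeyRef.
                findings.append((c["name"], "*", "secret-ref-all",
                                 src["secretRef"]["name"]))
    return findings

# Constructed sample 1: the Pod from this page, written as a manifest dict.
PAGE_POD = {
    "metadata": {"name": "secret-env-pod"},
    "spec": {"containers": [{"name": "app", "image": "busybox", "env": [
        {"name": "PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "PASSWORD"}}},
    ]}]},
}
# Constructed sample 2 (hypothetical): same variable, value embedded in the spec.
HARDCODED_POD = {
    "metadata": {"name": "hardcoded-env-pod"},
    "spec": {"containers": [{"name": "app", "image": "busybox", "env": [
        {"name": "PASSWORD", "value": "abc123"},
        {"name": "LOG_LEVEL", "value": "debug"},
    ]}]},
}

if __name__ == "__main__":
    for pod in (PAGE_POD, HARDCODED_POD):
        for finding in audit_pod(pod):
            print(pod["metadata"]["name"], *finding)
```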
Visual Quiz - 3 Questions
Test your understanding
1. Look at the Process Table. At which step is the Pod created and scheduled on a node?
A. Step 2
B. Step 3
C. Step 4
D. Step 1
💡 Hint: Check the 'Action' column of the Process Table for Pod creation and scheduling.

2. According to the Status Tracker, when does the container environment variable PASSWORD get its secret value?
A. After Step 2
B. After Step 3
C. After Step 4
D. At Start
💡 Hint: Look at the 'Container env var PASSWORD' row in the Status Tracker for when it changes from 'Unset' to the secret value.

3. If the secret 'mysecret' is deleted after the Pod starts, what happens to the PASSWORD env var inside the container?
A. It becomes empty immediately
B. It remains accessible until Pod restarts
C. Pod crashes immediately
D. Pod automatically recreates the secret
💡 Hint: Refer to the Key Moments explanation of how secret deletion affects running Pods.
Concept Snapshot
Create a Secret with kubectl create secret.
Reference it in Pod spec under env using secretKeyRef.
Deploy Pod; container gets secret as env var.
Secret value not visible in Pod spec.
Secret remains secure and separate from Pod lifecycle.
Full Transcript
This visual execution shows how to use Kubernetes Secrets as environment variables in Pods. First, a Secret named 'mysecret' is created with a key PASSWORD and value 'abc123'. Then, a Pod specification is defined that references this secret in its environment variables. When the Pod is deployed, Kubernetes injects the secret value into the container's environment variable PASSWORD. The secret value is not directly visible in the Pod spec, keeping it secure. The container can use the PASSWORD environment variable during runtime. Even if the secret is deleted later, the running Pod retains the environment variable value until it restarts or terminates.