
Using Secrets as mounted volumes in Kubernetes - Commands & Configuration

Introduction
Sometimes applications need sensitive information like passwords or API keys. Storing these secrets safely and making them available to apps without exposing them in code is important. Kubernetes lets you store secrets and mount them as files inside your app's containers.
  • When your app needs a database password without hardcoding it in the app code.
  • When you want to provide TLS certificates to your app securely.
  • When you need to share API keys with your app without exposing them in environment variables.
  • When you want to update secrets without rebuilding your app image.
  • When you want to keep sensitive data separate from your app configuration files.
Config File - secret-volume-pod.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: bXl1c2Vy
  password: bXlwYXNzd29yZA==
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-volume-pod
spec:
  containers:
  - name: my-container
    image: busybox
    command: ["sleep", "3600"]
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret-data"
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: my-secret

This file has two parts:

  • Secret: Stores sensitive data encoded in base64. Here, 'username' and 'password' are stored.
  • Pod: Defines a pod that mounts the secret as a volume at /etc/secret-data. The container runs a simple sleep command to keep running.

The secret data will appear as files inside the container at the mount path.

Commands
This command creates the secret and the pod that mounts the secret as a volume. It sets up the environment for the app to access secret data as files.
Terminal
kubectl apply -f secret-volume-pod.yaml
Expected Output
secret/my-secret created
pod/secret-volume-pod created
Check that the pod is running and ready to use the secret volume.
Terminal
kubectl get pods
Expected Output
NAME                READY   STATUS    RESTARTS   AGE
secret-volume-pod   1/1     Running   0          10s
List the files inside the mounted secret volume to verify the secret keys are available as files.
Terminal
kubectl exec secret-volume-pod -- ls /etc/secret-data
Expected Output
password username
Read the content of the username file inside the container to see the secret value.
Terminal
kubectl exec secret-volume-pod -- cat /etc/secret-data/username
Expected Output
myuser
Key Concept

If you remember nothing else from this pattern, remember: Kubernetes secrets can be securely mounted as files inside containers, letting your app read sensitive data without exposing it in code or environment variables.

Common Mistakes
  • Not encoding secret data in base64 before creating the secret manifest. Kubernetes requires secret data to be base64 encoded; otherwise, the secret creation will fail or data will be corrupted. Encode your secret values using base64 before adding them to the secret manifest.
  • Mounting the secret volume without setting readOnly to true. Without readOnly, the container might accidentally modify or delete secret files, risking security and stability. Always set readOnly: true when mounting secrets as volumes to prevent accidental changes.
  • Trying to access secret files before the pod is fully running. If the pod is not ready, the secret volume might not be mounted yet, causing file not found errors. Wait until the pod status is Running and Ready before accessing secret files.
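The manifest walkthrough above and the common mistakes just listed can be checked mechanically before running kubectl apply. The following Python is an added example, not part of this tutorial: it transcribes the page's secret-volume-pod.yaml into dicts (a transcription assumed faithful, so no YAML parser is needed), encodes plaintext values the way the data: field expects, shows the decoded files the container will see under the mount path, and lints for values that are not valid base64, Secret mounts missing readOnly, and a secretName with no matching Secret in the same file.

```python
import base64
import binascii

# The page's secret-volume-pod.yaml transcribed into dicts (constructed here so
# no YAML parser is needed); the Pod only carries the fields the checks look at.
SECRET = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
          "metadata": {"name": "my-secret"},
          "data": {"username": "bXl1c2Vy", "password": "bXlwYXNzd29yZA=="}}
POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secret-volume-pod"},
       "spec": {"containers": [{"name": "my-container", "image": "busybox",
                                "volumeMounts": [{"name": "secret-volume",
                                                  "mountPath": "/etc/secret-data",
                                                  "readOnly": True}]}],
                "volumes": [{"name": "secret-volume",
                             "secret": {"secretName": "my-secret"}}]}}

def encode_secret_data(plain: dict) -> dict:
    """Build the data: map from plaintext values (mistake 1). base64 is the
    manifest's wire format, not protection: anyone who can read the manifest
    or the Secret object can decode it, so restrict that access with RBAC."""
    return {k: base64.b64encode(v.encode()).decode() for k, v in plain.items()}

def mounted_files(secret: dict) -> dict:
    """What the kubelet writes under mountPath: one file per key, decoded."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}

def lint(docs: list) -> list:
    """Return findings for the common mistakes; an empty list means clean."""
    findings = []
    secrets = {d["metadata"]["name"]: d for d in docs if d["kind"] == "Secret"}
    for name, s in secrets.items():
        for key, val in s.get("data", {}).items():
            try:  # validate=True rejects stray characters; padding is also checked
                base64.b64decode(val, validate=True)
            except (binascii.Error, ValueError):
                findings.append(f"Secret {name}: data.{key} is not valid base64")
    for pod in (d for d in docs if d["kind"] == "Pod"):
        pname = pod["metadata"]["name"]
        vols = {v["name"]: v for v in pod["spec"].get("volumes", [])}
        for vol in vols.values():
            ref = vol.get("secret", {}).get("secretName")
            if ref is not None and ref not in secrets:
                findings.append(f"Pod {pname}: volume {vol['name']} references missing Secret {ref}")
        for c in pod["spec"]["containers"]:
            for m in c.get("volumeMounts", []):
                if "secret" in vols.get(m["name"], {}) and not m.get("readOnly", False):
                    findings.append(f"Pod {pname}: {m['mountPath']} mounts a Secret without readOnly")
    return findings
```

A raw value that happens to be a multiple of four base64 characters long slips past the encoding check, so treat an empty findings list as necessary, not sufficient.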
Summary
  • Create a Kubernetes secret with base64 encoded data.
  • Define a pod that mounts the secret as a volume at a specific path.
  • Verify the pod is running and list the secret files inside the container.
  • Read secret values from the mounted files securely inside the container.