
How to Use Secret in Pod in Kubernetes: Simple Guide

To use a Secret in a Kubernetes Pod, you create the secret object first, then reference it in the pod's spec either as environment variables or as mounted files. This lets your containers access sensitive data securely without hardcoding it in the pod definition.

Syntax

A Kubernetes Secret can be used in a pod in two main ways:

  • Environment variables: Reference the secret keys as environment variables inside the container.
  • Volume mount: Mount the secret as files inside the container's filesystem.

The pod spec references the secret under env (via valueFrom.secretKeyRef) or envFrom for environment variables, or under volumes and volumeMounts for files.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: mycontainer
    image: busybox
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret"
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: mysecret
```

Example

This example shows a pod using a secret named mysecret to pass a username and password as environment variables and also mount the secret as files inside the container.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
stringData:
  username: admin
  password: s3cr3t
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: mycontainer
    image: busybox
    command: ["sh", "-c", "echo Username: $SECRET_USERNAME; echo Password: $SECRET_PASSWORD; cat /etc/secret/username; cat /etc/secret/password; sleep 3600"]
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret"
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: mysecret
```

Output

```text
Username: admin
Password: s3cr3t
admin
s3cr3t
```

Common Pitfalls

  • Secret not found: The secret must exist before the pod is created, or the pod will fail to start.
  • Key mismatch: The key used in secretKeyRef must exactly match a key in the secret.
  • Incorrect volume mount path: Mount path must be a directory, not a file.
  • Not setting readOnly: true: For security, secret volumes should be mounted read-only.
Wrong example (references a secret that does not exist):

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
spec:
  containers:
  - name: container
    image: busybox
    env:
    - name: SECRET_VALUE
      valueFrom:
        secretKeyRef:
          name: missingsecret
          key: password
```

Right example (references an existing secret and key):

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
spec:
  containers:
  - name: container
    image: busybox
    env:
    - name: SECRET_VALUE
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
```
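The pitfalls above (missing secret, key mismatch, secret volume not mounted read-only) are all visible in the manifests before anything is applied, so they can be caught by a preflight check. The following is an added example, not code from the original guide: a small stdlib-only Python validator that walks a Pod spec and reports every Secret reference that would fail or weaken the pod. It assumes the Secret and Pod objects have already been fetched as JSON (for instance with `kubectl get secret mysecret -o json`); the two JSON samples below are constructed for the example and trimmed to the fields the check needs. Note that Secret values under .data are base64-encoded, which is encoding rather than encryption.

```python
import base64
import json

# Constructed sample, shaped like the output of `kubectl get secret -o json`.
# Values under .data are base64 ("admin" and "s3cr3t" from the guide), not encrypted.
SECRETS_JSON = """
[
  {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
   "metadata": {"name": "mysecret"},
   "data": {"username": "YWRtaW4=", "password": "czNjcjN0"}}
]
"""

# Constructed sample Pod that contains one of each pitfall from the guide:
# a misspelled key, an envFrom pointing at a missing secret, and a secret
# volume mounted without readOnly. The optional tls-cert volume is deliberate:
# `optional: true` means a missing secret does not block pod start.
POD_JSON = """
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "secret-pod"},
  "spec": {
    "containers": [{
      "name": "mycontainer", "image": "busybox",
      "env": [
        {"name": "SECRET_USERNAME",
         "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
        {"name": "SECRET_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "passwrd"}}}
      ],
      "envFrom": [{"secretRef": {"name": "missingsecret"}}],
      "volumeMounts": [{"name": "secret-volume", "mountPath": "/etc/secret"}]
    }],
    "volumes": [
      {"name": "secret-volume", "secret": {"secretName": "mysecret"}},
      {"name": "tls-volume", "secret": {"secretName": "tls-cert", "optional": true}}
    ]
  }
}
"""


def load_samples():
    """Parse the constructed samples into (pod, secrets)."""
    return json.loads(POD_JSON), json.loads(SECRETS_JSON)


def secret_keys(secrets):
    """Return {secret name: set of keys}, merging .data and .stringData."""
    return {s["metadata"]["name"]: set(s.get("data", {})) | set(s.get("stringData", {}))
            for s in secrets}


def decode_secret(secret):
    """Decode the base64 .data values of one Secret into plain strings."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def check_pod_secret_refs(pod, secrets):
    """Preflight every Secret reference in a Pod spec; return a list of findings."""
    available = secret_keys(secrets)
    findings = []
    spec = pod["spec"]
    secret_volumes = {}  # volume name -> secretName, used to judge volumeMounts

    for vol in spec.get("volumes", []):
        sec = vol.get("secret")
        if not sec:
            continue
        secret_volumes[vol["name"]] = sec["secretName"]
        if sec["secretName"] not in available and not sec.get("optional"):
            findings.append(f"volume {vol['name']}: secret '{sec['secretName']}' not found")
        for item in sec.get("items", []):  # explicit key projection, if any
            if item["key"] not in available.get(sec["secretName"], set()):
                findings.append(f"volume {vol['name']}: key '{item['key']}' not in secret '{sec['secretName']}'")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c["name"]
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if not ref or ref.get("optional"):
                continue
            if ref["name"] not in available:
                findings.append(f"container {cname}: env {e['name']}: secret '{ref['name']}' not found")
            elif ref["key"] not in available[ref["name"]]:
                findings.append(f"container {cname}: env {e['name']}: key '{ref['key']}' not in secret "
                                f"'{ref['name']}' (keys: {sorted(available[ref['name']])})")
        for ef in c.get("envFrom", []):
            ref = ef.get("secretRef")
            if ref and ref["name"] not in available and not ref.get("optional"):
                findings.append(f"container {cname}: envFrom: secret '{ref['name']}' not found")
        for vm in c.get("volumeMounts", []):
            if vm["name"] in secret_volumes and not vm.get("readOnly"):
                findings.append(f"container {cname}: mount {vm['mountPath']} of secret volume "
                                f"'{vm['name']}' is not readOnly")
    return findings


if __name__ == "__main__":
    pod, secrets = load_samples()
    for finding in check_pod_secret_refs(pod, secrets):
        print("FINDING:", finding)
```

Run against the samples it reports three findings (the `passwrd` key mismatch, the missing `missingsecret`, and the mount at /etc/secret without readOnly) and stays silent about the optional tls-cert volume. Pointing it at real objects is a matter of replacing the two JSON strings with `kubectl get ... -o json` output.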

Quick Reference

Use these tips when working with secrets in pods:

  • Create secrets before pods that use them.
  • Use env or envFrom to inject secrets as environment variables.
  • Use volumes and volumeMounts to mount secrets as files.
  • Always mount secret volumes as read-only.
  • Check key names carefully to avoid mismatches.

Key Takeaways

Create the secret object before referencing it in a pod.
Use env or volumeMounts in the pod spec to access secrets.
Secret keys must match exactly between the secret and pod references.
Mount secret volumes as read-only for security.
Pods will fail to start if the referenced secret does not exist.