All Products
Search

This Product

    Container Service for Kubernetes:Use secrets to distribute credentials

    Document Center

    Container Service for Kubernetes:Use secrets to distribute credentials

    Last Updated:Jan 13, 2026

    When you deploy enterprise applications, you must manage sensitive data such as database passwords and API keys. If you hard-code this information in your code, you introduce serious security risks and potential data leaks. Secrets provide an encrypted storage mechanism that completely separates sensitive data from application code. This helps prevent security incidents caused by code leaks.

    Selection reference

    Method

    Features

    Scenarios

    Mount as a volume (Recommended)

    Isolates data using file permissions to prevent exposure between processes. File content is automatically synchronized.

    Recommended for production environments, especially for highly sensitive information such as database passwords and API keys that require fine-grained file permission control.

    Environment Variable Injection

    Environment variables are easily accessed by all processes, which creates a risk of data leaks in logs. Pods must be restarted for configuration updates to take effect.

    A simple and fast method for configuration injection. This method is suitable for configuring log levels and endpoints, or for legacy applications that are adapted to use environment variables.

    Create a secret

    Console

    1. Log on to the ACK console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click the name of the one you want to change. In the left navigation pane, choose Configurations > Secrets.

    3. On the Secrets page, select the Namespace (default), click Create in the upper-right corner, and then configure the secret in the panel that appears.

      • Name: nginx-secret

      • Type: Opaque

        • Opaque: a Base64-encoded secret that is used to store sensitive information, such as passwords and certificates.

        • Private image repository credential: stores the authentication information for a private image repository.

        • TLS certificate: stores a TLS/SSL certificate and its private key.

      • Add or delete key-value pairs.

        • username: admin

        • password: 'MySecurePassword!'

        • api-key: 'ak-1234567890abcdef'

        If you enter plaintext data for the secret, select Encode data values using Base64.

    kubectl

    1. Connect to your cluster using kubectl.

    2. Create the secret.

      kubectl create secret generic nginx-secret \
  --from-literal=username=admin \
  --from-literal=password='MySecurePassword!' \
  --from-literal=api-key='ak-1234567890abcdef' \
  -n default

    3. View information about the secret.

      kubectl get secret nginx-secret

      Expected output:

      NAME           TYPE     DATA   AGE
nginx-secret   Opaque   3      23h

    Use a secret

    The deployment and the secret must be in the same namespace.

    Method 1: Mount as a volume

    This method lets you securely access sensitive data, such as certificates, private keys, and configuration files, by mounting the secret as files. The application can then read them as if they were local files.

    Configure in the console

    1. Create a deployment.

      If you have an existing deployment, choose Workloads > Stateless and edit the volume in the Container Configuration section as described in the following steps.

      1. On the Clusters page, click the name of the target cluster. In the navigation pane on the left, choose Workloads > Stateless.

      2. Create a stateless workload (Deployment).

        1. On the Stateless page, click Create from Image.

        2. On the Application Basic Information page, set the basic information for the application. Then, click Next to go to the Container Configuration page.

          • Application Name: nginx-volume-demo

          • Namespace: default

          • Number of Replicas: 2

          • Type: Stateless (Deployment)

        3. Configure the container.

          1. On the Container Configuration tab, configure the Image Name and Port.

            • Image Name: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6

            • Container Port: 80, Protocol: TCP

            Important

            The cluster must have public network access to pull this image. If you selected Configure SNAT for VPC (enabled by default) when you created the cluster, no additional configuration is required. Otherwise, see Enable an ACK cluster to access the Internet.

          2. On the Container Configuration tab, in the Volume section, click Add Local Storage.

            • Volume Type: Secret

            • Name: secret-volume

            • Mount Source: Select the secret that you created, such as nginx-secret.

            • Container Path: Specify the mount path in the container, such as /etc/nginx/secrets.

            After you configure the information, click Next.

        4. On the Advanced Configuration page, configure scaling, scheduling, labels, and annotations as needed. Then, click Create at the bottom of the page.

        5. On the Creation Complete page, view the application task.

          In the Application Creation Task Submitted panel, click View Application Details and check whether the container status is Running.

    2. Verify that the secret files are mounted.

      Select the container that you want to log on to, such as nginx-volume-demo-7xxxxxx****. In the Actions column, click Terminal and select nginx to log on to the container.

      1. Verify that the secret files are mounted.

        ls -la /etc/nginx/secrets

        Expected output:

        total 4
drwxrwxrwt 3 root root  140 Sep 15 02:31 .
drwxr-xr-x 1 root root 4096 Sep 15 02:31 ..
drwxr-xr-x 2 root root  100 Sep 15 02:31 ..2025_09_15_02_31_13.2599431463
lrwxrwxrwx 1 root root   32 Sep 15 02:31 ..data -> ..2025_09_15_02_31_13.2599431463
lrwxrwxrwx 1 root root   18 Sep 15 02:31 api-key.txt -> ..data/api-key.txt
lrwxrwxrwx 1 root root   22 Sep 15 02:31 db-password.txt -> ..data/db-password.txt
lrwxrwxrwx 1 root root   22 Sep 15 02:31 db-username.txt -> ..data/db-username.txt

      2. Verify that the file content is correct.

        cat /etc/nginx/secrets/db-username.txt
cat /etc/nginx/secrets/api-key.txt

        Expected output:

        admin
ak-1234567890abcdef

      The output is consistent with the secret configuration. This indicates that the application can access the secret data by mounting the secret as a volume.

    Kubectl configuration

    1. Create a file named nginx-volume-demo.yaml.

      apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-volume-demo
  namespace: default
  labels:
    app: nginx-volume
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-volume
  template:
    metadata:
      labels:
        app: nginx-volume
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80
          protocol: TCP
        # Mount the secret volume
        volumeMounts:
        - name: secret-volume
          mountPath: /etc/nginx/secrets
          readOnly: true
      volumes:
      - name: secret-volume
        secret:
          secretName: nginx-secret
          # Set file permissions
          defaultMode: 0644
          # Optional: Customize file name mapping
          items:
          - key: username
            path: db-username.txt
          - key: password  
            path: db-password.txt
          - key: api-key
            path: api-key.txt

    2. Create a deployment that uses the secret.

      kubectl apply -f nginx-volume-demo.yaml

    3. Check the pod status.

      kubectl get pods -l app=nginx-volume -n default

      Expected output:

      NAME                                 READY   STATUS    RESTARTS   AGE
nginx-volume-demo-7db46895bc-c98b5   1/1     Running   0          4h20m
nginx-volume-demo-7db46895bc-pc6qg   1/1     Running   0          4h20m

    4. Verify that the secret files are mounted.

      kubectl exec deployment/nginx-volume-demo -n default -- ls -la /etc/nginx/secrets

      Expected output:

      total 4
drwxrwxrwt 3 root root  140 Sep 15 02:31 .
drwxr-xr-x 1 root root 4096 Sep 15 02:31 ..
drwxr-xr-x 2 root root  100 Sep 15 02:31 ..2025_09_15_02_31_13.2599431463
lrwxrwxrwx 1 root root   32 Sep 15 02:31 ..data -> ..2025_09_15_02_31_13.2599431463
lrwxrwxrwx 1 root root   18 Sep 15 02:31 api-key.txt -> ..data/api-key.txt
lrwxrwxrwx 1 root root   22 Sep 15 02:31 db-password.txt -> ..data/db-password.txt
lrwxrwxrwx 1 root root   22 Sep 15 02:31 db-username.txt -> ..data/db-username.txt

    5. Verify that the file content is correct.

      kubectl exec deployment/nginx-volume-demo -n default -- cat /etc/nginx/secrets/db-username.txt
kubectl exec deployment/nginx-volume-demo -n default -- cat /etc/nginx/secrets/api-key.txt

      Expected output:

      admin
ak-1234567890abcdef

      The output is consistent with the secret configuration. This indicates that the application can access the secret data by mounting the secret as a volume.

    Method 2: Inject as an environment variable

    This method securely injects sensitive data, such as passwords, API keys, and tokens, as environment variables. This method separates configuration from code and improves application security and portability.

    Configure in the console

    1. Create a deployment.

      If you have an existing deployment, choose Workloads > Stateless and edit the environment variables in the Container Configuration section as described in the following steps.

      1. On the Clusters page, click the name of the target cluster. In the navigation pane on the left, choose Workloads > Stateless.

      2. Create a Deployment.

        1. On the Stateless page, click Create from Image.

        2. On the Application Basic Information page, set the basic information for the application. Then, click Next to go to the Container Configuration page.

          • Application Name: nginx-env-demo

          • Namespace: default

          • Number of Replicas: 2

          • Type: Stateless (Deployment)

        3. Configure the container.

          1. On the Container Configuration tab, configure the Image Name and Port.

            • Image Name: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6

            • Container Port: 80, Protocol: TCP

            Important

            The cluster must have public network access to pull this image. If you selected Configure SNAT for VPC (enabled by default) when you created the cluster, no additional configuration is required. Otherwise, see Enable an ACK cluster to access the Internet.

          2. On the Container Configuration tab, in the Environment Variables section, click Add.

            • Type: Secret

            • Name: USERNAME

            • Value/Reference: Select the source, which is the secret that you created (such as nginx-secret), and then specify a corresponding environment variable name for each key.

            After you configure the information, click Next.

        4. On the Advanced Configuration page, configure scaling, scheduling, labels, and annotations as needed. Then, click Create at the bottom of the page.

        5. On the Creation Complete page, view the application task.

          In the Application Creation Task Submitted panel, click View Application Details, and check whether the container status is Running.

    2. Verify that the environment variables are injected.

      Select the container that you want to log on to, such as nginx-env-demo-7xxxxxx****. In the Actions column, click Terminal and select nginx to log on to the container.

      env | grep -E 'DB_|API_|NGINX_'

      Expected output:

      API_KEY=ak-1234567890abcdef
NGINX_api-key=ak-1234567890abcdef
NGINX_password=MySecurePassword!
NGINX_username=admin
DB_USERNAME=admin
DB_PASSWORD=MySecurePassword!

      The output is consistent with the secret configuration. This indicates that the application can access the secret data by injecting the secret as environment variables.

    Configure using kubectl

    1. Create a file named nginx-env-demo.yaml.

      apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-env-demo
  namespace: default
  labels:
    app: nginx-env
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-env
  template:
    metadata:
      labels:
        app: nginx-env
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80
          protocol: TCP
        # Inject a single key-value pair from the Secret
        env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: nginx-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: nginx-secret
              key: password
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: nginx-secret
              key: api-key
        # Optional: Inject all key-value pairs from the Secret with a prefix
        envFrom:
        - prefix: NGINX_
          secretRef:
            name: nginx-secret

    2. Create a deployment that uses the secret.

      kubectl apply -f nginx-env-demo.yaml

    3. Check the pod status.

      kubectl get pods -l app=nginx-env -n default

      Expected output:

      NAME                             READY   STATUS    RESTARTS   AGE
nginx-env-demo-6dc7556d9-6pjhj   1/1     Running   0          3h33m
nginx-env-demo-6dc7556d9-rcqsh   1/1     Running   0          3h33m

    4. Verify that the environment variables are injected.

      kubectl exec deployment/nginx-env-demo -n default -- env | grep -E 'DB_|API_|NGINX_'

      Expected output:

      API_KEY=ak-1234567890abcdef
NGINX_api-key=ak-1234567890abcdef
NGINX_password=MySecurePassword!
NGINX_username=admin
DB_USERNAME=admin
DB_PASSWORD=MySecurePassword!

      The output is consistent with the secret configuration. This indicates that the application can access the secret data by injecting the secret as environment variables.

    Manage secrets

    After a secret is created, you can perform the following operations on the Secrets page.

    Operation

    Description

    View a secret

    Click the name of the target secret to view its basic information and details.

    Edit a secret

    In the Actions column, click Edit to modify the information of the secret.

    Important

    Modifying a secret that is in use may cause service interruptions. Proceed with caution.

    Delete a secret

    In the Actions column, click Delete to delete a secret that you no longer need.

    Important

    Do not delete secrets that are automatically generated in the kube-system and kube-public namespaces when a cluster is created, such as secrets related to service accounts.

    References