When connecting workloads to backend database services or authenticating client requests, you may need to store sensitive configuration information, such as usernames, passwords, and certificates. You can use secrets in an Alibaba Cloud Container Compute Service (ACS) cluster to manage this sensitive information and prevent its exposure. This topic describes how to create, edit, and delete secrets in an ACS cluster.
Prerequisites
An ACS cluster is created. For more information, see Create an ACS cluster.
Background information
Secrets are classified into the following types:
Service Account: A secret used to access the Kubernetes API. Kubernetes automatically creates this secret and mounts it to the /run/secrets/kubernetes.io/serviceaccount directory of a pod.
Opaque: A Base64-encoded secret used to store sensitive information, such as passwords and certificates.
In ACS, you can create secrets with a single click. This action automatically encodes plaintext data into the Base64 format. You can also manually create secrets from the command line. For more information, see Kubernetes Secret.
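The Base64 encoding described above is an encoding, not encryption. The following added example (not part of the ACS documentation) builds the same objects from the command line and decodes a stored value back to plaintext, which anyone who can read the Secret object can also do. It assumes a POSIX shell with the coreutils base64 tool, and that the console's Private Repository Logon Secret type corresponds to the standard Kubernetes type kubernetes.io/dockerconfigjson; all names and values are constructed.

```shell
#!/bin/sh
# Added example, not from the ACS documentation. All names and values are constructed.

# b64 VALUE: single-line Base64 of VALUE. This is an encoding, not encryption.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# opaque_secret NAME NAMESPACE KEY=VALUE...: print an Opaque Secret manifest.
opaque_secret() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
  printf 'type: Opaque\ndata:\n'
  shift 2
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64 "${kv#*=}")"
  done
}

# registry_secret NAME NAMESPACE URL USERNAME PASSWORD: print an image pull secret.
# Assumption: the console's Private Repository Logon Secret type corresponds to
# the standard Kubernetes type kubernetes.io/dockerconfigjson.
registry_secret() {
  case "$3$4$5" in
    *\"*|*\\*) echo 'registry_secret: value needs JSON escaping' >&2; return 1 ;;
  esac
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
  printf 'type: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$(b64 "$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
      "$3" "$4" "$5" "$(b64 "$4:$5")")")"
}

# secret_value KEY: read a manifest on stdin and print the decoded value of KEY.
# Anyone who can read the Secret object can do the same.
secret_value() {
  awk -v k="$1:" '/^data:/ { d = 1; next } d && $1 == k { print $2 }' | base64 -d
}

# Usage against a cluster (requires kubectl configured for the ACS cluster):
#   opaque_secret db-credentials default username=app password='S3cr3t!' | kubectl apply -f -
```

Because the stored values decode this easily, access to Secret objects is best restricted with RBAC to the workloads and users that need them.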
Create a secret
Log on to the ACS console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its ID. In the left-side navigation pane of the cluster details page, choose .
On the Secrets page, select a Namespace and click Create in the upper-left corner. In the panel that appears, configure the new secret.
Parameter: Description
Name: Enter a name for the secret.
Type: The type can be Opaque, Private Repository Logon Secret, or TLS Certificate.
  Opaque: If you set Type to Opaque, configure the following parameters:
    Configure the secret data. Click Add, then enter a name and value in the Name and Value text boxes.
    Optional: To encode plaintext data into Base64 format, select Encode Data Values Using Base64.
  Private Repository Logon Secret: If you set Type to Private Repository Logon Secret, configure the following parameters:
    Docker Registry URL: Enter the address of the image repository.
    Username: Enter the username for the image repository.
    Password: Enter the password for the image repository.
  TLS Certificate: If you set Type to TLS Certificate, configure the following parameters:
    Certificates: Enter the TLS certificate.
    Key: Enter the TLS private key.
Related operations
After you create a secret, you can perform the following operations on the Secrets page:
Click the name of the target secret to view its basic information and details.
Note: Click the icon to view the data in plaintext.
Click Edit in the Actions column of the target secret to modify its information.
Click Delete in the Actions column of a secret that you no longer need.
Important: Do not delete or modify secrets that are automatically created in system namespaces, such as kube-system. This helps ensure the stability and security of the cluster.
References
For more information about how to use secrets in an ACS cluster with volumes and environment variables, see Use secrets in pods.