DEV Community

Latchu@DevOps

Scenario #7: Inject sensitive values using Secrets into Pods in Kubernetes

You will learn:

✔ Create a Secret (base64-encoded data)
✔ Mount Secret as environment variables
✔ Mount Secret as files in a volume
✔ Verify inside the Pod
✔ Understand automatic masking


🟩 Step 1 — Create a Kubernetes Secret

You can create a Secret from CLI or YAML.
We’ll use YAML because it is production-friendly.

First encode values in base64:

echo -n "admin" | base64

→ YWRtaW4=

echo -n "SuperSecretPassword123" | base64

→ U3VwZXJTZWNyZXRQYXNzd29yZDEyMw==



🟩 Step 2 — Create secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: demo-secret
type: Opaque
data:
  username: YWRtaW4=
  password: U3VwZXJTZWNyZXRQYXNzd29yZDEyMw==

Apply it:

kubectl apply -f secret.yaml

Verify:

kubectl get secret demo-secret -o yaml

You will see base64 strings; this is normal. Base64 is an encoding, not encryption, so anyone who can read this output can decode the values.
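
An added example, not part of the original post: it decodes the data entries of a Secret manifest to show that reading secret.yaml or the kubectl get secret output is enough to recover the values, and flags manifests that carry such inline data. The manifest is a constructed copy of the one in Step 2; sample_manifest, decode_secret_data and has_inline_secret_data are hypothetical helper names.

```sh
#!/bin/sh
# Added example (not from the original post). Constructed manifest that
# mirrors secret.yaml from Step 2.
sample_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: demo-secret
type: Opaque
data:
  username: YWRtaW4=
  password: U3VwZXJTZWNyZXRQYXNzd29yZDEyMw==
EOF
}

# Read a manifest on stdin and print "key=plaintext" for each entry of the
# top-level data: map. Assumes one unquoted "key: value" pair per line.
decode_secret_data() {
  awk '
    /^data:[ \t]*$/ { in_data = 1; next }   # entering the data map
    /^[^ \t#]/      { in_data = 0 }         # any other top-level key ends it
    in_data && /^[ \t]+[^ \t#]/ {
      sub(/^[ \t]+/, "")
      split($0, kv, /:[ \t]*/)
      print kv[1], kv[2]
    }
  ' | while read -r key value; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$value" | base64 -d)"
  done
}

# Exit 0 when the manifest on stdin is a Secret that carries inline data,
# so a review or pre-commit step can flag the file.
has_inline_secret_data() {
  manifest=$(cat)
  printf '%s\n' "$manifest" | grep -q '^kind:[ ]*Secret[ ]*$' &&
    [ -n "$(printf '%s\n' "$manifest" | decode_secret_data)" ]
}

sample_manifest | decode_secret_data
```

No key or credential is needed for the decode step, which is why read access to Secret objects and to files like secret.yaml should be limited to the people and workloads that need the values.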



🟩 Step 3 — Create a Pod That Uses the Secret as Environment Variables

Create pod-secret-env.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: secret-env-demo
spec:
  containers:
    - name: demo-container
      image: busybox
      command: ["sh", "-c", "sleep 3600"]
      env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: demo-secret
              key: username

        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: demo-secret
              key: password

Apply:

kubectl apply -f pod-secret-env.yaml

Wait for the Pod:

kubectl wait --for=condition=Ready pod/secret-env-demo --timeout=60s


🟩 Step 4 — Verify Secret Environment Variables Inside the Pod

Exec into container:

kubectl exec -it secret-env-demo -- sh

Inside:

echo $DB_USERNAME
echo $DB_PASSWORD

Output:

admin
SuperSecretPassword123

Kubernetes decodes base64 automatically.

Exit:

exit


🟩 Step 5 — Mount Secret as Files (Recommended for apps like MySQL, Nginx, Spring Boot)

Create pod-secret-volume.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: secret-volume-demo
spec:
  containers:
    - name: demo-container
      image: busybox
      command: ["sh", "-c", "sleep 3600"]
      volumeMounts:
        - name: secret-volume
          mountPath: "/etc/secret-data"
          readOnly: true
  volumes:
    - name: secret-volume
      secret:
        secretName: demo-secret

Apply:

kubectl apply -f pod-secret-volume.yaml

Wait:

kubectl wait --for=condition=Ready pod/secret-volume-demo --timeout=60s


🟩 Step 6 — Verify Mounted Secret Files

kubectl exec -it secret-volume-demo -- sh

List the directory:

ls -l /etc/secret-data

Expected:

-rw-r--r-- 1 root root 5 username
-rw-r--r-- 1 root root 22 password

Read values:

cat /etc/secret-data/username
cat /etc/secret-data/password

Secrets are auto-decoded when mounted.

Exit:

exit


🔐 Automatic Masking

Try:

kubectl describe pod secret-env-demo

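You will NOT see the actual secret values.
For each variable, kubectl describe shows only a reference to the Secret and the key it is read from, not the decoded value.
The values are still readable inside the container (Step 4) and through kubectl get secret (Step 2), so this protects the describe output only.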


🌟 Thanks for reading! If this post added value, a like ❤️, follow, or share would encourage me to keep creating more content.


— Latchu | Senior DevOps & Cloud Engineer

☁️ AWS | GCP | ☸️ Kubernetes | 🔐 Security | ⚡ Automation
📌 Sharing hands-on guides, best practices & real-world cloud solutions
