Secrets as a Volume

Mount Secrets as read-only files inside Pods so apps can consume credentials more safely.

Secrets-as-files keep passwords, tokens, and keys out of images and out of plain configuration. The main goal is secure externalization of sensitive runtime data.

Core Concepts

Repository YAML Files:
  • k8s/labs/storage/secret-volume.yaml — Pod mounting a Secret as a read-only volume

Sensitive file projection

Each Secret key becomes a file in a mounted directory, making file-based credentials easy to consume.

Read-only mounts

Secret volumes are commonly mounted read-only so apps can read but not accidentally alter credential files.

Different from ConfigMaps

Secrets are for confidential values, while ConfigMaps are for ordinary non-sensitive configuration.

Secret Volume Flow

1. Create the Secret

Store sensitive values such as passwords, usernames, tokens, or certificates.

2. Mount it as a volume

The Pod references the Secret in the volumes section.

3. Read files in the container

Kubernetes projects each Secret key into the mount path as a file.

4. Operate with least exposure

Use RBAC, narrow mount paths, and read-only access to keep credential exposure controlled.

Key point: Secret volumes reduce accidental exposure in images and config files, but they still depend on strong cluster security and access control.

Representative YAML

Secret

apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  username: c3VwZXJ1c2Vy   # base64 of "superuser"; base64 is encoding, not encryption
  password: cGFzc3dvcmQ=   # base64 of "password"

Deployment with Secret Volume

apiVersion: apps/v1
kind: Deployment
metadata:
  name: secret-deployment
spec:
  selector:                 # apps/v1 requires a selector matching the template labels
    matchLabels:
      app: secret-demo      # label value is illustrative
  template:
    metadata:
      labels:
        app: secret-demo
    spec:
      containers:
      - name: secret-container
        image: nginx
        volumeMounts:
        - name: secret-volume
          mountPath: /etc/secrets   # each Secret key appears here as a file
          readOnly: true            # the app can read but not modify credential files
      volumes:
      - name: secret-volume
        secret:
          secretName: db-credentials
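The four-step flow above, carried through on the page's db-credentials Secret as an added example (not code from the original page): it builds the Secret manifest from plain values, simulates the kubelet projecting each data key into a read-only file under the mount path, and reads a credential back the way an app would. The 0444 file mode and the local directory standing in for /etc/secrets are assumptions of the simulation.

```shell
# Added example, not from the original page: build the db-credentials Secret
# manifest, simulate how the kubelet projects each data key into a read-only
# file under the mount path, then read it back as an app would. The 0444 mode
# and directory layout are assumptions; on a real cluster the kubelet does this.
set -eu

# Base64-encode a value without line wrapping, as Secret `data:` entries require.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Step 1: emit a Secret manifest; arguments after the name are key=value pairs.
# printf '%s' (not echo) keeps a stray trailing newline out of each credential.
make_secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64 "${kv#*=}")"
  done
}

# Steps 2-3 (simulated): decode every key under `data:` into a file named after
# the key inside the mount directory, then make it read-only.
project_secret() {
  manifest=$1; dir=$2
  mkdir -p "$dir"
  awk '/^data:/ {f=1; next} f && /^  [^ ]/ {sub(/:$/, "", $1); print $1, $2}' "$manifest" |
  while read -r key val; do
    printf '%s' "$val" | base64 -d > "$dir/$key"
    chmod 0444 "$dir/$key"
  done
}

# Step 4: consume one projected credential; fail loudly if the file is absent.
read_secret_file() {
  [ -f "$1/$2" ] || { echo "missing credential file: $1/$2" >&2; return 1; }
  cat "$1/$2"
}

# Permission string of a projected file, e.g. -r--r--r-- for a read-only mount.
file_mode() { ls -l "$1" | cut -c1-10; }

# Demo on constructed values (the same ones the page's manifest encodes).
demo() {
  work=$(mktemp -d)
  make_secret_manifest db-credentials username=superuser password=password > "$work/secret.yaml"
  project_secret "$work/secret.yaml" "$work/etc/secrets"
  printf 'username=%s mode=%s\n' "$(read_secret_file "$work/etc/secrets" username)" \
    "$(file_mode "$work/etc/secrets/username")"
}
demo
```

Against a real cluster, `kubectl apply -f` the generated manifest together with the Deployment above; the simulation only stands in for what the kubelet does at step 3.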

ConfigMap vs Secret Volumes

Topic         | ConfigMap Volume          | Secret Volume
Data type     | Non-sensitive config      | Sensitive credentials or keys
Main concern  | Configuration management  | Confidentiality and controlled exposure
Typical fit   | Settings and templates    | Passwords, certs, tokens

Design hint: If exposing the value in a plain config file would be risky, it likely belongs in a Secret.

How To Use It In Practice

Database credentials

Mount usernames and passwords into apps that expect file-based runtime configuration.

Certificate delivery

Provide TLS keys and certs to services or reverse proxies through mounted files.

Safer packaging

Keep sensitive values out of container images and out of environment-specific image builds.