Manage Secrets

Create and manage Kubernetes Secrets to store sensitive data such as passwords and TLS certificates separately from pod configuration.

Secret types

By default, only Opaque Secrets can be created in the ACK console. The console supports these types:

Type                            | Use case
Opaque                          | Store arbitrary sensitive data, such as passwords and certificates. Values are Base64-encoded.
Private Repository Logon Secret | Store private Docker registry credentials.
TLS certificate                 | Store a TLS certificate and its private key.

Kubernetes also supports a service account type, automatically created and mounted to /run/secrets/kubernetes.io/serviceaccount in each pod. Service accounts provide pod identity for API server interaction and are not manually created in the console.

How pods use Secrets

Pods in the same namespace can consume a Secret in two ways:

  • As a volume mount — mounted as files inside the container.

  • As environment variables — Secret values are injected into the container environment.

Update the pod spec to configure Secret consumption. See the Kubernetes documentation on Secrets.
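
The two consumption methods above in one pod spec, as an added example that is not part of the ACK documentation. The names db-credentials, demo, secret-consumer, DB_PASSWORD, the mount path and the image are hypothetical, and the Base64 value is constructed.

```yaml
# Added example; all names and values are hypothetical or constructed.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: demo
type: Opaque
data:
  # Base64 of the constructed value "example-password" (encoded, not encrypted)
  password: ZXhhbXBsZS1wYXNzd29yZA==
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-consumer
  namespace: demo            # must be the same namespace as the Secret
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      env:
        # Environment variable: read once when the container starts
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password
      volumeMounts:
        # Volume mount: each key becomes a file, here /etc/db-credentials/password
        - name: db-credentials
          mountPath: /etc/db-credentials
          readOnly: true
  volumes:
    - name: db-credentials
      secret:
        secretName: db-credentials
        defaultMode: 0400    # files readable by the owner only
```

A real workload would normally pick one of the two methods; the volume form keeps the value out of the process environment.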

Prerequisites

Create a Secret

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the target cluster name. In the left navigation pane, choose Configurations > Secrets.

  3. On the Secrets page, select a Namespace, then click Create.

  4. In the panel, configure the Secret:

    Parameter | Description
    Name      | The Secret name. 1–253 characters; only lowercase letters, digits, hyphens (-), and periods (.).
    Type      | The Secret type: Opaque, Private Repository Logon Secret, or TLS certificate.

    Additional fields vary by type:

    Opaque

    Parameter                       | Description
    Encode Data Values Using Base64 | (Optional) Select to enter plaintext values. The console auto-encodes them in Base64.
    Name / Value                    | Click + Add to create key-value pairs. Enter the key in Name and the value in Value.

    Base64 is encoding, not encryption. Anyone with Secret access can decode the values. Apply RBAC policies to control Secret access per namespace.

    Private Repository Logon Secret

    Parameter           | Description
    Docker Registry URL | The Docker registry address.
    Username            | The Docker registry username.
    Password            | The Docker registry password.

    TLS certificate

    Parameter | Description
    Cert      | The TLS certificate.
    Key       | The TLS private key.

Manage existing secrets

On the Secrets page, you can:

  • View details — Click a Secret name to view its information and data fields. Click the icon to show plaintext values.

  • Edit — In the Actions column, click Edit.

  • Delete — In the Actions column, click Delete.

Important

Do not delete Secrets auto-generated during cluster creation.

Next steps