SecretKeyRef

SecretKeyRef is a reference mechanism used in Kubernetes to obtain a value from a Secret for a container’s configuration, most commonly to populate environment variables. It points to a specific key within a Secret rather than the entire Secret, allowing for granular access control and flexible deployment.

In manifests, SecretKeyRef appears as part of an environment variable source (EnvVarSource) under secretKeyRef. The essential fields are name and key: name specifies the name of the Secret resource, and key selects the specific data item within that Secret. An optional field, optional, can be set to true to indicate that the key may be missing without causing the pod to fail; if the key is missing and optional is false, the pod will error at startup.

Usage examples include setting an environment variable from a Secret:

    env:
      - name: DB_PASSWORD
        valueFrom:
          secretKeyRef:
            name: db-secret
            key: password

SecretKeyRef can also be used in other contexts that consume a secret key, depending on the API version and tooling.

Operational considerations: Secrets in Kubernetes are stored as base64-encoded data and are subject to RBAC controls. Values loaded via SecretKeyRef are resolved at container startup; they do not automatically refresh in a running container when the underlying Secret changes. If dynamic updates are required, restarting the pod or redeploying the workload is usually necessary. Alternatives include envFrom to load all keys from a Secret or using mounted Secret volumes for broader refresh behavior.
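
The name, key and optional semantics described above can be checked before a workload is deployed. The following is an added example, not Kubernetes code or code from the original page: the function name resolve_secret_env and the sample pod and Secret objects (including API_TOKEN and tls-secret) are constructed for illustration, using the JSON form of the manifests.

```python
import base64

# Constructed sample objects (JSON form of the manifests), not from a real cluster.
SECRETS = {
    "db-secret": {"data": {"password": base64.b64encode(b"s3cr3t-example").decode()}},
}
POD = {
    "spec": {"containers": [{
        "name": "app",
        "env": [
            {"name": "DB_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "db-secret", "key": "password"}}},
            {"name": "API_TOKEN",  # key absent from db-secret, but marked optional
             "valueFrom": {"secretKeyRef": {"name": "db-secret", "key": "token",
                                            "optional": True}}},
            {"name": "TLS_KEY",  # Secret does not exist and optional defaults to false
             "valueFrom": {"secretKeyRef": {"name": "tls-secret", "key": "tls.key"}}},
        ],
    }]},
}


def resolve_secret_env(pod, secrets):
    """Return (resolved, errors) for every secretKeyRef in the pod's containers."""
    resolved, errors = {}, []
    for container in pod["spec"]["containers"]:
        for var in container.get("env", []):
            ref = (var.get("valueFrom") or {}).get("secretKeyRef")
            if ref is None:
                continue  # literal value or another source; nothing to resolve
            data = secrets.get(ref["name"], {}).get("data", {})
            if ref["key"] in data:
                # Secret data is base64-encoded; the container gets the decoded value.
                resolved[var["name"]] = base64.b64decode(data[ref["key"]]).decode()
            elif ref.get("optional", False):
                continue  # optional: true, so the variable is left unset
            else:
                errors.append(f'{container["name"]}: {var["name"]} needs '
                              f'{ref["name"]}/{ref["key"]}, which is missing')
    return resolved, errors


if __name__ == "__main__":
    env, problems = resolve_secret_env(POD, SECRETS)
    print("would be set:", sorted(env))  # names only; values are not printed
    for problem in problems:
        print("startup error:", problem)
```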