# Pods

- apply .yaml to pods <code>kubectl apply -f nginx.yaml</code>
- Acess the application locally <code>kubectl port-forward nginx 3001:80</code>

## Streaming logs
<code>kubectl logs</code>

![image.png](attachment:image.png)

## Executing commands in pods

- <code>kubectl exec nginx -- ls</code>
- <code>kubectl exec -it nginx -- bash</code> #run an interactive (-it) session in bash

## Killing pods
<code>kubectl delete pod nginx</code> **or** <code>kubectl delete -f nginx.yaml</code>

## Running an Apache container

In [None]:
#apache.yaml
apiVersion: v1
kind: Pod 
metadata:
    name: apache
spec:
    containers:
    - name: apache-container
      image: httpd

- <code>kubectl apply -f apache.yaml</code> *Apply the manifest
- <code>kubectl get pods</code>
- <code>kubectl port-forward apache 3000:80</code>Once the pod is in the running state, we’ll use <code>kubectl</code> port-forward to send requests from <code>localhost:3000</code> to the container’s port 80:
- <code>kubectl exec -it apache -- sh</code> change the contents of the <code>/usr/local/apache2/htdocs/index.html</code>
- <code>echo "Welcome to Apache!" > /usr/local/apache2/htdocs/index.html</code> Once inside the container, we can change the contents of this file to whatever string we want.

# Deployment
**As soon as the deployment notices our pod died, it starts a new one**

## Deployment Manifest

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: ecapi96/hellok8s:v1
        name: hellok8s-container

## Scaling Up/Down Our Application
**Updating our manifest file with our new desired number of replica and sending that to Kubernetes:**

- <code>kubectl apply -f scaleup.yaml</code> **Scale Up**
- <code>kubectl apply -f scaledown.yaml</code> **Scale Down**


- <code>kubectl get deployments</code>
- <code>kubectl get pods</code>

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 10
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: brianstorti/hellok8s:v1
        name: hellok8s-container

## Releasing new versions

**Update the version of our application and create an Image**
- <code>docker build . -t ecapi96/hellok8s:v2</code>
- <code>docker push ecapi96/hellok8s:v2</code>

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: ecapi/hellok8s:v2 #new image version
        name: hellok8s-container

**We can use the** <code>--watch</code> **flag to watch changes to a command output. For example,** <code>kubectl get pods --watch</code> **or** <code>watch kubectl get pods</code>

<code>kubectl apply -f deployment.yaml</code>

### Rolling Update
*A RollingUpdate, means we first create one pod with the new version. And after it’s running, we terminate one pod running the previous versions, and we keep doing that until all the pods running are using the desired version.*

![image.png](attachment:image.png)

### maxSurge and maxUnavailable
*Imagine you have 100 replicas running, and we wanted to roll out a new version in the same way. We’d have to add one new pod with the new version, wait until it’s ready, and then remove one pod with the old version. It would take forever!*

**There are two properties we can use to define how fast our rollout will happen:** <code>maxSurge</code> **and**<code>maxUnavailable</code>.

The <code>**maxSurge**</code> property will define how many pods we can have exceeding our desired replica count, which is specified in the deployment manifest. <code>**maxUnavailable**</code> defines how many pods we can have below this count. These properties can be defined as an absolute number (for example, 10) or as a percentage (for example, 20%). The default value for both is 25%. Here’s an example of how that would work, assuming a Deployment with 3 replicas and a <code>**maxSurge**</code> and <code>**maxUnavailable**</code> of 1.

![image.png](attachment:image.png)

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  strategy:
     rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  replicas: 3
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: ecapi96/hellok8s:v2
        name: hellok8s-container

### Recreate

*When we are using the <code>rollingUpdate</code> strategy (which is the default) we will have, for a period of time, both versions of our application (<code>v1</code> and <code>v2</code>) running in parallel. If we don’t want that to happen for any reason, we can configure the Deployments with a different strategy called <code>Recreate</code>:*

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s2
spec:
  strategy:
    type: Recreate
  replicas: 3
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: ecapi/hellok8s:v2
        name: hellok8s-container

**All our pods will be terminated, then pods using the new version will be created. Unfortunately, this creates a period of downtime while the new pods are being created:**

![image.png](attachment:image.png)

### Rollback

<code>kubectl rollout undo deployment hellok8s</code>

### Automatically blocking bad releases

**Kubernetes** lets us define a way to automatically probe a pod before it starts receiving requests

- <code>readinessProbe</code>
- <code>livenessProbe</code>

#### readinessProbe:

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: brianstorti/hellok8s:v2 # Still using v2
        name: hellok8s-container
        readinessProbe: # New readiness probe
          periodSeconds: 1
          successThreshold: 5
          httpGet:
            path: /
            port: 4567

**We are telling Kubernetes that it should consider this container ready to start receiving requests only after it has received five successful responses from a GET request to the / path on port 4567. And that it should send this request once every second.**

In [None]:
#Explanation
readinessProbe:
  periodSeconds: 1
  successThreshold: 5
  httpGet:
    path: /
    port: 4567

![image.png](attachment:image.png)

##### Debug
<code>kubectl describe</code>

<code>kubectl describe pod hellok8s-68f47f657c-zw</code>

#### livenessProbe
A livenessProbe is a way for us, as the application developers, to tell Kubernetes what is considered a healthy state and when our application should be considered “alive.”

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: ecapi96/hellok8s:v2
        name: hellok8s-container
        readinessProbe:
          periodSeconds: 1
          successThreshold: 5
          httpGet:
            path: /
            port: 4567
        livenessProbe:
          httpGet:
            path: /
            port: 4567

This will keep pinging the / path every few seconds to make sure the container is healthy. The period is 10 seconds by default, but this can also be changed with the periodSeconds attribute. If it starts receiving a 5xx status code from this endpoint, it will automatically restart the container.

In this case, we are just requesting the / path. But we could have, for example, a /health endpoint that performs various checks to make sure our application is in a healthy state and return an error code if it’s not, which would make Kubernetes automatically restart it.

**Having a health script:**

Kubernetes would then run this script every few seconds, just like it did for our http requests and consider the container healthy while the script returns a 0 (success) status code.

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: brianstorti/hellok8s:v2
        name: hellok8s-container
        readinessProbe:
          periodSeconds: 1
          successThreshold: 5
          httpGet:
            path: /
            port: 4567
        livenessProbe:
          exec:
            command:
              - check_health.sh

## Deployment Recap

- We can use two different strategies to roll out new versions of our applications: <code>Recreate</code> and code>RollingUpdate</code>


- <code>Recreate</code>strategy will guarantee that we don’t have different versions running at the same time and at the cost of requiring a short downtime.


- <code>RollingUpdate</code> is the default strategy and will gradually create pods that use the new version while terminating pods running the previous versions.


- We can use<code>maxSurge</code> and <code>maxUnavailable </code>to control the rollout rate


- A <code>readinessProbe</code> can be used to only allow traffic to be sent to a container after we determine it is ready.


- A <code>livenessProbe</code> can be used to automatically restart containers that don’t appear to be healthy anymore.

# Services

*A Service is another Kubernetes resource that lets us provide a stable endpoint for our pods. It’s something that sits in front of the pods and takes care of receiving requests and delivering them to all the pods that are behind it.*

![image.png](attachment:image.png)

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: ecapi96/hellok8s:v3
        name: hellok8s-container

<code>kubectl get service hellok8s-svc</code>

## Cluster IP

This is the simplest type of service. It’s also the default type, which means if we create a service without a type attribute Kubernetes will assume we mean ClusterIP.

In [None]:
apiVersion: v1
kind: Service
metadata:
  name: clusterip-svc
spec:
  type: ClusterIP # optional
  selector:
    app: nginx
  ports:
  - port: 80
    targetPort: 80

---

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  containers:
  - name: nginx-container
    image: nginx

**Notice that we are creating a Service and a Pod in the same file. Multiple resources can be grouped together in a single manifest, separated by a line with three dashes (-).**

## NodePort

![image.png](attachment:image.png)

*When we create a NodePort service exposing the port 30001, this port is open on both nodes and our external clients would be able to access either http://node1-ip:30001 or http://node2-ip:30001 the same way. When one of the nodes receives a request on this port, it will find our service that will then be able to decide which pod should receive the request (even if the pod is physically running in another node).*

## LoadBalancer

Load Balancer is an extension of a NodePort and ClusterIP. This means you have all the capabilities we discussed before, plus the automatic load balancer provisioning.

![image.png](attachment:image.png)

## ExternalName (db example)

This service type is a little bit different, as it is not used to provide a stable endpoint to an internal service but to an external one. For example, let’s say we have a database running at <code>my-db.company.com</code>. Instead of having this endpoint hardcoded or defined in a config somewhere, we could create a db service like the following:

In [None]:
apiVersion: v1
kind: Service
metadata:
  name: db
spec:
  type: ExternalName
  externalName: my-db.company.com

Then our pods can talk to this service without having to know the real address where our database is running. Now, the service is the only place we need to change if this database moves to a different location. Our pods are not affected.

![image.png](attachment:image.png)

## DNS

Kubernetes provides an out-of-the box, a DNS service to resolve service names. Here’s how it works: If you create a service called service-a, Kubernetes will add an entry for this service in its DNS, so any pod will be able to call, for example, http://service-a:4567. That will be correctly resolved to the service’s IP. Let’s see an example.

In [None]:
#service.yaml

apiVersion: v1
kind: Service
metadata:
  name: hellok8s-svc
spec:
  type: NodePort
  selector:
    app: hellok8s
  ports:
  - port: 4567
    nodePort: 30001

In [None]:
# Replace the pod name to what you have running locally
kubectl exec -it hellok8s-7f4c57d446-7j6rd -- sh

# Replace the service ip to what you have running locally
curl http://10.102.141.32:4567
# [v3] Hello, Kubernetes, from hellok8s-7f4c57d446-7j6rd!

curl http://hellok8s-svc:4567
# [v3] Hello, Kubernetes, from hellok8s-7f4c57d446-lh44f!

## Environment Variables

*Every container that Kubernetes creates will have environment variables that can be used to find every service that is currently running in the cluster*

**Filtering the HELLOK8S resource by it's name by using grep:**
- <code>env | grep HELLOK8S</code>

*So we could access our service with something like:*

<code>curl $HELLOK8S_SVC_SERVICE_HOST:$HELLOK8S_SVC_SERVICE_PORT</code>

# Ingress
**Ingress** is another Kubernetes resource we can use to expose http(s) routes to external users.

![image.png](attachment:image.png)

- Before we start if we have any deployments and services that are running, we need to delete those first just to make sure we are starting clean by using the following command.

    - <code>kubectl delete deployment,service --all</code>

-Then we will create a Service and a Deployment for our hellok8s applications:

In [None]:
apiVersion: v1
kind: Service
metadata:
  name: hellok8s-svc
spec:
  selector:
    app: hellok8s
  ports:
  - port: 4567
    targetPort: 4567

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: ecapi96/hellok8s:v3
        name: hellok8s-container

#The same thing for nginx
# nginx.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:
    app: nginx
  ports:
  - port: 1234
    targetPort: 80

--- #triple dash Multiple resources can be grouped together

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx
        name: nginx-container

## Ingress in action

In [None]:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-ingress
  annotations:
    # We are defining this annotation to prevent nginx
    # from redirecting requests to `https` for now
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-svc
                port:
                  number: 1234

*ingress.extensions/hello-ingress created*
<code>kubectl apply -f ingress.yaml</code>

<code>kubectl get ingress</code>

![image.png](attachment:image.png)

In [None]:
#add path /hello
kind: Ingress
metadata:
  name: hello-ingress
  annotations:
    # We are defining this annotation to prevent nginx
    # from redirecting requests to `https` for now
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-svc
                port:
                  number: 1234
          - path: /hello
            pathType: Prefix
            backend:
              service:
                name: hellok8s-svc
                port:
                  number: 4567

![image.png](attachment:image.png)

## Serving services in different hosts

In practice, though, we usually will want to serve our services in different hosts. For example, we could want to serve nginx in http://nginx.example.com and hellok8s in http://hello.example.com.

In [None]:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-ingress
  annotations:
    # We are defining this annotation to prevent nginx
    # from redirecting requests to `https` for now
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
    - host: nginx.local.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-svc
                port:
                  number: 1234

    - host: hello.local.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: hellok8s-svc
                port:
                  number: 4567

![image.png](attachment:image.png)

In [None]:
# Applying the ingress Controller

kubectl apply -f \
https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/\
deploy/static/provider/cloud/deploy.yaml

kubectl apply -f hellok8s.yaml
# service/hellok8s-svc created
# deployment.apps/hellok8s created

kubectl apply -f nginx.yaml
# service/nginx-svc created
# deployment.apps/nginx created

kubectl apply -f ingress.yaml
# ingress.extensions/hello-ingress configured

# Please enter the following command if you get an error while applying the ingress 
# and then reapply the ingress using the above command
# If not, you can skip this command and move ahead
kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission

kubectl get ingress
# NAME           HOSTS             ADDRESS   PORTS
# hello-ingress  nginx.local.com   localhost 80
#                hello.local.com

## Ingress vs. LoadBalancer

An Ingress is not a service type. It will act just as a smart router sending traffic to services based on the rules we define, while a LoadBalancer will actually provision an entirely new load balancer for each service we have.

![image.png](attachment:image.png)

In some cases, we can, but there are a few advantages in using an Ingress.

For each **LoadBalancer** service we have, a new load balancer needs to be created. If we have 50 services running in our cluster, that means we will need 50 load balancers, which can get quite expensive. An Ingress allows us to achieve the same thing with a single load balancer!

Another thing that’s very useful with ingresses is that we can set up our rules in a way that requests to different paths are sent to different services. For example, if our users access **example.com/foo**, we may want to send these requests to the foo service and requests to example.com/bar should go to the bar service. This is trivial to implement with an **Ingress**, but it would be a lot harder if **foo** and **bar** each had their own load balancer.

Personally, a **LoadBalancer**is the easiest way to expose our services, while an Ingress is the most powerful.

## Recap

- <code>Ingress</code> is a Kubernetes resource used to expose HTTP routes to external clients.


- In order to use this resource, we first need to have an <code>Ingress Controller</code> running in our cluster. There are several open source controllers available, and we used the <code>nginx ingress controller</code> for our examples.


- With an <code>Ingress</code>, we can define different rules that will route requests to the service we choose when matched.


- These rules can be based on the <code>path</code> received, the <code>host</code> of the requests, or even both.


- In some cases an <code>Ingress</code> can do the same job that would require several <code>LoadBalancer</code> services to do.

# ConfigMaps

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: brianstorti/hellok8s:v4
        name: hellok8s-container
        env:
          - name: MESSAGE
            valueFrom: #configMa
              configMapKeyRef:
                name: hellok8s-config
                key: MESSAGE

Here, we are saying that this container should be created with the environment variable MESSAGE, and that the value for this variable should come from the key MESSAGE defined in a ConfigMap called hellok8s-config

In [None]:
kubectl apply -f hellok8s-config.yaml

kubectl apply -f hellok8s.yaml

kubectl apply -f service.yaml

curl localhost:30001
# [v4] It works with a ConfigMap! (from hellok8s-54d5fb5765-nl62z)

## Getting all the variables from a ConfigMap

In [None]:
#variables
env:
  - name: VAR1
    valueFrom:
      configMapKeyRef:
        name: hellok8s-config
        key: VAR1

  - name: VAR2
    valueFrom:
      configMapKeyRef:
        name: hellok8s-config
        key: VAR2

  - name: VAR3
    valueFrom:
      configMapKeyRef:
        name: hellok8s-config
        key: VAR3
# ...

**get all the variables from a ConfigMap and inject them into the container at once**

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: brianstorti/hellok8s:v4
        name: hellok8s-container
        envFrom:
          - configMapRef:
              name: hellok8s-config

In [None]:
kubectl apply -f hellok8s-updated.yaml

curl localhost:30001
# [v4] It works with a ConfigMap! (from hellok8s-54d5fb5765-nl62z)

## Exposing ConfigMap as files

Instead of injecting a ConfigMap as environment variables as we have done so far, we can also expose it as files that are mounted into the container.

**We first create a volume called config, using our ConfigMap as the source. Then we mount this volume at the /config path in the container.**

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      volumes: #create a configmap
       - name: config
         configMap:
           name: hellok8s-config
      containers:
      - image: brianstorti/hellok8s:v4
        name: hellok8s-container
        volumeMounts: #on a /config directory inside the container
        - name: config
          mountPath: /config

In [None]:
#apply it
kubectl apply -f hellok8s.yaml
kubectl apply -f hellok8s-config.yaml

kubectl get pods
# NAME                       READY   STATUS
# hellok8s-8c56675c9-7gxpv   1/1     Running
# hellok8s-8c56675c9-bfk8t   1/1     Running

# Replace the pod name to what you have running locally
kubectl exec -it hellok8s-8c56675c9-7gxpv -- sh
cat /config/MESSAGE
# It works with a ConfigMap!

## Recap


- <code>ConfigMaps</code> can be used to extract applications configuration so they don’t need to be baked into the docker image.


- We can inject environment variables one-by-one or use <code>envFrom</code> to get all the variables from a .<code>ConfigMap</code>


- We can also use the <code>prefix</code> property to avoid conflicting variable names for clarity.


- <code>ConfigMaps</code> can also be mounted as files in the container, and that can be useful when we are storing things like config files in a <code>ConfigMap</code> instead of only simple strings.

# Secrets
The way a Secret is used is pretty similar to a **ConfigMap**, but there are some key differences in how they work under the hood:

- Secrets are only distributed to the nodes that are running a pod that needs them.
- They are never written to physical storage.
- In the master node, they are stored encrypted.
- When we read a Secret, we will get the data base64 encoded. This is mostly so we can store binary values in a secret, not much of a security feature as base64 is easily decoded.

In [None]:
# hellok8s-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: hellok8s-secret
data:
  SECRET_MESSAGE: "SXQgd29ya3Mgd2l0aCBhIFNlY3JldAo="

## Injecting secrets as environment variables


In [None]:
#deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: ecapi96/hellok8s:v4
        name: hellok8s-container
        env:
          - name: MESSAGE
            valueFrom:
              secretKeyRef: #only difference between configMapKeyRef
                name: hellok8s-secret
                key: SECRET_MESSAGE

In [None]:
#hellok8s-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: hellok8s-secret
data:
  SECRET_MESSAGE: "SXQgd29ya3Mgd2l0aCBhIFNlY3JldAo="

In [None]:
#hellok8s-secret
apiVersion: v1
kind: Secret
metadata:
  name: hellok8s-secret
stringData:
  SECRET_MESSAGE: "It works with a Secret"

In [None]:
kubectl apply -f hellok8s-secret.yaml
kubectl apply -f deployment.yaml

kubectl get pods
# NAME                        READY   STATUS
# hellok8s-6d7579848d-f56wb   1/1     Running
# hellok8s-6d7579848d-kzq57   1/1     Running

# Replace the pod name to what you have running locally
kubectl exec -it hellok8s-6d7579848d-kzq57 --  env | grep MESSAGE
# MESSAGE=It works with a Secret

### Injecting values from a secret
Alternatively, we can also inject all the values from a **Secret**, as we did with a **ConfigMap**:

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      containers:
      - image: brianstorti/hellok8s:v4
        name: hellok8s-container
        envFrom: #as ConfigMap
         - secretRef:
             name: hellok8s-secret

## Mounting secrets as Files
Just like we did with **ConfigMaps**, we can also mount Secrets as files in our containers:

In [None]:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hellok8s
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hellok8s
  template:
    metadata:
      labels:
        app: hellok8s
    spec:
      volumes:
        - name: secrets
          secret:
            secretName: hellok8s-secret
      containers:
      - image: brianstorti/hellok8s:v4
        name: hellok8s-container
        volumeMounts:
          - name: secrets
            mountPath: /secrets

In [None]:
kubectl apply -f deployment.yaml
kubectl apply -f hellok8s-secret.yaml

kubectl get pods
# NAME                        READY   STATUS    RESTARTS
# hellok8s-6696859cbd-72g9b   1/1     Running   0       
# hellok8s-6696859cbd-hbczd   1/1     Running   0       

# Replace the pod anme to what you have running locally
kubectl exec -it hellok8s-6696859cbd-72g9b -- \
cat /secrets/SECRET_MESSAGE
# It works with a Secret

### Environment variables or volume mounts?
It’s up to you to decide if you want to inject your secrets as environment variables or mount a volume, but keep in mind that putting sensitive data in environment variables may have unintended consequences. It’s not uncommon for applications to dump all the environment variables when they crash, outputting everything for error reporting, which could expose some sensitive information. For example, we could be shipping our logs to a third party provider that would gladly receive our database credentials. Environment variables are also inherited by child processes that our container can create. So depending on what we are running, we may not want that to happen.

## Recap

- <code>Secrets</code> are very similar to <code>ConfigMaps</code> in the way they are used, but there are some key differences in how they work to provide more security.


- A <code>Secret</code> will never be written to physical storage, they are stored encrypted in the master node, and they are only distributed to the nodes that are running pods that need them.


- <code>Secrets</code>, like <code>ConfigMaps</code>, can be injected into containers as environment variables or mounted as a volume.


- Keeping sensitive data in environment variables can have unintended consequences, so we should think twice before doing that.

# Running Jobs