secret volume sources are validated to ensure that the specified object
reference points to a secret
object. Therefore, a secret needs to be created
before the pods that depend on it.
secret API objects reside in a namespace. They can only be referenced by pods in
that same namespace.
Individual secrets are limited to 1MB in size. This is to discourage the
creation of large secrets that would exhaust apiserver and kubelet memory.
However, creation of a number of smaller secrets could also exhaust memory.
Currently, when mounting a secret, the service account for a pod must have the secret in the list
of mountable secrets. If a template contains a secret definition and pods that consume it, the
pods will be rejected until the service account is updated.
secret Data Keys
secret keys must be in a DNS subdomain.