Secret mounting methods¶
Secret mounting methods refer to the techniques used to pass sensitive data stored in Kubernetes Secrets to running containers. While Secrets are used to store sensitive information like passwords or API keys, they must be mounted into a Pod to be usable by the application^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]. Kubernetes provides several mechanisms to inject these Secrets, ensuring that the data is available to the application processes either as files in the filesystem or as environment variables^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].
Volume Mounting¶
The most common method for accessing Secret data is mounting it as a volume at a specific path within the container's filesystem^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].
To implement this, the Pod definition must include a volumes section referencing the Secret by name, and a volumeMounts section in the container specification defining the mountPath^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].
When a Secret is mounted as a volume, Kubernetes automatically creates files based on the keys defined in the Secret^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]. It handles the decoding of the data, presenting the decoded values as file content^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].
Example:
In a scenario where a Secret containing keys username and password is mounted to /etc/secret-volume:
* The container will see two files inside that directory: username and password^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].
* Running cat /etc/secret-volume/username inside the container prints the decoded plaintext value^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].
Environment Variables¶
Secrets can also be injected into a container as environment variables^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]. This method allows the application to consume configuration and sensitive data directly from the process environment, rather than reading from a file.
Image Pull Secrets¶
A specific mounting method exists for container images stored in private registries^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].
By creating a Secret of the docker-registry type and adding it to the Pod definition, Kubernetes can automatically handle authentication with the private registry^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]. This functions as a stored docker login mechanism, removing the need to manually log in to pull images^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md].
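The three methods above (volume mount, environment variable, image pull Secret) combined in one manifest, as an added example that is not from the cited readme; the Secret names, sample values, registry host and image are assumptions:

```yaml
# Added example (not from the cited readme). Names, values, registry and image are assumed.
apiVersion: v1
kind: Secret
metadata:
  name: app-credentials
type: Opaque
stringData:                 # plain text here; the API server stores it base64-encoded
  username: demo-user       # constructed sample value
  password: demo-pass       # constructed sample value
---
apiVersion: v1
kind: Secret
metadata:
  name: registry-credentials
type: kubernetes.io/dockerconfigjson   # what "kubectl create secret docker-registry" produces
stringData:
  # placeholder: replace with the real auth entry for your registry
  .dockerconfigjson: '{"auths":{"registry.example.internal":{"auth":"<base64 user:password>"}}}'
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  imagePullSecrets:                    # stored "docker login" used by the kubelet when pulling
    - name: registry-credentials
  containers:
    - name: app
      image: registry.example.internal/team/app:1.0   # assumed private image
      env:
        - name: DB_USERNAME            # one key injected as an environment variable
          valueFrom:
            secretKeyRef:
              name: app-credentials
              key: username
      # note: environment variables are inherited by child processes and can end up in
      # logs or crash dumps, so the file mount below is usually the safer choice
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/secret-volume   # container sees files: username, password
          readOnly: true                  # explicit; Secret volumes are read-only anyway
  volumes:
    - name: secret-volume
      secret:
        secretName: app-credentials
        defaultMode: 0400                # owner-read-only files (added hardening choice)
```

Apply with kubectl apply -f and check the mounted files with kubectl exec secret-demo -- cat /etc/secret-volume/username.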
Related Concepts¶
- Kubernetes
- [[Kubernetes Volumes]]
- ConfigMap
Sources¶
^[400-devops-06-kubernetes-k8s-ithelp-day19-readme.md]