Kubernetes Secrets Volumes vs Environment Variables


https://www.oreilly.com/library/view/velocity-conference-2017/9781491985335/video316233.html

Kubernetes secrets exposed by environment variables may be able to be enumerated on the host via /proc/. If this is the case, it's probably safer to load them via volume mounts.
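To make the difference in exposure concrete, here is an added Python example (not from the talk or the answer above) that spawns a child process in two ways: once after exporting a secret as an environment variable, and once after reading the same secret from a file that stands in for a Secret volume mount. The child program, the secret value and the temporary directory used as the mount are all constructed for this demo.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed child program: reports whether the secret is present in its own environment.
CHILD = "import os; print('DB_PASSWORD' in os.environ)"


def child_sees_env_secret(secret: str) -> bool:
    """Export the secret as an env var, then spawn a child.

    The child inherits the whole environment, so the secret travels with
    every subprocess the app starts (and sits in each one's
    /proc/<pid>/environ for as long as that process runs).
    """
    env = dict(os.environ, DB_PASSWORD=secret)  # the parent's own environ is left untouched
    out = subprocess.run(
        [sys.executable, "-c", CHILD],
        env=env, capture_output=True, text=True, check=True,
    )
    return out.stdout.strip() == "True"


def child_sees_file_secret(secret: str) -> bool:
    """Same child, but the secret is read from a file standing in for a
    Secret volume mount such as /etc/secret/db-password (assumed path).

    The app reads the value into memory; nothing is placed in the
    environment, so the child inherits no copy of it. It would have to be
    handed the path and hold file permission to read it.
    """
    with tempfile.TemporaryDirectory() as mount:  # constructed stand-in for the mount
        path = Path(mount) / "db-password"
        path.write_text(secret)
        path.chmod(0o400)                         # like defaultMode: 0400 on the volume
        _in_memory = path.read_text()             # the app uses the secret here
        out = subprocess.run(
            [sys.executable, "-c", CHILD],
            capture_output=True, text=True, check=True,  # env=None: inherit the parent's environ
        )
    return out.stdout.strip() == "True"


if __name__ == "__main__":
    print("env var secret visible to child:", child_sees_env_secret("s3cr3t"))
    print("file secret visible to child:   ", child_sees_file_secret("s3cr3t"))
```

The point is not that a file can never be read by another process, but that the environment is copied into every descendant process by default, while a mounted file is only reachable through its path and the mode set on the volume.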


I agree with TMC's answer, but wanted to add a note for those that are thinking, "But what about 12-factor??". Objections are sometimes raised against using volume-mounted secrets because 12F seemingly requires configs be stored as ENV vars. First, these are suggested, voluntary, your-mileage-may-vary best-practices suggestions. Second, there is this section:

In a twelve-factor app, env vars are granular controls, each fully orthogonal to other env vars. They are never grouped together as “environments”, but instead are independently managed for each deploy. This is a model that scales up smoothly as the app naturally expands into more deploys over its lifetime.

source: https://12factor.net/config

Basically, coupled with the rest of the description I understand the guiding principles of 12F Config management to be:

  • Keep config out of source
  • Be able to inject config into source artifact (e.g. a docker container)
  • Be able to make granular changes to the set of required configuration values

In my humble opinion, volume mounted Kubernetes Secrets can accomplish these goals depending on what sort of Secret objects you create and how you manage them.


Mounted Secrets are updated automatically

  • When a secret already being consumed in a volume is updated, projected keys are eventually updated as well. Kubelet is checking whether the mounted secret is fresh on every periodic sync. However, it is using its local cache for getting the current value of the Secret.

  • In a multi-container pod, each container inside a pod has to request the secret volume in its volumeMounts for it to be visible within the container. This can be used to construct useful security partitions at the pod level.

With the above findings from the official docs, secrets by volume mount look like a better option.
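The two answers above make related points: a mounted Secret projects each key as its own file (so values stay as granular as 12F's one-env-var-per-setting model), and the kubelet refreshes those files after the Secret changes. The added Python example below (not code from the page or from any of the posters) is a small config reader that treats a Secret mount directory that way and re-opens the file on every access so a rotation is picked up. The mount path, the `APP_` env-var fallback prefix and the sample values are assumptions for the demo. Two caveats a practitioner should keep in mind: the kubelet swaps the projected directory atomically (via its `..data` symlink) rather than rewriting files in place, so a file handle kept open from startup keeps returning the old value; and keys mounted individually via `subPath` do not receive updates at all.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional


class SecretDirConfig:
    """Granular config backed by a Secret volume mount.

    Kubernetes projects each key of the Secret as one file named after the
    key, so every value is an independent unit, much like one env var per
    setting. Names starting with '..' are the kubelet's own bookkeeping
    entries (the '..data' symlink and timestamped directories), not keys.
    """

    def __init__(self, mount_dir: str, env_prefix: Optional[str] = None) -> None:
        self.mount_dir = Path(mount_dir)
        self.env_prefix = env_prefix  # optional fallback, e.g. "APP_" -> APP_DB_PASSWORD (assumed)

    def keys(self) -> List[str]:
        """List the projected keys, skipping the kubelet's bookkeeping entries."""
        if not self.mount_dir.is_dir():
            return []
        return sorted(p.name for p in self.mount_dir.iterdir()
                      if p.is_file() and not p.name.startswith("."))

    def get(self, key: str) -> Optional[str]:
        """Re-open the file on every call.

        A rotated Secret shows up once the kubelet has refreshed the mount.
        Because the refresh is an atomic directory swap, holding a file
        handle open from startup would pin the old content; re-opening the
        path is what makes the rotation visible.
        """
        path = self.mount_dir / key
        if path.is_file():
            return path.read_text().rstrip("\n")
        if self.env_prefix is not None:
            return os.environ.get(self.env_prefix + key.upper().replace("-", "_"))
        return None


def demo_rotation() -> tuple:
    """Simulate a key being rotated under a constructed mount directory and
    return (value_before, value_after, keys)."""
    with tempfile.TemporaryDirectory() as mount:  # constructed stand-in for /etc/secret
        secret_file = Path(mount, "db-password")
        secret_file.write_text("hunter2\n")       # constructed sample value
        Path(mount, "..data").mkdir()             # kubelet bookkeeping entry, not a key
        cfg = SecretDirConfig(mount, env_prefix="APP_")
        before = cfg.get("db-password")
        secret_file.write_text("rotated-value")   # operator updates the Secret; kubelet refreshes
        after = cfg.get("db-password")
        return before, after, cfg.keys()


if __name__ == "__main__":
    print(demo_rotation())
```

Because each key is read independently, adding or rotating one value never requires touching the others, which is the granularity the 12F text asks for; the env-var fallback keeps the same key names usable in environments where a volume mount is not available.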