Secrets as files

Let's take a look at how to mount the same secrets as files. We will use the following pod definition to demonstrate how this can be done:

apiVersion: v1
kind: Pod
metadata:
  name: secret-using-volume
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secretvolume
      mountPath: "/etc/secrets"
      readOnly: true
  volumes:
  - name: secretvolume
    secret:
      secretName: myapi-url-token

The volumeMounts section mounts the volume called secretvolume at /etc/secrets and marks it readOnly, so the container cannot alter the projected files. The volumes section defines secretvolume as a secret volume backed by the Secret named myapi-url-token; each key in that Secret appears as a file of the same name under the mount path.

Note that this is more succinct than the env definition, as you don't have to name each secret key individually: every key in the Secret becomes a file under the mount path. The flip side is that the application needs code to open and read those files, and to re-read them when they change, since the kubelet refreshes a mounted secret volume after the Secret object is updated (mounts that use subPath are the exception and are never refreshed). This method is therefore best suited to loading whole configuration files, or credentials that a library already expects to find on disk.

Let's see whether the secrets made it through:

  1. Save the preceding file as pod-with-vol-secret.yaml. Then, create the pod using the following command:
kubectl create -f pod-with-vol-secret.yaml
  2. Open a shell in the running pod and echo the contents of the files in the mounted volume (each file holds just the value, without a trailing newline):
kubectl exec -it secret-using-volume -- bash
ls /etc/secrets/ | xargs -I {} cat /etc/secrets/{}
/x~Lhx Az!,;.Vk%[#n+";9p%jGF6[
https://my-secret-url-location.topsecret.com
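To make concrete what an application actually sees under /etc/secrets, here is an added shell example (not from the book) that rebuilds the layout the kubelet uses for a secret volume inside a temporary directory and reads it back. The layout itself (a ..data symlink to a timestamped directory, plus one stable symlink per key) is how the kubelet projects secret volumes; the timestamp directory names, the key names token and url, and their values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the book): emulate the on-disk layout of a Kubernetes
# secret volume in a temp directory and read it the way an application would.
# The kubelet projects a secret volume as:
#   <mountPath>/..<timestamp>/<key>      real files, one per secret key
#   <mountPath>/..data -> ..<timestamp>  symlink re-pointed on every update
#   <mountPath>/<key> -> ..data/<key>    one stable symlink per key
# Values are written without a trailing newline.

# make_secret_mount DIR KEY=VALUE... : build that layout under DIR from constructed values.
make_secret_mount() {
  dir=$1; shift
  ts="..2024_01_01_00_00_00.000000000"   # constructed timestamp directory name
  mkdir -p "$dir/$ts"
  for kv in "$@"; do
    key=${kv%%=*}; val=${kv#*=}
    printf '%s' "$val" > "$dir/$ts/$key"  # no trailing newline, like the kubelet
    ln -s "..data/$key" "$dir/$key"       # per-key symlink goes through ..data
  done
  ln -s "$ts" "$dir/..data"
}

# rotate_secret_mount DIR KEY=VALUE... : mimic a Secret update. Only ..data is
# re-pointed; the per-key symlinks never change, so a reader must re-read the
# file each time rather than cache the value it saw at start-up.
rotate_secret_mount() {
  dir=$1; shift
  ts="..2024_01_01_00_00_01.000000000"    # constructed, newer timestamp
  mkdir -p "$dir/$ts"
  cp "$dir/..data/"* "$dir/$ts/"          # keep keys that are not being changed
  for kv in "$@"; do
    key=${kv%%=*}; val=${kv#*=}
    printf '%s' "$val" > "$dir/$ts/$key"
  done
  ln -sfn "$ts" "$dir/..data"             # kubelet renames a temp symlink over ..data
}

# list_secret_keys DIR : the keys an app sees; the glob skips ..data and ..<timestamp>.
list_secret_keys() {
  for f in "$1"/*; do
    [ -f "$f" ] && basename "$f"
  done
  return 0
}

# read_secret DIR KEY : print the value of one key, failing loudly if it is absent.
read_secret() {
  f="$1/$2"
  [ -f "$f" ] || { echo "secret key '$2' not found under $1" >&2; return 1; }
  cat "$f"
}

# Demo with constructed values; the temp directory is removed when the script exits.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_secret_mount "$demo_dir" "token=s3cr3t-t0ken" "url=https://my-secret-url-location.topsecret.com"
list_secret_keys "$demo_dir"          # token, url
read_secret "$demo_dir" url; echo     # echo supplies the newline the file lacks
```

The same read_secret logic works unchanged inside the pod against /etc/secrets. The rotate_secret_mount function is there to show why an application should read the file whenever it needs the value rather than once at start-up: after an update the path /etc/secrets/token is the same, but the file behind ..data is new.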
RBAC is very important here, even though storing secrets as separate objects gives some isolation. Secrets live in etcd, and by default they are only base64-encoded there, not encrypted; if encryption at rest is enabled, they are encrypted with a key held in the API server's encryption configuration, so anyone with access to etcd (or to its backups) together with that key can read every secret in the cluster. Moreover, anyone with sufficient rights can read any secret in plain text, either by executing commands inside a pod that mounts it or by using the kubectl get -o yaml secrets/... method and base64-decoding the data field.
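As an added example of that second path (not from the book), here is a shell snippet that takes a Secret manifest in the form kubectl get -o yaml secrets/myapi-url-token would print and recovers the plaintext values. The manifest below is constructed to mimic that output; its data values are the base64 encoding of made-up strings, not real credentials. Anyone granted get on secrets in the namespace can do exactly this.

```shell
#!/bin/sh
# Added example (not from the book): decode the data map of a Secret manifest.
# The manifest is constructed to look like `kubectl get -o yaml secrets/myapi-url-token`
# output; the values are base64 of made-up strings, not real credentials.
SAMPLE_SECRET_YAML='apiVersion: v1
kind: Secret
metadata:
  name: myapi-url-token
  namespace: default
type: Opaque
data:
  token: czNjcjN0LXQwa2Vu
  url: aHR0cHM6Ly9leGFtcGxlLmludGVybmFs'

# decode_secret_data : read a Secret manifest on stdin, print key=plaintext per data entry.
# Only the flat "  key: value" lines under data: are handled, which is what kubectl prints.
decode_secret_data() {
  awk '
    /^data:/ { in_data = 1; next }            # start of the base64 map
    /^[^ ]/  { in_data = 0 }                  # any other top-level key ends it
    in_data && /^  [^ ]+: / {
      sub(/^  /, ""); sub(/: */, " "); print  # -> "key base64"
    }
  ' | while read -r key b64; do
    # base64 is an encoding, not encryption: no key is needed to reverse it
    printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
  done
}

# secret_value KEY : plaintext of one key from the sample manifest.
secret_value() {
  printf '%s\n' "$SAMPLE_SECRET_YAML" | decode_secret_data |
    awk -v k="$1" -F= '$1 == k { print substr($0, length(k) + 2) }'
}

# Demo: this is all a subject with get on secrets needs in order to read them.
printf '%s\n' "$SAMPLE_SECRET_YAML" | decode_secret_data
```

On a real cluster you would pipe kubectl get secret myapi-url-token -o yaml into decode_secret_data instead of the sample text. kubectl auth can-i get secrets --as <user> tells you which subjects are in that position, which is what the Role and RoleBinding objects granting access to secrets should be reviewed against.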