K
Q

How can I mount a single distinct Secret into each Pod managed by a StatefulSet?

2/25/2019

I have 3 different Kubernetes Secrets and I want to mount each one into its own Pod managed by a StatefulSet with 3 replicas.

Is it possible to configure the StatefulSet such that each Secret is mounted into its own Pod?

-- dippynark
kubernetes
kubernetes-statefulset
statefulset

Similar Questions

Set c.cfg.Global.ElbSecurityGroup in Kubernetes
Kiali install error on kubernetes on aws [error: unable to recognize "STDIN": no matches for kind "ClusterRole" in version "v1"]
Volume is already exclusively attached to one node and can't be attached to another
Elixir - Using distributed Cachex with Kubernetes. How to set the :nodes config

1 Answer

2/26/2019

Not really. A StatefulSet (and any workload controller for that matter) allows only a single pod definition template (it could have multiple containers). The issue with this is that a StatefulSet is designed to have N replicas so can you have an N number of secrets. It would have to be a SecretStatefulSet: a different controller.

Some solutions:

  • You could define a single Kubernetes secret that contains all your required secrets for all of your pods. The downside is that you will have to share the secret between the pods. For example:

    apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  pod1: xxx
  pod2: xxx
  pod3: xxx
  ...
  podN: xxx

  • Use something like Hashicorp's Vault and store your secret remotely with keys such as pod1, pod2, pod3,...podN. You can also use an HSM. This seems to be the more solid solution IMO but it might take longer to implement.

In all cases, you will have to make sure that the number of secrets matches your number of pods in your StatefulSet.

-- Rico
Source: StackOverflow