How can I mount a single distinct Secret into each Pod managed by a StatefulSet?

2/25/2019

I have 3 different Kubernetes Secrets and I want to mount each one into its own Pod managed by a StatefulSet with 3 replicas.

Is it possible to configure the StatefulSet such that each Secret is mounted into its own Pod?

-- dippynark
kubernetes
kubernetes-statefulset
statefulset

1 Answer

2/26/2019

Not really. A StatefulSet (and any workload controller, for that matter) allows only a single pod definition template (it could have multiple containers). The issue with this is that a StatefulSet is designed to have N replicas, so can you have N secrets? It would have to be a SecretStatefulSet: a different controller.

Some solutions:

  • You could define a single Kubernetes secret that contains all your required secrets for all of your pods. The downside is that you will have to share the secret between the pods. For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: mysecret
    type: Opaque
    data:
      pod1: xxx
      pod2: xxx
      pod3: xxx
      ...
      podN: xxx
    
  • Use something like HashiCorp's Vault and store your secret remotely with keys such as pod1, pod2, pod3, ... podN. You can also use an HSM. This seems to be the more solid solution IMO, but it might take longer to implement.

In all cases, you will have to make sure that the number of secrets matches your number of pods in your StatefulSet.

-- Rico
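The following manifests work out the first solution above in full. They are an added example and not part of the answer: one Secret whose keys are named after the pods the StatefulSet will create, and a pod template that uses the downward API plus `subPathExpr` so that each container sees only the key matching its own pod name. The names (`per-pod-secrets`, `web`, keys `web-0`..`web-2`) and the secret values are assumptions made for the example.

```yaml
# Added example, not code from the original answer.
# Assumed names: Secret "per-pod-secrets", headless Service and StatefulSet "web".
# Keys are named after the pods the StatefulSet creates (web-0, web-1, web-2);
# the values are constructed placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: per-pod-secrets
type: Opaque
stringData:                 # plain text here; the API server stores it base64-encoded under .data
  web-0: "token-for-web-0"
  web-1: "token-for-web-1"
  web-2: "token-for-web-2"
---
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  clusterIP: None           # headless Service required by the StatefulSet
  selector:
    app: web
  ports:
    - port: 80
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  serviceName: web
  replicas: 3               # keep in step with the number of keys in the Secret
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      automountServiceAccountToken: false   # the pod has no reason to read Secrets via the API
      containers:
        - name: app
          image: busybox:1.36
          command: ["sh", "-c", "cat /etc/app/secret; sleep 3600"]
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name  # resolves to web-0, web-1 or web-2
          volumeMounts:
            - name: per-pod
              mountPath: /etc/app/secret    # a single file, not a directory
              subPathExpr: $(POD_NAME)      # mount only the key named after this pod
              readOnly: true
      volumes:
        - name: per-pod
          secret:
            secretName: per-pod-secrets
```

Two caveats a practitioner should keep in mind. First, files mounted via `subPath`/`subPathExpr` do not receive updates when the Secret changes; pods have to be restarted to pick up rotated values. Second, this narrows what the container sees, but it is not a security boundary between the pods: all three pods reference the same Secret object, the kubelet fetches the whole Secret to each node, and anyone who can edit the StatefulSet spec can mount any key into any pod. If the secrets must be isolated from one another at the RBAC level, the answer's second option (fetching per-pod material from an external store such as Vault) is the right direction.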
Source: StackOverflow