July 2019
Intermediate to advanced
502 pages
14h
English
There are many ways to pass secrets to containers, such as the following:
The most secure way is to mount your secrets as files. When you bake your secret into the image, anyone with access to the image can retrieve it. When you pass your secrets as environment variables, they can be viewed via docker inspect and kubectl describe pod, and they are inherited by child processes if you don't clean up the environment. In addition, it is common to log the entire environment when reporting an error, so keeping secrets out of those logs takes discipline from all your developers to sanitize and redact them. Mounted files don't suffer ...
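The two environment-variable exposures described above (inheritance by child processes and whole-environment error logging), shown beside a read from a secret file, as an added example that is not taken from the book. The variable name DB_PASSWORD, the name markers, the file name db-password and the owner-only mode check are assumptions of this example, and all values are constructed.

```python
import os
import stat
import subprocess
import sys
import tempfile

MARKERS = ("SECRET", "PASSWORD", "TOKEN", "KEY")  # assumed naming convention


def is_sensitive(name):
    return any(m in name.upper() for m in MARKERS)


def child_sees(name, env):
    """Start a child process with `env`; return the value it reads for `name`."""
    code = "import os, sys; sys.stdout.write(os.environ.get(sys.argv[1], ''))"
    return subprocess.run([sys.executable, "-c", code, name], env=env, check=True,
                          capture_output=True, text=True).stdout


def scrubbed_env(env):
    """Environment to hand to child processes: sensitive variables dropped."""
    return {k: v for k, v in env.items() if not is_sensitive(k)}


def redacted_env(env):
    """Environment that is safe to attach to an error report."""
    return {k: "<redacted>" if is_sensitive(k) else v for k, v in env.items()}


def read_mounted_secret(path):
    """Read a secret file; assumes (this example's policy) an owner-only mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {oct(mode)}, expected owner-only")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def demo():
    env = dict(os.environ, DB_PASSWORD="constructed-sample-value")  # constructed
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db-password")  # stands in for a mounted secret
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("constructed-sample-value\n")
        os.chmod(path, 0o400)
        from_file = read_mounted_secret(path)
    return {"inherited": child_sees("DB_PASSWORD", env),
            "scrubbed": child_sees("DB_PASSWORD", scrubbed_env(env)),
            "logged": redacted_env(env)["DB_PASSWORD"], "from_file": from_file}
```

The mode check only passes when the secret volume is mounted owner-only (for example, mode 0400), so the mount configuration has to match the policy the reader enforces.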