2

We have a namespace in Kubernetes where I would like some secrets (files like jks, properties, ts, etc.) to be made available to all the containers in all the pods (we have one JVM per container & one container per pod kind of Deployment).

I have created secrets using kustomization and plan to use them as a volume in the spec of each Deployment & then volumeMount it for the container of this Deployment. I would like to have this volume mounted on each of the containers deployed in our namespace.

I want to know if kustomize (or anything else) can help me to mount this volume on all the deployments in this namespace?

I have tried the following patchesStrategicMerge:

```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: myNamespace
spec:
  template:
    spec:
      imagePullSecrets:
        - name: pull-secret
      containers:
        - volumeMounts:
          - name: secret-files
            mountPath: "/secrets"
            readOnly: true
      volumes:
      - name: secret-files
        secret:
          secretName: mySecrets
          items:
          - key: key1
            path: ...somePath
          - key: key2
            path: ...somePath
```

It requires a name in the metadata section, which does not help me as all my Deployments have different names.

David Maze
Mukund Jalan

4 Answers

2

Inject Information into Pods Using a PodPreset

You can use a PodPreset object to inject information like secrets, volume mounts, environment variables, etc. into pods at creation time.

Update: Feb 2021. The PodPreset feature only made it to alpha. It was removed in v1.20 of Kubernetes. See the release notes: https://kubernetes.io/docs/setup/release/notes/

The v1alpha1 PodPreset API and admission plugin has been removed with no built-in replacement. Admission webhooks can be used to modify pods on creation. (#94090, @deads2k) [SIG API Machinery, Apps, CLI, Cloud Provider, Scalability and Testing]

Adam
DT.
1

PodPreset (https://kubernetes.io/docs/tasks/inject-data-application/podpreset/) is one way to do this, but for this all pods in your namespace should match the label you specify in the PodPreset spec.

Another way (which is most popular) is to use Dynamic Admission Control (https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) and write a mutating webhook in your cluster which will edit your pod spec and add all the secrets you want to mount. Using this you can also make other changes in your pod spec, like mounting volumes, adding labels and many more.

Anmol Agrawal
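The patch a mutating webhook like the one in the answer above would return for each new pod, as an added example that is not part of the original answer. The volume name, secret name and mount path come from the question's patch (its `items` list is left out because its paths are elided); the sample request and its container names are constructed.

```python
import base64
import json

# Names taken from the question's patch.
VOLUME_NAME = "secret-files"
SECRET_NAME = "mySecrets"
MOUNT_PATH = "/secrets"

def build_patch(pod):
    """Return JSONPatch ops adding the secret volume and a read-only mount to every container."""
    spec = pod.get("spec", {})
    ops = []
    volume = {"name": VOLUME_NAME, "secret": {"secretName": SECRET_NAME}}
    volumes = spec.get("volumes")
    if volumes is None:
        # "add" to /spec/volumes/- fails when the array is absent, so create it.
        ops.append({"op": "add", "path": "/spec/volumes", "value": [volume]})
    elif not any(v.get("name") == VOLUME_NAME for v in volumes):
        ops.append({"op": "add", "path": "/spec/volumes/-", "value": volume})
    mount = {"name": VOLUME_NAME, "mountPath": MOUNT_PATH, "readOnly": True}
    for i, container in enumerate(spec.get("containers", [])):
        base = f"/spec/containers/{i}/volumeMounts"
        mounts = container.get("volumeMounts")
        if mounts is None:
            ops.append({"op": "add", "path": base, "value": [mount]})
        elif not any(m.get("name") == VOLUME_NAME for m in mounts):
            # Skip containers that already have the mount, so re-invocation is a no-op.
            ops.append({"op": "add", "path": base + "/-", "value": mount})
    return ops

def review_response(review):
    """Build the admission.k8s.io/v1 AdmissionReview response for a pod CREATE request."""
    request = review["request"]
    response = {"uid": request["uid"], "allowed": True}
    ops = build_patch(request["object"])
    if ops:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

# Constructed request: one container without mounts, one with an unrelated mount.
SAMPLE = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "request": {
    "uid": "constructed-uid-1", "object": {"spec": {"containers": [
        {"name": "app", "image": "example/app"},
        {"name": "sidecar", "image": "example/sidecar",
         "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}]}}}}

if __name__ == "__main__":
    print(json.dumps(review_response(SAMPLE), indent=2))
```

In a cluster this logic sits behind an HTTPS endpoint registered in a MutatingWebhookConfiguration, and its `namespaceSelector` limits the injection to the one namespace that should receive the secrets.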
0

Standalone kustomize supports a patch to many resources. Here is an example: Patching multiple resources at once. The built-in kustomize in kubectl doesn't support this feature.

Jack Liu Shurui
-2

To mount a secret as a volume, you need to update the YAML construct for your pod/deployment manifest files and rebuild them.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: my-container
      image: nginx
      volumeMounts:
        - name: my-secret-volume
          mountPath: /etc/secretpath
  volumes:
    - name: my-secret-volume
      secret:
        secretName: my-secret
```

kustomize (or anything else) will not mount it for you.

DT.
  • I would like to do it across the namespace. Something like injecting volumes in all pods without (or with little) modification to the pod definition. – Mukund Jalan Feb 14 '20 at 04:25
  • 1
    @mukund then you should try exploring the usage of [PodPreset](https://kubernetes.io/docs/tasks/inject-data-application/podpreset/) for your use case. – DT. Feb 14 '20 at 06:02