
We have an application that requires secrets ONLY during the runtime or creation of the pod. Once the Pod is up and started the secrets are no longer needed.

I've tried to load secrets from environment variables then unset them via a script however if you exec into the container the secret is available on each new session.

I'm currently looking into mounting files as secrets and would like to know if it is possible to somehow pass a secret to a container ONLY during runtime and remove it once the pod is up and running? Maybe I can unmount the secret once the pod is running?

I should also point out that the pod is running an application on top of a stripped down version of a CentOS 8 image.

Jay

1 Answer


You can't unmount a Secret while the Pod is running. (The design is any updates to the secret will be reflected immediately)

However, what you could do is use an initContainer, which mounts the secret. That initContainer and your main container also both mount an emptyDir volume, which is ephemeral. Init could copy secrets across, main container could read them then delete them.

I suspect this would react badly to failure though; you would likely need to change the Pod's restartPolicy to be Never, because the initContainer won't run again if the main container fails, and when it's restarted it would now not have the secrets available to it.

All of that is on the assumption your main container needed to see the secrets. If you could do what's needed during the initContainer, then the main container will never see the secrets if they're not mounted - just use them in the initContainer.

https://kubernetes.io/docs/concepts/workloads/pods/init-containers/

Mike Bryant
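The initContainer + emptyDir pattern from the answer, written out as a Pod manifest. This is an added example, not code from the answer's author; the Secret name `app-credentials`, the images, and the application's `--password-file` flag are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-staged-secret      # hypothetical
spec:
  # As the answer notes: a restarted main container would not get the
  # init step again, so the copied file would be gone. Fail the Pod instead.
  restartPolicy: Never
  volumes:
    - name: real-secret
      secret:
        secretName: app-credentials  # hypothetical Secret, never mounted into the app
        defaultMode: 0400
    - name: scratch
      emptyDir:
        medium: Memory               # tmpfs: the staged copy never touches node disk
  initContainers:
    - name: stage-secret
      image: busybox:1.36            # assumption: any image with a POSIX sh
      command:
        - sh
        - -c
        - cp /in/password /scratch/password && chmod 0400 /scratch/password
      volumeMounts:
        - name: real-secret
          mountPath: /in
          readOnly: true
        - name: scratch
          mountPath: /scratch
  containers:
    - name: app
      image: registry.example/app:1.0   # hypothetical
      # Assumption: the app reads the file once at startup and unlinks it.
      # Only the emptyDir is mounted here; the Secret volume is not.
      args: ["--password-file=/scratch/password"]
      volumeMounts:
        - name: scratch
          mountPath: /scratch
```

Until the application deletes `/scratch/password`, it is visible to anyone who can `kubectl exec` into the container, and a value the app exports into its environment stays readable in `/proc/<pid>/environ`; reading from a file and deleting it avoids the second problem the question ran into with environment variables.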
This is interesting. Init containers seem like they can do this; however, if the impact of this is that we will lose the ability to gracefully fail (pod restart for whatever reason) it may not be worth the trouble. I might just have to mount the secrets and have it locked down. I'll look into this and respond back with my results – Jay Nov 21 '20 at 04:52