Daily Interview Question
Daily DevOps insights to ace your interviews
Question of the Day
📝 Scenario:
You need to inject secrets securely from a secret management system (like HashiCorp Vault or AWS Secrets Manager) into a Kubernetes pod.
How would you set up access?
How would the pod retrieve these secrets?
How would you integrate them into Kubernetes manifests or application code?
✅ Step-by-Step Answer
1️⃣ Configure Access & Permissions
Create a role or policy in your secret manager that grants the minimum required permissions to read only the secrets your pod needs.
For AWS Secrets Manager, this means creating an IAM role with the secretsmanager:GetSecretValue permission on only those secrets. Attach this role to your Kubernetes service account using IRSA (IAM Roles for Service Accounts) on EKS.
2️⃣ Map the Role to the Pod
Ensure the pod uses the service account bound to the IAM role.
Example (using eksctl):
# Creates the service account (or annotates it) with eks.amazonaws.com/role-arn,
# which is the IRSA binding; the role's trust policy must already allow the
# cluster's OIDC provider. (create iamidentitymapping edits aws-auth, not IRSA.)
eksctl create iamserviceaccount \
  --cluster <cluster-name> \
  --namespace <namespace> \
  --name <sa-name> \
  --attach-role-arn arn:aws:iam::<account-id>:role/<role-name> \
  --approve
3️⃣ Retrieve Secrets Inside the Pod
Your application can fetch secrets dynamically at runtime.
Example in Python:
import boto3

def fetch_secret(secret_name, region):
    # Credentials come from the IRSA-projected token; nothing is hardcoded
    client = boto3.client("secretsmanager", region_name=region)
    secret = client.get_secret_value(SecretId=secret_name)
    # Secrets Manager returns either SecretString or SecretBinary
    return secret.get("SecretString") or secret["SecretBinary"]

secret_value = fetch_secret("my-secret", "us-east-1")
print(secret_value)  # demo only: real applications should not log secret values
4️⃣ Integrate Secrets into Kubernetes
Environment variables: inject secret values at runtime (good for short-lived secrets).
Volumes via CSI drivers: mount secrets as files into the pod (recommended for sensitive data).
Sidecar containers or init containers: fetch secrets and provide them to the main app securely.
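As an added example, not part of the original answer: the manifests that tie step 2 (a service account bound to the IAM role) to the CSI-driver option above. It assumes the Secrets Store CSI driver and its AWS provider are installed in the cluster; the namespace, secret name, image and role ARN are placeholders.

```yaml
# SecretProviderClass: tells the Secrets Store CSI driver (AWS provider)
# which Secrets Manager entry to mount. Names below are placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-db-credentials
  namespace: prod
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "prod/app/db"        # Secrets Manager secret name or ARN
        objectType: "secretsmanager"
        objectAlias: "db-credentials"    # file name inside the mount
---
# ServiceAccount annotated for IRSA. The IAM role's trust policy must name the
# cluster's OIDC provider and restrict the token's sub claim to
# system:serviceaccount:prod:app-sa, so no other service account can assume it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: prod
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role-name>
---
# Pod: runs as app-sa and mounts the secret read-only as the file
# /mnt/secrets/db-credentials; nothing secret appears in the manifest.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: prod
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: <image>
      volumeMounts:
        - name: secrets
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-db-credentials
```

Because the value is read from the mounted file at runtime, a rotated secret is picked up on the driver's next sync without rebuilding the image or editing the manifest.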
💡 Best Practices
Never hardcode secrets in manifests or container images.
Use least privilege: pods should only access secrets they actually need.
Rotate secrets regularly and automate updates in your pods using CSI drivers or app-level retrieval.
Monitor access logs from your secret manager to detect suspicious activity.
✅ Key Takeaway:
Secure secret injection in Kubernetes is a combination of proper IAM/service account configuration, dynamic secret retrieval, and careful pod integration, balancing security, maintainability, and operational simplicity.