Kubernetes Plugin
Injecting Secrets to K8s Pods via a Sidecar
The Akeyless Kubernetes plugin enables containerized applications to use Static and Dynamic secrets sourced from the Akeyless Vault Platform. This plugin leverages the Kubernetes Mutating Admission Webhook to intercept and augment specifically annotated pod configurations for secrets injection using Init and Sidecar containers.
Note:
The documentation, configuration, and examples for the Akeyless K8s plugin also apply to OpenShift environments.
Applications only need to find a secret at a filesystem path instead of managing tokens and connecting to an external API or other mechanisms for direct interaction with a secrets management platform.
The Sidecar container fetches secrets before an application starts. For example, this can be used by a web application that uses Dynamic Secrets to connect to a database with an expiring lease.
For details, see Provisioning a Secret to your K8s Cluster.
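The application side of this model, sketched as an added example (not Akeyless code): a loader that re-reads the injected file when it is rewritten, so rotated Dynamic Secret credentials are picked up without a restart. The mount path, the JSON file content, and the `InjectedSecret` name are assumptions made for illustration.

```python
import json
import os
import stat


class InjectedSecret:
    """Serves the current contents of a secret file that may be rewritten in place."""

    def __init__(self, path):
        self.path = path      # assumed mount path, defined by the pod's injection config
        self._stamp = None    # (inode, mtime_ns, size) of the version last parsed
        self._value = None

    def get(self):
        fd = os.open(self.path, os.O_RDONLY)
        try:
            st = os.fstat(fd)
            # Refuse anything other workloads in the pod could have tampered with.
            if not stat.S_ISREG(st.st_mode) or st.st_mode & stat.S_IWOTH:
                raise PermissionError(f"{self.path}: not a regular file or world-writable")
            stamp = (st.st_ino, st.st_mtime_ns, st.st_size)
            if stamp == self._stamp:
                return self._value        # unchanged since the last read
            with os.fdopen(fd, "r", encoding="utf-8") as fh:
                fd = None                 # fh now owns the descriptor
                raw = fh.read()
        finally:
            if fd is not None:
                os.close(fd)
        try:
            value = json.loads(raw)       # assumption: the secret is stored as JSON
        except json.JSONDecodeError:
            if self._value is None:
                raise                     # nothing usable has been read yet
            return self._value            # caught mid-rewrite: keep last good value
        self._stamp, self._value = stamp, value
        return value


if __name__ == "__main__":
    import tempfile
    # Constructed sample standing in for the file written into the pod.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "db-creds.json")
        with open(p, "w") as f:
            json.dump({"user": "tmp_user_1", "password": "constructed-1"}, f)
        os.chmod(p, 0o600)
        print(InjectedSecret(p).get()["user"])
```

Call `get()` each time a new database connection is opened rather than caching the credentials at startup, so an expired lease is never reused.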
Although authorization in Kubernetes is intentionally high level, you can configure the Akeyless native injector to support full and flexible segregation using K8s policies together with the Akeyless Vault Platform's Access Roles & RBAC methodology. See Policy Segregation for Kubernetes.