Mounting a Kubernetes Secret as a single file inside a Pod

Recently I needed to mount an SSH private key, used by one app to connect to another, into a running Pod. To do this securely, we put the SSH key into a Kubernetes Secret and then mounted the Secret as a file via the Pod spec of a Deployment.

I wanted to document the process here because (a) I know I'm going to have to do it again and this will save me a few minutes' research, and (b) it's very slightly unintuitive (at least to me).

First I defined a secret in a namespace:

apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
  namespace: acme
type: Opaque
data:
  id_rsa: {{ secret_value_base64_encoded }}

Note the key of id_rsa for the Secret data. I used this because when you mount a Secret into a volume, the mount point is a directory, and each file in that directory corresponds to a key in the Secret's data. So in this case, if I set a mount path of /var/my-app, Kubernetes places a file there named id_rsa containing the value from the Secret. (Note that I'm using Ansible to template and apply manifests, so I'm actually using a value like {{ ansible_vault_encrypted_string | b64encode }}, which uses Ansible Vault to decrypt an encrypted private key in a playbook variable, though that's beside the point here.)

To get that file to mount in the path /var/my-app/id_rsa, I add the volume like so in my Deployment spec:

      containers:
      - image: "my-image:latest"
        name: my-app
        volumeMounts:
          - mountPath: "/var/my-app"
            name: ssh-key
            readOnly: true
      volumes:
        - name: ssh-key
          secret:
            secretName: ssh-key

Note that you can control the Secret files' permissions using defaultMode in the volume definition, or even individually per file (if there are multiple keys in the Secret's data), but that exercise is left up to the reader. See the Secrets documentation for more on that (specifically, the section on Secret file permissions).
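As an added example (not from the original post, and not the Ansible templating the post actually uses), the script below builds the same two manifests in Python with only the standard library, shows that the base64 in the Secret's data is plain encoding rather than encryption, and runs a small least-privilege check on the Deployment: every Secret volume must be mounted readOnly and its defaultMode (or any per-key items[].mode) must not grant group/other read. The sample key bytes are a constructed placeholder, the names ssh-key, acme, my-app and /var/my-app are taken from the post, and the manifests are emitted as JSON, which kubectl apply -f accepts because JSON is valid YAML.

```python
import base64
import json

# Constructed placeholder standing in for a real private key; not a usable key.
SAMPLE_KEY = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
    b"EXAMPLE-PLACEHOLDER-NOT-A-REAL-KEY\n"
    b"-----END OPENSSH PRIVATE KEY-----\n"
)

# Kubernetes applies 0644 to Secret volume files when defaultMode is omitted.
K8S_DEFAULT_FILE_MODE = 0o644


def build_secret(name, namespace, file_name, key_bytes):
    """Secret manifest: data values are base64 text, and each key becomes a file name."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {file_name: base64.b64encode(key_bytes).decode("ascii")},
    }


def build_deployment(name, namespace, image, secret_name, mount_path,
                     file_mode=0o400, read_only=True):
    """Deployment whose single container mounts the Secret at mount_path.

    defaultMode is sent as a plain integer (0o400 == 256): JSON has no octal
    literals, and the API field is an int32 either way.
    """
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "selector": {"matchLabels": {"app": name}},
            "template": {
                "metadata": {"labels": {"app": name}},
                "spec": {
                    "containers": [{
                        "name": name,
                        "image": image,
                        "volumeMounts": [{
                            "name": "ssh-key",
                            "mountPath": mount_path,
                            "readOnly": read_only,
                        }],
                    }],
                    "volumes": [{
                        "name": "ssh-key",
                        "secret": {"secretName": secret_name, "defaultMode": file_mode},
                    }],
                },
            },
        },
    }


def decode_secret_file(secret, file_name):
    """Recover the file bytes. base64 is encoding, not encryption: anyone who can
    read the Secret object (RBAC get/list on secrets) can do exactly this."""
    return base64.b64decode(secret["data"][file_name])


def secret_mount_findings(deployment):
    """Least-privilege checks on how Secret volumes are mounted in a Deployment."""
    findings = []
    pod = deployment["spec"]["template"]["spec"]
    secret_vols = {v["name"]: v["secret"] for v in pod.get("volumes", []) if "secret" in v}
    for vol_name, src in secret_vols.items():
        mode = src.get("defaultMode", K8S_DEFAULT_FILE_MODE)
        if mode & 0o077:
            findings.append(f"volume {vol_name}: defaultMode 0{mode:o} is readable beyond the owner")
        # Per-key overrides (secret.items[].mode) take precedence over defaultMode.
        for item in src.get("items", []):
            item_mode = item.get("mode", mode)
            if item_mode & 0o077:
                path = item.get("path", item.get("key"))
                findings.append(f"volume {vol_name}: item {path} mode 0{item_mode:o} is readable beyond the owner")
    for c in pod.get("containers", []):
        for vm in c.get("volumeMounts", []):
            if vm["name"] in secret_vols and not vm.get("readOnly", False):
                findings.append(f"container {c['name']}: {vm['mountPath']} mounts Secret volume {vm['name']} without readOnly")
    return findings


def render(manifest):
    """JSON is valid YAML, so this output can go straight to `kubectl apply -f -`."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    secret = build_secret("ssh-key", "acme", "id_rsa", SAMPLE_KEY)
    deploy = build_deployment("my-app", "acme", "my-image:latest", "ssh-key", "/var/my-app")
    print(render(secret))
    print(render(deploy))
    print("findings:", secret_mount_findings(deploy))
```

A mode of 0400 only helps if the process in the container runs as the file's owner, so after applying the manifests it is worth checking the result with ls -l /var/my-app inside the Pod; if the app runs as a non-root user, pair defaultMode with the Pod's securityContext so the file stays readable to that user and to nobody else.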


Hi, thank you for the informative tutorial.

Could you provide more information on how you are using Ansible to populate the values inside the secrets file?

This was useful, I stop by here to remind myself, because it's the simplest guide out there. Thanks!

In Linux I expect a mount to make anything in the directory being mounted onto unavailable. Here it looks like /var/my-app is not getting wiped out, but added to. Is that correct?