How to use the Infisical Kubernetes Agent Injector to inject secrets directly into Kubernetes pods.

The injector listens for CREATE and UPDATE events on pods in your cluster. It is namespace-agnostic and will watch for pods in any namespace, but it will only patch pods that have the `org.infisical.com/inject` annotation set to `true`; pods without that annotation are left untouched.
The following annotations control the injector:

| Annotation | Value | Description |
|---|---|---|
| `org.infisical.com/inject` | `true` | Set this annotation to `true` and the pod will be patched with an Infisical Agent container on create or update. |
| `org.infisical.com/inject-mode` | `init` | The injection mode. Currently only the `init` mode is supported. `init`: the injector adds an init container to the pod that renders the secrets into a shared volume mount within the pod. The agent init container runs before any other container in the pod, including other init containers. |
| `org.infisical.com/agent-config-map` | name of a config map | The config map that holds the agent configuration. The configuration must be stored under the `config.yaml` key of the config map. You can find a full example of the config at the end of this section. |
The agent configuration stored in the config map supports the following keys:

| Key | Default | Description |
|---|---|---|
| `infisical.address` | `https://app.infisical.com` | The address of your Infisical instance. Defaults to `https://app.infisical.com` if not provided. |
| `infisical.auth.type` | `kubernetes` | The authentication type. Currently only the `kubernetes` authentication type is supported. You can refer to our Kubernetes Auth documentation for more information on how to create a machine identity for Kubernetes Auth. Please note that the pod's default service account will be used to authenticate with Infisical. |
| `infisical.auth.config.identity-id` | | The ID of the machine identity to authenticate as. Required when `infisical.auth.type` is set to `kubernetes`. |
| `templates[]` | | The list of templates to render into the pod. |
| `templates[].destination-path` | `/shared/infisical-secrets` | The path inside the pod where the rendered template is written. Defaults to `/shared/infisical-secrets`. If you have multiple templates and don't provide a destination path, the destination paths default to `/shared/infisical-secrets-1`, `/shared/infisical-secrets-2`, etc. |
| `templates[].template-content` | | The template that renders the secrets. It follows the same templating format and supports the same functions as the Infisical Agent. |
To configure the injector for a pod:

1. Create a config map, in the same namespace as the pod, containing the agent configuration under the `config.yaml` key. Set the `auth.type` field to `kubernetes` and set `auth.config.identity-id` to the ID of the machine identity you wish to use for authentication.
2. Add the `org.infisical.com/agent-config-map` annotation to your pod's deployment. The value of the annotation is the name of the config map you created above.
In this example we will create an nginx deployment that prints the injected `API_KEY` secret to the container logs. Create the following secret in your Infisical project:

- `API_KEY`: The API key to use for the nginx deployment.

Everything in this example is deployed into the `test-namespace` namespace.
The agent injector will authenticate with Infisical using a Kubernetes Auth machine identity. Please follow the instructions to create a machine identity configured for Kubernetes Auth. The injector uses the service account token of the pod to authenticate with Infisical, so the pod's service account (and its namespace) must be permitted by the machine identity's Kubernetes Auth configuration; a mismatch here is a common cause of the agent init container failing.
The `template-content` will be rendered as a Go template and will have access to the following variables. It follows the same templating format and supports the same functions as the Infisical Agent.

The `destination-path` is the path within the pod that the secrets will be injected into. In this case we're injecting the secrets into a file called `/infisical/secrets`.

Replace `<your-project-id>` and `<your-environment-slug>` with your project ID and the environment slug of where you created your secrets in Infisical. Replace `<your-infisical-machine-identity-id>` with the ID of your machine identity configured for Kubernetes Auth.
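Putting the configuration keys above together, here is a complete config map for this example. It is an added example, not a manifest from the page or from the Infisical project: the config map name `infisical-agent-config` is assumed, and the template body assumes the Infisical Agent's `secret` template function taking a project ID, environment slug and secret path (`/` here), which the page does not spell out. The `<your-...>` placeholders are the ones described above.

```yaml
# Added example config map for the Infisical Agent Injector (assumed name).
apiVersion: v1
kind: ConfigMap
metadata:
  name: infisical-agent-config   # assumed; referenced from the pod annotation
  namespace: test-namespace      # must be the same namespace as the pod
data:
  # The injector reads the agent configuration from the config.yaml key.
  config.yaml: |
    infisical:
      address: https://app.infisical.com   # default; change for self-hosted
      auth:
        type: kubernetes                   # only supported auth type
        config:
          identity-id: <your-infisical-machine-identity-id>
    templates:
      - destination-path: /infisical/secrets
        # Assumption: the Agent `secret` function signature is
        # secret "<project-id>" "<env-slug>" "<secret-path>"; it renders
        # one KEY=VALUE line per secret at the given path.
        template-content: |
          {{- with secret "<your-project-id>" "<your-environment-slug>" "/" }}
          {{- range . }}
          {{ .Key }}={{ .Value }}
          {{- end }}
          {{- end }}
```

The rendered file ends up as plain `KEY=VALUE` lines at `/infisical/secrets`, which is convenient for an application that sources an env file. Keep the secret path (`/` here) as narrow as the application needs; the machine identity's project permissions, not the template, are what actually bound which secrets can be fetched.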
Add the `org.infisical.com/inject: "true"` annotation to your pod's deployment.

The `org.infisical.com/agent-config-map` annotation will point to the config map we created in the previous step. It's important that the config map is in the same namespace as the pod.
We are creating an nginx deployment with a PVC to store the database data.
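The deployment below is an added example, not the page's own manifest: it shows the three injector annotations on the pod template, referencing the assumed config map name `infisical-agent-config`. The container command is an assumption chosen to demonstrate that the rendered file is readable by the application container (it prints only the `API_KEY` line before starting nginx); the PVC mentioned above is omitted because it plays no part in injection. The pod uses the namespace's `default` service account, which is what the injector authenticates with.

```yaml
# Added example deployment for the Infisical Agent Injector walkthrough.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: test-namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
      annotations:
        # Opt this pod in to injection; pods without it are never patched.
        org.infisical.com/inject: "true"
        # Only "init" is supported; the agent runs as the first init container.
        org.infisical.com/inject-mode: "init"
        # Config map in the same namespace, with the config under config.yaml.
        org.infisical.com/agent-config-map: "infisical-agent-config"
    spec:
      # The default service account's token is presented to Infisical,
      # so that account must be allowed by the identity's Kubernetes Auth config.
      serviceAccountName: default
      containers:
        - name: nginx
          image: nginx:1.27   # assumed image tag
          # Assumed demo command: show that the agent-rendered file is present,
          # then run nginx in the foreground. Logging a secret value is for
          # this walkthrough only; logs are usually shipped to systems with far
          # weaker access control than the secret store.
          command: ["/bin/sh", "-c"]
          args:
            - |
              grep '^API_KEY=' /infisical/secrets
              exec nginx -g 'daemon off;'
```

Because the agent runs as an init container, nginx does not start until `/infisical/secrets` has been rendered, so the application never races the secret fetch. The example assumes the injector also mounts the shared volume at the configured `destination-path` in the application containers, as the description of `destination-path` above implies.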
Once the pod is running, confirm that the `API_KEY` secret is being logged to the nginx container logs:
The pod is stuck in `Init` state

If the pod is stuck in the `Init` state, the Agent init container is failing to start or is stuck in a restart loop. Because the agent init container runs before every other container in the pod, nothing else in the pod will start until it succeeds. This could be due to a number of reasons, such as the machine identity not having the correct permissions, the pod's service account not being allowed by the identity's Kubernetes Auth configuration, or trying to fetch secrets from a non-existent project/environment. You can check the logs of the Infisical init container by running: