Overview

The Infisical Kubernetes Agent Injector allows you to inject secrets directly into your Kubernetes pods. The Injector will create a Infisical Agent container within your pod that syncs secrets from Infisical into a shared volume mount within your pod.

The Infisical Agent Injector will patch and modify your pod’s deployment to contain an Infisical Agent container which renders your Infisical secrets into a shared volume mount within your pod.

The Infisical Agent Injector is built on Kubernetes Mutating Admission Webhooks, and will watch for CREATE and UPDATE events on pods in your cluster. The injector is namespace-agnostic, and will watch for pods in any namespace, but will only patch pods that have the org.infisical.com/inject annotation set to true.

Install the Infisical Agent Injector

To install the Infisical Agent Injector, you will need to install our helm charts using Helm.

helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
helm repo update
helm install --generate-name infisical-helm-charts/infisical-agent-injector

After installing the helm chart you can verify that the injector is running and working as intended by checking the logs of the injector pod.

$ kubectl logs deployment/infisical-agent-injector 
2025/05/19 14:20:05 Starting infisical-agent-injector...
2025/05/19 14:20:05 Generating self-signed certificate...
2025/05/19 14:20:06 Creating directory: /tmp/tls
2025/05/19 14:20:06 Writing cert to: /tmp/tls/tls.crt
2025/05/19 14:20:06 Writing key to: /tmp/tls/tls.key
2025/05/19 14:20:06 Starting HTTPS server on port 8585...
2025/05/19 14:20:06 Attempting to update webhook config (attempt 1)...
2025/05/19 14:20:06 Successfully updated webhook configuration with CA bundle

Supported annotations

The Infisical Agent Injector supports the following annotations:

ConfigMap Configuration

Supported Fields

When you are configuring a pod to use the injector, you must create a config map in the same namespace as the pod you want to inject secrets into. The entire config needs to be of string format and needs to be assigned to the config.yaml key in the config map. You can find a full example of the config at the end of this section.

Authentication

The Infisical Agent Injector only supports Machine Identity Kubernetes Auth authentication at the moment.

To configure Kubernetes Auth, you need to set the auth.type field to kubernetes and set the auth.config.identity-id to the ID of the machine identity you wish to use for authentication.

auth:
  type: "kubernetes"
  config:
    identity-id: "<your-infisical-machine-identity-id>"

Example ConfigMap

config-map.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-config-map
data:
  config.yaml: |
    infisical:
      address: "https://app.infisical.com"
      auth:
        type: "kubernetes"
        config:
          identity-id: "<your-infisical-machine-identity-id>"
    templates:
      - destination-path: "/path/to/save/secrets/file.txt"
        template-content: |
          {{- with secret "<your-project-id>" "dev" "/" }}
          {{- range . }}
          {{ .Key }}={{ .Value }}
          {{- end }}
          {{- end }}

kubectl apply -f config-map.yaml

To use the config map in your pod, you will need to add the org.infisical.com/agent-config-map annotation to your pod’s deployment. The value of the annotation is the name of the config map you created above.

apiVersion: v1
kind: Pod
metadata:
  name: demo
  labels:
    app: demo
  annotations:
    org.infisical.com/inject: "true" # Set to true for the injector to patch the pod on create/update events
    org.infisical.com/inject-mode: "init" # The mode to use to inject the secrets into the pod. Currently only `init` mode is supported.
    org.infisical.com/agent-config-map: "name-of-config-map" # The name of the config map that you created above, which contains all the settings for injecting the secrets into the pod
spec:
  # ...

Quick Start

In this section we’ll walk through a full example of how to inject secrets into a pod using the Infisical Agent Injector. In this example we’ll create a basic nginx deployment and print a Infisical secret called API_KEY to the container logs.

Create secrets in Infisical

First you’ll need to create the secret in Infisical.

  • API_KEY: The API key to use for the nginx deployment.

Once you’ve created the secret, save your project ID, environment slug, and secret path, as these will be used in the next step.

Configuration

To use the injector you must create a config map in the same namespace as the pod you want to inject secrets into. In this example we’ll create a config map in the test-namespace namespace.

The agent injector will authenticate with Infisical using a Kubernetes Auth machine identity. Please follow the instructions to create a machine identity configured for Kubernetes Auth. The agent injector will use the service account token of the pod to authenticate with Infisical.

The template-content will be rendered as a Go Template and will have access to the following variables. It follows the templating format and supports the same functions as the Infisical Agent The destination-path refers to the path within the pod that the secrets will be injected into. In this case we’re injecting the secrets into a file called /infisical/secrets.

Replace the <your-project-id>, <your-environment-slug>, with your project ID and the environment slug of where you created your secrets in Infisical. Replace <your-infisical-machine-identity-id> with the ID of your machine identity configured for Kubernetes Auth.

config-map.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-infisical-config-map
  namespace: test-namespace
data:
  config.yaml: |
    infisical:
      address: "https://app.infisical.com"
      auth:
        type: "kubernetes"
        config:
          identity-id: "<your-infisical-machine-identity-id>"
    templates:
      - destination-path: "/infisical/secrets"
        template-content: |
          {{- with secret "<your-project-id>" "<your-environment-slug>" "/" }}
          {{- range . }}
          {{ .Key }}={{ .Value }}
          {{- end }}
          {{- end }}

Now apply the config map:

kubectl apply -f config-map.yaml

Injecting secrets into your pod

To inject secrets into your pod, you will need to add the org.infisical.com/inject: "true" annotation to your pod’s deployment.

The org.infisical.com/agent-config-map annotation will point to the config map we created in the previous step. It’s important that the config map is in the same namespace as the pod.

We are creating a nginx deployment with a PVC to store the database data.

nginx.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
  namespace: test-namespace
  labels:
    app: nginx
  annotations:
    org.infisical.com/inject: "true"
    org.infisical.com/inject-mode: "init"
    org.infisical.com/agent-config-map: "nginx-infisical-config-map"
spec:
  containers:
    - name: simple-app-demo
      image: nginx:alpine
      command: ["/bin/sh", "-c"]
      args:
        - |
          export $(cat /infisical/secrets | xargs)
          echo "API_KEY is set to: $API_KEY"
          nginx -g "daemon off;"

Applying the deployment

To apply the deployment, you can use the following command:

kubectl apply -f nginx.yaml

It may take a few minutes for the pod to be ready and for the Infisical secrets to be injected. You can check the status of the pod by running:

kubectl get pods -n test-namespace

Verifying the secrets are injected

To verify the secrets are injected, you can check the pod’s logs:

$ kubectl exec -it pod/nginx-pod -n test-namespace -- cat /infisical/secrets

Defaulted container "simple-app-demo" out of: simple-app-demo, infisical-agent-init (init)

API_KEY=sk_api_... # The secret you created in Infisical

Additionally you can now check that the API_KEY secret is being logged to the nginx container logs:

$ kubectl logs pod/nginx-pod -n test-namespace                              
Defaulted container "simple-app-demo" out of: simple-app-demo, infisical-agent-init (init)
API_KEY is set to: sk_api_... # The secret you created in Infisical

Troubleshooting