#kubernetes (2024-03)

kubernetes

Archive: https://archive.sweetops.com/kubernetes/

2024-03-15

Rohan MB

still fairly new to k8s, but wracking my brain on a small issue:

we have a main app service that will have a sidecar container. this sidecar container provides a “broker” (of sorts) to facilitate writing / getting secrets from a customer’s external secrets management system. this sidecar container allows the main app to make requests to get / write / delete secrets.

we have a k8s job that provisions a database (db, tables, schemas, grants, etc). this job will need to also get secrets from this sidecar container.

i think it’s possible to expose ports for the main app and sidecar container. that way we have this setup:

main-service.svc.cluster.local:8443 - main app
main-service.svc.cluster.local:6666 - sidecar

is it possible for another pod or k8s job to interact with this sidecar container by using the main service’s DNS + port for the sidecar?

currently we have this secrets-broker as its own service/pod so other pods (that support our product) can communicate with it and fetch/write secrets. but we're getting pushback and being told this needs to be a sidecar.

i am open to any suggestions to improve our security posture here.

Moti

why not use the same sidecar on the “k8s job”?

2024-03-18
