#kubernetes (2024-03)
Archive: https://archive.sweetops.com/kubernetes/
2024-03-15
still fairly new to k8s, but wracking my brain on a small issue:
we have a main app service that will have a sidecar container. this sidecar container provides a “broker” (of sorts) to facilitate writing / getting secrets from a customer’s external secrets management system. this sidecar container allows the main app to make requests to get / write / delete secrets.
we have a k8s job that provisions a database (db, tables, schemas, grants, etc). this job will need to also get secrets from this sidecar container.
i think it’s possible to expose ports for the main app and sidecar container. that way we have this setup:
main-service.svc.cluster.local:8443
- main app
main-service.svc.cluster.local:6666
- sidecar
is it possible for another pod or k8s job to interact with this sidecar container by using the main service’s DNS + port for the sidecar?
currently we have this secrets-broker as its own service/pod so other pods (that support our product) can communicate with it and fetch/write secrets. but getting pushback and told this needs to be a sidecar.
i am open to any suggestions to improve our security posture here.
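The layout asked about above, as an added example that is not part of the original post or the poster's own manifests: one Deployment carrying the main app and the secrets-broker sidecar, one Service exposing both ports, and a NetworkPolicy so that only the provisioning job can reach the sidecar port. Namespace, labels, images and the `role: db-provisioner` label on the Job's pod template are assumptions chosen to match the question.

```yaml
# Added example (not from the thread). Names, labels, images and the namespace
# are assumptions; the ports 8443 and 6666 are the ones from the question.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: main-service
  namespace: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: main-service
  template:
    metadata:
      labels:
        app: main-service
    spec:
      containers:
        - name: main-app
          image: example.invalid/main-app:latest        # placeholder image
          ports:
            - name: https
              containerPort: 8443
        - name: secrets-broker
          image: example.invalid/secrets-broker:latest  # placeholder image
          ports:
            - name: broker
              containerPort: 6666
---
# One Service, two named ports. Both containers share the pod's network
# namespace, so targetPort simply names whichever container port to hit.
apiVersion: v1
kind: Service
metadata:
  name: main-service
  namespace: app
spec:
  selector:
    app: main-service
  ports:
    - name: https
      port: 8443
      targetPort: https    # main-app container
    - name: broker
      port: 6666
      targetPort: broker   # secrets-broker sidecar
---
# Exposing the sidecar through the Service makes it reachable by anything that
# can reach the pod, so restrict ingress: 8443 stays open, 6666 is only
# allowed from pods labelled as the DB-provisioning job.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: main-service-ingress
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: main-service
  policyTypes:
    - Ingress
  ingress:
    - ports:                      # no "from": any source may reach the app port
        - port: 8443
          protocol: TCP
    - from:
        - podSelector:
            matchLabels:
              role: db-provisioner   # label on the Job's pod template (assumed)
      ports:
        - port: 6666
          protocol: TCP
```

A few things to check when applying this. The in-cluster DNS name includes the namespace, so with the above the job would connect to `main-service.app.svc.cluster.local:6666`, not `main-service.svc.cluster.local:6666`. The NetworkPolicy is only enforced when the cluster's CNI supports it; without that, the sidecar's port is reachable from any pod at the pod IP, Service or not. The Service adds no authentication of its own, so the broker should still verify who is calling (for example via the caller's service account token or mTLS) rather than relying on the network boundary alone. With several replicas, the Service load-balances across pods, which is fine for a stateless broker but worth noting if the sidecar keeps per-pod state.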