Kubernetes Secrets Volumes vs Environment Variables
https://www.oreilly.com/library/view/velocity-conference-2017/9781491985335/video316233.html
Kubernetes secrets exposed by environment variables may be able to be enumerated on the host via /proc/. If this is the case it's probably safer to load them via volume mounts.
I agree with TMCs answer, but wanted to add a note for those that are thinking, "But what about 12-factor??". Objections are sometimes raised against using volume-mounted secrets because 12F seemingly requires configs be stored as ENV vars. First, these are suggested, voluntary, your-mileage-may-vary best-practices suggestions. Second, there is this section:
In a twelve-factor app, env vars are granular controls, each fully orthogonal to other env vars. They are never grouped together as “environments”, but instead are independently managed for each deploy. This is a model that scales up smoothly as the app naturally expands into more deploys over its lifetime.
source: https://12factor.net/config
Basically, coupled with the rest of the description I understand the guiding principles of 12F Config management to be:
- Keep config out of source
- Be able to inject config into source artifact (e.g. a docker container)
- Be able to make granular changes to the set of required configuration values
In my humble opinion, volume mounted Kubernetes Secrets can accomplish these goals depending on what sort of Secret objects you create and how you manage them.