
Kubernetes, for instance, bind mounts secrets by default on read-only in-memory filesystems (and on Red Hat systems, with unique SELinux labels) that disappear on reboot. You can of course use secrets in env vars if you want, since sometimes it is easier. The hard part is a lot of handy public Docker images use env by default, so you end up being tempted into env for convenience.


And does that Docker instance need a token to read the password out of a key/value store somewhere? How then do you securely distribute the token? It seems like that would just be pushing the problem elsewhere.

Also I am assuming that something is preventing that tmpfs filesystem from swapping to disk?
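
The mount properties raised in this thread (a read-only tmpfs backing the secret, and whether tmpfs pages could reach swap) can be checked by reading `/proc/mounts` and `/proc/swaps`. The following is an added example, not code from any commenter or from Kubernetes; the path `/run/secrets/app` and the sample text are constructed for illustration.

```python
# Added example: audit the filesystem backing a secret file.
# Inputs are the text of /proc/mounts and /proc/swaps; samples below are constructed.

def parse_mounts(mounts_text):
    """Parse /proc/mounts lines into dicts with path, fstype and option set."""
    entries = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            entries.append({"path": fields[1], "fstype": fields[2],
                            "options": set(fields[3].split(","))})
    return entries

def active_swap(swaps_text):
    """Return swap device names from /proc/swaps text (first line is a header)."""
    return [l.split()[0] for l in swaps_text.splitlines()[1:] if l.strip()]

def audit_secret_mount(path, mounts_text, swaps_text):
    """Return a list of findings for the mount that backs `path`."""
    # The longest mount point that prefixes the path is the backing mount.
    candidates = [m for m in parse_mounts(mounts_text)
                  if path == m["path"]
                  or path.startswith(m["path"].rstrip("/") + "/")]
    if not candidates:
        return ["no mount found for path"]
    mount = max(candidates, key=lambda m: len(m["path"]))
    findings = []
    if mount["fstype"] != "tmpfs":
        findings.append("backed by %s, not tmpfs: secret may persist on disk"
                        % mount["fstype"])
    if "ro" not in mount["options"]:
        findings.append("mounted read-write")
    # tmpfs pages are swappable unless the mount carries the noswap option.
    if (mount["fstype"] == "tmpfs" and "noswap" not in mount["options"]
            and active_swap(swaps_text)):
        findings.append("swap is active: tmpfs pages can be written to swap")
    return findings

# Constructed sample data (not captured from a real node).
SAMPLE_MOUNTS = (
    "overlay / overlay rw,relatime 0 0\n"
    "tmpfs /run/secrets/app tmpfs ro,relatime,seclabel 0 0\n"
    "/dev/sda1 /etc/config ext4 rw,relatime 0 0\n"
)
SAMPLE_SWAPS_OFF = "Filename\tType\tSize\tUsed\tPriority\n"
SAMPLE_SWAPS_ON = SAMPLE_SWAPS_OFF + "/dev/sda2 partition 2097148 0 -2\n"

if __name__ == "__main__":
    print(audit_secret_mount("/run/secrets/app/password", SAMPLE_MOUNTS, SAMPLE_SWAPS_ON))
```

On a live system, pass the contents of `/proc/mounts` and `/proc/swaps` in place of the sample strings.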



