Inject a Secret in a container using stdin

Hi guys, is there a possibility to inject a Kubernetes Secret into a Deployment/Pod using stdin with a command?

The scenario is to reduce the attack surface, where variables and files are exposed to other processes within the container, and it would be very interesting to do this built-in.

Kubernetes version: 1.27

I found a stdin parameter in the CRI and Kubernetes specifications that can be used, but I didn’t understand how, since it is a boolean.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
      - name: redis-container
        image: redis:latest
        command: ["kubectl get secret my-redis-secret", "|", "redis-server", "--requirepass-stdin"]
        ports:
        - containerPort: 6379
---
apiVersion: v1
kind: Secret
metadata:
  name: my-redis-secret
type: Opaque
data:
  redis-password: BASE64_ENCODED_PASSWORD_HERE

The “kubectl get secret my-redis-secret” command would be executed outside the container and passed via stdin to the container.

There’s no automatic way to do this, but you could run `command: sh` and `args: ["-c", "something | something_else"]`, I guess.

I’m not sure what that is defending against, though.
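As an added illustration of the `sh -c` pipe suggested in the reply above (this manifest is not from the thread's authors), the Secret is mounted as a file and the password is handed to redis-server over stdin using `redis-server -`, which reads its configuration from standard input; the mount path, file name, image tag and a whitespace-free password are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: redis-stdin-example
spec:
  containers:
  - name: redis
    image: redis:7            # assumed tag
    command: ["sh", "-c"]
    args:
      - |
        # Build the config line in the shell and pipe it to redis-server.
        # The password is never placed in an environment variable, and
        # redis-server's argv contains only "-", so it does not show up in
        # `ps` / /proc/<pid>/cmdline or /proc/<pid>/environ.
        # Assumes the password contains no whitespace or quotes.
        printf 'requirepass %s\n' "$(cat /run/secrets/redis/redis-password)" \
          | redis-server -
    ports:
    - containerPort: 6379
    volumeMounts:
    - name: redis-secret
      mountPath: /run/secrets/redis   # assumed path
      readOnly: true
  volumes:
  - name: redis-secret
    secret:
      secretName: my-redis-secret
      defaultMode: 0400               # owner-read only on the tmpfs mount
```

The mounted file remains readable by any process in the container running as the same user, so this narrows exposure (no env var, no argv) but does not give the stdin-only property asked for in the question.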

This way does not work, as it executes everything inside the container.

Once an environment variable or a volume is exposed, in cases where the image is vulnerable, any other process that can access the container will be able to access them.

Via stdin, only the official process will receive this value, and it will not be possible to obtain it later.

And, if your container were to crash… Then what?