The Infisical Kubernetes Agent Injector allows you to inject secrets directly into your Kubernetes pods. The Injector will create an Infisical Agent container within your pod that syncs secrets from Infisical into a shared volume mount within your pod.
The Infisical Agent Injector will patch and modify your pod’s deployment to contain an Infisical Agent container which renders your Infisical secrets into a shared volume mount within your pod.
The Infisical Agent Injector is built on Kubernetes Mutating Admission Webhooks, and will watch for CREATE and UPDATE events on pods in your cluster.
The injector is namespace-agnostic, and will watch for pods in any namespace, but will only patch pods that have the org.infisical.com/inject annotation set to true.
The Infisical Agent Injector supports the following annotations:
The org.infisical.com/inject annotation is used to enable the injector on a pod. Set the value to true and the pod will be patched with an Infisical Agent container on update or create.
The org.infisical.com/inject-mode annotation is used to specify the mode to use to inject the secrets into the pod. Currently only init mode is supported.
init: The init method will create an init container for the pod that will render the secrets into a shared volume mount within the pod. The agent init container will run before any other containers in the pod run, including other init containers.
The org.infisical.com/agent-config-map annotation is used to specify the name of the config map that contains the configuration for the injector. The config map must be in the same namespace as the pod.
When you are configuring a pod to use the injector, you must create a config map in the same namespace as the pod you want to inject secrets into.
The entire config needs to be of string format and needs to be assigned to the config.yaml key in the config map. You can find a full example of the config at the end of this section.
The address of your Infisical instance. This field is optional and will default to https://app.infisical.com if not provided.
The authentication type to use to connect to Infisical. Currently only the kubernetes authentication type is supported.
You can refer to our Kubernetes Auth documentation for more information on how to create a machine identity for Kubernetes Auth.
Please note that the pod’s default service account will be used to authenticate with Infisical.
The ID of the machine identity to use to connect to Infisical. This field is required if the infisical.auth.type is set to kubernetes.
The templates hold an array of templates that will be rendered and injected into the pod.
The path to inject the secrets into within the pod.
If not specified, this will default to /shared/infisical-secrets. If you have multiple templates and don’t provide a destination path, the destination paths will default to /shared/infisical-secrets-1, /shared/infisical-secrets-2, etc.
The content of the template to render.
This will be rendered as a Go Template and will have access to the following variables.
It follows the templating format and supports the same functions as the Infisical Agent.
The Infisical Agent Injector only supports Machine Identity Kubernetes Auth authentication at the moment.
To configure Kubernetes Auth, you need to set the auth.type field to kubernetes and set the auth.config.identity-id to the ID of the machine identity you wish to use for authentication.
To use the config map in your pod, you will need to add the org.infisical.com/agent-config-map annotation to your pod’s deployment. The value of the annotation is the name of the config map you created above.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
  labels:
    app: demo
  annotations:
    org.infisical.com/inject: "true" # Set to true for the injector to patch the pod on create/update events
    org.infisical.com/inject-mode: "init" # The mode to use to inject the secrets into the pod. Currently only `init` mode is supported.
    org.infisical.com/agent-config-map: "name-of-config-map" # The name of the config map that you created above, which contains all the settings for injecting the secrets into the pod
spec:
  # ...
```
In this section we’ll walk through a full example of how to inject secrets into a pod using the Infisical Agent Injector.
In this example we’ll create a basic nginx deployment and print an Infisical secret called API_KEY to the container logs.
To use the injector you must create a config map in the same namespace as the pod you want to inject secrets into. In this example we’ll create a config map in the test-namespace namespace.
The agent injector will authenticate with Infisical using a Kubernetes Auth machine identity. Please follow the instructions to create a machine identity configured for Kubernetes Auth.
The agent injector will use the service account token of the pod to authenticate with Infisical.
The template-content will be rendered as a Go Template and will have access to the following variables. It follows the templating format and supports the same functions as the Infisical Agent.
The destination-path refers to the path within the pod that the secrets will be injected into. In this case we’re injecting the secrets into a file called /infisical/secrets.
Replace <your-project-id> and <your-environment-slug> with your project ID and the slug of the environment in which you created your secrets in Infisical. Replace <your-infisical-machine-identity-id> with the ID of your machine identity configured for Kubernetes Auth.
To inject secrets into your pod, you will need to add the org.infisical.com/inject: "true" annotation to your pod’s deployment.
The org.infisical.com/agent-config-map annotation will point to the config map we created in the previous step. It’s important that the config map is in the same namespace as the pod.
We are creating an nginx deployment with a PVC to store the database data.
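As an added illustration of the config map and annotation rules described above (example code, not part of the Infisical project), the following stdlib-only Python preflight check applies this page's rules to a pod and its config map before you deploy: the annotation values, the config map living in the pod's namespace with a string under the config.yaml key, the kubernetes auth requirement for identity-id, and the default destination paths. The exact nesting infisical.auth.config.identity-id, the range/.Key/.Value template body after the secret call, and the sample manifests are assumptions constructed for this example.

```python
import json

INJECT, MODE, CONFIG_MAP = ("org.infisical.com/inject", "org.infisical.com/inject-mode",
                            "org.infisical.com/agent-config-map")
DEFAULT_DEST = "/shared/infisical-secrets"
# The constructed config.yaml below is written in JSON flow syntax, which is valid YAML;
# for a real config map swap in yaml.safe_load from PyYAML.
load_config = json.loads

def resolve_destinations(templates):
    """Default-path rule: one template -> DEFAULT_DEST; several -> DEFAULT_DEST-1, -2, ..."""
    if len(templates) == 1:
        return [templates[0].get("destination-path") or DEFAULT_DEST]
    return [t.get("destination-path") or f"{DEFAULT_DEST}-{i}" for i, t in enumerate(templates, 1)]

def preflight(pod, config_maps):
    """Return the problems that would make the injector skip the pod or the agent init fail."""
    meta, problems = pod["metadata"], []
    ann = meta.get("annotations") or {}
    if ann.get(INJECT) != "true":
        problems.append(f'{INJECT} is not "true"; the injector will not patch this pod')
    if ann.get(MODE, "init") != "init":
        problems.append(f'unsupported inject mode {ann[MODE]!r}; only "init" is supported')
    cm = next((c for c in config_maps if c["metadata"]["name"] == ann.get(CONFIG_MAP)
               and c["metadata"]["namespace"] == meta["namespace"]), None)
    if cm is None:  # the config map must live in the pod's own namespace
        return problems + [f'config map {ann.get(CONFIG_MAP)!r} not found in {meta["namespace"]!r}']
    raw = (cm.get("data") or {}).get("config.yaml")
    if not isinstance(raw, str):  # the whole config is one string under the config.yaml key
        return problems + ['config map has no string value under the "config.yaml" key']
    cfg = load_config(raw)
    auth = cfg.get("infisical", {}).get("auth", {})
    if auth.get("type") != "kubernetes":
        problems.append(f'auth.type {auth.get("type")!r} unsupported; only "kubernetes" is supported')
    elif not auth.get("config", {}).get("identity-id"):
        problems.append("auth.config.identity-id is required for kubernetes auth")
    return problems

# Constructed sample manifests (placeholders as on the page; infisical.auth.config nesting assumed).
SAMPLE_POD = {"metadata": {"name": "nginx-pod", "namespace": "test-namespace", "annotations": {
    INJECT: "true", MODE: "init", CONFIG_MAP: "infisical-agent-config"}}}
SAMPLE_CONFIG_MAP = {"metadata": {"name": "infisical-agent-config", "namespace": "test-namespace"},
    "data": {"config.yaml": json.dumps({
        "infisical": {"address": "https://app.infisical.com", "auth": {"type": "kubernetes",
                      "config": {"identity-id": "<your-infisical-machine-identity-id>"}}},
        "templates": [{"destination-path": "/infisical/secrets", "template-content":
            '{{- with secret "<your-project-id>" "<your-environment-slug>" "/" }}'
            '{{ range . }}{{ .Key }}={{ .Value }}\n{{ end }}{{ end }}'}]})}}
```

Running preflight(SAMPLE_POD, [SAMPLE_CONFIG_MAP]) returns an empty list; moving the config map to another namespace or dropping identity-id produces the corresponding problem string, which is the same class of mistake that leaves the pod stuck in Init.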
To verify the secrets are injected, you can check the pod’s logs:
```
$ kubectl exec -it pod/nginx-pod -n test-namespace -- cat /infisical/secrets
Defaulted container "simple-app-demo" out of: simple-app-demo, infisical-agent-init (init)
API_KEY=sk_api_... # The secret you created in Infisical
```
Additionally you can now check that the API_KEY secret is being logged to the nginx container logs:
```
$ kubectl logs pod/nginx-pod -n test-namespace
Defaulted container "simple-app-demo" out of: simple-app-demo, infisical-agent-init (init)
API_KEY is set to: sk_api_... # The secret you created in Infisical
```
If the pod is stuck in Init state, it means the Agent init container is failing to start or is stuck in a restart loop.
This could be due to a number of reasons, such as the machine identity not having the correct permissions, or trying to fetch secrets from a non-existent project/environment.
You can check the logs of the infisical init container by running:
```bash
# For deployments
kubectl logs deployment/your-deployment-name -c infisical-agent-init -n "<namespace>"
# For pods
kubectl logs pod/your-pod-name -c infisical-agent-init -n "<namespace>"
```
You can also check the logs of the pod by running:
When checking the logs of the agent init container, you may see something like the following:
```
Starting infisical agent...
11:10AM INF starting Infisical agent...
11:10AM INF Infisical instance address set to https://daniel1.tunn.dev
11:10AM INF template engine started for template 1...
11:10AM INF attempting to authenticate...
11:10AM INF new access token saved to file at path '/home/infisical/config/identity-access-token'
11:10AM ERR unable to process template because template: literalTemplate:1:9: executing "literalTemplate" at <secret "3c0d3ff6-165c-4dc9-b52c-ff3ffaedfce311111" "dev" "/">: error calling secret: CallGetRawSecretsV3: Unsuccessful response [GET https://daniel1.tunn.dev/api/v3/secrets/raw?environment=dev&expandSecretReferences=true&include_imports=true&secretPath=%2F&workspaceId=3c0d3ff6-165c-4dc9-b52c-ff3ffaedfce311111] [status-code=404] [response={"reqId":"req-ljqNq567jchFrK","statusCode":404,"message":"Project with ID '3c0d3ff6-165c-4dc9-b52c-ff3ffaedfce311111' not found during bot lookup. Are you sure you are using the correct project ID?","error":"NotFound"}]
+ echo 'Agent failed with exit code 1'
+ exit 1
Agent failed with exit code 1
```
In the above error, the project ID was invalid in the config map.