SecretHub has joined 1Password! Find out more on the SecretHub blog. 🎉

SecretHub Kubernetes Mutating Webhook

This mutating webhook allows you to use secret references (secrethub://path/to/secret) in any containers spec, without including SecretHub in the image itself:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
  annotations:
    secrethub.io/mutate: my-app
spec:
  containers:
    - name: my-app
      image: my-image
      env:
        - name: STRIPE_SECRET_KEY
          value: secrethub://acme/app/prod/stripe/secret_key
        - name: PGPASSWORD
          value: secrethub://acme/app/prod/pg/password

You can annotate your pod spec with secrethub.io/mutate which expects a comma separated list of the names of the containers to mutate.

When the annotation is found:

  • A volume which will hold the SecretHub CLI is created.
  • An init container which copies the SecretHub CLI into the volume is created.

And for every container that is listed in the secrethub.io/mutate annotation:

  • The volume is mounted to the container.
  • The command is prefixed with <path/to/volume>/secrethub run --.

The version of the SecretHub CLI Docker image to be used can optionally be configured with secrethub.io/version, e.g. secrethub.io/version: 0.39.0. If it is not set, the latest version is used. A list of available versions can be found here.
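As an added example (not the project's own code), here is the mutation described above applied to a Pod spec held as a plain dict, covering the version annotation, a container that is not listed, and a container without an explicit command. The volume name, mount path, CLI image name and binary path inside the image are assumptions; the README only specifies the annotations and the command prefix.

```python
import copy

MUTATE_ANNOTATION = "secrethub.io/mutate"
VERSION_ANNOTATION = "secrethub.io/version"
VOLUME_NAME = "secrethub-bin"   # assumed volume name, not specified by the README
MOUNT_PATH = "/secrethub"       # assumed mount path, i.e. the <path/to/volume> above
CLI_IMAGE = "secrethub/cli"     # assumed image name; the tag comes from secrethub.io/version


def mutate_pod(pod: dict) -> dict:
    """Return a mutated copy of the Pod, or the Pod itself when the annotation is absent."""
    annotations = pod.get("metadata", {}).get("annotations", {})
    if MUTATE_ANNOTATION not in annotations:
        return pod
    targets = {n.strip() for n in annotations[MUTATE_ANNOTATION].split(",") if n.strip()}
    version = annotations.get(VERSION_ANNOTATION, "latest")

    out = copy.deepcopy(pod)
    spec = out.setdefault("spec", {})
    mount = {"name": VOLUME_NAME, "mountPath": MOUNT_PATH}
    # A volume that will hold the SecretHub CLI.
    spec.setdefault("volumes", []).append({"name": VOLUME_NAME, "emptyDir": {}})
    # An init container that copies the CLI into that volume (binary path in the image is assumed).
    spec.setdefault("initContainers", []).append({
        "name": "copy-secrethub",
        "image": f"{CLI_IMAGE}:{version}",
        "command": ["sh", "-c", f"cp /usr/bin/secrethub {MOUNT_PATH}/secrethub"],
        "volumeMounts": [mount],
    })
    # For every listed container: mount the volume read-only and prefix the command.
    for c in spec.get("containers", []):
        if c["name"] not in targets:
            continue
        if "command" not in c:
            # Without an explicit command the image ENTRYPOINT would have to be resolved first.
            raise ValueError(f"container {c['name']!r} declares no command")
        c.setdefault("volumeMounts", []).append({**mount, "readOnly": True})
        c["command"] = [f"{MOUNT_PATH}/secrethub", "run", "--"] + c["command"]
    return out

# Constructed sample: the README's Pod with explicit commands plus an unlisted sidecar.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "my-app", "annotations": {
        "secrethub.io/mutate": "my-app", "secrethub.io/version": "0.39.0"}},
    "spec": {"containers": [
        {"name": "my-app", "image": "my-image", "command": ["/app/server", "--port", "8080"]},
        {"name": "sidecar", "image": "busybox", "command": ["sleep", "infinity"]},
    ]},
}
```

The env entries holding secrethub:// references are deliberately left untouched; resolving them is the job of the CLI at container start, not of the webhook.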


This project is based on and heavily inspired by Berglas’s Kubernetes Mutating Webhook.

Deploy the Webhook

The simplest method to deploy the webhook is as a serverless function:

We’re also working on a way to deploy the webhook in the Kubernetes cluster itself.