Secrets often cover some specific aspect of a workload. For example:
A Kerberos credential may be bound to one node IP
An internal TLS certificate’s subjectAlternateName section must match the Pod object’s name and service
node scope is resolved to the name of the Kubernetes Node object that the Pod is running on. This will typically
be the DNS name of the node.
pod scope is resolved to the name of the Kubernetes Pod. This allows the secret to differentiate between StatefulSet replicas.
service scope allows Pod objects to specify custom scopes. This should typically correspond to Service objects that the
Pod participates in.
listener-volume scope allows Pod objects to request secrets corresponding to a listener volume that is bound to the same Pod.
listener-volume scope takes the name of the listener volume as a parameter.
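
A Pod requesting one secret with the node, pod and service scopes, as an added example that is not part of the original page. It assumes the page describes the Stackable secret-operator and its `secrets.stackable.tech/class` and `secrets.stackable.tech/scope` volume annotations; the Pod, Service, class and image names are constructed.

```yaml
# Added example: all object names below are constructed for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: scope-demo-0
spec:
  volumes:
    - name: tls
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              # Which class of secret to provision (assumed class name).
              secrets.stackable.tech/class: tls
              # node    -> name of the Node this Pod is scheduled on
              # pod     -> name of this Pod (distinguishes StatefulSet replicas)
              # service -> custom scope; here the Service this Pod sits behind
              # Request only the scopes the workload needs, so the issued
              # credential is not valid for identities the Pod never serves.
              # A listener-volume scope would instead take the name of a
              # listener volume bound to this same Pod as its parameter.
              secrets.stackable.tech/scope: node,pod,service=scope-demo
          spec:
            storageClassName: secrets.stackable.tech
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "1"
  containers:
    - name: app
      image: example.invalid/app:placeholder  # constructed placeholder image
      volumeMounts:
        - name: tls
          mountPath: /tls
          readOnly: true
```
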
The node’s IP address
The node’s fully qualified domain name (
The pod’s fully qualified domain name (