kube-secrets-init
kube-secrets-init is a Kubernetes mutating admission webhook that injects a secrets-init initContainer into pods using specially prefixed environment variables from Kubernetes Secrets, ConfigMaps, or direct references. It modifies the pod entrypoint to the secrets-init init system, which runs as PID 1, launches the original command, forwards signals, and resolves secret variable values from external secret management services before passing them to the main process. Supported integrations include AWS Secrets Manager, AWS Systems Manager Parameter Store, and Google Secret Manager, allowing users to reference secret ARNs or names as environment variable values that are transparently replaced with actual secret values. Injection can be skipped on a per-namespace basis via the admission.secrets-init/ignore label. In AWS environments, secrets-init requires an IAM role granting access to the relevant secrets, ideally assigned to the pod rather than the underlying EC2 instance for better security isolation.