Authentication mongo deployed on kubernetes
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
Running MongoDB on Kubernetes without authentication is fine only for throwaway local experiments. In any real environment, you should create credentials, store them as Kubernetes secrets, and start MongoDB with authentication enabled. The practical setup usually involves one secret, one workload manifest, persistent storage, and a connection string that points clients at the correct authentication database.
Store Credentials in a Secret
The first step is to avoid hardcoding usernames and passwords in manifests. Put them in a Kubernetes Secret.
Apply it:
This gives the workload a safe place to read credentials from at startup.
Start MongoDB With Auth-Initializing Environment Variables
The official MongoDB container image supports MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD during initialization. A simple single-instance deployment looks like this:
And the matching PVC:
The root user is created when the database initializes against an empty data directory.
Expose MongoDB Internally
Most applications on Kubernetes should access MongoDB through a ClusterIP service.
Pods in the same namespace can then use mongo:27017 as the host name.
Connect With the Right Authentication Database
When you initialize the root user through the standard environment variables, that account is typically stored in the admin database. Client applications therefore need the right auth source in the connection string.
If you omit authSource=admin, login may fail even though the credentials are correct.
That one detail causes a large percentage of "authentication failed" reports in containerized Mongo setups.
Initialization Happens Only Once Per Data Directory
The root-user environment variables are used during initialization of a fresh database directory. If you already have persistent data and change the secret later, MongoDB does not recreate the root user automatically.
That means you should think carefully about first boot versus ongoing credential rotation. A secret update alone is not a full user-management strategy for an already initialized database.
For more advanced setups, create application users explicitly using init scripts or admin commands rather than relying on the root account for application traffic.
Debugging Authentication Problems
A practical debugging checklist is:
- confirm the secret values were actually mounted into the pod
- confirm MongoDB initialized against an empty data directory the first time
- check that the client uses the right host, username, password, and
authSource - inspect logs for startup and authentication failures
Useful commands:
This helps separate credential problems from networking or storage problems.
Common Pitfalls
The most common mistake is assuming that updating the Kubernetes secret will recreate the Mongo root user on an already initialized persistent volume. It will not.
Another issue is forgetting authSource=admin for root credentials created by the initialization variables.
Developers also often run the application against the root user permanently. That works, but it is not good long-term security hygiene. Create app-specific users for application access.
Finally, do not skip persistent storage. Without it, the pod may restart into a fresh database and reinitialize in ways that surprise the application.
Summary
- Store Mongo credentials in a Kubernetes secret, not directly in manifests.
- Use the Mongo initialization environment variables on first boot to create the root user.
- Back MongoDB with persistent storage so auth setup is stable across restarts.
- Use a connection string with the correct
authSource, oftenadminfor the root user. - Treat secret updates and user lifecycle as separate concerns once the database has been initialized.

