
Hands-On with Secrets

Get introduced to Kubernetes Secrets.

Secrets are almost identical to ConfigMaps: both hold application configuration data that Kubernetes injects into containers at runtime, either as environment variables or as files in a mounted volume. The difference is intent. Secrets are designed to hold sensitive data such as passwords, TLS certificates, and OAuth tokens, and Kubernetes treats them a little more carefully (for example, the kubelet mounts Secret volumes on tmpfs rather than writing them to the node's disk).

Are Kubernetes Secrets secure?

The quick answer to this question is no. But here's the slightly longer answer…

Despite being designed for sensitive data, Kubernetes does not, by default, encrypt Secrets in the cluster store (etcd). The base64 you see in a Secret manifest is an encoding, not encryption: anyone who can read the object, through the API or straight out of etcd, can recover the plaintext without a key. Traffic between kubectl, the API server and etcd is normally protected by TLS, and most service meshes encrypt pod-to-pod traffic, but none of that protects data at rest. Encryption at rest has to be switched on explicitly by passing the API server an EncryptionConfiguration (via the --encryption-provider-config flag) that selects a real provider such as aescbc, aesgcm, secretbox or kms; the default identity provider writes values in the clear. Because of this, many people use tools such as HashiCorp's Vault for a more complete and secure secrets management solution.
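To make the "encoding, not encryption" point concrete, here is an added example (not code from the original page or from the Kubernetes project) that decodes every key of a Secret exactly as returned by the API, with no key material at all, and then classifies raw etcd values the way you would after running `etcdctl get /registry/secrets/<ns>/<name>` to confirm encryption at rest is on. The Secret manifest and both etcd byte strings are constructed stand-ins; the `k8s:enc:<provider>:v1:<keyname>:` prefix is the format Kubernetes documents for encrypted values, and `k8s\x00` is the magic prefix of the default protobuf serializer.

```python
"""Show that Secret data is merely base64 and check etcd values for encryption at rest.

Added example with constructed inputs; not code from the page or from Kubernetes.
"""
import base64
import json

# Constructed stand-in for the output of `kubectl get secret db-creds -o json`.
# The values under "data" are plain base64; nothing secret protects them.
SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "default"},
    "type": "Opaque",
    "data": {
        "username": "YXBw",          # base64("app")
        "password": "UzNjcjN0IQ==",  # base64("S3cr3t!")
    },
})

# Constructed stand-in for what `etcdctl get` returns when encryption at rest is
# NOT configured: the protobuf-serialised object, whose bytes start with the
# serializer magic "k8s\x00" and which contains the password verbatim (protobuf
# stores the []byte values raw, so the base64 seen in the API never reaches etcd).
PLAINTEXT_ETCD = b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret" b"\x12\x1fapp\x00S3cr3t!\x00db-creds"

# Constructed stand-in for the same object after enabling an aescbc provider with a
# key named "key1": a documented prefix followed by (here, made-up) ciphertext.
ENCRYPTED_ETCD = b"k8s:enc:aescbc:v1:key1:" + bytes(range(0x80, 0xA0))

ENC_PREFIX = b"k8s:enc:"


def decode_secret_data(manifest_json: str) -> dict[str, bytes]:
    """Return the plaintext of every entry under .data of a Secret manifest.

    No key is needed: base64 is a reversible encoding, not a cipher.
    """
    secret = json.loads(manifest_json)
    if secret.get("kind") != "Secret":
        raise ValueError("not a Secret manifest")
    return {key: base64.b64decode(value) for key, value in secret.get("data", {}).items()}


def classify_etcd_value(raw: bytes) -> str:
    """Classify a raw etcd value as 'plaintext' or 'encrypted:<provider>:<keyname>'.

    Encrypted values carry the prefix  k8s:enc:<provider>:v1:<keyname>:  before the
    ciphertext. Anything else (including values written by the no-op 'identity'
    provider) is stored in the clear.
    """
    if not raw.startswith(ENC_PREFIX):
        return "plaintext"
    provider, version, keyname, _ciphertext = raw[len(ENC_PREFIX):].split(b":", 3)
    if version != b"v1":
        raise ValueError(f"unexpected envelope version {version!r}")
    return f"encrypted:{provider.decode()}:{keyname.decode()}"


def plaintext_leaks(raw: bytes, secret_value: bytes) -> bool:
    """True if a known secret value appears verbatim in the stored bytes."""
    return secret_value in raw


if __name__ == "__main__":
    for key, value in decode_secret_data(SECRET_JSON).items():
        print(f"{key}: {value.decode()}")
    for label, raw in (("unencrypted etcd", PLAINTEXT_ETCD), ("encrypted etcd", ENCRYPTED_ETCD)):
        print(f"{label}: {classify_etcd_value(raw)}, "
              f"password visible: {plaintext_leaks(raw, b'S3cr3t!')}")
```

The practitioner's check is the second half: after configuring an EncryptionConfiguration and rewriting existing objects (`kubectl get secrets --all-namespaces -o json | kubectl replace -f -`), read a Secret back from etcd and confirm the value carries the `k8s:enc:` prefix. A value that still starts with `k8s\x00` means the object was never re-encrypted, or the identity provider is first in the provider list.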

We'll focus on the basic secrets management functionality provided natively by Kubernetes, as it remains useful when augmented with third-party tools.

A typical secrets workflow looks like this:

  1. We create the Secret and it gets persisted to the cluster store as an un-encrypted object. ...