Secrets Management

Secrets management involves securely storing, accessing, and rotating sensitive information like passwords, API keys, and certificates. Kubernetes provides native secrets, but they have limitations that external secret management solutions address.

Kubernetes Native Secrets

Kubernetes provides a Secrets API for storing sensitive data:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: YWRtaW4=
  password: cGFzc3dvcmQ=

Limitations

  • Base64 encoded, not encrypted - Values under data are only base64 encoded; anyone who can read the manifest can decode them
  • Stored in etcd - Not encrypted at rest unless the API server is configured with an EncryptionConfiguration
  • No rotation - The API does not rotate secrets; rotation must be done manually or by an external tool
  • Limited access control - RBAC is the only access control, and any identity allowed to read a Secret gets the full plaintext

Best Practices

  1. Enable encryption at rest - Encrypt secrets in etcd
  2. Use external secret stores - For production workloads
  3. Rotate secrets regularly - Implement automated rotation
  4. Limit access - Use RBAC to restrict secret access
  5. Don’t commit secrets - Never store secrets in Git
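Two of the points above can be demonstrated directly. The following is an added example, not code from the original page: it decodes the Secret manifest shown earlier to show that base64 offers no confidentiality, and it checks a constructed API server EncryptionConfiguration (apiserver.config.k8s.io/v1) to confirm that Secrets are written with a real encryption provider rather than identity.

```python
import base64
import secrets

# Constructed dict form of the Secret manifest shown above (no PyYAML needed).
SECRET_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "my-secret"},
    "type": "Opaque",
    "data": {"username": "YWRtaW4=", "password": "cGFzc3dvcmQ="},
}


def decode_secret_data(manifest):
    """Return the plaintext of every entry under .data.

    Anyone who can read the manifest (git history, an etcd backup,
    `kubectl get secret -o yaml`) can do this: base64 is encoding, not encryption.
    """
    return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}


def make_encryption_config(key_b64):
    """Build an EncryptionConfiguration that encrypts Secrets with AES-CBC.

    The first provider is used for writes; identity is kept last so that
    Secrets stored before encryption was enabled can still be read.
    """
    return {
        "apiVersion": "apiserver.config.k8s.io/v1",
        "kind": "EncryptionConfiguration",
        "resources": [{
            "resources": ["secrets"],
            "providers": [
                {"aescbc": {"keys": [{"name": "key1", "secret": key_b64}]}},
                {"identity": {}},
            ],
        }],
    }


def secrets_encrypted_at_rest(config):
    """True only if the first provider covering 'secrets' is not identity.

    Wildcard resource entries (e.g. '*.*') are not handled here; this is
    an audit of the explicit 'secrets' entry only.
    """
    for entry in config.get("resources", []):
        if "secrets" in entry.get("resources", []):
            providers = entry.get("providers", [])
            return bool(providers) and "identity" not in providers[0]
    return False


if __name__ == "__main__":
    print(decode_secret_data(SECRET_MANIFEST))  # the "protected" values, in the clear
    new_key = base64.b64encode(secrets.token_bytes(32)).decode()  # 32 bytes for AES-256
    print(secrets_encrypted_at_rest(make_encryption_config(new_key)))
```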
