Secrets in Kubernetes

01. 07. 2023 1 min read intermediate

Kubernetes Secrets are base64 encoded, not encrypted. For production you need a better solution.

Problems with K8s Secrets¶

Base64 != encryption
Visible in etcd (unless encryption at rest)
Accessible via API to anyone with RBAC permissions

External Secrets Operator¶

apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: app-secrets spec: refreshInterval: 1h secretStoreRef: name: vault kind: ClusterSecretStore data: - secretKey: DB_PASSWORD remoteRef: key: secret/myapp property: db_password

Sealed Secrets¶

Encrypt secret¶

kubeseal –format yaml < secret.yaml > sealed-secret.yaml

sealed-secret.yaml is safe for Git!¶

Key Takeaway¶

Never plain K8s Secrets in Git. External Secrets Operator + Vault for production, Sealed Secrets for GitOps.

securitykubernetessecretsvault

CORE SYSTEMS tým

Stavíme core systémy a AI agenty, které drží provoz. 15 let zkušeností s enterprise IT.

Všechny články

Další know-how

HashiCorp Vault — the secrets management we were missing

Passwords in environment variables, API keys in ConfigMaps. How HashiCorp Vault centralizes secrets management.

Secrets Management in Practice — HashiCorp Vault, SOPS and Secure Secret Management

Complete guide to secrets management in 2026. HashiCorp Vault, Mozilla SOPS, External Secrets Operator, key rotation...

Secrets Management — Vault, SOPS a bezpečné ukládání

HashiCorp Vault, Mozilla SOPS, AWS Secrets Manager.