How do you manage secrets securely in Kubernetes? What are the alternatives to plain Kubernetes Secrets?
Kubernetes Secrets are base64-encoded, not encrypted by default. For production, consider these approaches:
- Encryption at Rest: Enable EncryptionConfiguration to encrypt secrets in etcd.
- External Secrets Operator: Syncs secrets from AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault into Kubernetes Secrets automatically.
- HashiCorp Vault Agent Injector: Injects secrets directly into Pod filesystems without storing them in Kubernetes at all.
- Sealed Secrets: Encrypts secrets client-side so they are safe to commit to Git.
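As an added example (not part of the original answer), the following shell helpers cover the encryption-at-rest option: they generate an EncryptionConfiguration with AES-CBC as the write provider and identity last so pre-existing plaintext secrets stay readable, and check whether a raw etcd value carries an encryption prefix. The config path and the sample etcd value are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Generates an EncryptionConfiguration
# for kube-apiserver and checks an etcd value for the encrypted-at-rest prefix.
set -euo pipefail

# The aescbc provider needs a random 32-byte key, base64-encoded.
gen_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# The first provider is used for writes; all providers are tried in order for
# reads, so listing 'identity' last keeps secrets written before encryption was
# enabled readable until they are rewritten.
write_encryption_config() {
  local out="$1" key="$2"
  cat > "$out" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${key}
      - identity: {}
EOF
}

# Returns 0 when a raw etcd value starts with one of the k8s:enc:* prefixes,
# i.e. it was stored encrypted. A plaintext protobuf object starts with "k8s\0".
is_encrypted_at_rest() {
  case "$1" in
    k8s:enc:aescbc:v1:*|k8s:enc:aesgcm:v1:*|k8s:enc:secretbox:v1:*|k8s:enc:kms:v[12]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage on a control-plane node (assumed path for the config file):
#   write_encryption_config /etc/kubernetes/enc/enc.yaml "$(gen_key)"
#   then start kube-apiserver with --encryption-provider-config=/etc/kubernetes/enc/enc.yaml,
#   rewrite existing secrets so they are re-stored encrypted:
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
#   and spot-check one value straight from etcd:
#   is_encrypted_at_rest "$(ETCDCTL_API=3 etcdctl get /registry/secrets/default/mysecret --print-value-only | head -c 40)"
```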