  • Secret API object
    • values in "data" are base64 encoded, not encrypted; by default they are written to etcd as-is, so anyone who can read etcd can read the secrets
    • encryption requires extra configuration (EncryptionConfiguration) or an external integration
    • plain-text values can be written via the "stringData" field; the API server base64 encodes them into "data" (if a key is in both, stringData wins)
  • Encryption at rest (with EncryptionConfiguration API object)
    • defines the key(s) the apiserver uses to encrypt and decrypt Secrets before writing them to etcd; the first provider in the list is used for new writes, all listed providers are tried for reads
    • however, the encryption key sits in plain-text in the configuration file on the apiserver host
      • this is a concern when the apiserver and etcd are co-hosted on the same node: whoever can read the etcd data files can usually read the key too
    • keys must be rotated, and rotation means every Secret has to be rewritten so it is re-encrypted with the new key (e.g. kubectl get secrets --all-namespaces -o json | kubectl replace -f -)
  • KMS (envelope encryption)
    • data is encrypted with a data encryption key (DEK), generated per object
    • the DEK is encrypted with a key encryption key (KEK) that is held by the KMS and never leaves it
    • data and the encrypted DEK are stored side-by-side in etcd
    • when data is decrypted, the apiserver sends only the encrypted DEK to the KMS provider (plugin) to be unwrapped, then decrypts the data locally
      • so the secret itself is never transmitted to the KMS provider
    • most usable with cloud providers that offer a KMS service; the KMS plugin runs on the apiserver host and the apiserver talks to it over a Unix socket
  • External provider
    • Hashicorp Vault
    • integration on
      • platform level
        • Vault injection (vault-agent injector)
          • a mutating webhook injects a Vault agent init container that fetches the secrets from Vault into a shared volume before the application starts
          • or the agent runs as a sidecar that keeps polling Vault and re-renders the secrets when they are modified
      • application level
        • the application authenticates to Vault and reads the secrets through the Vault API itself (client library, token handling in the app)
  • Sealed Secrets
    • mostly solves the problem of keeping secrets safe outside of Kubernetes (a SealedSecret can be committed to git; only the in-cluster controller can unseal it)
    • the controller's private key and the unsealed Secrets themselves are still stored in plain-text in etcd, so encrypting etcd still has to be solved separately
  • csi-secret-driver (Secrets Store CSI Driver, secrets-store-csi-driver)
    • mounts secrets/keys/certs from an external store (Vault, cloud KMS/secret managers) into the pod as a CSI volume; can optionally sync them into Kubernetes Secrets as well
    • marked experimental at the time these notes were written
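
Added example (not part of these notes): a small sanity check for an EncryptionConfiguration before pointing kube-apiserver at it with --encryption-provider-config. It encodes the rules above: the first provider is the one used for new writes (so "identity" first means plain-text), keys must be the right length, key names must be unique because the name becomes part of the etcd value prefix (k8s:enc:<provider>:v1:<name>:), and a kms provider needs a unix:// socket endpoint. The config dicts, key names and the check_encryption_config/etcd_prefix/new_key helpers are constructed for this example; key material is generated at random on each run.

```python
"""Sanity-check an EncryptionConfiguration (added example, not from the notes)."""
import base64
import os

# Valid key lengths in bytes per provider (aescbc and secretbox take a 32-byte key).
KEY_SIZES = {"aescbc": {32}, "secretbox": {32}, "aesgcm": {16, 24, 32}}


def new_key(size: int = 32) -> str:
    """Base64-encoded random key, like `head -c 32 /dev/urandom | base64`."""
    return base64.b64encode(os.urandom(size)).decode()


# Python mirror of this YAML (constructed for the example):
#   apiVersion: apiserver.config.k8s.io/v1
#   kind: EncryptionConfiguration
#   resources:
#     - resources: [secrets]
#       providers:
#         - aescbc:
#             keys:
#               - {name: key2, secret: <new key, used for writes>}
#               - {name: key1, secret: <old key, still readable>}
#         - identity: {}   # last, so pre-existing plain-text objects stay readable
GOOD_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"aescbc": {"keys": [{"name": "key2", "secret": new_key()},
                                 {"name": "key1", "secret": new_key()}]}},
            {"identity": {}},
        ],
    }],
}

# Same shape with two classic mistakes: identity listed first, and a 16-byte aescbc key.
BAD_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"identity": {}},
            {"aescbc": {"keys": [{"name": "key1", "secret": new_key(16)}]}},
        ],
    }],
}


def etcd_prefix(provider: str, key_name: str) -> str:
    """Prefix an encrypted value carries in etcd; grep for it with etcdctl get to verify."""
    return f"k8s:enc:{provider}:v1:{key_name}:"


def check_encryption_config(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for entry in cfg.get("resources", []):
        label = ",".join(entry.get("resources", [])) or "<no resources>"
        providers = entry.get("providers", [])
        kinds = [next(iter(p)) for p in providers]
        if not kinds:
            problems.append(f"{label}: no providers configured")
            continue
        if kinds[0] == "identity":
            problems.append(f"{label}: identity is the first provider, so new writes are stored unencrypted")
        if "identity" not in kinds:
            problems.append(f"{label}: no identity provider, so objects written before encryption was enabled cannot be read")
        seen_names = set()
        for kind, body in (next(iter(p.items())) for p in providers):
            if kind in KEY_SIZES:
                for key in body.get("keys", []):
                    raw = base64.b64decode(key["secret"])
                    if len(raw) not in KEY_SIZES[kind]:
                        problems.append(f"{label}: {kind} key {key['name']} is {len(raw)} bytes, "
                                        f"expected one of {sorted(KEY_SIZES[kind])}")
                    if key["name"] in seen_names:
                        problems.append(f"{label}: duplicate key name {key['name']} "
                                        f"(etcd prefix {etcd_prefix(kind, key['name'])} would be ambiguous)")
                    seen_names.add(key["name"])
            elif kind == "kms":
                if not str(body.get("endpoint", "")).startswith("unix://"):
                    problems.append(f"{label}: kms provider {body.get('name')} must use a unix:// socket endpoint")
            elif kind != "identity":
                problems.append(f"{label}: unknown provider {kind}")
    return problems


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        print(name, check_encryption_config(cfg) or "ok")
```

After enabling the config and restarting the apiservers, confirm a rewritten Secret actually shows the prefix from etcd_prefix() when read directly from etcd; if you see plain-text there, the first provider was not the one you thought.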

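Added example (not part of these notes): envelope encryption the way a KMS provider plugin does it, in standard-library Python so it runs offline. FakeKMS stands in for the KMS service and holds the KEK; seal() generates a fresh DEK per object, encrypts the secret with it and stores the wrapped DEK next to the ciphertext; open_() sends only the wrapped DEK to the KMS. Everything the KMS receives is logged so kms_saw() can confirm the plain-text secret never crossed. The data cipher is a stand-in for AES-GCM (HMAC-SHA256 keystream plus an HMAC tag) chosen only to avoid third-party dependencies; it is not for production use. The class, function names and the secret value are constructed for this example.

```python
"""Envelope encryption with a simulated KMS (added example, not from the notes)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream of HMAC-SHA256(key, nonce || counter) blocks (toy stream cipher)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC); stand-in for AES-GCM."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on tampering or a wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or wrapped DEK was tampered with, or wrong key")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class FakeKMS:
    """Stand-in for the KMS service behind the plugin socket. The KEK never leaves it."""

    def __init__(self) -> None:
        self._kek = os.urandom(32)
        self.requests: list[tuple[str, bytes]] = []  # every payload the KMS was sent

    def encrypt(self, dek: bytes) -> bytes:
        self.requests.append(("Encrypt", dek))
        return aead_encrypt(self._kek, dek)

    def decrypt(self, wrapped_dek: bytes) -> bytes:
        self.requests.append(("Decrypt", wrapped_dek))
        return aead_decrypt(self._kek, wrapped_dek)


def seal(kms: FakeKMS, plaintext: bytes) -> dict:
    """What the apiserver would store in etcd: the wrapped DEK side-by-side with the ciphertext."""
    dek = os.urandom(32)  # fresh DEK per object; only this goes to the KMS
    return {"wrapped_dek": kms.encrypt(dek), "ciphertext": aead_encrypt(dek, plaintext)}


def open_(kms: FakeKMS, record: dict) -> bytes:
    """Decrypt a stored record; only the wrapped DEK crosses to the KMS, data is decrypted locally."""
    dek = kms.decrypt(record["wrapped_dek"])
    return aead_decrypt(dek, record["ciphertext"])


def decrypts_ok(kms: FakeKMS, record: dict) -> bool:
    """True if the record opens cleanly with this KMS (False on tampering or a different KEK)."""
    try:
        open_(kms, record)
        return True
    except ValueError:
        return False


def kms_saw(kms: FakeKMS, needle: bytes) -> bool:
    """True if any payload sent to the KMS contained `needle`; the secret itself should never be there."""
    return any(needle in payload for _, payload in kms.requests)


if __name__ == "__main__":
    kms = FakeKMS()
    rec = seal(kms, b"password=hunter2")  # constructed secret value
    print(open_(kms, rec), "| KMS saw plaintext:", kms_saw(kms, b"hunter2"))
```

The design point is in the two `requests` entries: the KMS only ever receives 32-byte DEKs and their wrapped form. Rotating the KEK means re-wrapping DEKs, not re-encrypting every object; losing access to the KMS means every record becomes unreadable, which is why a KMS outage is an apiserver outage for encrypted resources.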
Decode secrets

Decodes all values of a given secret (one "key: value" per line; empty values are printed as-is, everything else is base64 decoded with kubectl's base64decode template function):
kubectl get secret <secret_name> -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'
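
Added example (not part of these notes): the same decoding done in Python over a constructed Secret JSON, shaped as `kubectl get secret <name> -o json` prints it, plus the reverse direction, what the API server does with "stringData" on write. The sample secret, its name "db-creds" and the decode_secret/as_stored/load_secret helpers are constructed for this example.

```python
"""Decode a Secret's data map, and show how stringData ends up in data (added example)."""
import base64
import json

# Constructed sample; in practice the input comes from: kubectl get secret db-creds -o json
SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "db-creds", "namespace": "default"},
    "data": {"username": "YWRtaW4=", "password": "aHVudGVyMg==", "empty": ""},
})


def load_secret(text: str) -> dict:
    """Parse the JSON kubectl prints."""
    return json.loads(text)


def decode_secret(secret: dict) -> dict[str, str]:
    """Decode every value in .data, keys in sorted order like the go-template's range over a map.

    Empty values stay empty (the {{if not $v}} branch above); binary values such as certs
    or keystores are decoded with replacement characters rather than failing.
    """
    out = {}
    for key, value in sorted(secret.get("data", {}).items()):
        if not value:
            out[key] = ""
            continue
        out[key] = base64.b64decode(value).decode("utf-8", errors="replace")
    return out


def as_stored(secret: dict) -> dict[str, str]:
    """Return the `data` map the API server persists for a manifest that may use stringData.

    stringData entries are base64 encoded and merged into data; on a key present in both,
    the stringData value wins. Nothing here is encrypted, which is the point of the notes above.
    """
    data = dict(secret.get("data", {}))
    for key, value in secret.get("stringData", {}).items():
        data[key] = base64.b64encode(value.encode()).decode()
    return data


if __name__ == "__main__":
    for key, value in decode_secret(load_secret(SECRET_JSON)).items():
        print(f"{key}: {value}")
    print(as_stored({"stringData": {"password": "plain text in the manifest"}}))
```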