Kubernetes Secret Management
Cloud Security
Definition
Practices and tools for securely storing, distributing, rotating, and auditing sensitive configuration data — API keys, certificates, database passwords — in Kubernetes environments to prevent secret sprawl and credential exposure.
Technical Details
Kubernetes Secrets are base64-encoded (not encrypted) by default and are stored in etcd in plaintext unless encryption-at-rest is configured. External secrets management systems (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager), with secrets injected via the External Secrets Operator or the Secrets Store CSI Driver, provide encryption, auditing, and automatic rotation. All secret access should be logged and scoped to specific workloads via RBAC and workload identity.
Practical Usage
Platform teams should configure etcd encryption-at-rest, disable automatic mounting of the default service account token, and migrate sensitive values from ConfigMaps and environment variables to a secrets management system with audit logging. Secrets should be rotated automatically, and access should be governed by workload identity rather than shared static credentials.
Examples
- HashiCorp Vault's Kubernetes auth method issues short-lived database credentials to pods without storing any static secrets in the cluster.
- The External Secrets Operator syncs secrets from AWS Secrets Manager into Kubernetes Secrets with automatic rotation.
- A security audit finds database passwords stored in plaintext ConfigMaps readable by all pods in the namespace.
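The audit finding above and the migration steps under Practical Usage can be checked mechanically. The following script is an added example, not part of this page or of any named project: it walks already-parsed manifests (constructed inline as dicts, not real cluster data) and flags credential-like keys in ConfigMaps, literal `value` entries for credential-like environment variables, and pod specs that never set `automountServiceAccountToken: false`. The `SENSITIVE` key-name pattern is an assumed heuristic.

```python
import re

# Key names that usually hold credentials (assumption: a heuristic, tune per org).
SENSITIVE = re.compile(r"pass(word)?|secret|token|api[_-]?key|private[_-]?key", re.I)


def _pod_spec(manifest):
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec")


def audit(manifests):
    """Return (kind, name, finding) tuples for the secret-sprawl patterns above."""
    findings = []
    for m in manifests:
        kind, name = m.get("kind"), m.get("metadata", {}).get("name", "?")
        if kind == "ConfigMap":  # credentials belong in a secrets store, not here
            for key in m.get("data", {}):
                if SENSITIVE.search(key):
                    findings.append((kind, name, f"plaintext credential key '{key}' in ConfigMap"))
        spec = _pod_spec(m)
        if spec is None:
            continue
        # The default service-account token is mounted unless explicitly disabled.
        if spec.get("automountServiceAccountToken") is not False:
            findings.append((kind, name, "service account token auto-mounted"))
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for env in c.get("env", []):
                # A literal `value` under a credential-like name is sprawl; `valueFrom.secretKeyRef` is not flagged.
                if SENSITIVE.search(env.get("name", "")) and "value" in env:
                    findings.append((kind, name, f"literal env '{env['name']}' in container '{c.get('name')}'"))
    return findings


# Constructed sample manifests (parsed YAML as dicts), not real cluster data.
SAMPLE = [
    {"kind": "ConfigMap", "metadata": {"name": "app-config"},
     "data": {"DB_HOST": "db.internal", "DB_PASSWORD": "hunter2"}},
    {"kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"containers": [{"name": "web", "env": [
         {"name": "API_TOKEN", "value": "abc123"},
         {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}},
     ]}]}}}},
    {"kind": "Pod", "metadata": {"name": "worker"},
     "spec": {"automountServiceAccountToken": False,
              "containers": [{"name": "w", "env": [{"name": "LOG_LEVEL", "value": "info"}]}]}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s/%s: %s" % finding)
```

On the sample input the script reports the ConfigMap password, the literal `API_TOKEN`, and the Deployment's auto-mounted token, while the `worker` pod and the `secretKeyRef`-backed variable pass.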