Submitted URL: http://kubernetesvault.com/
Effective URL: https://docs.rafay.co/integrations/secrets/overview/
Rafay Product Documentation: KOP Integrations - Overview (Secrets Management / HashiCorp Vault)
OVERVIEW

Secrets are essential for the operation of production applications. Although it may be convenient, it is a bad security practice to embed secrets such as passwords and API tokens in source code or YAML files. Unintended exposure of secrets is one of the top risks that should be properly addressed.

--------------------------------------------------------------------------------

KUBERNETES SECRETS

Kubernetes provides an object called Secret that can be used to store application-sensitive data. Kubernetes Secrets can be injected into a Pod either as environment variables or mounted as files.

Storing sensitive data in a Kubernetes Secret does not automatically make it secure. By default, the data in a Kubernetes Secret is only base64-encoded, not encrypted: base64 is a reversible encoding, and anyone who can read the Secret object (for example with kubectl get secret test-secret -o yaml) can recover the plaintext. Secrets are persisted in the cluster's etcd database. Depending on how the cluster was provisioned, etcd may or may not be configured with encryption at rest for Secrets (the kube-apiserver EncryptionConfiguration); without it, Secrets also sit in plaintext in etcd and in every etcd backup.

Here is an example of a Kubernetes Secret YAML with a sensitive "username" and "password" encoded in base64 format.

    apiVersion: v1
    kind: Secret
    metadata:
      name: test-secret
    data:
      username: bXktYXBw
      password: Mzk1MjgkdmRnN0pi

The two encoded values decode to "my-app" and "39528$vdg7Jb" (check with: echo Mzk1MjgkdmRnN0pi | base64 -d), which illustrates that the encoding hides nothing from a reader of the object.

--------------------------------------------------------------------------------

CHALLENGES

MULTI CLUSTER DEPLOYMENTS

It is operationally challenging, cumbersome and insecure to manually provision and manage secrets on every cluster, especially across a fleet of Kubernetes clusters: the same credential ends up copied into many etcd databases, and rotating it means touching every one of them.

NO DANGLING SECRETS

It is a poor security practice to leave Secrets orphaned on Kubernetes clusters long after the workload that used them has been removed. An orphaned Secret is still readable by anyone with access to its namespace and is still captured in every etcd backup.

DYNAMIC RETRIEVAL OF SECRETS

Instead of statically provisioning secrets on a cluster and risking exposure, workload pods should dynamically retrieve secrets from a central secrets management system, authenticating with the cluster's identity so that the secrets management system can scope what each cluster is allowed to read.
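The following is an added example, not code from the Rafay documentation or product, that turns the two points above into a check a practitioner can run against a namespace snapshot: it decodes the Secret manifest shown under Kubernetes Secrets to demonstrate that base64 recovers the plaintext, lists Secrets that no Pod in the namespace references (the "dangling secrets" case), and inspects a kube-apiserver EncryptionConfiguration to tell whether Secrets are written to etcd encrypted. All input objects are constructed inline; the Secret named old-db-creds, the Pod, and the imagePullSecret name registry-creds are assumptions made for the example.

```python
"""Secret-hygiene audit over a constructed Kubernetes namespace snapshot.

Added example (not Rafay code). The objects below are built inline so the
script runs offline; in practice they would come from
`kubectl get secrets,pods -o json`.
"""
import base64
from typing import Dict, List, Set

# Constructed sample: the Secret from the page plus one Secret nothing uses.
SECRETS: List[dict] = [
    {"metadata": {"name": "test-secret"},
     "data": {"username": "bXktYXBw", "password": "Mzk1MjgkdmRnN0pi"}},
    {"metadata": {"name": "old-db-creds"},       # assumed: left behind by a removed workload
     "data": {"password": "aHVudGVyMg=="}},
]

# Constructed sample Pod that consumes test-secret in three different ways.
PODS: List[dict] = [
    {"metadata": {"name": "app"},
     "spec": {
         "imagePullSecrets": [{"name": "registry-creds"}],   # assumed name, not in SECRETS
         "volumes": [{"name": "creds", "secret": {"secretName": "test-secret"}}],
         "containers": [{
             "name": "app",
             "env": [{"name": "DB_PASS",
                      "valueFrom": {"secretKeyRef": {"name": "test-secret", "key": "password"}}}],
             "envFrom": [{"secretRef": {"name": "test-secret"}}],
         }],
     }},
]


def decode_secret(secret: dict) -> Dict[str, str]:
    """base64 is an encoding, not encryption: anyone who can read the object
    (kubectl, etcd, a backup) recovers the plaintext values."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def secrets_referenced_by_pod(pod: dict) -> Set[str]:
    """Collect every Secret name a Pod spec references."""
    spec = pod.get("spec", {})
    names: Set[str] = set()
    for ref in spec.get("imagePullSecrets", []):
        names.add(ref["name"])
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
        # projected volumes may also carry secret sources
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                names.add(src["secret"]["name"])
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                names.add(ef["secretRef"]["name"])
    return names


def orphaned_secrets(secrets: List[dict], pods: List[dict]) -> List[str]:
    """Secrets present in the namespace that no Pod consumes (dangling)."""
    used: Set[str] = set()
    for pod in pods:
        used |= secrets_referenced_by_pod(pod)
    return sorted(s["metadata"]["name"] for s in secrets
                  if s["metadata"]["name"] not in used)


def etcd_encrypts_secrets(encryption_config: dict) -> bool:
    """True if the kube-apiserver EncryptionConfiguration writes Secrets
    encrypted. The first provider in the list is the one used for writes,
    and the 'identity' provider means plaintext."""
    for rule in encryption_config.get("resources", []):
        if "secrets" in rule.get("resources", []):
            providers = rule.get("providers", [])
            return bool(providers) and "identity" not in providers[0]
    return False  # no rule covers secrets, so they are stored in plaintext


if __name__ == "__main__":
    print(decode_secret(SECRETS[0]))        # {'username': 'my-app', 'password': '39528$vdg7Jb'}
    print(orphaned_secrets(SECRETS, PODS))  # ['old-db-creds']
```

Treat the orphan list as candidates rather than a deletion list: a Secret consumed by an Ingress TLS section, a ServiceAccount, a CSI driver or an operator will not show up as Pod-referenced and still has a legitimate owner. The EncryptionConfiguration check only tells you what new writes get; Secrets written before encryption was enabled stay in plaintext in etcd until they are rewritten.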
OPERATIONAL COMPLEXITY

It is operationally cumbersome and challenging to retrofit existing applications to communicate securely with a secrets management solution: each application would need its own code for authenticating to the secrets manager and for fetching and renewing the secrets it uses.

--------------------------------------------------------------------------------

Copyright © 2017-2023 Rafay Systems