Docker & Kubernetes for Developers · Lesson

Managing Secrets Securely with External Secret Stores

Stop committing plaintext Secrets and integrate Kubernetes with external vaults like HashiCorp Vault using the External Secrets Operator.

Kubernetes Secrets Are Only Encoded

By default a Kubernetes Secret is only base64-encoded, not encrypted; the encoding exists to carry binary values, not to protect them. Anyone who can read Secrets through the API, or who can reach etcd directly, can recover the plaintext unless extra protection is added.

Encryption at Rest

A first step is enabling encryption at rest in the API server so Secret data is encrypted before being written to etcd.

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources: ["secrets"]
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <base64-key>
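Before rolling such a file out it is worth checking it programmatically. The script below is an added example, not part of the lesson: it generates a 32-byte key in the base64 form the config expects and lints the parsed configuration (constructed here as Python dicts; a real file would be loaded with a YAML parser) for the mistakes that leave Secrets in plaintext: no rule covering secrets, identity listed as the first (write) provider, and a placeholder or wrong-length key.

```python
# Added example (not the lesson's code): lint a parsed EncryptionConfiguration.
import base64
import os

AESCBC_KEY_SIZES = {16, 24, 32}  # AES-128/192/256 key lengths in bytes


def generate_key_b64(nbytes: int = 32) -> str:
    """Return a fresh random AES key, base64-encoded as the config expects."""
    return base64.b64encode(os.urandom(nbytes)).decode()


def check_encryption_config(cfg: dict) -> list:
    """Return findings; an empty list means Secrets are encrypted on write."""
    findings = []
    if cfg.get("kind") != "EncryptionConfiguration":
        findings.append("kind is not EncryptionConfiguration")
    covered = False
    for rule in cfg.get("resources", []):
        if "secrets" not in rule.get("resources", []):
            continue
        covered = True
        providers = rule.get("providers", [])
        if not providers:
            findings.append("secrets: no providers listed")
            continue
        # The first provider is used for writes; identity means plaintext in etcd.
        if "identity" in providers[0]:
            findings.append("secrets: first provider is identity, new Secrets are written in plaintext")
        for prov in providers:
            for key in prov.get("aescbc", {}).get("keys", []):
                try:  # validate=True rejects placeholders such as "<base64-key>"
                    raw = base64.b64decode(key.get("secret", ""), validate=True)
                except ValueError:
                    findings.append(f"key {key.get('name')}: secret is not valid base64")
                    continue
                if len(raw) not in AESCBC_KEY_SIZES:
                    findings.append(f"key {key.get('name')}: {len(raw)} bytes, need 16/24/32")
    if not covered:
        findings.append("secrets resource is not covered by any rule")
    return findings


# Constructed inputs: the lesson's config with a real key, and a weak variant.
_API = {"apiVersion": "apiserver.config.k8s.io/v1", "kind": "EncryptionConfiguration"}
GOOD_CFG = {**_API, "resources": [{"resources": ["secrets"], "providers": [
    {"aescbc": {"keys": [{"name": "key1", "secret": generate_key_b64()}]}}, {"identity": {}}]}]}
WEAK_CFG = {**_API, "resources": [{"resources": ["secrets"], "providers": [
    {"identity": {}}, {"aescbc": {"keys": [{"name": "key1", "secret": "<base64-key>"}]}}]}]}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CFG), ("weak", WEAK_CFG)):
        print(name, check_encryption_config(cfg) or "ok")
```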
