What is the point of Kubernetes secrets if I can decode them?

4/21/2020

I can easily get the secrets stored in Kubernetes.

$ kubectl get secret my-app-secrets -o yaml

Select secret value from output that I want to decode.

Example ZXhwb3NlZC1wYXNzd29yZAo=

$ echo ZXhwb3NlZC1wYXNzd29yZAo= | base64 --decode
> exposed-password

I'm not sure I understand the effectiveness of the secrets resources in Kubernetes ecosystem since it's easy to obtain this.

-- alex
kubernetes
kubernetes-secrets
kubernetes-security

2 Answers

4/22/2020

The point is that in Kubernetes, the secret allows you to protect your password (what you want to do by encrypting it) by controlling the access to the secret, instead of by encrypting it.

There are several mechanisms for it:

That said, in case something goes wrong, solutions as Sealed Secrets created by Bitnami or others solutions (see Mokrecov answer) have arisen to give even more robustness to the matter, just in case someone undesired gained access to your secret.

-- Btc Sources
Source: StackOverflow

4/21/2020

base64 is encoding, not encryption, it allows you to simply encode information in a convenient way.

The data that you encode may contain many unrecognized characters, line feeds, etc., so it is convenient to encode them.

In kubernetes, you can enable encryption using this instruction.

But kubernetes should not be the only source of truth, rather kubernetes loads these secrets from an external vault that you need to select, such as hashicorp's vault, as indicated in the comments.

In addition to hashicorp vault, there are various ways to store secrets in git:

You may also be interested in the kubesec project, which can be used to analyze kubernetes resources for security risks.

-- V. Mokrecov
Source: StackOverflow