Kubernetes Secrets vs Hashicorp/Azure Vault

development

#1

I’m migrating from Docker Swarm where secrets were immutable and could not be updated. This made them a pain to deploy. Is that also the case with Kubernetes? Ideally I just want an idempotent apply script.

I’ve also read that Kubernetes secrets are just a minimum bar for security and that ideally you should use a dedicated secret store like Azure Key Vault or Hashicorp Vault but you need a secret to access those services, so presumably that secret would be stored in a Kubernetes secret.

Finally, I’d also like to know whether it’s recommended to use Secrets exposed as volumes or environment variables.


#2

On the min-bar questions, yes Kubernetes secrets are base64 encoded strings. If you can access the secret, you can access the data. Azure has just released a solution for KeyVault that appears to work without also storing the KeyVault secrets in Kubernetes (through pod identity). I have not checked it out myself, but intend to do so:

On volumes vs. environment variables, the best explanation / argument I’ve seen was by Liz Rice at Velocity conf 2017 where she argued in favor of volumes. I do not have all the details but have found this presentation that may help:

Liz may be able to provide an updated / Kubernetes specific copy.

Hope this helps


#3

Thanks for the links. I found a YouTube video for the talk you mentioned.

I’m migrating from Docker Swarm, so the lack of built in secret support is a bit sad. That said, the Swarm implementation does not allow updating secrets, only create and delete which is a pain when deploying.

Given the above, I think it’s probably only a matter of time before better encryption of secrets in Kubernetes is implemented.