Cloud Technology

What is the most reliable way to manage secrets in Kubernetes without using plain YAML files?

RA Asked by Rachel Adams · 10-06-2025
0 upvotes 9,346 views 0 comments
The question

I'm uncomfortable storing Base64 encoded secrets in our Git repository, even if the repo is private. It feels like a massive security risk. What are the current industry standards for integrating external vaults like HashiCorp Vault or AWS Secrets Manager into a K8s workflow? Should I be looking at "External Secrets Operator" or "Secrets Store CSI Driver"?

3 answers

0
MI
Answered on 02-08-2025

You are right to be concerned; Base64 is not encryption. The industry is moving heavily toward the External Secrets Operator (ESO). It allows you to define a 'SecretStore' that points to your external provider and then automatically syncs those values into native K8s secrets. This means your application code doesn't need to change—it still reads from environment variables or volumes. In my current project, we use ESO with Azure Key Vault, and it has completely removed the need for developers to ever touch a sensitive YAML file. It’s a "set and forget" solution that keeps your GitOps pipeline clean.

0
JE
Answered on 15-08-2025

Does your security team require that the secrets never even touch the ETCD database as a native K8s secret object, or is syncing them acceptable?

BR 20-08-2025

Jeffrey, that's the million-dollar question. If you need a "zero-touch" approach where secrets only live in memory, the Secrets Store CSI Driver is better because it mounts the secrets directly as a volume. However, it's a bit more complex to set up. For most companies, syncing to ETCD with 'Encryption at Rest' enabled in the cluster is a perfectly acceptable middle ground that balances security with operational simplicity.

0
TH
Answered on 05-09-2025

Sealed Secrets is another great option if you want to keep everything in Git but keep it encrypted. Only the controller in the cluster can decrypt them.

RA 10-09-2025

Sealed Secrets is excellent for smaller teams. It fits perfectly into a standard GitOps flow without needing a heavy external vault infrastructure.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session