
Can Kubernetes Keep a Secret?

Every application uses secrets to function. These secrets include usernames and passwords, API keys, and other similar private keys. Applications running inside Kubernetes are no exception. Unfortunately, Kubernetes has a reputation for not being able to keep a secret. Is that reputation valid? In this talk, Omer Levi Hevroni explores potential solutions that show Kubernetes can in fact keep a secret.

Who Handles Secrets?

A centralized management team oversees secrets in some companies as part of running deployments. The alternative model, though, is Super Devs with full responsibility for writing code, deploying it, and monitoring it. On the one hand, a centralized team manages secrets securely. On the other hand, Super Devs yield a simpler and more scalable organization. That said, Super Devs need good tools to support them, to minimize mistakes, and to make systems secure by design.

GitOps

Developers are already familiar with Git. As a result, there are many upsides to relying on Git for the entire workflow, referred to as GitOps. Typically, code and Kubernetes manifest files live in the repository. Then, they are deployed from there into Kubernetes pods. However, what about the application secrets that must be stored securely?

Requirements

The goal was to find a solution that met these requirements:

  • Embraces GitOps
  • Integrates natively with Kubernetes
  • Stores secrets securely by design

For this analysis, security related to the Kubernetes pod is out of scope. For example, SSH access to the pod and secret leakage from the pod are interesting subjects but not part of this analysis.

Options

Option 1: Kubernetes Secrets

Kubernetes Secrets are the official Kubernetes means of storing secrets securely. They’re intended for holding values such as SSH keys, OAuth tokens, and passwords. By comparison, Kubernetes Secrets are safer and more flexible than putting those values directly in the pod or a Docker image.
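As an added illustration (not code from the talk or the original post), here is a small Python check suited to a GitOps repository: it walks a Kubernetes manifest (JSON form, which kubectl also accepts), finds Secret objects, and shows that their data fields are only base64-encoded, so committing them to Git exposes the values to anyone who can read the repository. The manifest and every value in it are constructed for the example.

```python
import base64
import json

# Constructed sample manifest as it might be committed to a GitOps repo
# (kubectl accepts JSON as well as YAML). Secret "data" values are only
# base64-encoded, never encrypted, so anyone who can read the repository can
# recover them. All values here are made up for the example.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "v1", "kind": "ConfigMap",
         "metadata": {"name": "app-config"},
         "data": {"LOG_LEVEL": "info"}},
        {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
         "metadata": {"name": "db-creds", "namespace": "prod"},
         "data": {"password": base64.b64encode(b"example-pass").decode()},
         "stringData": {"username": "app"}},
    ],
})

def _walk(obj):
    """Yield every object in a manifest, descending into kind: List items."""
    if obj.get("kind") == "List":
        for item in obj.get("items", []):
            yield from _walk(item)
    else:
        yield obj

def find_committed_secrets(manifest_text):
    """Return (namespace/name, key, recovered value) for each Secret field.

    'data' entries are base64-decoded; 'stringData' entries are already plain
    text. Wire this into a pre-commit hook or CI job to block inline Secret
    values from entering the repository.
    """
    findings = []
    for obj in _walk(json.loads(manifest_text)):
        if obj.get("kind") != "Secret":
            continue
        meta = obj.get("metadata", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for key, value in obj.get("data", {}).items():
            plain = base64.b64decode(value).decode("utf-8", "replace")
            findings.append((ident, key, plain))
        for key, value in obj.get("stringData", {}).items():
            findings.append((ident, key, value))
    return findings
```

Running it over the sample reports both fields of `prod/db-creds`, which is exactly what a reviewer of the Git history could recover.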

Here’s

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Daniel Longest. Read the original post at: https://blog.sonatype.com/can-kubernetes-keep-a-secret
