A Secret is a Kubernetes object that can be defined from a file or from the command line. Secrets help us store sensitive information such as passwords, keys and tokens at the Kubernetes level. Secrets are stored in etcd at the cluster level. Etcd is a distributed key-value store that the Kubernetes master nodes also use to hold other cluster information and state.
- Since Kubernetes API v1.13 you can enable encryption at rest for etcd data, including Secrets.
- A Kubernetes cluster administrator can access any Secret created in the cluster.
- You can use SSL/TLS communication between etcd instances if you have multiple master nodes.
- Defining highly sensitive data as a Secret does not mean it is highly protected and sealed at the Kubernetes cluster level. For secret life cycle management, you should be aware of what Kubernetes provides and what you still have to do yourself.
- Base64 encoding is applied when a Secret is created, but Base64 is not an encryption or security mechanism!
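The following Python snippet is an added example, not code from the original article. It decodes a constructed Secret manifest to show that Base64 gives no confidentiality, and checks a constructed API server EncryptionConfiguration (the format used with `--encryption-provider-config`) to see whether Secrets are actually written to etcd encrypted; the helper names and placeholder values are assumptions.

```python
import base64

# Constructed Secret manifest, shaped like `kubectl get secret -o json` output.
# Values are placeholders, not real credentials.
SECRET_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds"},
    "type": "Opaque",
    "data": {
        "username": base64.b64encode(b"appuser").decode(),
        "password": base64.b64encode(b"s3cr3t-placeholder").decode(),
    },
}


def decode_secret_data(manifest: dict) -> dict:
    """Recover the plaintext of a Secret's `data` field.

    Anyone who can read the object (API access or raw etcd access) can do
    the same: Base64 is a byte-safe encoding, not encryption."""
    return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}


# Constructed EncryptionConfiguration objects. The first provider listed is
# the one used for writes; `identity` means "store as plaintext".
ENCRYPTION_CONFIG_PLAINTEXT = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{"resources": ["secrets"], "providers": [{"identity": {}}]}],
}
ENCRYPTION_CONFIG_AESCBC = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"aescbc": {"keys": [{"name": "key1", "secret": "<base64 32-byte key placeholder>"}]}},
            {"identity": {}},  # kept after aescbc only to read legacy plaintext entries
        ],
    }],
}


def secrets_encrypted_at_rest(config: dict) -> bool:
    """True only if some entry covers `secrets` and every such entry writes
    with a non-identity provider (the first provider in its list)."""
    covered = False
    for entry in config.get("resources", []):
        if "secrets" in entry.get("resources", []):
            covered = True
            providers = entry.get("providers", [])
            if not providers or "identity" in providers[0]:
                return False
    return covered
```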