Securing Secrets in Kubernetes
More or less every application you develop handles sensitive data in order to execute some business logic: a username and password to connect to a database, or an application key and secret to connect to a third-party service. Using these secrets in the code is straightforward; keeping them secure is the real challenge.
If your workload is containerized and you are using Kubernetes (k8s) as the orchestration engine, there is some relief. k8s has a native resource called Secret that lets you store and manage sensitive data. Be clear about what it does by default, though: the API server stores Secret values as base64-encoded strings, and base64 is an encoding, not encryption. Anyone who can read the Secret object through the API (or read etcd directly) can decode the values with no key at all. Secrets can be injected into the containers running inside a Pod as environment variables or mounted as files in a volume.
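The following is an added example, not code from the original article. It builds a Secret manifest from plaintext values (the `data:` map must be base64), emits a Pod that consumes it both as an environment variable and as a mounted volume, and then shows how trivially a value is recovered from the stored manifest, which is exactly what `kubectl get secret -o yaml` hands to anyone with `get` on the object. The names `db-creds`, `app`, `DB_USER` and `/etc/creds` are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Names such as db-creds,
# app, DB_USER and /etc/creds are illustrative assumptions.

# base64-encode without line wrapping (portable: avoids the GNU-only -w0)
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Emit a Secret manifest for a username/password pair. Kubernetes requires
# base64 in the `data:` map; `stringData:` accepts plaintext at apply time,
# but the API server still stores the result base64-encoded, not encrypted.
make_db_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: Opaque
data:
  username: $(b64 "$1")
  password: $(b64 "$2")
EOF
}

# Emit a Pod that consumes the Secret as an env var and as a volume.
make_pod() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "echo user=$DB_USER; cat /etc/creds/password"]
    env:
    - name: DB_USER
      valueFrom:
        secretKeyRef:
          name: db-creds
          key: username
    volumeMounts:
    - name: creds
      mountPath: /etc/creds
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: db-creds
EOF
}

# What anyone who can read the Secret object can do: pull one field out of
# the manifest and decode it. No key is involved, which is why base64 must
# never be mistaken for encryption.
decode_field() {
  manifest=$1; key=$2
  printf '%s\n' "$manifest" \
    | awk -v k="$key:" '$1 == k { print $2; exit }' \
    | base64 -d
}

# Usage:
#   manifest=$(make_db_secret dbuser 'S3cr3t!')
#   printf '%s\n' "$manifest"            # what gets checked in / stored
#   decode_field "$manifest" password    # recovers S3cr3t! with no key
```

Run `make_db_secret dbuser 'S3cr3t!' | kubectl apply -f -` and `make_pod | kubectl apply -f -` on a real cluster to see both injection paths; `decode_field` is the reason the rest of the article matters.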
To keep sensitive data secure, two controls are needed on the cluster side: Secret objects should be encrypted at rest in etcd, and access to them should be restricted with k8s RBAC. If you host the cluster on AWS (self-hosted or managed EKS), AWS Key Management Service (KMS) can provide the encryption key: on a self-hosted cluster the kube-apiserver is given an EncryptionConfiguration with a KMS provider, and on EKS the same envelope encryption of Secrets is enabled by associating a KMS key with the cluster. Encryption at rest protects the copy in etcd and its backups; it does nothing against a principal who is allowed to read the Secret through the API, which is why RBAC is the second half of the control.
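As an added example (not the article's own configuration), here are the two controls as a cluster operator would write them: a weak EncryptionConfiguration beside its corrected form, a check that catches the common mistake in it, and a least-privilege Role. Provider order is the thing to get right: the first provider in the list is the one used to encrypt new writes, later ones are only tried when reading, so listing `identity` first leaves Secrets in plaintext even though KMS appears in the file. File paths, the KMS plugin socket, the key ARN placeholder, and the `app` / `db-creds` names are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Paths, socket, key ARN and
# role/namespace names are illustrative assumptions.

# --- Encryption at rest -----------------------------------------------------
# The kube-apiserver loads this file via
#   --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
# WEAK: `identity` (no encryption) is listed first, so it is the provider
# used for writes. Secrets keep landing in etcd as plaintext.
weak_encryption_config() {
  cat <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - identity: {}
      - kms:
          apiVersion: v2
          name: aws-kms
          endpoint: unix:///var/run/kmsplugin/socket.sock
          timeout: 3s
EOF
}

# CORRECTED: kms first, identity last so Secrets written before encryption
# was turned on can still be read. After rolling this out, rewrite existing
# Secrets so they are re-stored encrypted:
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
hardened_encryption_config() {
  cat <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          apiVersion: v2
          name: aws-kms
          endpoint: unix:///var/run/kmsplugin/socket.sock
          timeout: 3s
      - identity: {}
EOF
}

# On managed EKS the apiserver is not yours to configure; the equivalent is
# (key ARN is a placeholder):
#   aws eks associate-encryption-config --cluster-name <cluster> \
#     --encryption-config '[{"resources":["secrets"],"provider":{"keyArn":"<kms-key-arn>"}}]'

# Pre-flight check: print the provider that will be used for writes. Anything
# other than kms / aescbc / aesgcm / secretbox means plaintext.
first_provider() {
  printf '%s\n' "$1" | awk '
    /^ *providers:/ { inlist = 1; next }
    inlist && /^ *- / { sub(/^ *- */, ""); sub(/:.*/, ""); print; exit }'
}

# --- RBAC -------------------------------------------------------------------
# Least privilege for a workload that needs exactly one Secret: `get` on that
# Secret by name. Do not add `list`: a list request returns every Secret in
# the namespace unless the client itself narrows it with a metadata.name
# field selector, so `list` is effectively read-all.
secret_reader_role() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: app
  name: db-creds-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["db-creds"]
  verbs: ["get"]
EOF
}

# Usage:
#   first_provider "$(weak_encryption_config)"       # prints identity
#   first_provider "$(hardened_encryption_config)"   # prints kms
#   secret_reader_role | kubectl apply -f -
```

Bind the Role to the workload's ServiceAccount with a RoleBinding in the same namespace; the Pod then reads `db-creds` through the volume or env path shown earlier, and nothing else in the namespace.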
Kubernetes manifest files are generally checked into the code repository for version control. But you do not want to check secrets into Git, whether in plain text or as base64-encoded strings, since the latter decode in one command. We all know why! But then where do you keep the sensitive data outside of the Kubernetes cluster to ensure…