Skip to content


Secrets are essential for the operation of production applications. Although it may be convenient, it is a bad security practice to embed secrets such as passwords, API tokens in source code or yaml files. Unintended exposure of secrets is one of the top risks that should be properly addressed.

Kubernetes Secrets

Kubernetes provides an object called Secret that can be used to store application sensitive data. Kubernetes Secrets can be injected into a Pod either as an environment variable or mounted as a file.

Storing sensitive data in a Kubernetes Secret does not automatically make it secure. By default, all data in Kubernetes Secrets is stored as a plaintext encoded with base64. Secrets are stored in the cluster's etc database. Depending on how the cluster was provisioned, the etc database may be encrypted.

Here is an example of a Kubernetes Secret YAML with a sensitive "username" and "password" encoded in base64 format.

apiVersion: v1
kind: Secret
  name: test-secret
  username: bXktYXBw
  password: Mzk1MjgkdmRnN0pi


Multi Cluster Deployments

It is operationally challenging, cumbersome and insecure to manually provision and manage secrets on every cluster esp. with a fleet of Kubernetes clusters.

No Dangling Secrets

It is a poor security practice to leave Secrets orphaned on Kubernetes clusters long after the workload has been removed from the cluster.

Dynamic Retrieval of Secrets

Instead of statically provisioning secrets on a cluster and risk exposure, the workload pods should dynamically retrieve secrets from a central secrets management system based on the cluster's identity.

Operational Complexity

It is operationally cumbersome and challenging to retrofit applications to securely communicate with Secrets Management solutions .