Secrets: Types, Encryption at Rest, and Best Practices

Run etcdctl get /registry/secrets/default/db-password against any cluster that has not configured encryption at rest. The value comes back in the clear: etcd holds the protobuf-serialized Secret object with the data bytes exactly as they were written. The base64 you see in kubectl get secret -o yaml is the JSON/YAML wire encoding, not protection, and a single base64 -d strips it. That is the default security posture of Kubernetes Secrets: stored unencrypted in etcd, readable by any subject that RBAC allows to get, list or watch Secrets, and by anyone with an etcd client certificate, root on a control-plane node, or a copy of an etcd snapshot, since backups carry the same plaintext.
Fixing this requires deliberate steps at multiple layers: choosing the right Secret type (kubernetes.io/basic-auth, kubernetes.io/tls, and so on) so the API server validates that the required keys are present; configuring EncryptionConfiguration so etcd stores ciphertext instead of plaintext, remembering that Secrets already stored stay plaintext until they are rewritten; mounting Secrets through tmpfs-backed volumes instead of environment variables, because an environment variable ends up in /proc/<pid>/environ, in crash dumps and in anything that logs its environment; and writing RBAC policies that grant get on named Secrets rather than list or watch, since either of those verbs returns the contents of every Secret in the namespace.
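The four layers above as one script, added here as a worked example and not code from the lesson. It assumes a kubeadm-style control plane (kube-apiserver static-pod manifest under /etc/kubernetes/manifests, etcd client certificates under /etc/kubernetes/pki/etcd, etcd listening on 127.0.0.1:2379); the namespace default, the Secret name db-password, the image registry.example.com/app:1.0 and the path /etc/kubernetes/enc/enc.yaml are illustrative placeholders. The script only defines functions; the usage block at the end shows the order in which to run them.

```shell
#!/usr/bin/env bash
# Added example, not the lesson's own code. Paths and names are assumptions
# for a kubeadm-style cluster; adjust them for other distributions.
set -euo pipefail

# Layer 1: a typed Secret. kubernetes.io/basic-auth makes the API server
# reject the object unless the username and password keys are present.
gen_basic_auth_secret() {            # $1 namespace, $2 name, $3 user, $4 password
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2
  namespace: $1
type: kubernetes.io/basic-auth
stringData:
  username: "$3"
  password: "$4"
EOF
}

# Layer 2: EncryptionConfiguration. The first provider encrypts new writes;
# every provider is tried on reads (matched by its prefix), so identity stays
# last until every existing Secret has been rewritten, then it is removed.
# aescbc takes a 32-byte key, base64-encoded. The key sits on the control-plane
# disk, so this protects etcd and its backups, not against root on the node;
# the kms provider moves the key out of the file.
gen_encryption_config() {            # $1 optional base64 key; default: fresh random key
  local key="${1:-$(head -c 32 /dev/urandom | base64 | tr -d '\n')}"
  cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources: ["secrets"]
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: $key
      - identity: {}
EOF
}
# Then add --encryption-provider-config=/etc/kubernetes/enc/enc.yaml (plus a
# hostPath mount of that directory) to the kube-apiserver manifest, and push
# every stored Secret back through the new provider:
rewrite_all_secrets() {
  kubectl get secrets --all-namespaces -o json | kubectl replace -f -
}

# Verification from etcd's side: an encrypted record starts with the provider
# prefix, a plaintext one with the k8s protobuf header.
dump_secret_from_etcd() {            # $1 namespace, $2 name
  ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
    --cacert=/etc/kubernetes/pki/etcd/ca.crt \
    --cert=/etc/kubernetes/pki/etcd/server.crt \
    --key=/etc/kubernetes/pki/etcd/server.key \
    get "/registry/secrets/$1/$2" --print-value-only
}
etcd_value_is_encrypted() {          # $1 raw value; returns 0 if it carries an encryption prefix
  case "$1" in
    k8s:enc:aescbc:v1:*|k8s:enc:aesgcm:v1:*|k8s:enc:secretbox:v1:*|k8s:enc:kms:v*) return 0 ;;
    *) return 1 ;;
  esac
}

# Layer 3: a tmpfs-backed volume, not an environment variable. fsGroup plus
# mode 0440 lets the non-root container user read the root-owned files.
gen_pod_with_secret_volume() {       # $1 namespace, $2 secret name
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: db-client
  namespace: $1
spec:
  securityContext: {runAsUser: 1000, runAsGroup: 1000, fsGroup: 1000}
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      volumeMounts:
        - {name: db, mountPath: /var/run/secrets/db, readOnly: true}
  volumes:
    - name: db
      secret:
        secretName: $2
        defaultMode: 0440
EOF
}

# Layer 4: RBAC scoped to one Secret by name and to the get verb only.
# list and watch return every Secret's contents, and resourceNames only
# narrows them when the client adds a metadata.name field selector.
gen_reader_role() {                  # $1 namespace, $2 secret name
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-$2
  namespace: $1
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["$2"]
    verbs: ["get"]
EOF
}

# Usage:
#   gen_basic_auth_secret default db-password app 's3cret' | kubectl apply -f -
#   gen_encryption_config > /etc/kubernetes/enc/enc.yaml   # then add the apiserver flag
#   rewrite_all_secrets
#   etcd_value_is_encrypted "$(dump_secret_from_etcd default db-password)" && echo encrypted
#   gen_pod_with_secret_volume default db-password | kubectl apply -f -
#   gen_reader_role default db-password | kubectl apply -f -
```

Run etcd_value_is_encrypted against the dumped value both before and after the rewrite: it fails on the plaintext record and succeeds only once the record begins with k8s:enc:aescbc:v1:key1:. Once it succeeds for every Secret, drop the identity provider from the file so a plaintext record written by an older configuration can no longer be read back silently.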
Part of the CKA — Certified Kubernetes Administrator course (63 lessons).