KubeDojo

Secrets

by Alexis Kinsella · 15 min read

The name "Secret" is optimistic. A base64-encoded value that sits unencrypted in etcd (the default) is not a secret. It's obfuscation. Run kubectl get secret my-db-creds -o jsonpath='{.data.password}' | base64 --decode and you have the credential in one pipeline. Anyone with get access on the Secret API can do this. Anyone with list or watch access can do it for every Secret in the namespace at once, because a list response carries the full data of every object it returns.

Secrets exist to decouple sensitive data from Pod specs and container images. Without them, passwords end up embedded in Deployment manifests or hardcoded in container entrypoints. With them, you get a dedicated API object with its own RBAC surface, tmpfs-backed volume mounts handled by the kubelet (the values stay in memory and never land on the node's disk; Secrets injected as environment variables lose that property, since they live in the process environment and appear in anything that dumps it), and the hooks for encryption at rest and external secret sync. The security story isn't in the encoding. It's in what you build around the API.
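Two checks that follow from the paragraphs above, as an added example that is not KubeDojo's code: first, decoding a Secret object as it comes back from kubectl get -o json, to make the point that base64 is reversible with a standard library call; second, scanning a Role for rules that can return Secret contents, distinguishing a get bounded by resourceNames from a list or watch that dumps the whole namespace. The Secret and Role below are constructed samples shaped like API output, so nothing here needs a cluster; the names my-db-creds, prod and app-reader are assumptions.

```python
"""Decode a Secret and audit which Role rules can read Secrets.

Added example, not KubeDojo's own code. The objects below are constructed
to look like `kubectl get ... -o json` output; no cluster is required.
"""
import base64

# Constructed sample: the shape of `kubectl get secret my-db-creds -o json`.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "my-db-creds", "namespace": "prod"},
    "type": "Opaque",
    "data": {
        "username": base64.b64encode(b"app").decode(),
        "password": base64.b64encode(b"hunter2").decode(),
    },
}

# Constructed sample: a Role that looks tightly scoped but is not.
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "app-reader", "namespace": "prod"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
         "resourceNames": ["my-db-creds"]},
        # A catch-all rule: "*" matches the core group and the secrets resource.
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["list", "watch"]},
    ],
}

READ_VERBS = {"get", "list", "watch"}


def decode_secret(secret: dict) -> dict:
    """Return the plaintext of every .data key. This is all 'decoding' takes."""
    return {
        key: base64.b64decode(value).decode("utf-8", errors="replace")
        for key, value in secret.get("data", {}).items()
    }


def _matches(values: list, wanted: str) -> bool:
    """RBAC wildcard semantics: "*" matches anything, otherwise exact match."""
    return "*" in values or wanted in values


def rules_reading_secrets(role: dict) -> list:
    """List each rule that can return Secret contents, with its effective scope."""
    findings = []
    for index, rule in enumerate(role.get("rules", [])):
        if not _matches(rule.get("apiGroups", []), ""):
            continue  # Secrets live in the core ("") API group
        if not _matches(rule.get("resources", []), "secrets"):
            continue
        verbs = set(rule.get("verbs", []))
        reads = READ_VERBS if "*" in verbs else verbs & READ_VERBS
        if not reads:
            continue
        names = rule.get("resourceNames")
        # resourceNames bounds `get` to named objects; `list` and `watch`
        # return whole objects for the namespace, so they are not bounded.
        if names and reads <= {"get"}:
            scope = f"named Secrets {names}"
        else:
            scope = "every Secret in the namespace"
        findings.append({"rule": index, "verbs": sorted(reads), "scope": scope})
    return findings


if __name__ == "__main__":
    print(decode_secret(SAMPLE_SECRET))
    for finding in rules_reading_secrets(SAMPLE_ROLE):
        print(finding)
```

Run against real objects by feeding the JSON from kubectl get secret ... -o json and kubectl get role ... -o json into the two functions. The second rule of the sample Role is the one people usually intend to write; the third is the one that quietly undoes it, and it is the kind of rule that only a scan over every Role and ClusterRole in the cluster will surface.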

Part of the CKAD — Certified Kubernetes Application Developer course (44 lessons).