KubeDojo

Secrets Management and Encryption at Rest

by Alexis Kinsella · 18 min read

Kubernetes Secrets are base64-encoded. Not encrypted. Not hashed. Base64-encoded. Run echo <value> | base64 -d and you have the original password, token, or key in plain text. Yet Secrets are how Kubernetes stores every piece of sensitive data in your cluster: database credentials, TLS certificates, registry pull tokens, service account keys.

The gap between what people assume Secrets protect and what they actually protect is where security incidents happen. By default, Secrets sit in etcd as plain text. Anyone with etcd access, or even list permission on Secrets via the Kubernetes API, can read them all. Closing that gap requires action at multiple layers: choosing the right Secret types, encrypting data at rest, restricting access through RBAC, and for production environments, moving key material outside the cluster entirely.
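The encryption-at-rest step from the list above, as an added example that is not KubeDojo's code: a POSIX shell function that writes a kube-apiserver EncryptionConfiguration with AES-CBC ahead of the plaintext identity provider, a check that a config file does not list identity first (the weak setting), and a check of a raw etcd value for the k8s:enc: prefix that marks an encrypted Secret. File paths, the key name and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not KubeDojo's code; paths and the key name are assumptions.

# Write an EncryptionConfiguration that encrypts Secrets with AES-CBC.
# Provider order matters: the first provider encrypts new writes, every
# listed provider is tried for reads. 'identity' last keeps already-stored
# plaintext readable until it is rewritten; 'identity' first is the weak
# setting that leaves Secrets in etcd as plain text.
write_encryption_config() {
  out="$1"
  key="$2"   # base64 of 32 random bytes: head -c 32 /dev/urandom | base64
  cat > "$out" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${key}
      - identity: {}
EOF
}

# Succeed when the first provider listed is an encrypting one; fail for
# 'identity' (the plaintext default) or when no provider line is found.
config_first_provider_is_encrypting() {
  first=$(grep -E '^[[:space:]]*- (aescbc|aesgcm|secretbox|kms|identity)' "$1" | head -n 1)
  case "$first" in
    "") return 1 ;;
    *identity*) return 1 ;;
    *) return 0 ;;
  esac
}

# Succeed when a raw etcd value carries the apiserver's encryption prefix
# (k8s:enc:<provider>:v1:<keyname>:), i.e. the stored Secret is ciphertext.
etcd_value_encrypted() {
  case "$1" in
    k8s:enc:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Rollout after the config is in place (run manually on the control plane):
#   add --encryption-provider-config=/etc/kubernetes/enc/enc.yaml to kube-apiserver
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -   # rewrite existing Secrets
#   ETCDCTL_API=3 etcdctl get /registry/secrets/default/<name> | hexdump -C  # expect k8s:enc:aescbc:v1:key1
```

Rewriting every existing Secret is what actually moves the stored data from plaintext to ciphertext; the config alone only affects new writes.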

Part of the course KCSA — Kubernetes and Cloud Native Security Associate (39 lessons).