Storage Security

Every Secret you kubectl create lands in etcd as base64-encoded plaintext. Not encrypted. Not hashed. Base64, which is an encoding, not a protection mechanism. That includes database passwords, TLS private keys, and API tokens. Anyone with read access to etcd, or a backup of it, gets everything.

Storage security is really three separate problems: the API data sitting in etcd, the persistent volumes living on block devices and NFS shares, and the volume types that workloads are allowed to mount. Miss any one of them and you have a data exposure path. This lesson covers all three layers, mapping each to the CIS Kubernetes Benchmark checks that the KCSA exam tests. It closes the Cluster Component Security domain (22% of the exam) by connecting the etcd security concepts from the previous lesson to practical data protection.
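As an added example (not part of the course material), a small shell helper that shows the base64-is-not-encryption point, classifies a raw etcd value by the prefix Kubernetes writes when encryption at rest is on, and emits a hardened EncryptionConfiguration; the function names, the key name key1 and the sample inputs are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the course material: what etcd actually holds for a
# Secret, and how to verify that encryption at rest is in effect.
set -eu

# base64 is an encoding, not a protection: the value from `kubectl get secret -o yaml`
# decodes straight back to the credential.
decode_secret_field() {        # $1 = base64 value as shown in the Secret manifest
  printf '%s' "$1" | base64 -d
}

# Classify the raw bytes stored at /registry/secrets/<namespace>/<name>, read on stdin:
#   etcdctl get /registry/secrets/default/db-creds --print-value-only | classify_etcd_value
# No EncryptionConfiguration: a protobuf envelope starting "k8s\0" with the Secret's
# data inside it in clear.  Encryption at rest: the value starts with
# "k8s:enc:<provider>:v1:<keyname>:" (KMS v2 uses "k8s:enc:kms:v2:") then ciphertext.
classify_etcd_value() {
  local prefix
  prefix=$(tr -d '\000' | head -c 64)   # drop NULs so the shell can hold the bytes
  case "$prefix" in
    k8s:enc:kms:*)       echo "encrypted:kms" ;;
    k8s:enc:aesgcm:*)    echo "encrypted:aesgcm" ;;
    k8s:enc:aescbc:*)    echo "encrypted:aescbc" ;;
    k8s:enc:secretbox:*) echo "encrypted:secretbox" ;;
    k8s:enc:*)           echo "encrypted:unknown-provider" ;;
    *)                   echo "PLAINTEXT" ;;
  esac
}

# Emit the EncryptionConfiguration that kube-apiserver loads via
# --encryption-provider-config.  The first provider is used for writes, so listing
# `identity` first (or having no config at all) is the weak setting; here it is last,
# so objects written before encryption was enabled still read until they are rewritten.
# $1 = base64-encoded 32-byte key, e.g. from `head -c 32 /dev/urandom | base64`
write_encryption_config() {
  cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: $1
      - identity: {}
EOF
}
```

After the API server restarts with this config, Secrets written earlier stay plaintext in etcd until they are rewritten (for example `kubectl get secrets -A -o json | kubectl replace -f -`); rerun classify_etcd_value on one of them afterwards to confirm the prefix changed.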