惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Palo Alto Networks Blog
大猫的无限游戏
大猫的无限游戏
Martin Fowler
Martin Fowler
GbyAI
GbyAI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
量子位
T
The Blog of Author Tim Ferriss
Y
Y Combinator Blog
Microsoft Azure Blog
Microsoft Azure Blog
C
CERT Recently Published Vulnerability Notes
Recent Announcements
Recent Announcements
A
About on SuperTechFans
aimingoo的专栏
aimingoo的专栏
P
Privacy International News Feed
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 叶小钗
L
Lohrmann on Cybersecurity
G
GRAHAM CLULEY
T
The Exploit Database - CXSecurity.com
Hugging Face - Blog
Hugging Face - Blog
P
Proofpoint News Feed
NISL@THU
NISL@THU
博客园 - Franky
C
Cybersecurity and Infrastructure Security Agency CISA
The Register - Security
The Register - Security
M
MIT News - Artificial intelligence
Know Your Adversary
Know Your Adversary
A
Arctic Wolf
F
Full Disclosure
T
Threat Research - Cisco Blogs
P
Privacy & Cybersecurity Law Blog
The Hacker News
The Hacker News
博客园 - 【当耐特】
D
Docker
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Jina AI
Jina AI
Help Net Security
Help Net Security
V
Visual Studio Blog
小众软件
小众软件
B
Blog
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
N
Netflix TechBlog - Medium
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
C
Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic

Devoriales - DevOps and Python Tutorials

Cloud & DevOps & AI Digest: The Week of Jun 28, 2026 Cloud & DevOps & AI Digest: The Week of Jun 20, 2026 Ansible for DevOps Engineers: Architecture, Core Concepts, and Hands-On Lab Login Must-Have Kubernetes CLI Tools Every Platform Engineer Should Know Login Login Login Why Your Best Engineers Are Quitting (And How to Stop It) Login ArgoCD Vulnerability: How the ServerSideDiff Feature Exposes Kubernetes Secrets Login How Kubernetes Controls What Your Containers Can Do Login Multi-AZ Is Not Disaster Recovery: What the AWS Bahrain Outage Finally Proved Trivy Supply Chain Attack: When Your Security Scanner Becomes the Threat Is Claude Opus 4.6 Fast Mode Really Worth 6× the Price? Login Unlocking Higher Pod Density in EKS with Prefix Delegation AWS Regional NAT Gateway: What It Is and Why You Should Care Kubernetes 1.35 Timbernetes Release AWS re:Invent 2025: The Future of Kubernetes on EKS Debate Series: How Do We Control Deployment Order in Kubernetes? Kubernetes CRDs Explained: A Beginner-Friendly Guide to Extending the Kubernetes API Reduce Cloud Cross-Zone Data Transfer Costs with Kubernetes 1.33 trafficDistribution Building Custom Bitnami Images: A Guide for Self-Hosted Container Images New Features in Kubernetes 1.34: An Overview From Free to Fee: How Broadcom's Bitnami Monetization Disrupts DevOps Infrastructure Claude Code Cheat Sheet: The Reference Guide Kubernetes Loses Enterprise Slack Status: Discord Among Platforms Being Considered Understanding Container Security: A Guide to Docker and Pod Security Container Patterns in Kubernetes: Init Containers, Sidecars, and Co-located Containers Explained AWS Launches Serverless MCP Server: AI-Powered Development Gets a Serverless Boost Valve Responds to Alleged Steam Data Breach Reports: What Users Need to Know ArgoCD 3.0: The Evolution Toward Secure GitOps Redis Returns to Open Source: The AGPLv3 Licensing Decision New Features in Kubernetes 1.33: An Overview Prometheus: How We Slashed Memory Usage IngressNightmare: Critical Ingress-NGINX Vulnerabilities and How to Check Your Exposure New Features in Kubernetes 1.32: An Overview What to Consider If You're Not Signing Up for Bitnami Premium Certified Kubernetes Administrator (CKA) Exam Updates for 2025 DeepSeek AI and the Question of the AI Bubble Python Tops the Tiobe Index: The Most Popular Programming Languages - January 2025 2024 in Review: IT Trends, Startups, and What’s Next Inside Argo: The Open-Source Journey Captured in a CNCF Documentary Running Docker on macOS Without Docker Desktop - updated with Kubernetes installation HashiCorp Rolls Out Terraform 2.0 at HashiConf, Keeps IBM Acquisition in the Shadows Is the EU Falling Behind in the Global AI Race? Prometheus Essentials: Node Exporter And System Monitoring Prometheus Essentials: Install and Start Monitoring Your App Prometheus Essentials: Introduction To Metric Types Kubernetes Pod Scheduling Explained: Taints, Tolerations, and Node Affinity Retrieval Augmented Generation (RAG) Explained for Beginners Like Me Using Sealed Secrets with Your Kubernetes Applications
Debate Series: Should We Eliminate Kubernetes Secrets Entirely?
Aleksandro Matejic · 2025-11-29 · via Devoriales - DevOps and Python Tutorials

Kubernetes Secrets vs. Vault

A post on Reddit set the ground for this debate. An engineer explained that their senior cloud architect had pushed for a major shift which is to delete every Kubernetes Secret and rely on Vault, with Vault Agent or BankVaults handling distribution. While the engineer understood the concern about duplicated information, they struggled to see how a zero-Secrets cluster could work when so many third-party components depend on Secrets by design.

Kubernetes Secrets were, in the artchitect's view, not secure enough, and storing sensitive information in both Vault and Kubernetes created unnecessary duplication. On paper, the idea looked clean and consistent. In practice, it ignited a debate about how Kubernetes actually operates.

The request dropping Kubernetes secrets left the engineer unsure whether the zero-Secrets vision was even achievable or whether tools such as External Secrets Operator, Sealed Secrets, or the Secrets Store CSI driver were more realistic options

The team operating the platform had already removed Secrets for internal applications. The problems appeared once they reached components they did not control. Operators, controllers, and many Helm charts rely on Kubernetes Secrets as part of their core design. This left the engineer unsure whether the zero-Secrets vision was even achievable or whether tools such as External Secrets Operator, Sealed Secrets, or the Secrets Store CSI driver were more realistic options.

This question reflects a familiar discussions seen across large Kubernetes deployments. On one side is the desire to establish a unified security model using a Secrets Manager as Vault to be the sole authority. On the other side is the practical reality that most of the Kubernetes ecosystem is built around Secrets. When I first began working with Kubernetes platform, the handling of sensitive data was always one of the challenges. I tested many open-source tool available, and while each one offered its own style of abstraction or workflow, they all target the same problem: Kubernetes workloads expect Secrets, and many tools embed this assumption deep into their logic.

Take cert-manager as one example: it stores generated TLS certificates as Secrets. PostgreSQL operators such as CloudNativePG store database credentials the same way. Continuous delivery tools like Argo CD keep repository access details in Secrets. Service mesh components depend on Secrets for mTLS. Removing these objects means rewriting, forking, or wrapping a large portion of the ecosystem. Any attempt to erase Secrets completely forces the organization into complex maintenance mode, where every chart upgrade or operator release becomes a significant engineering task. Some teams  could consider building custom operators to bridge this gap, but that level of investment rarely aligns with the value gained.

The argument that Kubernetes Secrets lack security also requires more nuance. Secrets can be protected with encryption at rest. In the major cloud distributions, enabling this requires only minimal configuration, and once it is active, Secrets inside etcd are secured with strong encryption. Without this feature, Secrets are only Base64-encoded, which offers no protection. With it active, the risk model shifts away from the storage layer and toward access control.

“The difference between a Secret volume and Vault-injected data becomes less meaningful when the surrounding controls are broad."

And that brings us to the factor that matters just as much as encryption: RBAC. Misconfigured permissions create a dangerous exposure. Anyone who can read Secrets usually can also read pods, where credentials appear in plain form once an application is running. If Vault Agent is writing secrets to the filesystem inside a pod, the contents are just as accessible to anyone with the ability to exec into that container. The difference between a Secret volume and Vault-injected data becomes less meaningful when the surrounding controls are broad.

Vault and most of the secrets manager provides significant advantages: centralized audit logs, secret rotation, dynamic credentials with limited lifetimes, and fine-grained access policies. But none of those advantages change the fact that secrets eventually appear inside a pod, and once they do, the protection depends on RBAC, workload isolation, and network boundaries.

“If RBAC is weak, the method of secret delivery becomes secondary.”

A more grounded approach is to acknowledge that some Secrets will always exist in the cluster, especially for platform components. Vault can remain the central source of truth, and operators like External Secrets Operator can sync Vault data into the Secret objects required by the ecosystem. This avoids the maintenance overhead of rewriting or patching third-party tools while still ensuring that Vault controls the authoritative version of every credential. Combined with encryption at rest, careful RBAC, and strict administrative access patterns, this model provides strong security without working against Kubernetes itself.

One production environment I worked with implemented short-lived administrative permissions. Engineers held no permanent cluster-admin rights. Instead, they requested temporary elevated access only when needed, and the system automatically revoked it after a short period. This design reduced the chance of broad Secret exposure and forced teams to handle sensitive operations with more discipline. There are many ways to achieve a similar result, but the principle is consistent: even the most advanced secret management strategy weakens if the surrounding permissions are loose.

When considering a Vault-only design, the better question is not whether Kubernetes Secrets should disappear, but whether the risks they introduce can be managed effectively with encryption, RBAC, and workload isolation. The zero-Secrets vision may appear straightforward, yet it often overlooks the operational and architectural layers that make Kubernetes successful. A balanced model — Vault as the source of truth, ESO as the bridge, and Kubernetes Secrets as the caching mechanism required by controllers — tends to deliver stronger long-term stability.

In the end, this debate shows that an approach that appears completely logical on paper does not always hold up in real environments. Running a cluster with no Secrets is only achievable when an organization is ready to modify large parts of the Kubernetes ecosystem. Most teams gain far more by investing in secure configuration, strict access controls, and clear ownership rather than removing a core Kubernetes concept.  In practice, the middle ground remains where teams achieve both security and operational stability.

Related Posts

You can find some posts and tutorials under the Secrets category.

You may find this article interesting as well: https://devoriales.com/post/150/kubernetes-rbac-and-admission-controllers

This post is part of the Debate Series on devoriales.com, where I share my perspective on topics that often spark strong opinions in the tech community. My view is not the final answer, and it shouldn’t be treated as such. The goal is to exchange ideas, question assumptions, and learn from each other. If you see something differently or have experience that adds another angle, I welcome your thoughts. These discussions shape how we grow, and my own opinions may shift as the conversations continue.