I've come across some claims suggesting that mounted secrets in Kubernetes might be a more secure way to handle secrets compared to using environment variables. However, I'm struggling to find reliable sources that explain the reasoning behind this idea. Can anyone share their thoughts on this topic or point me to resources that delve into the 'why' of this security approach?
1 Answer
Mounted secrets are generally considered more secure because they're protected in transit using TLS, and while running, they're encrypted in memory by the CPU. Plus, you can configure encryption at rest. On the other hand, environment variables are often passed as cleartext and may be accessible from the host machine or logged unintentionally, making them a higher risk. Both methods can expose secrets to anyone with access to the Secrets resource in that Namespace, but using an external secrets operator adds a layer of security, especially with workload identity injection.
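As an added example (not from the question or the answer above), here is one Pod manifest showing the two approaches the answer contrasts side by side; the Secret name `app-creds`, the key, the image and the mount path are constructed placeholders, and a real manifest would keep only one of the two.

```yaml
# Constructed example: the same Secret handed to a container two ways.
# Names (app-creds, example.invalid/app, /etc/app/creds) are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: app-creds
type: Opaque
stringData:
  db-password: "replace-me"        # constructed value, not a real credential
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 1000                  # secret files are group-owned by this GID
  containers:
  - name: app
    image: example.invalid/app:1.0
    # Weaker option: the value becomes part of the process environment.
    # It is inherited by every child process, is visible in /proc/<pid>/environ
    # to anyone who can read that file, and ends up in crash dumps or debug
    # output that print the environment.
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: app-creds
          key: db-password
    # Preferred option: the value is a file on a tmpfs-backed volume (not
    # written to node disk), readable only with the mode set below, and not
    # inherited through the environment. The app reads
    # /etc/app/creds/db-password at startup.
    volumeMounts:
    - name: creds
      mountPath: /etc/app/creds
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: app-creds
      defaultMode: 0440            # octal in YAML; use 288 (decimal) in JSON
      items:
      - key: db-password
        path: db-password
```

One further difference worth knowing: an env var is fixed when the container starts, whereas the kubelet refreshes a volume-mounted Secret when the Secret object changes (unless it is mounted with `subPath`).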

But doesn't the external secrets operator end up creating a standard secret eventually?